LAFITTE Pierre
AC504E External auditing
Take home case
Pacific Sunwear of California Inc
1
Executive summary ................................................................................................................................. 3
The Sarbanes Oxley act: a compliance plan ............................................................................................ 4
Overview: ............................................................................................................................................ 4
Summary of the Sarbanes-Oxley act: .................................................................................................. 4
The Sarbanes-Oxley 404: Checklist: .................................................................................................... …show more content…
5
Auditing standards n°5: description of the procedures to comply with the section 404 ................... 5
International standards of auditing in reference with the case.......................................................... 6
Processes to comply with the Section 404.............................................................................................. 7
How to comply with the Section 404? ................................................................................................ 7
Procedures implemented by Pacific Sunwear..................................................................................... 8
Evaluation of the effectiveness of the process implemented by PacSun ........................................... 9
Impact of the information disclosed on the stock prices...................................................................... 10
Costs and benefits of Sarbanes-Oxley ................................................................................................... 13
Recommendations for PacSun .............................................................................................................. 15
References............................................................................................................................................. 16
Appendix A : Deadline for the compliance with the different sections of the act............................ 17
Appendix B: Certification required by the SEC about internal controls........................................... 19
Appendix C: Certification required by the SEC about disclosure controls ....................................... 20
2
Executive summary
Pacific Sunwear of California entered in the stock market on Nasdaq in 1993. The Sarbanes
Oxley act redacted in 2002, established new or enhanced standards for listing companies in the US markets and in particular the section 404 about the creation of an internal report each year, in response to a number of major corporate and accounting scandals like Enron or
WorldCom.
In this report, we will establish the impact of this United States federal law on PacSun by analyzing the process engendered, influence of the disclosures on the stock price, and the cost/benefits relation.
3
The Sarbanes Oxley act: a compliance plan
Overview:
The Sarbanes-Oxley act enacted in 2002 is a United States federal law to respond to some major corporate and accounting scandals such as Enron, Tyco international or World com.
These scandals cost billions of dollars to investors when stock prices collapsed and decreased the public confidence about nation’s securities markets and auditing standards.
So, this standard established new or improved standards and regulations, for all US public company and all foreign companies listed in the US stock markets. This act contains 11 sections and required the Securities and Exchange Commission (US regulator which regulates the securities industry and the stocks and options markets) to implement the rules and comply with the new law. The deadlines to implement SOX are exposed in Appendix 1.
Summary of the Sarbanes-Oxley …show more content…
act:
Then, we are going to describe quickly the different sections of the SOX act (except the section 4 explained below):
1 Public Company Accounting Oversight Board (PCAOB): the objective of this board is to register and regulate all public accounting firms to implement compliance standards
2 Auditor independence: creation of standards for external auditor independence to reduce conflicts of interest
3 Corporate responsibility: defines the relation between external auditors and corporate audit committees 5 Analyst conflicts of interest: evokes practice to create a new public confidence in the reporting 6 Commission resources and authority: highlights practice to create a new public confidence in the financial analysts
7 Studies and reports: SEC has to make various studies and explain their findings
8 Corporate and criminal fraud accountability: describes criminal penalties for fraud
9 White collar crime penalty enhancements
10 Corporate tax returns required to be signed by the Chief Executive Officer
11 Corporate fraud accountability: identified corporate fraud and records classified as criminal offenses
4
The Sarbanes-Oxley 404: Checklist:
The section 4 is about enhanced financial disclosures and increases requirements for financial reporting like off-balance sheet transactions. It requires internal controls to offer the accuracy of financial reports and disclosures. An internal control system is what will reduce the likelihood of non compliance and alert the company to breaches, failures, or weaknesses in the system that must occur.
The section 404 is the cornerstone of the section 4 and demands that each annual report contain an internal control report. This additional report assesses the responsibility of management for establishing and implementing adequate procedures for financial reporting.
This report must include: assessment of effectiveness of internal control structure and procedures, any code of ethics and contents of that code.
Consequently, this section is really decisive because it implies extra costs to comply with this requirement for registered public companies in the US stock markets.
The Appendix 2 and 3 sum up the certifications required by the SEC.
Auditing standards n°5: description of the procedures to comply with the section 404
Issued the 24th may 2007, the Auditing standards n°5 substitutes the Auditing standards n°2.
The Public Company Accounting Oversight Board releases the AS no5 to describe the procedures to comply with the section 404: o Highlights a top-down risk based approach (financial risk assessment) o Places greater reliance on entity-level controls o Focuses on understanding and testing controls related to risks for significant accounts and disclosures o Allows for greater ability to rely on work of others o Changes definition of material weakness and significant deficiency:
-
Material weakness: “a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.”
-
Significant deficiency: “A deficiency or combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important to merit the attention by those responsible for oversight of the company’s financial reporting.”
o Simplifies the auditor’s opinion by eliminating opinion on management’s assessment of internal control
5
International standards of auditing in reference with the case
The section 404 referred to some ISA standards:
ISA 230 about audit documentation
ISA 300 about planning an audit of financial statements
ISA 330 about the auditor’s procedures in response to assessed risks
ISA 500 about audit evidence
ISA 600 about using the Work of Another Auditor
ISA 610 about considering the Work of Internal Auditing
6
Processes to comply with the Section 404
After evoking the requirements of the section 404, we will describe the processes implemented by Pacific Sunwear first and by the other listed companies in general.
Complying with Sarbanes-Oxley is complex; compliance requires a multiple approach involving many departments and many people which will be detailed below.
How to comply with the Section 404?
Generally, according to Sanjay Anand an internal control in accordance with Sarbanes-Oxley is following an eight-step process:
1 Establish a compliance committee which is specialist of the compliance with SarbanesOxley and can have a general overview of the company about the risk and the solutions. The objective of this committee is to commit the various departments, to provide training and to communication about the objectives.
2 Assess risk in order to identify the magnitude and potential impact of each risk in order to create a risk portfolio.
3 Set reporting objectives by determining the probability of risks and errors to define decision rules and reporting objectives. For ensuring internal control compliance, these areas need to be created: personnel control, system and resource controls, strategic planning controls and business service controls.
4 Prepare a formal implementation plan, which is a transition plan to move from project step to a day-to-day operation for an internal control system.
5 Communicate the ongoing procedures by presenting clearly and effectively with the focusing on understanding, acceptance and observance.
6 Provide training implemented by the compliance committee in internal policies, practices and procedures.
7 Document processes and risk management certified by the Chief Executing Officer and the
Chief Financial Officer so as to demonstrate the efficiency of the internal control system.
8 Perform continuous evaluation performed by the manager in order to establish and maintain controls and to ensure the appropriate compliance.
7
Procedures implemented by Pacific Sunwear
The most expensive costs of compliance were those linked with the section 404: costs about internal controls over financial reporting. The procedures of compliance are only described for the two first years in the case study: 2004 and 2005.
Before the compliance, PacSun had not internal control system. They only created it in mid
2003 and they paid the services of a Big-4 auditing firms as required by the section 404.
They expanded the internal control department at the end of 2004.
About the procedures they implemented in 2004, PacSun followed a process in five steps:
1) Scope and plan the evaluation
2) Document the controls
3) Evaluate the design and operating effectiveness of the controls
4) Identify, assess and correct deficiencies
5) Reports on internal
control
They identified also 21 major business processes assigned to an “owner” with the objective to develop detailed process narratives. These major business processes were divided into sub processes with the detail of the business objectives and the risks. At the end of 2004, they had identified a total of 238 key controls and they managed to highlight a significant deficiency about the revaluation of deferred leases which can affect by definition the reliability of external auditing data. Then, all public officers had to certify in their area that the control was effective. The CEO and CFO certified then of the fairness and reliability of the financial statements.
In 2005, the process became easier because all the information had already been created.
They reduced the number of key controls to 222, only a 7% decrease, in comparison with larger companies (19% of decrease). They discovered a new significant deficiency because they didn’t recognize liabilities about the company’s loyalty program.
8
Evaluation of the effectiveness of the process implemented by PacSun
Strengths:
-
Enables to discover two significant deficiencies which misstate the financial statements -
Enable to create an efficient internal control system, which reduces the risks and increases the efficiency of the global system
-
Implementation of a double control : internal control and Big-4 auditing firms control -
Better assessment of risks implied
-
Significant reduction of the costs after the first year of implementation of about
40%, comparable to the other companies
-
Commitment of all the employees which can increase the motivation and the corporate culture
-
Better disclosure of financial information for financial analysts and investors
Weaknesses:
-
Compliance costs of $2 million in 2004 and $1.2 million in 2005
-
Additional costs associated with the training of the staff with the necessary creation of a SOX program training
-
The compliance is very time-consuming with an increase of the formalization
-
Competitive disadvantage in comparison with the other competitors not listed
Overall, PacSun had efficiently implemented the compliance and the weaknesses will tend to reduce over the long term. However, PacSun management believed that the costs are greater than the benefits engendered. The costs implied and generally the time spent to respect the compliance rules, can justify this opinion.
9
Impact of the information disclosed on the stock prices
In 2005, PacSun need to restate his prior two years’ financial statements, which resulted in no material change to net income. Auditors judge restatement like deficiencies but they don’t agree about the type of deficiency: two of the Big-4 firms judge this particular type of restatement as only a significant deficiency, i.e. a control deficiency, or combination of control deficiencies, that adversely affects the company’s ability to be in accordance with
GAAP. The others two judge it to be a material weakness, i.e. a significant deficiency, or combination of significant deficiencies, that result in more than remote likelihood that a material misstatement of financial statements will not be prevented or detected.
In 2006, the company discovered a new significant internal control deficiency created by the
PacSun loyalty program called “Pac Bucks”. In fact, the liabilities and expenses of this program were not recognizing in the proper quarter. This accounting problem was considered by external auditors like a significant deficiency, but not a material weakness.
Thus, in FY 2005, PacSun received clean financial statement and 404 opinions.
What is the impact of Information Disclosure provided by these deficiencies on PacSun’s stock price?
In this graph, we can see that the PacSun‘s stock price is very volatile between 2005 to 2007
(Beta higher than 1) when the NASDAQ is regularly up. This volatility can be explained by
10
the convergence of PacSun to SOX and the substantial increase of information provided on the firm. But it is very hard to have a real opinion of the impact of Information Disclosure on stock Market Returns with a unique firm. Thus we will answer with papers which study this impact on a large sample of US Company.
“The Sarbanes-Oxley Act of 2002 is one of the , if not the, most important pieces of legislation affecting corporations traded on the US stock exchanges, since the Securities Act of 1932 and Securities Exchange Act of A934 were enacted” (Gordon et al.2007). The SOX act introduced significant changes to financial practice and corporate governance regulation, including new rules designed to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws. And the part of the Act having the most impact must be Section 404, which requires management to submit to the SEC with the company’s annually filed financial statements, an internal control report, an assessment of the effectiveness of the internal control structure and procedures for financial reporting, and finally an audit report which include a description of material weakness in such internal controls and of any material noncompliance. Furthermore, where significant deficiencies exist, they need to be identified as required under SOX like we saw in the PacSun case.
Many studies demonstrate that the passage of mandatory government regulation like SOX may be altering the operation of capital market by affecting the stock performance of firms. In
2007, Balakrishnan et Al., examine, by a dataset on stock market abnormal returns and consists of 300 firms, how the stock market reaction varies for 8-K filling and how this reaction have changed since the passage of the SOX act. The result is that the SOX have the particularity to increase the information flow of a firm. Thus when a disclosure of a deficiency is promulgated, the information is quickly announced by media and have a direct negative impact on the stock market price. Inversely, when a firm received clean financial statement and 404 opinions, we can think that stock price is positively impacted because it’s an evidence of a very good internal control of the firm. Another interesting dimension to consider would be the size of the firm. “The effect of Sarbanes-Oxley on the firm’s information environment is expected to vary with the size of the firm” (Ghose et al. 2006). In fact, media coverage is generally better for larger firms. PacSun is not considered like an international firm, but in the US sportswear market, this size is important. In a stock market where diversification is one of the solutions to leverage the risk, PacSun can be a blue chip.
Thus, a special attention is paid to it by media.
11
Finally, we can say that disclosure of these deficiencies have had a negative effect on firm’s stock price but, on the contrary, clean financial statement certification and Good 404 opinion have a positive impact on stock price. In addition, a firm can decide to increase the speed with which information reaches investors by publicizing it in media articles. It’s a good way to build a loyal firm’s brand image i.e. increase the investor recognition and limited the impact of bad news on the stock price.
12
Costs and benefits of Sarbanes-Oxley
PacSun executives seem convinced that the costs of complying with SOX were greater than the benefits to the company. Though, according to a survey entitled “Oversight Systems financials Executive Report” conducted with 222 corporate finance leaders, 74 percent said their company benefited from SOX, 79 percent reported “significantly stronger” or “somewhat stronger” internal controls as a result of SOX, 46 percent said SOX compliance benefits the company by ensuring accountability and 75 percent said they would vote to keep Section
404 if they were members of Congress. In fact, the benefits of SOX Compliance are multiple:
There is a positive influence on maintaining investor confidence (and long-term share price) through increased transparency and fewer surprises. Financial reporting is more timely and reliable. Overall control culture and corporate governance process are improved. Outdated, redundant and inflective processes and controls are eliminated. Employee on-boarding process is easier… Then, why did PacSun not benefit from the compliance process to the same extent as some other companies? Or were their compliance costs too high?
The main issue of PacSun is this medium size ($1billon in market capitalization). The high cost of SOX implementation is financially draining many firms. The SOX doesn’t make a distinction between large-cap billion-dollar companies and small-cap; $75-millon companies
(the minimum cap to be obliged to apply SOX). Therefore, the Act requires all public companies to comply with the same regulations; it doesn’t take into consideration that small companies aren’t as complex in organizational structure as large companies. Because large corporations have complex business models, more complicated accounting practices, they already have a lot of controls in place to ensure the efficiency of their operations that are required by SOX. In other hand, smaller companies have simpler organizational structures and, thus, have slighter accounting practices, which generate simpler financial statements.
These small firms require less internal controls. Therefore, since small companies have simpler business models and less complicated accounting practices, they shouldn’t be subject to the same internal control and external auditing requirement of large companies. In the case of PacSun, this business model and accounting practice are closer from a small firm as shown this number of key controls (222 versus an average of 540 for the large companies). 13
In addition, the SOX were created to fight against corporate scandals like Enron. But the majority of these scandals have occurred in large corporations with thousand of shareholders by the intermediary of retirement/pension fund. PacSun doesn’t have the same type of shareholders and doesn’t require the same level of protection for the shareholder interests.
Therefore, although shareholder interests should be protected, SOX regulations aren’t needed for smaller firms that have simple business structures and a small number of shareholders that are unlikely to fraud themselves (entrepreneurs who start the company, their families, and public shareholders without any link between them).
Implanting SOX is a long and costly process for companies. In the case of PacSun where his market is not occupied by large companies but especially by little firms (under the $75-million cap) which don’t apply SOX, this implantation creates for PacSun a competitive disadvantage and stumps their growth by requiring them to spend excessive amounts of money and time to implement regulation. As example of costs, we have the cost of training, the implementation of a strong internal control, an increase of the size of finance/accounting departments, the fees of the audit firms…; the required amount of money is disproportionately larger in comparison with the largest firms.
Thus in conclusion, we can say that SOX were designed in priority for large and complex companies. These costs are too high in relation with the engendered benefits for small caps.
14
Recommendations for PacSun
Continue the work to reduce the number of key controls and try to improve a large part of them (better define it and really find an utility)
Check the conformity between all marketing projects and internal control before a launching Optimize the balance between internal and external auditors to reduce the work of the external auditors
Change your mind: SOX is an advantage to improve internal control
Create a training and development program with an e learning module for example
15
References
Anand, S. (2006), “Sarbanes-Oxley guide for finance and information technology professionals”, John Wiley and Sons, 2nd edition
Balakrishnan, K., Ghose, A. and Ipeirotis, P. (2007), “the Impact of Information Disclosure on
Stock Market Returns: The Sarbanes- Oxley Act and the Role of Media as an Information
Intermediary”, University of Cambridge
Bowling, D. Julien, R. and Rieger, L. (2003), “Implementation of Sarbanes-Oxley § 404:
Ensuring Compliance, Leveraging Opportunities”
Ghose, A. and Rajan. U. (2006) “The Economic Impact of Regulatory Information Disclosure on Information Security Investments, Competition, and Social Welfare” Proceedings of the
Workshop on Economics of Information Security, University of Cambridge
Gordon, L., Loeb, M., Lucyshyn, W. and Sohail, T. (2006), “The Impact of the SarbanesOxley Act on the Corporate Disclosures of Information Security Activities.” Journal of
Accounting and Public Policy, 25(5) pp. 503-530.
Grinberg, E. (2007), “The impact of Sarbanes Oxley Act 2002 on Small Firms”, Pace
University
Ramos, M. (2004), “How to comply with Sarbanes-Owley Section 404. Assessing the
Effectiveness of Internal Control”, John Wiley and Sons, Inc. Available on: http://books.google.fr/books?id=GAMR23qTQUC&dq=process+to+comply+with+section+404&printsec=frontcover&source=bl&ots= d1hZItb6F_&sig=kFBcTi73CdDEk2lceZgEN0sjH1k&hl=fr&ei=nzaySby-LaTJjAf1eHjBQ&sa=X&oi=book_result&resnum=8&ct=result#PPA21,M1
16
Appendix A : Deadline for the compliance with the different sections of the act1
1
Anand, S. (2006), “Sarbanes-Oxley guide for finance and information technology professionals”, John
Wiley and Sons, 2nd edition, page 63/64
17
18
Appendix B: Certification required by the SEC about internal controls2
2
Anand, S. (2006), “Sarbanes-Oxley guide for finance and information technology professionals”, John
Wiley and Sons, 2nd edition, page 68
19
Appendix C: Certification required by the SEC about disclosure controls3
3
Anand, S. (2006), “Sarbanes-Oxley guide for finance and information technology professionals”, John
Wiley and Sons, 2nd edition, page 69
20