Jan 10

Would SOX 404(b) Have Protected Koss?

Last week Koss, the manufacturer of high-quality headphones, disclosed that its principal accounting officer had embezzled between $4.5 million and $31 million between 2005 and December, 2009. The advocates of requiring small issuers to annually file integrated audit reports on their respective internal control systems immediately pointed at Koss as justification for requiring the implementation of 404(b) beginning in June, 2010. Is this adequate justification? For several reasons, I don’t believe it is.

This was an intentional fraud. Neither financial statement nor internal control audits are designed to guarantee the detection of fraud. Yes, an internal control audit would have disclosed the existence of significant deficiencies and material weaknesses. An expanded internal control review might have even stumbled across the defalcation. More likely it would have only resulted in an adverse opinion on the internal control systems by the company’s auditor. This could have been an alert to investors, but more likely it would have been ignored, as the SEC’s own studies have indicated. Integrated audits have not resulted in a higher level of confidence by investors. Fraud audits for all issuers require a lower level of materiality that cannot be justified economically.

If in this particular case the amount embezzled was material for any of the five years affected, it would seem that it should have been detected under normal financial statement audit procedures in at least one year. A failure by the audit firm to properly complete an audit is not justification for adding another layer of regulation on small issuers under SOX.

The company had retained the same national audit firm for the past five years. Based on the professional fees disclosed in the proxy statement it is possible that Koss was a small fish in the big pond of this national firm and may or may not have gotten the service it needed and deserved. Some large national firms have been known to ‘rank’ their clients. If you are not the big dog on the porch you are not likely to get the same level of expertise, experience and service as the bigger clients.

Cost. Certainly for Koss the cost of an ICFR program – including both the external audit fees and the internal program costs – would have been less expensive than the amount embezzled, but requiring all firms to bear a cost to ‘potentially’ prevent an occasional fraud loss of this type is ridiculous. Theoretically, 404(b) would cost a firm similar in size to Koss $250,000 annually (ballpark WAG), one-third to one-half of that being for the external auditors. So the investors in Koss would have been out something in excess of a million dollars. The cost/benefit equation for requiring this universally just wouldn’t seem to balance, unless you subscribe to the premise that something greater than 10% of all statements are fraudulent.

There are already criminal and civil penalties in place to protect the investor from this type of malfeasance, as we’ve discussed in our prior posts. Another in the form of 404(b) is not needed. The responsibility to the shareholders rightfully lies with the Audit Committee of the Board, the Board of Directors and management. If more company oversight is needed and beneficial, those charged with governance are ostensibly sophisticated enough and in the best analytical position to know and provide it.

I still view the cost of 404(b) as an ineffective, unsupportable dissipation of investors’ equity. We’ve had some great dialog on this topic in the past. Did I change anyone’s mind?

Comments

One Response to “Would SOX 404(b) Have Protected Koss?”

  1. Richard Archer on April 23rd, 2010 9:25 am

    Although I have had a lot of business over the last 8 years providing SOX compliance services to companies, I agree completely with the premise of this article that SOX 404(b) would probably not have either prevented or discovered the fraud at Koss. From comments by the CEO, it was clear that he placed no value on internal controls in any significant form. His lack of real business experience in any environment other than Koss and his total abdication of oversight in favor of trust placed in the principal accounting officer would likely have resulted in him finding ways to excuse the improper actions of the accounting officer, even if they had been identified. And, if the company had already been subject to 404(b) external audit of controls requirements, it could have minimized the potential for an adverse controls opinion by designing 2nd person review/approval procedures that could have given the appearance of effective control design and operation without actually providing any cross-check on control failure risk as a result of segregation of duties. As mentioned in the article, the size of the fraud was significant enough that normal auditing procedures, if the auditors had applied a reasonable level of auditor skepticism, should have been adequate to identify the fraud without SOX 404(b).

    However, I disagree with the view that SOX compliance does not provide benefits to smaller companies in relation to the costs incurred. Basically, I challenge the SOX compliance costs presented in the article. Any public company the size of Koss ($50 million in revenues) that is paying $250,000 even for 1st year compliance either has near zero internal controls at any level or is being grossly overcharged for both its compliance and internal control audit. Under AS 5, COSO for Smaller Public Companies, and the SEC’s guidance to management, there is no reason that a company under $100 million in revenue should be paying more than $100 thousand for compliance and $25 thousand additional for a 404(b) audit under the single audit, single report approach allowed under AS 5. In fact, for companies in the size range of Koss, there are tools & compliance methods available that should allow compliance for even less. And, as I’ve stated, that should only be for 1st year compliance. Compliance in subsequent years should be lower than that by at least 25%. If your company is a smaller public company and is paying $250,000 for SOX compliance, you need to find a new advisor or bring someone in to assist you in defining a more cost-effective approach and negotiating with your external audit firm to achieve effective audit compliance meeting all standards at a lower cost to the company.
