You probably recall that, under SOX 404(b), all public reporting companies, other than non-accelerated filers and EGCs, are required to obtain an auditor attestation regarding the effectiveness of their internal control over financial reporting (ICFR). SOX 404(a) requires all public reporting companies, including non-accelerated filers, to provide an assessment of ICFR by management. An analysis by Audit Analytics of SOX 404 reporting on ICFR over 14 years showed that the number of adverse auditor attestations—auditor attestations indicating ineffective ICFR—followed different trend lines than management-only assessments.
A new rulemaking petition advocating that the SEC mandate environmental, social and governance disclosure under a standardized comprehensive framework has just been submitted by two academics and multiple institutional investors, representing over $5 trillion in assets. Not only is ESG disclosure material and relevant to understanding long-term risks, the petition contends, but the variety of approaches currently employed highlights the need for a more coherent standard that will provide clarity, completeness and comparability. In the past, concerns have been raised about whether uniform disclosure rules could really be effective for ESG. Can those concerns be overcome?
Are we just reading the wrong newspapers and reports or does it seem that auditors—although they spend hours and hours performing audits—rarely identify instances of fraud? Most companies rely on their auditors to uncover irregularities and breathe a sigh of relief when the audit comes up “clean.” Is that reliance misplaced? Probably so, according to this article from CFO.com. “Audits almost never find fraud,” the author writes; the data shows that “external audits find it 4% of the time, and internal 15%.” Instead, the author suggests, to detect fraud, management should look in a different direction.