Last week Koss, the manufacturer of high quality head phones, disclosed that their principal accounting officer had embezzled between $4.5 million and $31 million between 2005 and December, 2009. The advocates of requiring small issuers to annually file integrated audit reports on their respective internal control systems immediatley pointed at Koss as justification for requiring the implementation of 404(b) beginning in June, 2010. Is this adequate justification? For several reasons, I don’t believe it is.
This was an intentional fraud. Neither financial statement nor internal control audits are designed to guarantee the detection of fraud. Yes, an internal control audit would have disclosed the existence of significant deficiencies and material weaknesses. An expanded internal control review might have even stumbled across the defalcation. More likely it would have only resulted in an adverse opinion on the internal control systems by the company’s auditor. This could have been an alert to investors, but more likely it would have been ignored as the SEC’s own studies have indicated. Integrated audits have not resulted in a higher level of confidence by investors. Fraud audits for all issuers require a lower level of materiality that can not be justified economically.
If in this particular case the amount embezzled was material for any of the five years effected it would seem that it should have been detected under normal financial statement audit procedures in at least one year. A failure by the audit firm to properly complete an audit is not justification for adding another layer of regulation on small issuers under SOX.
The company had retained the same national audit firm for the past five years. Based on the professional fees disclosed in the proxy statement it is possible that Koss was a small fish in the big pond of this national firm and may or may not have gotten the service it needed and deserved. Some large national firms have been known to ‘rank’ their clients. If you are not the big dog on the porch you are not likely to get the same level of expertise, experience and service as the bigger clients.
Cost. Certainly for Koss the cost of an ICFR program – including both the external audit fees and the internal program costs – would have been less expensive than the amount embezzled, but requiring all firms to bear a cost to ‘potentially’ prevent an occasional fraud loss of this type is ridiculous. Theoretically, 404(b) would cost a firm similar in size to Koss, $250,000 annually (ballpark WAG). One-third to one-half of that being for the external auditors. So the investors in Koss would have been out something in excess of a million dollars. The cost/benefit equation for requiring this universally just wouldn’t seem to balance, unless you subscribe to the premise that something graeter than 10% of all statements are fraudulent.
There are already criminal and civil penalties in place to protect the investor from this type of malfeasance as we’ve discussed in our prior posts. Another in the form of 404(b) is not needed. The responsibility to the shareholders rightfully lies with the Audit Committe of the Board, the Board of Directors and management. If more company oversight is needed and beneficial those charged with governance are ostensibly sophisticated enough and in the best analytical position to know and provide it.
I still view the cost of 404(b) as an ineffective unsupportable dissipation of investors equity. We’ve had some great dialog on this topic in the past. Did I change anyone’s mind?