How Is SOX Compliance Part of ERM? This Is How

I never expected the Securities and Exchange Commission to appreciate Throwback Thursdays—but that’s what we saw from the SEC yesterday, when it served up a good old-fashioned enforcement action for faulty evaluation of internal controls.

The target was Magnum Hunter Resources Corp., an oil services company in Texas (with a name like that, where is else would it be?) that filed for bankruptcy in December. The poor oversight in question occurred from 2011 through 2013, and ultimately led to sanctions for the company, two former executives, its external auditor, and a consultant hired to perform internal audit functions.

Compliance professionals today get so swept away in Dodd-Frank Act rules, cybersecurity, anti-bribery training, and the like that we sometimes forget: Sarbanes-Oxley compliance is still a thing. What’s more, problems with SOX compliance usually suggest more fundamental issues at your organization. The saying is, “SOX compliance is only one part of enterprise risk management.” The Magnum case shows how true those words are; if your SOX compliance is failing, bigger failures are likely to blame. That’s what happened here, so let’s discuss.

First, the cast of characters. Ronald Ormand and David Kreuger are the former chief financial and chief accounting officers, respectively, of Magnum Hunter. Joseph Allred was an outside consultant working on internal controls for the company. Wayne Gray was a CPA working as Magnum Hunter’s external auditor. All four of them managed to misapply SEC rules about identifying weaknesses in internal control over financial reporting, until the company unraveled in late filings and an SEC probe.

What went wrong? For starters, the company grew like weeds from 2009 through 2011, largely through acquisitions. According to the SEC complaint, Magnum Hunter went from $6 million in revenue in 2009, to $23 million in 2010, to more than $100 million by mid-2011—thanks to three acquisitions totaling $647 million.

Throughout that period, Magnum Hunter’s accounting staff was not resourced to the levels necessary to keep pace with that growth. By late 2011, the department was so overwhelmed it gave up closing the books monthly in favor of a quarterly close. Reconciliations were not prepared or not reviewed in a timely manner; documentation was slipshod. At one point, Krueger (the chief accounting officer) signed off on Magnum Hunter’s third-quarter 2011 filing five days after the Form 10-Q was filed with the SEC. That’s bad.

OverwhelmedAllred, the outside consultant, did cite inadequate staffing as an issue. By February 2012 he sent a report to Magnum Hunter’s audit committee that said: “The potential for error in such a compressed work environment presents substantial risk.” You can’t get much clearer than that.

Still, Allred only flagged the problem as a significant deficiency rather than a material weakness, and the company had not experienced any material error yet—so Ormand and Kreuger decided to interpret those circumstances to mean no, the company did not have any material weaknesses in its ICFR. And since management is required to disclose only material weaknesses, Magnum Hunter kept issuing management assertions that ICFR was just fine.

What about the external auditor? Gray essentially was parroting Allred’s behavior. He, too, warned the audit committee that manpower issues “increase the possibility of a material error occurring and being undetected and reduces the Company’s ability to file its 10-K on time.” He, too, only flagged the problem as a significant deficiency rather than a material weakness. As the SEC says, “The audit work papers failed to adequately document the basis for this conclusion.”

Lessons to Learn

First, let’s note what a material weakness is: any weakness that creates a reasonable possibility (“more than remote but less than likely,” according to the SEC) that a material error might happen and go undetected. Both Allred and Gray used phrases like “substantial risk” (Allred) or “there is not adequate internal control over financial reporting due to inadequate staffing” (Gray). That sounds like a material weakness to me. I won’t speculate on their motives, but their decisions to classify the problem only as a significant deficiency served the interests of Ormand and Kreuger, who presumably did not want to disclose that their ICFR was rickety.

The bigger lesson to learn, however, is about where Magnum Hunter’s problems fit into the COSO framework of good internal control. Problems of staffing are problems in the control environment—and if you have problems in the control environment, that should be a full-stop moment. That part of the COSO framework has five principles, including “exercises oversight responsibility” (Principle 2), “demonstrates commitment to competence” (Principle 4), and “establishes structure, authority, and responsibility” (Principle 3).

Granted, Magnum Hunter’s failings happened before those principles were fully articulated in COSO’s revised 2013 framework—but weaknesses in staffing are nothing new for ICFR. Compliance Week did a study of material weaknesses in 2006, and lack of skilled staff was the top problem then.

What we had here was an enterprise risk—too much growth too quickly, staffing details be damned—that first manifested as an ICFR failure. Management and auditor turned a blind eye to the SOX compliance problem here, but that didn’t mean the underlying risk went away. It waited there until it exploded in 2013. That is what we mean by SOX compliance as a subset of enterprise risk.

The epilogue to this story: eventually Magnum Hunter sent CFO Ormand packing and switched audit firms. In April 2015 the company published an 1,174-word update stressing that it did not need to restate any financials, and that it went on an accountant hiring binge to seal up its material weaknesses. It’s just a shame that prior executives played fast and loose with the control environment until it led to meltdown.

1 Comments

  1. […] March 11, 2016 | How Is SOX Compliance Part of ERM? This Is How […]

Leave a Comment

You must be logged in to post a comment.