2. Required disclosure about internal control deficiencies
Item 307 of Regulation S-K, ‘‘Disclosure Controls and Procedures,’’ requires firms to report on the effectiveness of the registrant’s controls and procedures.1 Registrants need to disclose their conclusions regarding the effectiveness of internal controls in their report. They are also required to report changes to the internal control system and disclose whether these changes were to remediate material weaknesses or significant deficiencies.2
There is no explicit requirement that firms disclose material weaknesses to the public under Section 302. However, Item 307 of Regulation S-K makes it difficult for firms to comply with the regulation and not disclose an identified material weakness. Item 307 requires firms to disclose whether or not their control systems are effective, and it is likely that firms will be compelled to conclude that their control systems are ineffective if they discover a material weakness. In contrast, firms are only required to report significant deficiencies if they make changes to their internal control systems to remediate them.3
Disclosure of material weaknesses and significant deficiencies are similar under Section
404 of SOX but the assessments of internal control systems are more extensive. Under Section 404, registrants are required to undertake a more formal evaluation of internal control systems and auditors are required to report on management’s assessment. Firms were required to make significant investments to evaluate their internal control systems and comply with Section 404. In the process, firms reported ICDs that they discovered in their preparation for Section 404 compliance even before Section 404 became effective.4
2.1. Assumptions about voluntary versus mandatory disclosure in ACK and DGM
The primary difference between ACK and DGM is the assumption made about the extent to which incentives to discover ICDs vary across firms and the extent to which disclosure of ICDs is voluntary. ACK view the ultimate disclosure of an ICD as the combination of three conditions: (1) the presence of an ICD, (2) the detection of an ICD, and (3) the disclosure of an ICD. Accordingly, they make predictions about factors that influence the likelihood of each of these conditions. ACK offer several reasons for incentives to discover and disclose ICDs to vary across firms. First, prior to Section 404, the procedures firms must use to evaluate controls and procedures are not specified. Therefore, differences in the effort firms make to discover ICDs could give rise to variation in ICD disclosure. Second, the authors point to the fact that disclosure of significant deficiencies is not required. Third, there is ambiguity in the definitions of material weaknesses and significant deficiencies, which would allow firms some latitude in disclosure by the way they classify the ICDs (material weaknesses versus
significant deficiencies).