Federal Examiner Finds Internal Control and Audit Committee Failures at Mortgage Company
A federal bankruptcy court examiner has found that a failure to establish and monitor internal controls over financial reporting substantially contributed to a company’s accounting errors and allowed those errors to go undetected. Many of the control failures related to the lack of written and effective policies for calculating accounting estimates. The examiner also found that the company’s audit committee had been deficient in a number of areas. The examiner was appointed by the US Trustee at the court’s direction to investigate accounting and financial statement errors or misstatements. (In re New Century TRS Holdings, Inc., US Bankruptcy Court for the District of Delaware, No. 07-10416).
The company, which filed for bankruptcy protection, was at one time the second largest originator of subprime residential mortgage loans. Company management had conducted its assessment of the internal controls as required by section 404 of the Sarbanes-Oxley Act and a Big Four audit firm had assessed the internal controls using PCAOB Auditing Standard No. 2.
The examiner found that the company failed to develop effective policies for performing accounting estimates requiring the exercise of considerable judgment. It did not remediate internal control deficiencies that existed at year-end despite representing to the outside auditor that it would. Overall, the company did not devote sufficient internal resources to the Sarbanes-Oxley assessment process.
In its 2004 management letter, the audit firm reported that management neglected to create adequate documentation evidencing the appropriate application of GAAP in certain areas. The same findings were not made in 2005 even though the auditor found in the 2005 Sarbanes-Oxley audit that the company continued to lack written policies in several key accounting areas, including loan losses and repurchase reserve. The examiner said that there was no sufficient explanation for why the auditor reached a different conclusion in 2005.
Despite the company’s failure to adopt adequate repurchase reserve policies for the second year in a row, the outside auditor concluded that this deficiency was inconsequential and did not report it to the audit committee. Moreover, in the examiner’s opinion, the audit engagement team failed to appreciate the impact of material, improper changes in the methodology for calculating the repurchase reserve.
According to the examiner, the company’s failure to develop policies for calculating the repurchase reserve was at least a significant deficiency, if not a material weakness, in its internal control environment that contributed to a material misstatement in its financial reports. The examiner also concluded that management did not sufficiently test and evaluate the severity of, and the auditor did not sufficiently review, the allowance of loan losses controls during the 2005 Sarbanes-Oxley audit.
Separately, the examiner found that the audit committee was deficient in a number of areas. The audit committee did not ensure that management conducted an adequate analysis of entity-wide risk, nor did it ensure that key operational risks were addressed. Further, the audit committee did not adequately supervise or make effective use of internal audit.
Sound corporate governance dictates that the audit committee guide an entity-wide risk management process, said the examiner. Moreover, under the audit committee’s supervision, internal audit should provide assurance to the audit committee on the effectiveness of a company’s entity-wide risk management program.
While neither section 404 nor the regulations adopted under it specifically assign any role to the audit committee in connection with management’s internal control assessment or the auditor’s attestation, noted the examiner, the auditor should take a significant interest in reviewing the annual 404 internal control assessment, the auditor’s attestation, and the process by which both were arrived at. In the examiner’s opinion, this review should include presentations by management and the external auditor at audit committee meetings regarding the 404 internal control report and attestation.