Five SOX pitfalls for shipping and transport companies

Companies listed in the US are familiar with the challenging Sarbanes-Oxley Act (SOX) requirements around internal controls. Many aim to satisfy these requirements by reference to the respected COSO internal control framework.

Here are our top five areas where, in this sector, internal control deficiencies often arise:

1.     Review of assurance reports received from service organisations

Many companies use third party service organisations for processing applications or transactions. These services can be effective and efficient – but the service organisation’s internal control systems could have a significant impact on a company’s financial reporting. Where such relationships exist, the COSO framework indicates that management should, both for the service organisation and their company, document the relevant controls that mitigate the risk of errors. There should also be policies for periodic monitoring of controls and action taken to mitigate potential new risks.

In response, many companies request assurance reports on the internal controls of their service organisations. For example, they obtain a SOC or ISAE 3402 report from external vessel managers. Many assume that receiving such a report and reviewing the Independent Auditor’s Report is an adequate control measure. However, the objectives stated within these reports are set by the service organisation, not the client company. The shipping client’s own risk objectives may not necessarily align with those included in the report. It’s therefore important to check that the report is relevant for your own internal control purposes.

2.    Testing of business continuity and disaster recovery plans

COSO specifically addresses the importance of business continuity and disaster recovery plans. It highlights that these plans should be tested periodically (at least annually) and updated for changing conditions.

Based on our work with shipping and transport clients, we know that business continuity and disaster recovery plans are generally reviewed on a regular basis (usually annually). However, they are rarely subjected to an appropriate level of scrutiny and testing. It’s vital to check that these plans are truly fit for purpose so that, should the worst happen, the business can recover quickly.

3.    Classification of dry dock costs

The COSO framework focuses attention on whether management’s financial reporting philosophy, including its attitude towards estimates and judgments, tends to be conservative. In addition, biases that could affect significant accounting estimates and other judgments should be minimised. In the shipping sector, the classification of dry dock costs is a key area where an element of judgment is required and, in our experience, it’s also an area where accounting treatment is often disputed by the statutory auditor.

Making the distinction between expensed and capitalised dry dock costs requires sound business and technical knowledge as well as accounting expertise. Companies often apply a materiality threshold when considering whether costs can be capitalised. However, it is important to be aware that a large number of individually immaterial items, when considered together, could have a material impact on the financial statements. Whatever the methodology, it should not only have a rational basis and be consistently applied, but should also be documented.

4.    Related parties

Regulators are often concerned about related parties because of the impact they can have on business transactions and financial performance. The COSO framework looks not only for processes that ensure transactions are appropriately accounted for and disclosed; it also indicates that there should be appropriate policies for matters such as accepting new business and conflicts of interest. These policies and procedures should be adequately communicated throughout the organisation.

US GAAP’s definition of a related party limits this to someone related to a director or officer of the company. However, the definition under IFRS and UK GAAP goes further to include a person or a close member of that person’s family who has control, joint control or significant influence over the entity. Any US-listed shipping company complying only with US GAAP could therefore be vulnerable to transactions where there is a potential conflict of interest – perhaps where a member of key management strikes a favourable deal with a family member. If such deals go sour and become subject to media scrutiny, the business could be severely damaged. It’s important, therefore, that shipping company directors review their policies and controls around related parties to ensure their business is sufficiently protected.     
 
5.    Board effectiveness

The board has a responsibility in law to make sure that the organisation it oversees does what it was set up to do. The members of the board must have the appropriate skills and abilities, be effective and be focused on the right things. Company success depends on it. COSO also focuses heavily on the board: its tone, competency, efficacy, leadership and stewardship of the organisation for stakeholders.

We often find that board effectiveness is assumed and not appropriately dissected. A lack of relevant expertise from both directors and non-executive directors along with a poorly defined corporate charter are common deficiencies. An independent board effectiveness review is a useful tool to ensure that board dynamics and roles are suitable for the organisational environment.


If you are worried about any of the areas above, or would like to discuss SOX compliance with one of our experts, please contact us.
 
