A couple of posts ago, I waded in on the infamous Reinhard & Rogoff spreadsheet error, in an attempt to extract lessons of a cautionary nature for accountants of public companies.
Since then, two interesting developments have occurred. First, I stumbled upon a research report published by the Financial Executives Research Foundation (FERF), which indicated that spreadsheet solutions — as opposed to automated processes — are still prevalent among the public and private companies studied. It’s nice to have some indication that my concerns regarding widespread control issues amount to something more than mere academic musings.
The second development to occur serves as the motivation for this spreadsheet encore: Ken Baker, whose research I referred to in that earlier post, emailed me the ZeroHedge analysis of a pretty consequential JPMorgan spreadsheet error; which although it did not seem to affect the financial statements, did affect important MD&A disclosures. I found similar coverage of the JPMorgan error in other online news outlets, but my admittedly cursory reading found no discussion of the question of how regulators might/should react to the error — and ensuing disclosures.
Background: The SEC’s Market Risk Disclosures and The Nature of the Spreadsheet Error
Public companies are generally required to provide disclosures in annual and quarterly reports about their positions in market-risk sensitive instruments. The rules governing these disclosures are set forth in Regulation S-K, Item 305, and the financial institutions that must comply with these rules often choose (it’s one of three allowed alternatives) to disclose estimates of “Value at Risk” (VaR) for some of their portfolios.
Without going into the calculations, a VaR disclosure goes something like this:
There is an x% probability that our losses on a portfolio could exceed $y over a z-day period.
In reading their disclosures, it looks like JPMorgan picks 2.5% for x and 100 days for z for all of their market-risk sensitive portfolios. For the portfolio for which a spreadsheet error was discovered (the financial instruments managed by its Chief Investment Office), the VaR numbers reported prior to the discovery of the spreadsheet area were on the order of $90 million dollars. The problem was that a spreadsheet error had the effect of understating VaR by about 50%. In other words, the portfolio was much riskier than JPMorgan reported, or may have been aware of themselves.
VaR statistics were calculated by financial institutions for internal purposes years before they found their way into SEC filings. Analysts consider them to be significant disclosures in part because they indicate how banking risks are being managed, and it seems that the spreadsheet JPMorgan utilized to calculate its VaRs was fittingly complex. According to Forbes:
“[The internal] Task Force Report into the Chief Investment Office’s $6 billion-plus loss [aka the “London Whale” fiasco] found the bank’s Value at Risk (VaR) was being calculated with an Excel spreadsheet that ‘required time-consuming manual inputs to entries and formulas, which increased the potential for errors.’ At another point the report found “the model operated through a series of Excel spreadsheets, which had to be completed manually, by a process of copying and pasting data from one spreadsheet to another.'” [emphasis added]
How Could a Spreadsheet Error Nail a CEO?*
Prior to 2002, there would have been no way to link a spreadsheet to a CEO. But, S-Ox changed that. It was enacted to protect the public from future implosions like Enron and Worldcom. But even before these terrible events, there was Cendant, which set the record (that stood for only a few years) as the largest fraud in U.S. history. Prosecutors claimed that dozens of Cendant’s SEC filings contained fraudulently inflated financial results. Yet, it still took eight years and three trials for the U.S. Attorney to win a conviction of CEO Walter Forbes on what, to the celebrated man in the street, would seem to be an open and shut case. This excerpt from the testimony of Forbes in one of the trials illustrates one reason prosecutors tore their hair out in frustration:
Q: In fact you signed all of the Qs and the Ks during the period when you were the CEO of the company?
A: Yes, I did.
Q: Okay. But let me understand. Is it your testimony that you didn’t always read these documents?
A: That’s correct. . .
Q: Okay. And at best, you skimmed it?
A: As I said before, I think occasionally I may have skimmed some of them; occasionally I may have read part of some.
Q: So your signature on this document [a 10-Q] is almost worthless then, isn’t it? [emphasis added]
MR. SULLIVAN: Objection.
THE COURT: Sustained.
In the wake of these scandals, I think it is fair to say that Congress and the public were incredulous to learn that CEOs or CFOs were not required to certify the accuracy of filings made by their company; or even to read the reports that bore their signatures.
Consequently, a main theme of S-Ox is to to place responsibility on those presumed to be in the best position to catch and police bad practices. Most germane to the specific case of JPMorgan’s erroneous VaR disclosures, Sections 302 and 906 of S-Ox established the following:**
- The CEO and CFO are to separately certify in each annual and quarterly report, that they have actually reviewed the report, and that based on their knowledge, the report does not contain an untrue statement of a material fact, or omit to state a material fact.
- The CEO and CFO must acknowledge that they are responsible for designing, evaluating and reporting on the effectiveness of Disclosure Controls and Procedures (DC&P) that ensure to a reasonable degree that material information is made known to them, particularly during the period in which the annual or quarterly report is being prepared.
- The CEO and CFO must state that they have evaluated the effectiveness of DC&P as of a date within 90 days prior to the filing of the annual/quarterly report.
- CEO/CFO civil liability under the Exchange Act, and criminal liability (including significant jail time) for “knowingly” or “willfully” signing a false certification.
Are these provisions of S-OX fair to the thousands of honest CEO/CFOs and the shareholders in their companies? I dunno. Have these provisions been effective in deterring misinformation and fraud? Many say yes, but a huge source of public frustration arising out of the 2008 financial crisis is that no CEO has even been prosecuted for playing a part in the immense value destruction that occurred, much less convicted of a crime.
Is it plausible that JPMorgan’s VaR spreadsheet error could lead to sanctions of its CEO or CFO under S-Ox?
On the one hand, every accounting major knows that no system of controls will prevent every error; hence, the fact of JPMorgan’s misstatement does not necessarily trigger even civil liability. But, once such a high-profile does occur, it seems to me that there can be no reason for the SEC to let it go without making further inquiries. Did spreadsheet controls consistent with the DC&P requirements exist; were they reasonably designed to detect an error; or did an error occur because the system of controls did not operate as designed? These are all questions the SEC should be asking JPMorgan as a matter of course.
The public deserved to know from JPMorgan how it came to be that a too-big-to-fail bank grossly underestimated its risk profile. Even if a civil enforcement action isn’t warranted, there is nothing to keep the SEC — through the normal review processes conducted by its Division of Corporation Finance — from issuing a comment letter to JPMorgan, which, along with JPMorgan’s response will eventually become public.
I wonder, though, if the SEC has decided to let sleeping dogs lie. After all, other government agencies have other bones to pick with JPMorgan, and they have been doing it in public. Interestingly, in a NYT report describing the recent spate of attacks on JPMorgan by regulators, nothing about the VaR spreadsheet error is mentioned. But, the spreadsheet story gets a lot worse than what I have let on so far:
- In the period after the spreadsheet error allegedly became known to JPMorgan, the analysis by ZeroHedge sure makes it look like that JPMorgan provided misleading statements about the reason for the large increase in VaR in the periodic filing following the discovery (and apparent correction) of the spreadsheet error.
- ZeroHedge also states that the spreadsheet error did not become public knowledge until the distribution of the report of the task force put together to investigate the London Whale debacle.
As to JPMorgan’s motivation to cover-up their error, it is not unreasonable to assume that fear of the consequences under the S-Ox DC&P requirements attaching to their CEO and CFO was at least part of the reason. Moreover, an evasion strategy might have worked if not for the revelations in a task force report on a seemingly unrelated matter.
But, was it worth the risk? It would seem that the VaR spreadsheet error by itself would have amounted to at most a civil violation under the purview of the SEC. The discovery of an alleged cover-up, however, may have escalated the violation from a civil to a criminal case. As opposed to the SEC, that’s a question for the Department of Justice to investigate.
Let’s see if they do, and if in the process this turns into the Wall Street equivalent of Watergate.
*General disclaimer: I am not an attorney, and it is not my intention to allege any new facts or violations. My intent is to rely on other sources for the factual basis of my analysis. All references to S-Ox and other laws and regulations are only a summary of my general understanding. They should not be relied upon for making inferences to this case, or similar facts and circumstances.
**Basically, Section 302 is more inclusive and requires specific actions by the CEO and CFO, Section 906 focuses on the mental state of the certifying executive.