Risk & Compliance

Risky Business: SEC Focuses on Internal Controls

A decline in accounting fraud has freed up time for SEC staff to prioritize internal controls over financial statements.
Howard ScheckNovember 16, 2016
Risky Business: SEC Focuses on Internal Controls

(Editor’s note: The author is a former chief accountant of the Securities and Exchange Commission’s Division of Enforcement.)

A developing trend in the SEC’s approach to accounting enforcement has increased risk for public companies in the area of internal controls over financial reporting (ICFR).

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

Howard Scheck

Howard Scheck

Specifically, SEC enforcers have been investigating and prosecuting a broader range of ICFR violations than ever before, raising the stakes for officers certifying SEC filings and others involved in financial reporting. Due to the heightened risk, it is helpful to understand why the SEC has expanded its focus and to consider strategies to minimize exposure and potential consequences.

SEC enforcers have always been interested in investigating allegations of accounting fraud and prosecuting those responsible for “cooking the books. On the other hand, enforcers often viewed ICFR violations as ancillary — either “add-ons” in fraud cases or as fallbacks in non-fraud settlements.

In recent times, however, the SEC has been viewing ICFR issues as primary considerations during investigations, potentially prosecuting conduct that would not have been pursued in the past, even in the absence of a restatement of previous filings.

For instance, SEC staff has been focused on whether companies have properly identified material weaknesses, or have done so in a timely manner. While prosecutions solely along these lines have been limited thus far, the risks of getting caught-up in a controls-focused inquiry have been increasing for companies that have restated financials or have otherwise gotten onto the SEC’s radar.

Specific issues that investigators have been addressing include whether a material weakness: (1) existed in a reporting period before a restatement; (2) was adequately described as to scope; (3) existed, even if there was no material error; and (4) existed in connection with controls and procedures for disclosure, or in connection with 302 certification processes.

Relating to independent auditors, SEC staff has been focusing on the adequacy of the firm’s processes in connection with illegal acts under Section 10A of the Securities Exchange Act.

Companies could be charged with ICFR violations in accounting and bribery actions since the Foreign Corrupt Practices Act (FCPA) was enacted in 1977, while sections 404 and 302 of the Sarbanes-Oxley Act have been around since 2002.

The SEC’s expanded focus may seem surprising, given that past and present chairmen have long stressed financial-statement integrity and transparent disclosures as bedrocks of fair and efficient securities markets. However, the lower incident rates of accounting fraud and less-significant restatements in recent times appear to have caused prosecutors to shine their light more closely on ICFR.

The Dwindling of Accounting Fraud

Pre-Sarbanes-Oxley, and for a time thereafter, accounting prosecutions — including fraud and non-fraud cases — averaged about 25% of all SEC enforcement actions per year. However, after peaking at 31% in 2007, accounting actions dropped to just 10% in 2013.

While that rate has increased to about 17% in the past few years, whether it will go much higher remains unclear. Accounting scandals such as Enron and WorldCom have just not been as prevalent, nor has there been a recent pervasive accounting abuse, such as China-reverse-merger frauds or stock-options backdating.

Fewer incidents of accounting fraud is, of course, good for investors, but less fraud will give enforcers more time, and perhaps incentive, to focus on potential ICFR violations, which historically had been secondary considerations.

Nowadays, the SEC is likely to target potential ICFR violations at the outset of investigations and to continue pursuing them even when there is no fraud found, or even indicia of bad faith. Thus, errors that appear to have arisen from honest mistakes and restatements with few fraud risk factors may be pursued.

Additionally, the SEC does not need to prove fraudulent intent to establish ICFR violations, making potential enforcement hurdles easier to overcome.

Risks of Material Misstatement

For instance, the SEC has been pursuing whether material weaknesses should have been reported sooner or whether ICFR was designed, or operated in a manner, that created an unidentified risk of material misstatement.

In such circumstances, a clean audit opinion and Sarbanes-Oxley Section 404 report may not insulate CEOs, CFOs, and others who sign or certify SEC filings from having to respond to an SEC inquiry questioning whether they exercised reasonable judgment, or had adequate support for accounting, disclosure and ICFR-related decisions.

While the SEC could decline to investigate or prosecute actual or suspected ICFR violations, considering them to be minor infractions best dealt with by enhancing systems and remedial actions, convincing SEC staff to do so is becoming harder.

Certain strategies to minimize consequences, should staff start “second guessing” accounting-related conclusions, include:

  • Maintaining contemporaneous documentation for critical accounting, disclosure, and ICFR-related judgments, including those made by auditors concerning Section 10A
  • Performing and regularly updating risk assessments, including those relating to fraud and corruption
  • Taking a fresh look at how potentially material information is gathered and reviewed for disclosure consideration in connection with quarterly 302 certification processes
  • Reviewing how the severity of identified control deficiencies are evaluated
  • Ensuring that qualitative materiality factors are considered and documented when assessing accounting and disclosure issues, especially when there are financial reporting red flags
  • Using appropriate legal and forensic accounting experts to investigate anomalies, including early notification to independent auditors about potential illegal acts
  • Ceasing any problematic conduct and working promptly to enhance controls
  • Self-reporting to, and cooperating with, the government in appropriate circumstances

A Commitment to Integrity

While engaging in these practices cannot shield companies and individuals from getting caught up in an SEC inquiry, enforcers like to see a tone that is focused on investor protection.

Therefore, demonstrating a commitment to financial reporting integrity ― before an incident occurs and during the handling of an incident ― positions subjects to be viewed in the most favorable light by SEC staff, thus increasing the odds of a favorable outcome.

Howard Scheck, a former chief accountant with the SEC’s Division of Enforcement, is a partner with StoneTurn in Washington, D.C.