Internal Accounting Controls Requirements for Issuers
Under federal law, public companies are responsible for devising and maintaining a system of internal accounting controls sufficient to reasonably assure that:
- transactions are executed in accordance with management authorization;
- transactions are recorded as necessary to:
  - permit preparation of financial statements in conformity with GAAP; and
  - maintain accountability for assets;
- access to assets is permitted only in accordance with management authorization; and
- recorded accountability for assets is compared with the existing assets at reasonable intervals, and appropriate action is taken regarding any differences.
Qualifying for a SEC Whistleblower Award
Common Inadequate Internal Accounting Controls
Over the past few years, the SEC has increasingly enforced rules that require companies to maintain sufficient internal controls over financial reporting (“ICFR”). Despite this, a recent report by the Public Company Accounting Oversight Board (“PCAOB”) revealed that one of the most frequent audit deficiencies continues to be inadequate internal accounting controls. Violations include:
- failing to devise and maintain adequate internal controls, as specified under Section 13(b)(2)(B) of the Securities Exchange Act of 1934 (“Exchange Act”);
- failure by management to evaluate the effectiveness of ICFR as of the end of each fiscal year, as required by Exchange Act Rule 13a-15(c);
- failure to maintain evidential matter, including documentation, to provide reasonable support for management’s assessment of the effectiveness of the ICFR, as required by Item 308 of Regulation S-K; and
- invalid certifications by the executives and financial officers that confirm that the Form 10-Q or 10-K does not contain any untrue statement of material fact or omit to state a material fact necessary to make the statements not misleading in light of the circumstances under which the statements were made, as required by Exchange Act Rule 13a-14.
Purpose of Internal Accounting Controls
Maintaining adequate ICFR provides companies, investors, and other interested parties with reasonable assurance that misstatements, omissions, and fraud will be prevented or detected in a timely manner. This assurance is especially critical at a time when external auditors have consistently failed to identify flaws in public companies’ ICFR.
In 2016, the PCAOB inspected 12 publicly traded companies audited by PwC and found deficiencies in 10 of the audits related to testing controls for purposes of the ICFR opinion. PwC revised its opinion on internal controls in 6 cases. At Deloitte, the PCAOB identified problems in the internal-control audit for all 13 of the audits selected.
Internal Controls Prevent and Reveal Fraud
Recent ground-breaking research about internal control deficiencies underscores the critical role of internal controls in detecting and preventing fraud. In an August 2017 article titled Internal Control Weakness and Financial Reporting Fraud published in Auditing: A Journal of Practice & Theory, the authors demonstrate a strong correlation between material weaknesses and future fraud revelation. A summary of the article in CFO notes that about 30% of fraud revelations were preceded by reports of material weakness.
Inadequate Internal Accounting Controls Lead to $22M SEC Whistleblower Reward
In a recent enforcement action, on August 30, 2016, the SEC issued a $22 million-plus award to a whistleblower who exposed that Monsanto had inadequate internal accounting controls to account for millions of dollars in rebates. Monsanto’s deficient controls caused it to materially misstate its earnings during a 3-year period. While the SEC investigation found no personal misconduct, the company was fined $80 million for the accounting violations.
SEC Chairman Mary Jo White stated, “Financial reporting and disclosure cases continue to be a high priority for the Commission and these charges show that corporations must be truthful in their earnings releases to investors and have sufficient internal accounting controls in place to prevent misleading statements.”
Additional SEC Enforcement Actions Against Inadequate Internal Accounting Controls
Failure to Report Tax Liabilities of Controlled Foreign Subsidiary
On January 23, 2017, Overseas Shipholding Group Inc. (OSG) agreed to pay a $5 million fine to the SEC to settle charges that it failed to report hundreds of millions of dollars in tax liabilities for over a decade. According to the SEC’s order, OSG and its former chief financial officer, Myles Robert Itkin, failed to report a controlled foreign subsidiary’s federal income tax liabilities in financial statements from 2000 through 2012. This failure caused the company to significantly understate its net loss in that same period and ultimately file for bankruptcy in 2012.
Gerald Hodgkins, Associate Director of the SEC’s Enforcement Division, stated, “Where public companies derive economic benefits from their offshore earnings, it is critical that those responsible for the company’s accounting and financial reporting understand the federal income tax consequences triggered from these benefits.”
Improper Revenue Recognition
On January 11, 2017, the SEC fined an aerospace contractor, L-3 Technologies Inc., $1.6 million for improperly recording revenue on contracts. In late 2013, L-3 realized that it was at risk of not meeting its performance target. In order to inflate revenue, and in violation of L-3’s revenue recognition policy, the VP of Finance directed employees to generate roughly 69 invoices and then recognize $17.9 million in income. This extra revenue allowed L-3 to meet its performance target and qualify for incentive bonuses. This practice of improperly recognizing revenue was not uncommon.
In total, L-3’s inadequate internal controls for revenue recognition led to inflated pre-tax income of $169 million. This caused the company to amend its SEC filing in October 2014. SEC Director Andrew Calamari noted, “[a]dequate internal accounting controls function as a critical safeguard against the type of improper revenue recognition that occurred at L3.”
Failure to Maintain Adequate Internal Controls to Prevent Insider Trading
On August 21, 2017, hedge fund Deerfield Management Company L.P. paid approximately $4.6 million to settle charges that it failed to maintain adequate controls to prevent the misuse of inside information. According to the SEC’s complaint, a former government employee with inside information about upcoming CMS decisions concerning Medicare and Medicaid reimbursement rates related to cancer treatments or kidney dialysis tipped two analysts at a hedge fund. The hedge fund was paying him approximately $193,000 to provide political intelligence consulting. The hedge fund’s use of this suspicious information violated its procedures barring insider trading.
Insufficient Controls Resulting in Unauthorized Payments to Executives
On December 11, 2017, the SEC took enforcement action against a biotechnology company for its failure to maintain sufficient controls surrounding the reporting and disclosure of travel and entertainment expenses submitted by its executives. The company’s former CEO treated the company “as his personal piggy bank,” obtaining millions of dollars from the company using limited, fabricated, or non-existent expense documentation, and these unauthorized perks and benefits were not disclosed to investors. Examples include cosmetic surgery for friends and personal travel. The company’s “insufficient internal accounting controls contributed to and failed to detect these improper and unauthorized payments, which were not accurately recorded in the company’s books and records.”
SEC Whistleblower Rewards and Bounties
Under the SEC Whistleblower Program, whistleblowers may be eligible for monetary awards when they voluntarily provide the SEC with original information about violations that leads the SEC to bring a successful enforcement action that results in monetary sanctions exceeding $1 million. Whistleblowers are eligible to receive between 10% and 30% of the monetary sanctions collected.
Whistleblower Protections for SEC Whistleblowers
The SEC Whistleblower Program also protects the confidentiality of whistleblowers and does not disclose information that might directly or indirectly reveal a whistleblower’s identity. And the Dodd-Frank Act protects whistleblowers from retaliation by their employers for reporting violations of securities laws.
In addition, the whistleblower protection provision of the Sarbanes-Oxley Act protects disclosures about deficient internal controls. On the fifteenth anniversary of SOX, leading whistleblower law firm Zuckerman Law released a free guide to the SOX whistleblower protection law: “Sarbanes-Oxley Whistleblower Protection: Robust Protection for Corporate Whistleblowers.” The guide summarizes SOX whistleblower protections and offers concrete tips for corporate whistleblowers based on lessons learned during years of litigating SOX whistleblower cases.
The goal of the guide is to arm corporate whistleblowers with the knowledge to effectively combat whistleblower retaliation, avoid the pitfalls that can weaken a SOX whistleblower case, and formulate an effective strategy to obtain the maximum recovery.
SEC Whistleblower Law Firm
See our column in Forbes: One Billion Reasons Why The SEC Whistleblower-Reward Program Is Effective.
See our column in Going Concern: Sarbanes-Oxley 15 Years Later: Accountants Need to Speak Up Now More Than Ever.
See our post in Accounting Today: Whistleblower Protections and Incentives for Auditors and Accountants.