The SEC Division of Enforcement has renewed its focus on financial reporting by public companies. As highlighted by a senior SEC official at an ABA program, the SEC has established a special task force that is taking proactive and innovative steps, including data-mining for financial reporting anomalies that may reflect potential misconduct by public companies. Coupled with the SEC’s new “Broken Window” policy to police even technical, non-fraud violations, internal control policies and procedures, more so than ever, should be at the top of every public company’s compliance priorities.
Formed in mid-2013, the SEC’s Financial Reporting and Audit Task Force (Task Force) is expected to have an increasing impact on the SEC’s financial reporting enforcement efforts, based on comments made by David Woodcock on a program held at the 2015 Spring Meeting of the Business Law Section. (Linda Griggs and Peter Chan, the authors of this article, participated in this program as moderator and panelist, respectively.) At that time, David Woodcock was the chair of the Task Force. During the program, titled “What Companies Need to Know Now About the SEC’s Financial Reporting Initiatives,” David explained that the development of financial reporting cases generally takes quite a long time. He noted that, at the time of the Spring Meeting, only one of the cases identified by the Task Force had actually resulted in an SEC enforcement action, but that he expected more in the future.
Much has been discussed regarding the SEC’s whistleblower program under Dodd-Frank to solicit leads for enforcement investigations. Indeed, the SEC’s website openly invites corporate insiders and gatekeepers to “Blow the Whistle on Financial Reporting Fraud.” However, David explained that, unlike most of the SEC’s enforcement work, which is reactive to sources such as restatements and whistleblowers, the Task Force proactively tries to identify issues before they are reported. One of the tools the Task Force uses is the Corporate Issuer Risk Assessment program. The staff uses the program to search for companies with identified profiles, such as companies that had a specific amount of growth over an identified period, operate in a particular industry, and have recently changed auditors and made late SEC filings. Once such a “risky” company is identified, the Task Force reviews the company’s financial statements and considers whether there is an issue that should be referred to others in the Division of Enforcement for investigation. In some cases, the Task Force will “incubate” the matter because it does not yet have enough information to make a decision as to whether to recommend an investigation. During that process, members of the Task Force will call the company to ask for information, perhaps take testimony, and discuss the company with the reviewers in the Division of Corporation Finance. In any such call with a company, the Task Force identifies what it is doing and expects the company to be cooperative.
The Task Force is not confining its work to cases involving potential financial reporting fraud. It is also looking at internal control and negligence cases that may only involve a violation of Section 13 of the Securities Exchange Act of 1934. In the area of internal control, the SEC’s Office of the Chief Accountant, Division of Corporation Finance, as well as the Division of Enforcement are concerned about the absence of disclosures of material weaknesses except when a company restates its financial statements. All three of these SEC offices are focusing on internal controls, which Andrew Ceresney noted in a speech in early March at the CBI’s Pharmaceutical Compliance Congress “are key building blocks to ensure reliable financial reporting.” This focus on internal control is consistent with the SEC’s “Broken Window” policy to bring enforcement actions against non-fraud, technical violations. Based generally on former New York City Mayor Rudolph Giuliani’s crime-fighting policy of the same name, the policy’s rationale is that enforcement against technical or “petty” violations will create a culture of compliance that will deter more serious violations. Thus, enforcement cases on inadequate internal control will deter and prevent the more serious financial reporting fraud.
Historically, cases involving internal control violations when a company had not restated its financial statements were confined generally to cases also involving foreign payments. Today, the SEC is likely to bring more varied cases in which internal controls are inadequate or circumvented even when a company has not restated its financial statements. An example is the SEC’s action against Polycom, Inc. and its CEO resulting from Polycom’s failure to disclose as compensation the CEO’s reimbursement for personal travel and other expenses. The SEC issued an order in March 2015 announcing Polycom, Inc.’s agreement to settle the SEC’s action based on the company’s violations of (1) Sections 13(a) and 14(a) of the Securities Exchange Act of 1934 and related rules because of its failure to disclose the reimbursed personal expenses as compensation in its proxy statements, (2) Section 13(b)(2)(A) of the Exchange Act because Polycom erroneously recorded the personal charges as business expenses rather than compensation, and (3) Section 13(b)(2)(B) of the Exchange Act because Polycom failed to have adequate internal controls related to air travel bookings and the use by the CEO’s administrative assistants of company purchasing cards. The CEO had charged air travel expenses without being required to describe the purpose for the travel and his assistants had used their individual purchasing cards to pay certain of the CEO’s personal expenses, although the cards were intended to be used for charges incurred by the assistants that were then required to be approved by the CEO.
The SEC took the action against Polycom even though the inadequate internal controls did not result in a restatement of financial statements. Given the SEC focus on internal accounting controls and the function of the Task Force to proactively identify financial reporting irregularities, the Task Force is likely to seek to identify internal control weaknesses so that the weaknesses can be remedied before inaccurate financial statements are prepared.
Perhaps such actions might include weaknesses that permit successful phishing or cyber breaches. Catherine deMadrid, a forensic accountant with Ernst & Young who also participated on the ABA Spring Meeting program, explained how successful phishing situations may result because of either inadequate controls or the circumvention of internal controls. In so-called phishing situations, a third party asks a member of the finance department to pay an amount that is owed in connection with an extremely confidential and time-sensitive matter being managed by senior executives. Because of inadequate controls or training, the finance department employee may not realize that a wire is not supposed to be sent to an address that differs from the usual address or may expedite the wire transfer because he or she believes that is what the senior executive would expect.
Other types of cases that the Task Force might identify for the SEC are ones involving inadequate disclosure controls and procedures related to the preparation of the management’s discussion and analysis (MD&A). For example, the Corporate Issuer Risk Assessment program may enable members of the Task Force to identify cases in which management failed to discuss in the MD&A risks or uncertainties that are reasonably likely to have a material effect on the company’s financial condition or results of operations. Task Force members may be able to search for companies that did not discuss in their MD&A a risk that other companies in the same industry had discussed in their MD&As.
The activities of the Task Force, including data mining made possible by the Corporate Issuer Risk Assessment program, should enhance the SEC’s financial reporting enforcement efforts and result in an increasing level of financial reporting cases. Even if the Task Force does not become a permanent part of the SEC’s enforcement program, the processes that the Task Force has developed will be useable by other SEC staff members to improve the SEC’s identification of financial reporting irregularities. This increased focus on financial reporting by the SEC suggests that public companies should take steps to ensure that they maintain effective internal control over financial reporting and other disclosure controls and procedures, such as the following:
- Update Internal Control Over Financial Reporting and Other Disclosure Controls and Procedures: As the market or economy changes or as a public company’s operations, business, personnel, or processes change, a public company should carefully evaluate the need to update its controls so that it maintains internal control over financial reporting as well as disclosure controls and procedures that are effective in enabling the company to prepare reliable financial statements, MD&As, and other disclosures.
- Respond to Red Flags: As part of robust internal control, a public company should respond proactively to review and address any apparent financial reporting anomalies, such as unusual spikes in quarterly earnings that cannot be explained by normal business fluctuations, since the Task Force is also looking for such anomalies through data mining. In addition, the SEC is more likely to bring internal control cases against a company if the company failed adequately to respond to red flags or other previous warnings of internal control weaknesses. Be sure to have adequate documentation of how the company reasonably addressed such red flags in the event the SEC comes knocking.
- Emphasis on Culture: Even the best written internal control policies and procedures are useless if a company does not have a strong culture of compliance and transparency. In addition to the appropriate tone at the top, it is particularly important to ensure that a strong compliance culture is established throughout a company’s domestic and overseas operations. Some of the recent SEC enforcement cases involve multinational companies where misconduct occurred in certain overseas operations where there may have been preexisting local cultural biases against transparency and compliance.
Since the Task Force may informally seek information from a company before determining whether or not to refer the matter to other SEC offices for investigation, it is important that the company, perhaps in consultation with outside counsel, provide responsive, complete, and accurate information and explanations to such informal queries. For the same reason, responses to Division of Corporation Finance questions should be provided with great care.