Inadequate Internal Controls and SEC Enforcement: Investigation Risks

Inadequate Internal Controls and SEC Enforcement: Investigation Risks

When companies fail to implement adequate internal controls over financial reporting, they expose themselves to significant risks of SEC enforcement actions. Recent cases highlight how inadequate controls can lead to accounting errors, misstatements, and even fraud going undetected for years. Companies and executives who ignore internal control weaknesses or fail to prioritize remediation face stiff civil penalties, charges of negligence, and damage to their reputations.

Internal Control Requirements

Public companies are legally required under the Securities Exchange Act of 1934 to maintain internal controls over financial reporting (ICFR) and to evaluate their effectiveness annually[1]. The SEC defines internal controls as processes designed to provide reasonable assurance regarding the reliability of financial reporting and preparation of financial statements[2]. This includes having sufficient staffing, policies, training, and oversight in areas like:

• Revenue recognition
• Expense authorization
• Inventory counts
• Reconciliations
• Segregation of duties

When companies identify material weaknesses in ICFR, they must disclose them and explain the specific remediation plans. The SEC expects prompt action to fix control gaps, not delays of months or years[3].

Common SEC Charges for Control Failures

The SEC frequently brings enforcement actions against public companies that fail to implement or maintain adequate internal controls. Recent charges involve:

• Books and records violations – Inaccurate financial records due to weak controls[1].
• Failure to evaluate ICFR – Not completing required annual ICFR evaluations[3].
• Deceptive disclosures – Misleading investors about control weaknesses[5].
• FCPA violations – Bribery and corruption resulting from poor compliance controls[4].

The SEC often charges both companies and individuals like CEOs or CFOs who had responsibility for controls[5].

Investigation Triggers

Certain events tend to spur SEC investigations into internal controls, such as[6]:

• Restatements – Correcting serious errors in financial reports due to control failures.
• Whistleblower tips – Complaints to the SEC about accounting irregularities or excessive pressure to meet targets.
• Bankruptcies – Companies collapsing soon after giving clean control opinions.
• M&A activity – Control problems coming to light during due diligence.

In addition, the SEC uses data analytics to spot red flags like unusual revenue trends, suspicious patterns in disclosures, or frequent auditor changes.

Investigation Process and Defenses

The SEC enforcement investigation process typically involves[2]:

1. Document requests – Demanding emails, financial records, policies, board minutes, etc.
2. Executive testimony – Interviewing or deposing senior managers about controls.
3. Wells notices – Formally warning targets they may face charges.
4. Settlements – Resolving charges before litigation by paying fines and penalties.
5. Litigation – Filing civil complaints in federal court.

Companies have several potential defenses against charges of inadequate controls[2]:

• Showing controls were reasonable and documented, even if they failed.
• Blaming lapses on rogue employees circumventing controls.
• Arguing control weaknesses were disclosed properly to investors.
• Demonstrating diligent remediation efforts.
• Highlighting reliance on competent external auditors.

However, companies should be aware that merely having written policies is insufficient if they are not applied rigorously. And the SEC often counters that the “tone at the top” encouraged aggressive accounting or discouraged transparency.

Penalties and Reputational Damage

When control failures lead to charges, companies face harsh penalties even if they settle cases. Recent SEC settlements include[1] [3] [5]:

• Fines from $1 million to over $100 million.
• Executive clawbacks of compensation.
• Mandated improvements to ICFR.
• Multi-year monitoring by an independent consultant.
• Admissions of wrongdoing.

In addition to direct costs, companies suffer significant reputational damage. Customers, investors, and business partners lose trust after learning about accounting improprieties and negligent oversight. Regulators also often force governance changes like director resignations and stronger committee oversight.

Best Practices for Robust Controls

Given the severe consequences, public companies should take all necessary steps to implement and monitor robust internal controls[6]:

• Perform thorough ICFR risk assessments.
• Maintain adequate staffing in key functions like accounting.
• Document all policies; review and update regularly.
• Rigorously test controls; investigate failures.
• Foster a culture of transparency and compliance.
• Provide frequent ICFR training.
• Rotate staff to avoid conflicts.
• Welcome whistleblowers and address concerns.
• Report control weaknesses promptly; remediate quickly.

While mistakes happen at times, companies should show regulators they take financial reporting seriously and act responsibly when issues arise. A pattern of neglecting internal controls poses unacceptable risks in the current enforcement environment.

References

[1] SEC Charges Andeavor for Inadequate Controls Around Authorization of Stock Buyback Plan

[2] Securities and Exchange Commission Division of Enforcement Enforcement Manual

[3] SEC Charges Four Public Companies With Longstanding ICFR Failures

[4] SEC Enforcement Actions: FCPA Cases

[5] SEC Charges The Kraft Heinz Company and Two Former Executives for Engaging in Years-Long Accounting Scheme

[6] Enforcement Overview