SEC Crackdown on Internal Controls Violations: Enforcement Actions on the Rise

The Securities and Exchange Commission (SEC) has been ramping up enforcement actions against companies for inadequate internal controls. Failure to maintain proper internal controls has long been a focus of the SEC, but recent years have seen increased scrutiny and record-breaking fines. Companies of all sizes and across all industries have faced consequences for deficient internal controls and procedures related to financial reporting, cybersecurity, and more.

Internal controls are processes and procedures that companies implement to ensure operational efficiency, reliable financial reporting, and legal and regulatory compliance. They serve as a critical line of defense against errors, fraud, and misconduct. But when internal controls are weak or non-existent, major problems can arise.

Record SEC Fines for Internal Control Failures

In the last few years, the SEC has brought some massive enforcement actions related to inadequate internal controls, including:

• A $200 million penalty against Herbalife in 2020 for failing to properly document and test internal controls.
• A $125 million settlement with Wells Fargo in 2020 over internal control issues that led to unlawful sales practices.
• A $100 million fine against Monsanto in 2016 for lack of internal accounting controls.

These record-setting fines indicate the SEC’s zero tolerance for internal control deficiencies that contribute to other securities law violations or reporting failures.

Financial Reporting and Disclosure Controls

One major area of SEC enforcement is the failure to implement adequate internal controls over financial reporting and disclosures as required by the Sarbanes-Oxley Act (SOX). Companies must have sufficient controls in place to ensure the accuracy and completeness of financial statements, disclosures, and other reporting.

In September 2020, the SEC charged biotech company MiMedx Group and two former executives with accounting fraud based on manipulating internal controls. The SEC said the executives “exploited gaps in internal controls to engage in a pervasive and long-running accounting fraud.” [1]

Other companies charged in recent years for deficient financial reporting controls include General Electric, Kraft Heinz, and Aeon Global Health. The SEC found these companies lacked adequate procedures and documentation to prevent or detect reporting errors and irregularities.

Safeguarding Customer Information

The SEC has also prioritized enforcement actions when internal controls fail to adequately safeguard customer data and prevent cybersecurity breaches. In 2018, the SEC fined Yahoo $35 million for failing to properly investigate a 2014 breach compromising 3 billion user accounts. [2]

And in 2021, the SEC charged Morgan Stanley with internal control failures that led to unauthorized access of customer data. The company agreed to pay a $35 million penalty. [3]

As cyber threats grow, regulators expect financial firms to adapt internal controls and security measures accordingly. Outdated or negligent practices can lead to SEC charges.

Compliance Controls

In addition to reporting and cybersecurity, the SEC scrutinizes whether companies have adequate controls for regulatory compliance. This includes implementing policies, training, monitoring, and auditing focused on adherence to securities laws and regulations.

In June 2022, the SEC charged wealth management firm GWFS Equities Inc. with lacking proper controls around compliance with Regulation Best Interest, which governs investment recommendations. GWFS agreed to pay a $4 million penalty. [4]

And in 2021, the SEC fined TIAA-CREF Individual & Institutional Services for having weak internal controls related to compliance with securities laws on retirement rollovers. The firm paid $97 million to settle charges. [5]

Robust internal controls tailored to regulatory requirements are essential for firms to avoid violations and remain in good standing.

Gatekeeper Accountability

The SEC also targets third-party gatekeepers—such as auditors, consultants, and attorneys—for failure to identify or call out internal control deficiencies. Gatekeepers are expected to serve as independent checks and sound the alarm about control weaknesses.

In 2021, the SEC charged Ernst & Young and partners with misconduct in two audits. The SEC said EY failed to comply with auditing standards and lacked appropriate quality controls. EY paid $100 million to settle the charges. [6]

And in 2020, the SEC fined PricewaterhouseCoopers $7 million for violations related to internal controls audits and professional standards. $3 million of the penalty related specifically to control failures.

The SEC expects auditors and other gatekeepers to diligently evaluate internal controls as part of their duties in upholding market integrity.

Implementing Effective Internal Controls

Given the SEC’s extensive enforcement record on internal controls, implementing and maintaining effective control systems is imperative for companies. Some best practices include:

• Conducting regular risk assessments to identify areas needing controls
• Designing control activities tailored to financial, cyber, compliance, and other risks
• Ensuring proper documentation and approval protocols for controls
• Performing timely testing and auditing to validate control effectiveness
• Providing frequent internal control training to employees
• Engaging external auditors and consultants to independently assess controls

Following these steps can help position companies to avoid deficiencies and enforcement actions. But controls must also be continually reevaluated and updated as risks evolve.

Looking Ahead at SEC Enforcement

With its vigorous enforcement agenda, the SEC shows no signs of easing up on internal control failures. In 2022 and beyond, companies should expect more scrutiny and potential charges for control weaknesses that enable other violations or reporting errors.

Firms must make internal controls a top priority. Those neglecting this area risk facing the SEC’s wrath through stiff fines, penalties, disgorgement of profits, and more. But companies prioritizing strong control environments can demonstrate their commitment to integrity, transparency, and compliance.