In Brief

In early 2014, the SEC’s enforcement director said that the agency’s investigators “were planning to pursue some internal control-related cases,” noting that this area “has been less scrutinized in the past” (Sarah N. Lynch, “SEC Charges QSGI CEO, Former CEO Over Internal Control Failures,” Reuters, July 30, 2014). In this second part of the series, the authors discuss the internal control rules, how the SEC has enforced them against CFOs, and how CFOs can avoid liability.


As seen in Part One of this series, CFOs are considered “control persons” for purposes of liability under various securities laws and SEC rules enforcing those laws. As such, they possess certain responsibilities regarding internal controls, which the SEC takes very seriously. The consequences for failure can be severe, but a careful study of recent cases reveals the precautions CFOs can take and the pitfalls they should avoid.

The Internal Control Rules

In 1977, Congress enacted the Foreign Corrupt Practices Act (FCPA). The better-known provision of the FCPA prohibits bribing foreign officials in order to obtain or keep business, but this law also requires publicly traded companies to maintain accurate books and records in reasonable detail and to devise and maintain a system of internal accounting controls. Similar provisions exist in section 13(b)(2)(a) of the Securities Exchange Act of 1934, and SEC Rule 13b2-1 further prohibits any person from falsifying those books and records.

Section 13(b) of the Exchange Act states that internal accounting controls must be sufficient to provide reasonable assurances that—

  • transactions are executed in accordance with management’s general or specific authorization;
  • transactions are recorded as necessary 1) to permit preparation of financial statements in conformity with GAAP or any other criteria applicable to such statements, and 2) to maintain accountability for assets;
  • access to assets is permitted only in accordance with management’s general or specific authorization; and
  • the recorded accountability for assets is compared with the existing assets at reasonable intervals, and appropriate action is taken with respect to any differences.

It has been noted, however, that “internal controls typically presume proper segregation of duties and hence are quite powerless against collusion and management override of controls. In fact, the COSO [Committee of Sponsoring Organizations] Fraud Study (1999) found that in 83% of the frauds examined, the CEO and CFO had colluded” (Sridhar Ramamoorti, David E. Morrison, III, Joseph W. Koletar, and Kelly R. Pope, A.B.C.’s of Behavioral Forensics: Applying Psychology to Financial Fraud Prevention and Detection, Wiley, 2013). Section 404(a) of the Sarbanes-Oxley Act of 2002 (SOX) builds upon section 13 of the Exchange Act and mandates that the SEC prescribe rules requiring annual reports filed by accelerated filers (i.e., those whose total common equity is $75 million or more) to contain an internal control report that 1) states management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting and 2) contains an assessment, as of the end of the issuer’s most recent fiscal year, of the effectiveness of the internal control structure and procedures for financial reporting. Furthermore, SOX section 404(b) requires that each registered public accounting firm that prepares or issues an audit report for an issuer report on and attest to such assessment. Finally, SEC Rule 13b2-2 prohibits officers and directors of a public company from misleading or coercing the auditor.

SOX section 302(a) further requires the CEO and CFO to certify the material accuracy and completeness of the financial and other information contained in an issuer’s quarterly and annual reports and the fair presentation of an issuer’s financial position, as well as to establish, maintain, and regularly evaluate the effectiveness of internal controls. Section 302(a)(5) specifically requires that, as part of this certification, a CFO must state that he has disclosed to the corporation’s audit committee all significant deficiencies in the design or operation of the internal controls and any fraud involving management that he knows about.

SEC Rule 13a-14 requires reports filed on Forms 10-K and 10-Q to include the certifications of the CEO and CFO, so that a colluding CFO will automatically incur liability for making a false certification. The SEC has stated that “an officer providing a false certification potentially could be subject to Commission action for violating Section 13(a) … of the Exchange Act and to both Commission and private actions for violating Section 10(b) of the Exchange Act and Exchange Act Rule 10b-5” (SEC Release Nos. 33-8124, 34-46427, Certification of Disclosure in Companies’ Quarterly and Annual Reports, August 29, 2002). Moreover, an officer who willfully makes a false certification may be liable for criminal violation of the Exchange Act.

SEC Enforcement Against CFOs

There were at least five instances of SEC enforcement of these rules against CFOs in late 2013 and 2014. Some of the CFOs charged were clearly bad actors, aware that they were doing something wrong, as can be seen in the following three cases.

In the case of DGSE Companies Inc., deficiencies in internal controls led to the improper booking of certain transactions. To bring the accounts back into balance, the CFO made repeated false accounting entries that inflated the value of inventory on the balance sheet. The SEC filed fraud charges against the CFO under section 10(b) of the Exchange Act and also alleged that he knowingly violated the books and records and internal controls rules. The CFO agreed to pay a $75,000 penalty, be permanently barred from serving as an officer or director of a public company, and be suspended from practicing before the SEC as an accountant (“SEC Charges Former CFO of Dallas-Based Jewelry and Collectibles Company with Accounting Fraud,” May 27, 2014, SEC Press Release 2014-106).

Similarly, the former CFO of a bank was accused of willfully violating the SEC’s books and records rules by allowing certain loans to be misclassified, thereby minimizing a pretax loss for the quarter. The former CFO agreed to pay a $100,000 penalty and was suspended from practice before the SEC as an accountant for one year (“SEC Charges Fifth Third Bancorp and Former CFO for Improper Accounting of Substantial Loan Losses During Financial Crisis,” December 4, 2013, SEC Press Release 2013-255).

In a 2014 administrative proceeding, the SEC alleged that the CEO and former CFO of QSGI Inc. falsely represented in management’s internal control report for fiscal year 2008 that the CEO participated in management’s assessment of the internal controls. The SEC also alleged that the CEO and former CFO misled the auditors, chiefly by withholding information that inadequate inventory controls existed within the company’s Minnesota operations. The former CFO was aware of these deficiencies, the acts taken to circumvent them, and the resulting falsification of QSGI’s books and records. He also participated in the decision to improperly accelerate (by up to one week) recognition of accounts receivable and receipt of inventory in order to increase the borrowing base available under a revolving credit facility with QSGI’s chief creditor. Significantly, the SEC conceded that the former CFO was not aware of any acceleration that would have materially affected the accuracy of the financial statements. Nevertheless, he was penalized, agreeing to a $23,000 penalty and a five-year ban from practicing as an accountant before the SEC or serving as the officer or director of a public company (“SEC Charges Company CEO and Former CFO with Hiding Internal Controls Deficiencies and Violating Sarbanes-Oxley Requirements,” July 30, 2014, SEC Press Release 2014-152).

Investors Criticize Auditor Performance

Ernst & Young (E&Y) was criticized in a May 21, 2015 letter to the PCAOB Director of Enforcement and Investigations for allegedly giving an incorrect opinion regarding its client’s internal control over financial reporting. The CtW Investment Group, which works with union pension funds, holds about 0.15% of Wal-Mart Stores Inc. stock. In its letter to the PCAOB, CtW claimed that E&Y knew of a preliminary internal inquiry conducted by Wal-Mart that found reasonable suspicion to believe that U.S. and Mexican anti-bribery laws were violated. Nevertheless, E&Y issued unqualified opinions on Wal-Mart’s financial statements for the years ending January 31, 2006 and 2007. The company failed to disclose that it had obtained evidence of reasonably probable illegal acts that were qualitatively material to the financial statements, and E&Y issued an unqualified opinion on the relevant financial statements, despite the fact that it allegedly knew that Wal-Mart failed to disclose such reasonably probable violations. E&Y also allegedly failed to obtain sufficient evidence to support its unqualified opinion on management’s attestations with respect to the effectiveness of internal control over financial reporting for the relevant periods.

Even a CFO who is merely careless can be held legally responsible for section 13 violations. The CFO need not be aware of fraud being committed; it is enough to act unreasonably. In another 2014 case, a CPA served as the CFO of ACS, whose financial statements violated GAAP and overstated revenue. ACS allegedly kept books and records that inaccurately reported its transactions and failed to devise and maintain a system of sufficient internal controls. The CFO was accused of violating the certification requirements of Rule 13a-14. Notably, the SEC did not allege that he acted knowingly. The CFO settled the charges by agreeing to cease and desist from violating the books and records and internal controls provisions of the Exchange Act and to disgorge improperly received bonus payments that were tied to revenue growth (In re Bloggett and Kyser, Administrative Proceeding File 3-16045, August 28, 2014).

Another 2014 SEC enforcement action, In re Clayton T. Marshall (Administrative Proceeding File 3-15783, March 11, 2014), involved a divisional CFO who signed false documents that he knew or should have known to be false. The SEC alleged violations of the books and records and internal controls rules, among others, and issued a five-year cease-and-desist order.

In October 2015, the SEC charged two former top executives at OCZ Technology Group Inc. with “channel stuffing” by shipping a customer more product than it could resell and concealing product returns. The SEC alleged that the former CFO “instituted or maintained policies that caused OCZ to record transactions in a manner that was not in accordance with U.S. GAAP” and “failed to implement sufficient internal accounting controls to prevent OCZ from misclassifying sales discounts as marketing expenses and significantly overstating its revenues and gross profits.” The SEC charged the CFO with violating certain antifraud, certification, and internal controls provisions, and with aiding and abetting OCZ’s violations of the reporting, books and records, and internal controls provisions. He agreed to be permanently enjoined from violating or aiding and abetting violations of these provisions, to be barred from acting as an officer or director of a public company, to pay $130,000 in disgorgement, prejudgment interest, and civil penalties, and to forgo any claims against OCZ for $170,000 in unpaid compensation (“SEC Charges Former Executives with Accounting Fraud and Other Accounting Failures,” October 6, 2015, SEC Press Release 2015-234).

Violations by CFOs of the books and records and internal controls rules can take various forms (see the sidebar, “Books and Records”) and, as seen above, this can result in a variety of significant consequences. CFOs who are also CPAs may also be suspended from practicing before the SEC and face disciplinary action by their state licensing board. Whether or not the above CFOs believed that they were guilty of the alleged activities, most settled the charges against them. These instances demonstrate the zealousness of the SEC and the significant monetary and professional penalties sustained by CFOs.

Avoiding Liability

The FCPA requires a “degree of assurance as would satisfy prudent officials in the conduct of their own affairs” in order to provide “reasonable assurance” regarding the reliability of the firm’s financial reporting (SEC Release Nos. 33-8238; 34-47986). The law provides little concrete guidance regarding the design or implementation of the system, and one commentator has argued that the SEC actually uses a strict “failure to prevent standard” in certain cases (Mike Koehler, “Why You Should Be Alarmed by the ADM FCPA Enforcement Action,” Bloomberg BNA White Collar Crime Report, 09 WCR 54, Jan. 24, 2014).

On August 14, 2003, the SEC promulgated rules to implement SOX section 404. The rules require that management’s SOX-prescribed internal control report contain “a statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the company’s internal control over financial reporting.” The SEC further stated that COSO’s 1992 Internal Control–Integrated Framework “satisfies [the SEC’s] criteria and may be used as an evaluation framework for purposes of management’s annual internal control evaluation and disclosure requirements” (Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, SEC Release Nos. 33-8238, 34-47986, and IC-26068).

The majority of publicly traded companies in the U.S. have adopted COSO’s framework, which was updated in 2013, effective as of December 15, 2014. The new framework keeps the 1992 framework’s five primary components of internal control—control environment, risk assessment, control activities, information and communication, and monitoring activities—but it now explicitly includes 17 principles previously only implicit in the 1992 framework. The principles are “essential in assessing that the five components are present and functioning” (J. Stephen McNally, The 2013 COSO Framework and SOX Compliance, June 2013). For management to be able to conclude that its system of internal controls is effective, all five components and all relevant principles must exist in the design and operation of the control system. CFOs should carefully document their company’s transition to the 2013 framework and retain the documentation as evidence of their efforts to institute and maintain an appropriate set of internal controls.

Continuous Improvement

Best practices require continual improvement. As McNally says, “Companies should periodically reassess their system of internal control over external financial reporting to identify opportunities” for improvement. In short, to avoid running afoul of the SEC, whether for control person liability or liability related to inadequate internal controls, CFOs should always exercise and carefully document their due diligence.

Craig P. Ehrlich, JD is an associate professor of law at Babson College, Babson Park, Mass.
Joanne D. Williams, PhD, CPA is an associate professor of accounting, also at Babson College.