Inadequate Internal Controls
Inadequate Internal Accounting Controls
Under federal law, publicly traded companies are responsible for devising and maintaining a system of internal accounting controls sufficient to reasonably assure that:
- transactions are executed in accordance with management authorization;
- transactions are recorded as necessary to:
- permit preparation of financial statements in conformity with GAAP; and
- maintain accountability for assets;
- access to assets is permitted only in accordance with management authorization; and
- recorded accountability for assets is compared with the existing assets at reasonable intervals, and appropriate action is taken regarding any differences.
Over the past few years, the SEC has increasingly enforced rules that require companies to maintain sufficient internal controls over financial reporting (“ICFR”). Despite this, a recent report by the Public Company Accounting Oversight Board (“PCAOB”) revealed that one of the most frequent audit deficiencies continues to be inadequate internal accounting controls. Violations include:
- failing to devise and maintain adequate internal controls, as specified under Section 13(b)(2)(B) of the Securities Exchange Act of 1934 (“Exchange Act”);
- failure by management to evaluate the effectiveness of ICFR as of the end of each fiscal year, as required by Exchange Act Rule 13a-15(c);
- failure to maintain evidential matter, including documentation, to provide reasonable support for management’s assessment of the effectiveness of the ICFR, as required by Item 308 of Regulation S-K; and
- invalid certifications by the executives and financial officers that confirm that the Form 10-Q or 10-K does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements not misleading in light of the circumstances under which the statements were made, as required by Exchange Act Rule 13a-14.
Purpose of Internal Accounting Controls
Maintaining adequate ICFR provides companies, investors, and other interested parties with reasonable assurance that misstatements, omissions, and fraud will timely be prevented or detected. This assurance is especially critical in a time when external auditors have consistently failed to identify flaws in public companies’ ICFRs.
In 2016, the PCAOB inspected 12 publicly traded companies audited by PwC and found deficiencies in 10 of the audits related to testing controls for purposes of the ICFR opinion. PwC revised its opinion on internal controls in 6 cases. At Deloitte, the PCAOB identified problems in the internal-control audit for all 13 of the audits selected.
As former SEC Chair Arthur Levitt recently noted in a Wall Street Journal op-ed, “[g]ood internal controls are essential bulwarks against sloppiness, errors and irregularities. An audit might make sure that inventories are reported accurately, or that vendors are legitimate, or that cybersecurity policies and antihacking protocols are implemented effectively. Auditors may review internal emails to detect potential fraud. They can see into the regular operations of a company and, if empowered, call out the kinds of mistakes or malfeasance that leads to major financial restatements and other market-moving events.” In cautioning against a proposal to exempt more companies from internal control audits, Chair Levitt notes that from 2014-16, exempted companies had a restatement rate of 11.2%, while similarly sized companies still subject to the audit requirements had a rate of 6.2%.
Internal Controls Prevent and Reveal Fraud
Recent ground-breaking research about internal control deficiencies underscores the critical role of internal controls in detecting and preventing fraud. In an August 2017 article titled Internal Control Weakness and Financial Reporting Fraud published in Auditing: A Journal of Practice & Theory, the authors demonstrate a strong correlation between material weaknesses and future fraud revelation. A summary of the article in CFO notes that about 30% of fraud revelations were preceded by reports of material weakness.
SEC Enforcement Actions
Inadequate Internal Accounting Controls Lead to $22M SEC Whistleblower Award
In a recent enforcement action, on August 30, 2016, the SEC issued a $22 million award to a whistleblower who exposed that Monsanto had inadequate internal accounting controls to account for millions of dollars in rebates. Monsanto’s deficient controls caused it to materially misstate its earnings during a 3-year period. While the SEC investigation found no personal misconduct, the company was fined $80 million for the accounting violations.
SEC Chairman Mary Jo White stated, “Financial reporting and disclosure cases continue to be a high priority for the Commission and these charges show that corporations must be truthful in their earnings releases to investors and have sufficient internal accounting controls in place to prevent misleading statements.”
Additional SEC Enforcement Actions Against Inadequate Internal Accounting Controls
Inaccurate Accounting of Reserves for Annuity Benefits
On December 18, 2019, MetLife, Inc. agreed to pay $10 million to settle charges that it violated the books and records and internal accounting controls provisions of the federal securities laws relating to two errors in its accounting for reserves associated with its annuities businesses. In particular, MetLife improperly released reserves for annuity benefits associated with MetLife’s Retirement and Income Solutions Business – that is, reducing liability for future policy benefits, which resulted in a corresponding increase in income. To correct the error, MetLife increased reserves by $510 million pre-tax. The SEC’s order also finds that MetLife overstated reserves and understated income relating to variable annuity guarantees assumed by a MetLife subsidiary. MetLife disclosed that this error was caused by data mistakes, including a failure to properly incorporate policyholder withdrawals into MetLife’s valuation model. To correct this error, MetLife reduced reserves by $896 million as of year-end 2017.
Failure to Report Tax Liabilities of Controlled Foreign Subsidiary
On January 23, 2017, Overseas Shipholding Group Inc. (OSG) agreed to pay $5 million fine to the SEC to settle charges it failed to report hundreds of millions of dollars in tax liabilities for over a decade. According to the SEC’s order, OSG and its former chief financial officer, Myles Robert Itkin, failed to report a controlled foreign subsidiary’s federal income tax liabilities in financial statements from 2000 through 2012. This failure caused the company to significantly understate its net loss in that same period and ultimately file for bankruptcy in 2012.
Gerald Hodgkins, Associate Director of the SEC’s Enforcement Division, stated “Where public companies derive economic benefits from their offshore earnings, it is critical that those responsible for the company’s accounting and financial reporting understand the federal income tax consequences triggered from these benefits.”
Improper Revenue Recognition
On January 11, 2017, the SEC fined an aerospace contractor, L-3 Technologies Inc., $1.6 million for improperly recording revenue on contracts. In late 2013, L-3 realized that it was at risk of not meeting its performance target. In order to inflate revenue, and in violation of L-3’s revenue recognition policy, the VP of Finance directed employees to generate roughly 69 invoices and then recognize $17,9 million in income. This extra revenue allowed L-3 to meet its performance target and qualify for incentive bonuses. This practice of improperly recognizing revenue was not uncommon.
In total, L-3’s inadequate internal controls for revenue recognition led to inflated pre-tax income of $169 million. This caused the company to amend its SEC filing in October 2014. SEC Director Andrew Calamari noted, “[a]dequate internal accounting controls function as a critical safeguard against the type of improper revenue recognition that occurred at L3.”
Failure to Maintain Adequate Internal Controls to Prevent Insider Trading
On August 21, 2017, hedge fund Deerfield Management Company L.P. paid approximately $4.6 million to settle charges that it failed to maintain adequate controls to prevent the misuse of inside information. According to the SEC’s complaint, a former government employee with inside information about upcoming CMS decisions concerning Medicare and Medicaid reimbursement rates related to cancer treatments or kidney dialysis tipped two analysts at a hedge fund. The hedge fund was paying him approximately $193,000 to provide political intelligence consulting. The hedge fund’s use of this suspicious information violated its procedures barring insider trading.
Insufficient Controls Resulting in Unauthorized Payments to Executives
On December 11, 2017, took enforcement action against a biotechnology company for its failure to maintain sufficient controls surrounding the reporting and disclosure of travel and entertainment expenses submitted by its executives. The company’s former CEO treated the company “as his personal piggy bank,” obtaining millions of dollars from the company using limited, fabricated, or non-existent expense documentation, and these unauthorized perks and benefits were not disclosed to investors. Examples include cosmetic surgery for friends and personal travel. The company’s “insufficient internal accounting controls contributed to and failed to detect these improper and unauthorized payments, which were not accurately recorded in the company’s books and records.”