One of the noteworthy features of the Sarbanes-Oxley Act was the legislation’s creation of the requirement for reporting companies to provide a certification from management regarding the company’s internal controls. This requirement has not been the focus of a great deal of attention since the legislation was enacted in 2002. However if the administrative actions filed against two corporate officials last week are any indication, these requirements could be the source of a significant attention in the months ahead.
By way of background, Section 404 of Sarbanes-Oxley Act requires company management to file n internal control report with the company’s annual report. The report must describe management’s responsibilities to establish and maintain a system of internal controls over the company’s financial reporting and management’s conclusion regarding the effectiveness of the internal controls at year-end. The report must also confirm that the company’s has attested to and reported on the company’s internal controls. The company’s CEO and CFO must sign certifications confirming they have disclosed all significant deficiencies to the outside auditors, reviewed the annual report, and attest to its accuracy.
The internal control reporting requirement was one of the more controversial parts of the legislation and it has proven difficult for the management of many companies to implement. But by and large it has not been the focus of regulatory enforcement action. That may be about to change.
As reflected in its press release about the action (here), on July 30, 2014 the SEC instituted administrative proceedings against the CEO and former CFO of QSGI for misrepresenting to external auditors and the investing public the state of its internal controls over financial reporting. The administrative cease desist orders against the two individuals can be found here and here.
The SEC alleges that in the company’s 2008 annual report, the CEO attested that they had assessed the company’s internal controls. However, the SEC alleges that Sherman did not actually participate in assessing the controls. The SEC also alleges that the CEO and CFO certified that they had disclosed all significant deficiencies to outside auditors, but that they failed to tell the auditors about inadequate controls over inventory in the company’s Minnesota operations.
The SEC alleges that the CEO and CFO also withheld from auditors and investors that the CEO was directing and the CFO was participating in a series of maneuvers to accelerate the recognition of inventory and accounts receivables in QSGI’s books and records by up to a week at a time. The allegedly improper accounting maneuvers, which rendered QSGI’s books and records inaccurate, allegedly were performed in order to maximize the amount of money that QSGI could borrow from its chief creditor. The company ultimately filed for bankruptcy in 2009. It later reorganized and emerged from bankruptcy in 2011.
The CFO has agreed to settle the case without admitting or denying the charges. (In an administrative proceeding, no court approval is required, so the recent judicial aversion to SEC settlements in which the defendant neither admits nor denies the charges is not a factor here.) The CFO agreed to pay a $23,000 penalty and also agreed to a five year ban from practicing as an accountant before the SEC or serving as the officer or director of a public company. The CEO reportedly intends to fight the charges.
In a July 30, 2014 article about the administrative cases (here), Reuters reports that earlier this year the SEC’s enforcement director had said that the agency’s investigators “were planning to pursue some internal control-related cases,” noting that it is an area that “has been less scrutinized in the past.” The SEC’s enforcement action on this issue is also consistent with SEC Chair Mary Jo White’s vow to focus more effort and attention on bringing accounting-related enforcement actions, an area that has seen less activity in recent years.
The SEC’s press release quotes the deputy head of the enforcement division as saying that ““Corporate executives have an obligation to take the Sarbanes-Oxley disclosure and certification requirements very seriously.” The CEO and CFO, the individual said, “flouted these regulatory requirements and misled investors and external auditors in the process.
At a minimum, this enforcement actions raise the possibility that the Sarbanes=Oxley internal control reporting and certification requirements may be the source of increased scrutiny in the months ahead. If this case is just the first of many enforcement actions focusing on these requirements, senior company officials could be facing increased regulatory scrutiny and possible enforcement liability.
An increased regulatory focus on these issues could prove helpful for the plaintiffs bar as well. The SEC allegations not just that the reporting requirements were violated but that the shortcomings led to or facilitated financial reporting violations could help plaintiffs to craft allegations to serve as the basis of damages claims. The kinds of allegation raised here suggest the possibility that these kinds of enforcement actions could lead to follow-on civil litigation.
These kind of internal control reporting deficiencies have not been a major focus of attention for the plaintiffs’ bar, but to the extent the SEC does become more active on this issue, the follow-on civil lawsuits could trail along behind as well