
Recent SEC Comments and Actions on Non-GAAP Measures
December 17, 2019
Institute of Internal Auditors Survey Report: Corporate Boards may be Blind to Risks
According to The Institute of Internal Auditors (IIA) survey report[1] released on October 15, 2019, titled “OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk,” boards are overconfident.
Boards consistently rate the organization’s capability to manage risks higher than executive management does, which is evidence of a critical misalignment between what executive management believes and what is communicated to the board.
This finding, among many others, drew on a qualitative survey of 90 in-depth interviews with professionals in North American boardrooms, C-suites, and internal audit functions, as well as a quantitative survey of top risks as viewed by more than 600 internal audit leaders, primarily Chief Audit Executives (CAE). The report recommended that boards 1) exercise professional skepticism when evaluating the information received from executive management; 2) obtain the opinion of the CAE on the quality of the information being provided; and 3) hold management accountable when information appears to be inaccurate or is not provided in a timely manner.
Internal Controls and the U.S. Securities and Exchange Commission (SEC)
The federal Foreign Corrupt Practices Act (FCPA), enacted in 1977 as an amendment to the Securities Exchange Act of 1934[2] (Exchange Act), added two sections to the Exchange Act: 1) the anti-bribery provision (Section 30A), which is enforced by the Department of Justice; and 2) the books-and-records provision (Section 13(b)), which is enforced by the SEC.
Section 13(b) requires an issuer to:
Make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer.
Devise and maintain a system of internal accounting controls sufficient to provide reasonable assurance that:
Transactions are executed in accordance with management’s general or specific authorization.
Transactions are recorded as necessary (1) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (2) to maintain accountability for assets.
Access to assets is permitted only in accordance with management’s general or specific authorization.
The recorded accountability for assets is compared with the existing assets at reasonable intervals, and appropriate action is taken regarding any differences.
Three Recent SEC Enforcement Actions
The anti-bribery provision includes two critical elements:
A payment or a promise of a payment is made; and
The recipient is a foreign official, a foreign political party or party official, or a candidate for foreign political office.
Three recent SEC enforcement actions indicate that the SEC will apply the books-and-records provision even when the two critical elements of the anti-bribery provision are absent.
The Stryker Case[3]
The SEC found that Stryker Corporation (Stryker) violated Sections 13(b)(2)(A-B) of the Exchange Act as explained below:
Internal Controls - Stryker failed to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions were recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles which included the failure to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions were executed in accordance with management’s general or specific authorizations.
Books and Records - Stryker was unable to provide any documentation for 27% of sampled high-risk transactions on Stryker India’s general ledger. For other compliance-sensitive transactions, the available documentation was insufficient for purposes of determining accurately the recipient, amount, or purpose of the payments at issue. As a result, Stryker failed to make and keep books, records, and accounts that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer.
As part of the sanctions imposed on Stryker in this case, Stryker’s remediation included the following:
Stryker had to retain an Independent Consultant (Stryker shall not have the authority to terminate the Independent Consultant without the prior written approval of the Staff) for a period of eighteen (18) months; and
Stryker was forced to hire an independent consultant for remedial efforts as part of the Cease-and-Desist Order.
The Independent Consultant’s responsibility is to review and evaluate Respondent’s internal controls, record-keeping, and anti-corruption policies and procedures relating to use of dealers, agents, distributors, sub-distributors, and other such third parties that sell on behalf of Stryker (“the Policies and Procedures”) and to make recommendations designed to reasonably improve the Policies and Procedures. This review and evaluation shall include an assessment of the Policies and Procedures as actually implemented, including in India, China, Kuwait, and other countries selected by the Independent Consultant, and how the Policies and Procedures fit within Respondent’s ethics and compliance function. The Independent Consultant shall consider whether the ethics and compliance function has sufficient resources, authority, and independence, and provides sufficient training and guidance [emphasis added].
It is noteworthy in the Stryker case that although the SEC found that Stryker violated the books-and-records provision, the SEC’s Cease-and-Desist Order did not allege that there was any direct or indirect benefit on the part of any Indian government official or any state-owned entity.
The Petrobras Case[4]
In the Cease-and-Desist Order, the SEC found that, over an extended period of time, Petróleo Brasileiro S.A. – Petrobras (Petrobras) had engaged in a massive corruption scheme, perpetrated by certain former senior executives of Petrobras who conspired with Petrobras’s largest contractors and suppliers to inflate the cost of Petrobras’s infrastructure projects by billions of dollars, resulting in material misstatements and omissions by Petrobras. The same executives also engaged in other bribery schemes with companies that sought to win contracts with Petrobras or to obtain better terms for those contracts. This scheme generated millions of dollars in bribes that the Corrupt Executives used for their own benefit and for the benefit of their political patrons. The SEC found that Petrobras failed to detect and disclose these corruption schemes.
The SEC found that Petrobras violated Sections 13(b)(2)(A) and 13(b)(2)(B) of the Exchange Act, which require reporting companies to make and keep books, records, and accounts which, in reasonable detail, accurately and fairly reflect their transactions and dispositions of their assets, and to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles.
Similar to the Stryker case cited above, the SEC did not allege that Petrobras made any illegal payments. Instead, the SEC’s Cease-and-Desist Order was based only on the fact that the company’s books and records inflated the value of PP&E and other assets in which kickbacks from the bribes were included and concealed, and that the company did not maintain a system of internal accounting controls sufficient to provide reasonable assurance that transactions were recorded as necessary to permit preparation of financial statements in accordance with GAAP.
The MetLife Case[5]
In the Cease-and-Desist Order, the SEC found that MetLife, Inc. (MetLife) violated Sections 13(b)(2)(A) and 13(b)(2)(B) of the Exchange Act, which require reporting companies to make and keep books, records, and accounts which, in reasonable detail, accurately and fairly reflect their transactions and dispositions of their assets, and to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles.
MetLife’s violation of the books-and-records provision of the Exchange Act related to two separate errors which resulted in MetLife understating reserves and overstating income in its annuity business. One error going back over a 25-year period resulted in a prior period restatement of $372 million while the other error going back over a 10-year period resulted in a prior period restatement of $682 million.
All three of these recent enforcement actions may be a harbinger of the SEC’s intent to apply the books-and-records provision of the Exchange Act to future cases that do not include critical elements of the anti-bribery provision of the FCPA.
SEC Report on Certain Cyber-Related Frauds and Related Internal Accounting Controls Requirements
The SEC’s Division of Enforcement (“Division”), in consultation with the Division of Corporation Finance and the Office of the Chief Accountant, investigated whether certain public issuers that were victims of cyber-related frauds may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls[6].
In connection with the investigation, the Commission considered whether the issuers complied with the requirements of Sections 13(b)(2)(B)(i) and (iii) of the Exchange Act, which require certain issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed with, or that access to company assets is permitted only with, management’s general or specific authorization[7].
The Division’s investigation focused on the internal accounting controls of nine issuers that were victims of one of two variants of schemes involving spoofed or compromised electronic communications from persons purporting to be company executives or vendors. The issuers covered a range of sectors including technology, machinery, real estate, energy, financial, and consumer goods, reflecting the reality that every type of business is a potential target of cyber-related fraud. At the time of the cyberscams, each issuer had substantial annual revenues and had securities listed on a national securities exchange[8].
As a result of the Division’s investigation, the SEC cautioned that, “issuers should be mindful of the risks that cyber-related frauds pose and consider, as appropriate, whether their internal accounting control systems are sufficient to provide reasonable assurances in safeguarding their assets from these risks.”
SEC Stresses the Importance of Internal Control & the Tone at the Top[9]
On December 30, 2019, the SEC issued a public statement to the audit committees of public companies reminding them about the importance of the “Tone at the Top” and internal controls over financial reporting (ICFR), excerpts of which are provided below:
Tone at the Top – Because audit committees of public companies have financial reporting and independent auditor oversight authority and responsibility, they are instrumental in setting the tone for the company's financial reporting and the relationship with the independent auditor. We encourage audit committees to focus on the “tone at the top” with the objective of creating and maintaining an environment that supports the integrity of the financial reporting process and the independence of the audit. In this regard, it is important for the audit committee to set an expectation for clear and candid communications to and from the auditor, and likewise to set an expectation with both management and the auditor that the audit committee will engage as reporting and control issues arise. It is similarly important for audit committees to proactively communicate with the independent auditor to understand the audit strategy and status, and ask questions regarding issues identified by the auditor and understand their ultimate resolution.
ICFR – Audit committees are responsible for overseeing ICFR, including in connection with their consideration of management’s assessment of ICFR effectiveness and, when applicable, the auditor’s attestation. We believe audit committees are most effective when they have a detailed understanding of identified ICFR issues and engage proactively to aid in their resolution. If material weaknesses exist, it is important for audit committees to understand and monitor management’s remediation plans and set an appropriate tone that prompt, effective remediation is a high priority.
Closing Remarks
The IIA’s OnRisk 2020 survey report discussed earlier covers many different risks facing the business community for 2020 and beyond, and this list is by no means a complete one. While it’s obvious that a one-size-fits-all, cookie-cutter approach will not work, it is also true that internal controls must be robust and constantly updated to address current risks.
The SEC has shown a willingness to not only apply the books-and-records provision of the Exchange Act to future cases that do not include critical elements of the anti-bribery provision of the FCPA but to also require that independent consultants be hired to oversee internal control issues, including staffing. Therefore, it is imperative that public companies remain vigilant and proactive when it comes to addressing risks and matters of internal control that can affect external financial reporting.
Over the next several months, we will explore and discuss various factors related to internal control. If you have any questions about this article or any other matters related to this, please feel free to contact Scott Wilson, MBA, CPA, CFE, at swilson@chief-financial-solutions.com or call him directly at 443-325-7227.
Ibid. [excerpt from report]
Ibid. [excerpt from report]


