Sec enforcement for internal control failures what is electricity


On January 29, 2019, the SEC announced four settlements with publicly-traded companies electricity grid australia for failure to maintain adequate internal control over financial reporting (ICFR). None of the companies was charged with making false or inaccurate statements, either about its ICFR or otherwise; indeed, each had repeatedly disclosed material weaknesses in ICFR over many years.

Section 13(b)(2) of the Exchange Act imposes record keeping requirements on public companies and requires them to “maintain a system of internal accounting controls.” [1] That has been true since 1977, when these provisions were added to the Exchange Act by the Foreign Corrupt Practices Act. The broadly worded statutory requirement was given specific content in 2003 when the SEC adopted a specific regulatory framework, based on Section 404 of the 2002 Sarbanes-Oxley Act, that requires a public company to (1) maintain ICFR, (2) assess its effectiveness annually, (3) disclose the assessment in the annual report and (4) (with some exceptions) disclose the report of the independent auditor on the effectiveness of ICFR. The framework is provided primarily by Rule 13a–15, [2] and it is often referred to as “SOX 404.”

After the adoption of the SOX 404 framework, questions arose about whether filing an annual report that discloses material weaknesses and ineffective ICFR has other consequences under the SEC’s rules. In particular, the SEC took the view that such a report does not make a company ineligible to use short-form registration under the Securities Act of 1933. [3]

There have been some SEC enforcement actions for Rule 13a–15 violations. The SEC has included charges of violating the ICFR maintenance requirement where the company has also engaged in intentional misconduct or had to restate prior disclosures. [4] The SEC has also cited violations of the ICFR evaluation requirement in a 2018 action against Primoris for violating the maintenance requirement. [5]

More recently gas guzzler tax, ICFR has been a focus of public statements by SEC staff. In a December 2018 speech, SEC Chief Accountant Wesley Bricker encouraged ongoing attention to the adequacy of and basis for a company’s assessment of the effectiveness of ICFR. [6] The speech emphasized that “internal controls are the first line of defense against . . . material errors or fraud in financial reporting,” a remark that is repeated almost verbatim in Mr. Bricker’s quote in the SEC press release announcing the settled ICFR-related charges. [7] The Settled Charges

There are some differences in the charges against the four companies, reflecting differing circumstances. Each company was found to have violated both the electricity use general statutory requirement to maintain sufficient internal accounting controls (Exchange Act Section 13(b)(2)(B)) and the specific regulatory requirement to maintain ICFR (Rule 13a–15(a)). In addition, Simec and Lifeway failed even to evaluate the effectiveness of ICFR for two reporting periods, so they were found to have also violated the requirement to evaluate ICFR (Rule 13a–15(c)). [8] Finally, Lifeway restated its financial statements three times during the years in question, and it was found to have violated the requirements to keep accurate books and records (Section 13(b)(2)(A)) and to file periodic reports (Rule 13a–1).

The two orders finding only violations of the ICFR maintenance requirements (Digital Turbine and CytoDyn) are the most instructive. While the SEC has previously found violations of the maintenance requirements, those cases typically static electricity how it works targeted companies that were found to have engaged in other misconduct as well. Here there is no finding of any other misconduct—in fact, the two companies had complied with the evaluation requirement (finding their ICFR to be ineffective) and the disclosure requirement (disclosing their findings).

At what point does persistent ineffectiveness ripen into a violation of the ICFR maintenance requirement? In these cases the persistence was egregious—seven years for Digital Turbine and nine years for CytoDyn—but it seems safe to guess that the line can be crossed much faster than that, depending on the circumstances. In general, last week’s SEC actions signal to companies that they should undertake quick and effective remediation efforts for control deficiencies they identify.

Time will tell whether the SEC is interested in bringing more cases predicated solely on controls violations and, if so, what specific substantive obligations it may consider ripe for action. But, in the meantime, the current cases reinforce the SEC’s recent focus on controls over the quality of information being disseminated to investors. Other such recent cases include the SEC’s September 2018 settlement with Tesla for not having disclosure controls over the Twitter feed of its CEO Elon Musk, [9] and npower gas price reduction its October 2018 findings on whether certain public companies that were victims of cyber-related frauds violated the statutory requirement to maintain internal controls. [10] Endnotes

3 See Question 4, SEC Staff’s Frequently Asked Questions (FAQs) on Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, available at The FAQ on this point was originally published in 2004 and last revised in 2007. (go back)

4 See, e.g., In re JPMorgan Chase Co., 2013 SEC LEXIS 2862 (Sept. 19, 2013) (finding bank failed to maintain ICFR and disclosure controls and procedures, which led to restatement of first quarter 10Q); In re S. USA Res., Inc., 2013 SEC LEXIS 3725 (Nov. 22, 2013) (company failed to make regular quarterly filings and annual filings; to disclose resignations of key officers; and to maintain ICFR or disclosure controls and procedures). (go back)

8It is not uncommon for the SEC to bring charges for arkansas gas and oil commission failure to even evaluate the effectiveness of ICFR under Rule 13a-15(c). See, e.g., Primoris, supra note 5; In re Traci J. Anderson, 2015 WL 9297356 at *17–18 (Dec. 21, 2015) (finding officer of company violated evaluation rules relating ICFR by failing to assess its effectiveness). (go back)