You might recall that, in 2016 and early 2017, the SEC made a big push—through a series of staff oral admonitions and written guidance, as well as an enforcement action—to require issuers to be more transparent and more consistent in the use of non-GAAP financial measures and to avoid altogether non-GAAP measures that were misleading. For example, companies were advised that they needed to present GAAP measures with equal or greater prominence relative to the non-GAAP measures. (See, e.g., this PubCo post.) By early 2017, the SEC staff were apparently sufficiently satisfied (see this PubCo post) with the responses to their campaign that the pendulum swung back, and the relentless finger-wagging by the staff about non-GAAP financial measures appeared to have tailed off. (See this PubCo post.) But, according to this analysis from Audit Analytics, it wasn’t until this year that the SEC staff’s comments regarding non-GAAP financial measures actually began to decline.
SEC issues Section 21(a) investigative report regarding the implications of cyberscams for internal controls
Today, the SEC issued an investigative report under Section 21(a) that advises public companies subject to the internal accounting controls requirements of Exchange Act Section 13(b)(2)(B) of the need to consider cyber threats when implementing internal accounting controls. The report investigated whether a number of defrauded public companies “may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls.” Although the SEC decided not to take any enforcement action against the nine companies investigated, the SEC determined to issue the report “to make issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws. Having sufficient internal accounting controls plays an important role in an issuer’s risk management approach to external cyber-related threats, and, ultimately, in the protection of investors.”
You probably recall that, under SOX 404(b), all public reporting companies, other than non-accelerated filers and EGCs, are required to obtain an auditor attestation regarding the effectiveness of their internal control over financial reporting. SOX 404(a) requires all public reporting companies, including non-accelerated filers, to provide an assessment of ICFR by management. An analysis by Audit Analytics of SOX 404 reporting on ICFR over 14 years showed that the number of adverse auditor attestations—auditor attestations indicating ineffective ICFR— followed different trend lines than management-only assessments.
Are we just reading the wrong newspapers and reports or does it seem that auditors—although they spend hours and hours performing audits—rarely identify instances of fraud? Most companies rely on their auditors to uncover irregularities and breathe a sigh of relief when the audit comes up “clean.” Is that reliance misplaced? Probably so, according to this article from CFO.com. “Audits almost never find fraud,” the author writes; the data shows that “external audits find it 4% of the time, and internal 15%.” Instead, the author suggests, to detect fraud, management should look in a different direction.
You may have noticed that there’s still no effective date for the new Disclosure Update and Simplification, which was adopted in August. (See this Cooley Alert.) The new amendments are scheduled to become effective 30 days after publication in the Federal Register, but at this point, the release has not been published. The reason for the delay is anyone’s guess. In the meantime, however, questions have arisen about when filers may be expected to comply with certain financial statement requirements in the new amendments for purposes of upcoming Forms 10-Q.
Here’s a reminder from the SEC: interim financial statements included in Forms 10-Q are required to be “reviewed” by outside auditors. On Friday, in a first enforcement proceeding of its kind, the SEC announced charges against five companies that had filed their 10-Qs with their quarterly financial statements prior to review by their independent external auditors.
You remember, of course, that last month, the president, on his way out of town for the weekend, tossed out to reporters the idea of eliminating quarterly reporting. (See this PubCo post.) The president said that, in his discussions with leaders of the business community regarding ways to improve the business environment, Indra Nooyi, the outgoing CEO of Pepsico, had suggested that one way to help business would be to trim the periodic reporting requirements from quarterly to semiannually. The argument is that the change would not only save time and money, but would also help to deter “short-termism,” as companies would not need to focus on meeting analysts’ expectations on a quarterly basis at the expense of longer term thinking. “We are not thinking far enough out,” he added. (For more on saving time and money through semiannual reporting, see this PubCo post.) But how much impact would a shift to semiannual reporting really have on short-termism?