Officials at the SEC all seem to be singing the same tune these days, emphasizing the need to amp up company disclosures regarding Brexit, the LIBOR phase-out and cybersecurity. As reported by the WSJ, Corp Fin Chief Accountant Kyle Moffatt, speaking at the FEI Current Financial Reporting Issues Conference, echoed the earlier informal guidance provided by SEC Chair Jay Clayton, Corp Fin Director William Hinman and Deputy Director Shelley Parratt that the SEC will be looking for enhanced disclosure on these topics where material. (See this PubCo post.) Given the onslaught of admonitions, companies would be well advised to pay attention.
The Center for Audit Quality, working with Audit Analytics, has just released a new edition of its annual Audit Committee Transparency Barometer, which, over the past five years, has measured the robustness of audit committee disclosures in proxy statements among companies in the S&P Composite 1500. The bottom line, according to the CAQ, is that the level of voluntary transparency has continued to steadily increase in most areas. The report includes several useful examples of the types of disclosure discussed.
In this report, EY discusses an analysis it conducted of voluntary cybersecurity-related disclosures in the 10-Ks and proxy statements of Fortune 100 companies (79 companies that had filed as of September 1, 2018). The analysis notes that not only are regulators focused on cybersecurity risk management and disclosure, but investors also consider cybersecurity risk management critical to the board’s risk oversight responsibilities, and boards are increasingly engaged on the topic. The analysis found a wide variation in the depth and nature of the disclosures.
Now that it’s time for 10-Q filings, questions have been raised about the timing of some of the Inline XBRL-related changes. (See this Cooley Alert and this PubCo post.)
You might recall that, in 2016 and early 2017, the SEC made a big push—through a series of staff oral admonitions and written guidance, as well as an enforcement action—to require issuers to be more transparent and more consistent in the use of non-GAAP financial measures and to avoid altogether non-GAAP measures that were misleading. For example, companies were advised that they needed to present GAAP measures with equal or greater prominence relative to the non-GAAP measures. (See, e.g., this PubCo post.) By early 2017, the SEC staff were apparently sufficiently satisfied (see this PubCo post) with the responses to their campaign that the pendulum swung back, and the relentless finger-wagging by the staff about non-GAAP financial measures appeared to have tailed off. (See this PubCo post.) But, according to this analysis from Audit Analytics, it wasn’t until this year that the SEC staff’s comments regarding non-GAAP financial measures actually began to decline.
SEC issues Section 21(a) investigative report regarding the implications of cyberscams for internal controls
Today, the SEC issued an investigative report under Section 21(a) that advises public companies subject to the internal accounting controls requirements of Exchange Act Section 13(b)(2)(B) of the need to consider cyber threats when implementing internal accounting controls. The report investigated whether a number of defrauded public companies “may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls.” Although the SEC decided not to take any enforcement action against the nine companies investigated, the SEC determined to issue the report “to make issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws. Having sufficient internal accounting controls plays an important role in an issuer’s risk management approach to external cyber-related threats, and, ultimately, in the protection of investors.”
You probably recall that, under SOX 404(b), all public reporting companies, other than non-accelerated filers and EGCs, are required to obtain an auditor attestation regarding the effectiveness of their internal control over financial reporting. SOX 404(a) requires all public reporting companies, including non-accelerated filers, to provide an assessment of ICFR by management. An analysis by Audit Analytics of SOX 404 reporting on ICFR over 14 years showed that the number of adverse auditor attestations—auditor attestations indicating ineffective ICFR—followed different trend lines than management-only assessments.