In May, SEC Chief Accountant Paul Munter, quoted here, cautioned his conference audience about the potential for audit committee overload. “More demands are being put on audit committees, sometimes on topics outside their core responsibility,” he said. “Audit committees need to be continually vigilant that they have enough time to focus on their core mission—protecting investors—and don’t let other topics cloud that out.” While the AC’s primary responsibilities are generally thought to be oversight of financial reporting, including the audit of a company’s financial statements and internal control over financial reporting, these days, the AC often becomes the default committee of choice for oversight of other emerging risks, such as cybersecurity and even ESG. With ACs now perhaps the “kitchen sink of the board,” are its members stretched too thin to carry out fundamental responsibilities? Are members being asked to operate outside of their core skillsets? What is the impact? These concerns appear to have prompted the panel at last week’s meeting of the SEC’s Investor Advisory Committee discussing AC workload and transparency.
Last month, Cornerstone Research told us that accounting and auditing enforcement activity by the SEC in FY 2022 increased by 55% over the prior fiscal year to 68 enforcement actions, 25 of which alleged improper revenue recognition. Among the actions involving accounting restatements, 63% involved allegations regarding revenue recognition and internal control over financial reporting. We also saw a steep increase in actions against individuals, reportedly reflecting the emphasis of SEC Chair Gary Gensler on imposing individual accountability. (See this PubCo post.) With this new SEC Order charging USA Technologies, Inc., now known as …er… Cantaloupe, Inc.—clearly someone’s favorite fruit—with improper revenue recognition practices and ICFR violations, the SEC continues that trend. For their roles participating in these improper activities, the SEC also brought actions against USAT’s former VP of Sales and Marketing and its former Chief Services Officer.
In this report from Cornerstone Research, SEC Accounting and Auditing Enforcement Activity—Year in Review: FY 2022, Cornerstone tells us that accounting and auditing enforcement activity by the SEC increased sharply in FY 2022, although surprisingly, the aggregate amount of monetary settlements declined sharply. Perhaps most interesting is the steep increase in actions against individuals, reportedly reflecting the emphasis of SEC Chair Gary Gensler on imposing individual accountability and perhaps, by extension, spurring action by executives to prevent misconduct at their companies. The report found that over “half of all actions involved individual respondents only, a sharp increase from the FY 2017–FY 2021 average of 37%. Following Chair Gary Gensler’s swearing-in [in April 2021] through the end of FY 2022, approximately 49% of actions were initiated against individual respondents only.” According to one of the co-authors of the report, “[u]nder Chair Gensler’s leadership, the SEC has identified ‘holding individuals accountable’ as a ‘key priority area’ in its enforcement program”…. So, it is not a surprise that the percentage of actions initiated against individual respondents in FY 2022 was notably higher than those actions initiated during Jay Clayton’s administration.”
According to audit firm PwC, non-GAAP financial measures play an important role in financial reporting, “showing a view of the company’s financial or operational results to supplement what is captured in the financial statements,” and help to tell the company’s financial story, as the SEC has advocated in connection with MD&A, “through the eyes of management.” Yet, they also have the potential to open the proverbial can of worms, subjecting the company to serious SEC scrutiny and possible SEC enforcement if misused. Just a couple of weeks ago, the SEC announced settled charges against DXC Technology Company, a multi-national information technology company, for making misleading disclosures about its non-GAAP financial performance. According to the Order, DXC materially increased its reported non-GAAP net income “by negligently misclassifying tens of millions of dollars of expenses ” and improperly excluding them from its reported non-GAAP earnings. In addition to misclassification, DXC allegedly provided a misleading description of the scope of the expenses included in the company’s non-GAAP adjustment and failed to adopt a non-GAAP policy or to have adequate disclosure controls and procedures in place specific to its non-GAAP financial measures. Consequently, DXC “negligently failed to evaluate the company’s non-GAAP disclosures adequately.” DXC agreed to pay a civil penalty of $8 million. (See this PubCo post.) So what can a company’s audit committee do to help prevent the types of problems that have arisen at DXC and elsewhere? Audit committees may find helpful this recent article from PwC providing guidance for committees tasked with oversight of the use of non-GAAP financial measures.
Under the pressure of institutional investors, environmental groups, employees, consumers and other stakeholders, many companies have sought to demonstrate their bona fides when it comes to ESG through disclosure about their sustainability efforts, goals and achievements, whether in periodic reports or in separate sustainability reports. But, as reporting increases, so do concerns by some about potential greenwashing. How can companies assure the quality of their sustainability reporting and create more trust and confidence among stakeholders? One way might be through effective internal controls. So far, however, according to a new report from Committee of Sponsoring Organizations of the Treadway Commission, known as COSO, ”[f]ew best practices have been established. While some larger institutions have progressed in building controls around environmental, social, and governance (ESG) reporting, many organizations have designed ad hoc controls around certain key sustainable business metrics. Many also perform internal verification and assurance procedures to ensure management comfort with this information. Yet few of them seem to have developed effective, integrated systems of internal control over their material or decision-useful sustainable business information.” Now, leveraging insights gleaned from development of the most widely used internal control framework—the COSO Internal Control-Integrated Framework—COSO has developed the concept of ”internal control over sustainability reporting” (ICSR). In its new report, which weighs in at 114 pages, COSO provides supplemental guidance that explains and interprets how each of the 17 principles in the 2013 version of the COSO ICIF applies to sustainable business activities and sustainable business information. According to the authors, “[i]nternal controls have value beyond compliance and external financial reporting. Effective internal controls can help an organization articulate its purpose, set its objectives and strategy, and grow on a sustained basis with confidence and integrity in all types of information.” As companies seek to “generate sustained value—ethically and responsibly—over the longer term,” with an emphasis on sustainability and ESG, both companies and their stakeholders need effective controls and oversight to provide the reliable and high-quality data needed for “decision making in this changing world.”
In this new statement, SEC Chief Accountant Paul Munter—no longer “acting” Chief, he got the job—discusses some of the issues arising out of the increased use by lead auditors of other accounting firms and individual accountants (referred to as “other auditors”) on many issuer audit engagements. While, in this context, much of the responsibility falls on the lead auditors, audit committees also have an important oversight role, and Munter has some useful advice for audit committee members.
The SEC has announced settled charges against DXC Technology Company, a multi-national information technology company, for making misleading disclosures about its non-GAAP financial performance in multiple reporting periods from 2018 until early 2020. According to the Order, DXC materially increased its reported non-GAAP net income “by negligently misclassifying tens of millions of dollars of expenses ” as non-GAAP adjustments related to strategic transactions and integration and improperly excluding them from its reported non-GAAP earnings. In addition to misclassification, DXC allegedly failed to accurately describe the scope of the expenses included in the company’s non-GAAP adjustment, with the result that “its non-GAAP net income and non-GAAP diluted EPS in periodic reports and earnings releases were materially misleading.” What’s more, the SEC alleged, DXC’s disclosure committee “negligently failed to evaluate the company’s non-GAAP disclosures adequately,…and failed to implement an appropriate non-GAAP policy” or adequate disclosure controls and procedures specific to its non-GAAP financial measures. Consequently, DXC “negligently failed to evaluate the company’s non-GAAP disclosures adequately.” DXC agreed to pay a civil penalty of $8 million. According to the SEC’s Associate Director of Enforcement, “[i]ssuers that choose to report non-GAAP financial metrics must accurately describe those metrics in their public disclosures….As the order finds, DXC’s informal procedures and controls were not up to the task, and, as a result, investors were repeatedly misled about its non-GAAP financial performance.”
It was just November last year when the SEC finally adopted rules to implement Section 954 of Dodd-Frank, the clawback provision. (Remember that Dodd-Frank dates to 2010 and the clawback rules were initially proposed by the SEC back in 2015.) The new rules directed the national securities exchanges to establish listing standards requiring listed issuers to adopt and comply with clawback policies and to provide disclosure about their policies and implementation. Under the rules, the clawback policy must provide that, in the event the listed issuer is required to prepare an accounting restatement—including a “little r” restatement—the issuer must recover the incentive-based compensation that was erroneously paid to its current or former executive officers based on the misstated financial reporting measure. (See this PubCo post.) The final rules required any covered exchanges to file proposed listing standards with the SEC no later than February 27, with the listing standards to be effective no later than one year after publication. On Tuesday, the SEC posted the listing standards proposed by Nasdaq and by the NYSE. They’re largely the same, with some differences, both tracking the SEC requirements closely. Both proposals are open for comment until 21 days after publication in the Federal Register.
If you’re waiting with bated breath to find out what the SEC has in store for public companies in its final version of its climate disclosure regulations (see this PubCo post, this PubCo post and this PubCo post), you might also want to take a look at this California bill—the Climate Corporate Data Accountability Act (SB 253)—previously known as the Climate Corporate Accountability Act when it went belly up last year after sailing through one chamber of the legislature but coming up shy in the second (see this PubCo post). In fact, this year, the press release announces, the bill is part of California’s Climate Accountability Package, a “suite of bills that work together to improve transparency, standardize disclosures, align public investments with climate goals, and raise the bar on corporate action to address the climate crisis. At a time when rising anti-science sentiment is driving strong pushback against responsible business practices like risk disclosure and ESG investing,” the press release continues, “these bills leverage the power of California’s market to continue the state’s long tradition of setting the gold standard on environmental protection for the nation and the world.” If signed into law this time, the bill, which was introduced at the end of January and has a hearing scheduled in March, would mandate disclosure of GHG emissions data—Scopes 1, 2 and 3—by all U.S. business entities with total annual revenues in excess of a billion dollars that “do business in California.” The bill’s mandate would exceed, in several key respects, the requirements in the current SEC climate proposal. Whether this new bill will face the same fate as its predecessor remains to be seen.