In this report, EY discusses an analysis it conducted of voluntary cybersecurity-related disclosures in the 10-Ks and proxy statements of Fortune 100 companies (79 companies that had filed as of September 1, 2018). The analysis notes that not only are regulators focused on cybersecurity risk management and disclosure, but investors also consider cybersecurity risk management critical to the board’s risk oversight responsibilities, and boards are increasingly engaged on the topic. The analysis found a wide variation in the depth and nature of the disclosures.
Now that it’s time for 10-Q filings, questions have been raised about the timing of some of the Inline XBRL-related changes. (See this Cooley Alert and this PubCo post.)
You might recall that, in 2016 and early 2017, the SEC made a big push—through a series of staff oral admonitions and written guidance, as well as an enforcement action—to require issuers to be more transparent and more consistent in the use of non-GAAP financial measures and to avoid altogether non-GAAP measures that were misleading. For example, companies were advised that they needed to present GAAP measures with equal or greater prominence relative to the non-GAAP measures. (See, e.g., this PubCo post.) By early 2017, the SEC staff were apparently sufficiently satisfied (see this PubCo post) with the responses to their campaign that the pendulum swung back, and the relentless finger-wagging by the staff about non-GAAP financial measures appeared to have tailed off. (See this PubCo post.) But, according to this analysis from Audit Analytics, it wasn’t until this year that the SEC staff’s comments regarding non-GAAP financial measures actually began to decline.
SEC issues Section 21(a) investigative report regarding the implications of cyberscams for internal controls
Today, the SEC issued an investigative report under Section 21(a) that advises public companies subject to the internal accounting controls requirements of Exchange Act Section 13(b)(2)(B) of the need to consider cyber threats when implementing internal accounting controls. The report investigated whether a number of defrauded public companies “may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls.” Although the SEC decided not to take any enforcement action against the nine companies investigated, the SEC determined to issue the report “to make issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws. Having sufficient internal accounting controls plays an important role in an issuer’s risk management approach to external cyber-related threats, and, ultimately, in the protection of investors.”
You probably recall that, under SOX 404(b), all public reporting companies, other than non-accelerated filers and EGCs, are required to obtain an auditor attestation regarding the effectiveness of their internal control over financial reporting. SOX 404(a) requires all public reporting companies, including non-accelerated filers, to provide an assessment of ICFR by management. An analysis by Audit Analytics of SOX 404 reporting on ICFR over 14 years showed that the number of adverse auditor attestations—auditor attestations indicating ineffective ICFR—followed different trend lines than management-only assessments.
Are we just reading the wrong newspapers and reports or does it seem that auditors—although they spend hours and hours performing audits—rarely identify instances of fraud? Most companies rely on their auditors to uncover irregularities and breathe a sigh of relief when the audit comes up “clean.” Is that reliance misplaced? Probably so, according to this article from CFO.com. “Audits almost never find fraud,” the author writes; the data shows that “external audits find it 4% of the time, and internal 15%.” Instead, the author suggests, to detect fraud, management should look in a different direction.
You may have noticed that there’s still no effective date for the new Disclosure Update and Simplification, which was adopted in August. (See this Cooley Alert.) The new amendments are scheduled to become effective 30 days after publication in the Federal Register, but at this point, the release has not been published. The reason for the delay is anyone’s guess. In the meantime, however, questions have arisen about when filers may be expected to comply with certain financial statement requirements in the new amendments for purposes of upcoming Forms 10-Q.