The Securities and Exchange Commission (SEC) “filed a record 755 enforcement actions covering a wide range of misconduct and obtained orders totaling $4.16 billion in disgorgement and penalties, according to preliminary figures” for their fiscal year ending September 30, 2014.1 The 755 enforcement actions are significantly higher than the 686 they filed in FY 2013, which is largely attributed to new data and analytical tools. Some of these enforcement actions hit at the core of inadequate controls, which led to accounting errors and fraud. This article takes a deeper look at three recent SEC enforcement actions in an effort to raise awareness, comprehend conduct and spark debate. Ten lessons and thoughts are presented for auditors, executive management, control owners, legal counsel and Board directors to consider.
SEC Charges Company CEO and Former CFO With Hiding Internal Controls Deficiencies and Violating Sarbanes-Oxley Requirements (SEC Press Release No. 2014-152)
Familiar executive titles for many SEC enforcement actions, the CEO and CFO of QSGI Inc., who were both co-founders of the company, were charged with making misrepresentations to investors and their external auditors regarding the state of their internal controls over financial reporting (ICFR). Specifically, the CEO did not participate in management’s assessment of internal controls as required by Section 404 of the Sarbanes-Oxley Act of 2002 (SOX or the Act) despite signing a certification2 that he had evaluated the ICFR. The CEO certified that he had disclosed all significant deficiencies and material weaknesses in the design or operation of the ICFR to the auditors and the audit committee, which was not the case.
According to the SEC Order against the CEO, the internal control problems resulted in the falsification of books and records relating to inventory. Specifically, company personnel shipped certain inventory received into its facilities out to customers without making the appropriate entries into the company’s books and records. They also removed items from physical inventory without relieving the inventory from the company’s books and records. According to the SEC Order, “the company failed to design procedures taking into account the existing control environment, including the qualifications and experience level of persons employed to handle accounting. Training of accounting, sales and warehouse personnel either did not take place or was inadequate.” A contributing cause to these control deficiencies was that replacement personnel for departing accounting personnel lacked accounting backgrounds and failed to fully carry out their responsibilities. During this period, the CEO knew of the ongoing deficiencies and the circumvention of internal controls relating to inventory. The CEO also accelerated recognition of accounts receivable and/or the receipt of product into inventory to increase the company’s borrowing base associated with its revolving credit facility. The SEC Order goes on to state that the CEO signed misleading management representation letters for the auditor and falsely represented that he evaluated the ICFR using criteria set forth by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in their Internal Control – Integrated Framework.
Lessons and Thoughts:
- The CEO and CFO have an obligation to take SOX disclosure and certification requirements seriously. This includes understanding COSO’s Internal Control – Integrated Framework, since this is the control framework they cite for purposes of their management assessment of ICFR per Item 308 of SEC Reg S-K.
- Accounting personnel must be competent in performing their duties, including having appropriate credentials and receiving ongoing training. Fraudsters often hide behind the incompetency of others.
- Just because something is signed does not mean that the substance of the details was truthful or completed. Signatures are important for obvious reasons, but they need to be interpreted with professional skepticism. Over-reliance on signatures is risky.
- Where is the governance oversight? Without appropriate controls at the Board level, fraud committed by executive management is not likely to be prevented or detected in a timely manner. Directors’ reputation is at risk, especially for those on the audit committee.
SEC Charges Arizona-Based Software Company for Inadequate Internal Accounting Controls Over Its Financial Reporting (SEC Press Release No. 2014-216)
The SEC sanctioned JDA Software Group Inc. for having inadequate ICFR, resulting in misstated revenues in public filings. Specifically, the SEC investigation found that the company failed to properly recognize and report revenue from certain software license agreements it sold to customers because controls failed to consider necessary information for determining a critical component of revenue recognition for software companies. If companies are unable to demonstrate vendor-specific objective evidence (VSOE) in determining the fair value of certain services related to a software license agreement, then they cannot immediately recognize the revenue. If the company had proper ICFR, they would have considered VSOE and recognized revenue ratably over the terms of the services agreements.
According to the SEC Order, the company failed to accurately record and report revenue because of inadequate controls regarding revenue recognition. For example, the company lacked adequate revenue recognition policies and procedures and failed to identify all service-related contracts needed for VSOE testing to determine the fair value of certain services. In addition, the company did not have sufficient controls to determine whether software license agreements and related services contracts were linked to each other. As a result of these ICFR failures, the company restated financial statements for 2008, 2009, 2010 and for the first three quarters of 2011. In connection with the restatements, the company identified a previously undisclosed material weakness in its ICFR related to revenue recognition. The SEC imposed sanctions on the company including a cease-and-desist order from committing or causing further violations, as well as a civil money penalty of $750,000 to the U.S. Treasury, which the company agreed to pay as settlement of the SEC’s charges.
Lessons and Thoughts:
- Accounting restatements are often tied to material weaknesses that were previously undisclosed. Identifying material weaknesses years after the control deficiencies existed casts a shadow on both management and their auditors for not identifying them in a timely manner.
- Revenue recognition can be complex, especially for software companies in demonstrating proper VSOE. Drawing upon the proper expertise, both for control owners and internal audit, is critical.
- The SEC is looking at ICFR and imposing sanctions on companies found to have material misstatements.
SEC Charges Two Information Technology Executives With Mischaracterizing Resale Transactions to Increase Revenue (SEC Press Release No. 2014-179)
This SEC investigation found that the CEO and CFO of Affiliated Computer Services (ACS), which has since been acquired by Xerox Corporation, caused disclosure failures in light of the company’s revenue falling short of guidance and consensus analyst expectations. As a result, they orchestrated a scheme to arrange for an equipment manufacturer to re-direct through ACS pre-existing orders that the manufacturer already had received from one of its customers. This positioned the company to have the appearance that they were involved in resale transactions when, in fact, they were not. ACS went on to report $124.5 million in fiscal year 2009 revenue from these transactions as though it had resold the equipment itself. The inflated revenue numbers allowed the CEO and CFO to boast a falsified key metric in their earnings releases and other public statements to investors. In addition, the inflated revenue was linked to a portion of their annual bonuses.
What is especially interesting about this case is that one of the five commissioners, Luis A. Aguilar, cast a dissenting vote from the SEC’s order. In his Dissenting Statement, Commissioner Aguilar discusses the CFO’s role in the misconduct, pointing out that as a CPA, the CFO takes on an even greater responsibility of public trust. Commissioner Aguilar stated, “When these accountants engage in fraudulent misconduct, the Commission must be willing to charge fraud and must not hesitate to suspend the accountant from appearing or practicing before the Commission.” The SEC instead charged the CFO with non-fraud charges of violations of the books and records, internal controls, reporting and certification provisions of the federal securities laws. Commissioner Aguilar went on to say that he is “concerned that the Commission is entering into a practice of accepting settlements without appropriately charging fraud and imposing Rule 102(e) suspensions against accountants in financial reporting and disclosure cases.” He also identified a downward trend regarding SEC Rule 102(e) suspensions since the SEC’s fiscal year 2010. Rule 102(e) allows the SEC to deny accountants and attorneys, either temporarily or permanently, the privilege of appearing or practicing before it in any way, including being a Board member or officer of a public company.
Lessons and Thoughts:
- Invoke professional skepticism of executive compensation numbers that are controlled by the CEO and CFO. Yes, ultimately these executives control company performance; however, there needs to be strong ICFR to combat the risks of fraudulently manipulating the performance and compensation metrics.
- Accountants and attorneys should be held to a greater level of public trust. As licensed professionals, they are granted the privilege to practice; this should never be taken for granted.
- Perhaps the SEC should revisit their performance metrics to focus more on holding fraudsters accountable (i.e., an outcome measure), rather than showcasing the number of enforcement cases they pursued (i.e., an output measure). Performance measures utilizing outcomes are generally more meaningful than measures of inputs or outputs. Also, by not holding fraudsters’ feet to the fire, the regulatory and criminal justice aspects of government are fueling the rationalization for fraudsters to commit fraud since they will not likely be held accountable.
In conclusion, the journey over the course of a business career will have many decision points triggering judgments that ultimately define us all. Staying true to your moral compass and seeking learning opportunities in the spirit of continuous improvement are key ingredients that are priceless to your employer and career.
Candela Solutions LLC is a CPA firm building value for clients through strong governance and internal auditing services to deliver peace of mind to the CFO and Audit Committee. Visit our website at www.CandelaSolutions.com for more information.
This is an article reprint from the Governance Issues™ Newsletter, Volume 2014, Number 3, published on November 12, 2014.
2 Section 302 of the Act requires a signed certification by the CEO and CFO for all annual and quarterly reports filed with the SEC, which is Exhibit 31.1 and 31.2 to the periodic reports.