SEC Enforcement’s Greater Focus on the Role, Responsibilities, and Adequacy of the Compliance Function
Section 404 of the Sarbanes-Oxley Act (SOX) stipulates that companies must include information regarding the adequacy of their internal control procedures relative to financing reporting in their annual reports. As of December 15, 2014, companies that are subject to Section 404 are required to comply with more stringent updated standards for assessing their internal control systems. And that could mean significant changes in the way your organization manages its compliance function. Moreover, failure to comply with the new guidelines could result in some unwanted attention from the Securities and Exchange Commission.
Background
Since the enactment of SOX in 2002 public companies have been required to strictly adhere to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control-Integrated Framework. First implemented in 1992, this set of rules requires organizations to account for internal controls in five key business areas:
- Risk assessment
- Control environment
- Information and communication
- Control activities
- Monitoring
What Is changing?
In May 2014, COSO amended the framework to require companies to incorporate a number of additional principles that are intended to strengthen oversight and place greater focus on detecting fraudulent activities. Organizations must now be able to demonstrate oversight of the risk assessment of outsourced third-party business partners, as well as document their use of technology in the accounting for and protecting of data. Additionally, companies must demonstrate oversight of the data protection process by the board of directors.
How is the SEC involved?
It’s important to note that COSO is only responsible for developing and updating the framework. The actual enforcement falls under the purview of the Securities and Exchange Commission (SEC). The SEC will determine whether an organization’s systems of internal controls for financial reporting meet the new COSO standards. As of now, it is still unclear as to what punitive measures the SEC will implement against companies that do not comply by the December 15 deadline. At minimum, non-compliant companies can expect to receive a comment letter from the SEC.
Organizational impact of the new rules
Depending on the organization, achieving compliance with the new COSO framework could result in additional cost and considerable effort. In organizations that previously relied on a loose, informal risk assessment process, the onus will be on the board, management, and auditors to develop a more formalized assessment procedure. Specifically, organizations must be certain that the risk assessment aligns with the five original COSO framework areas and the updated principles.
Additionally, companies that rely on services performed by third-party vendors will need to more closely scrutinize these relationships. It’s possible that companies may need to rework contractual language to give them greater oversight and control over vendor activities, which could be met with strong initial resistance from the vendors.
Make your best effort to achieve initial compliance
The relatively short time frame that companies have been given to meet the December 15 deadline has made it a challenge for many to comply with the new requirements in time. According to Toby DeRoche, an audit, risk, and compliance market consultant at global information and publishing services company Wolters Kluwer, having something in place is better than nothing at all. You’ll be able to demonstrate to the SEC that you’ve at least made an effort. Going forward, you can begin the process of working toward total compliance.
What to expect in the event of an SEC investigation
What if SEC scrutiny of your internal control compliance efforts results in more than the issuance of a comment letter? It’s possible that the SEC could spot red flags that warrant further review, or that a whistleblower could alert it of fraud or other areas of non-compliance. If so, it will likely implement an investigative process consisting of the following steps:
- Conducting of an informal fact-finding inquiry
- If the SEC deems it necessary to move further, it will then launch a formal inquiry. You are required to publicly disclose the existence of a formal inquiry, typically through the public issuance of a Form K-8.
- If the formal inquiry uncovers a potential violation, the SEC will issue what is known as a Wells letter, which states the nature of the violation and provides specific details. You will have 90 days to respond to the allegations.
- The final step is waiting for the SEC to take any additional investigative steps it deems necessary and make its final determination.
According to David K. Erickson, a member of the National Investor Relations Institute Ethics Council, it is prudent to seek the advice of legal counsel as early in the investigative process as possible, preferably prior to communicating with the SEC on your own. When responding to a Wells letter, full disclosure is the best policy.
For a breakdown of how the new COSO principles apply to the five basic internal control components, click here.