Tips For Public Co. Financial Controls Amid Growing Scrutiny

By Scott Kimpel and Matthew Bosher
Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.

Sign up for our Securities newsletter

You must correct or enter the following before you can sign up:

Select more newsletters to receive for free [+] Show less [-]

Thank You!



Law360 (April 30, 2020, 5:38 PM EDT )
Scott Kimpel
Matthew Bosher
The COVID-19 pandemic's impact on business cannot be overstated, and public companies have begun to deal with a host of financial and operational issues that have adversely impacted their quarterly results and future prospects.

In the coming weeks, public companies preparing their next Form 10-Q will face a myriad of novel and often unfamiliar financial reporting issues, including subsequent event disclosure, fair value and impairment measurement, accounting for loss contingencies and exit activities, revenue recognition, tax liabilities, going concern and potential insurance recoveries, just to name a few.

Businesses accepting federal or other stimulus funds will be required to operationalize a variety of limitations on executive compensation, workforce relations, share repurchases and dividends, among other things. And the pressure on employees to cut corners is often greater in an economic downturn.

The 2008 financial crisis demonstrated how difficult these issues can be to navigate during a period of economic uncertainty accompanied by widespread volatility in the markets. In addition to the reemergence of these stresses, public companies must now also sort them out while their independent audit firms and substantially all of the key company participants in the financial reporting process are working physically apart from one another.

With mandatory lockdown orders in place in most states, and at least one such order that extends all the way through June 10, it has become clear that there is no quick end in sight.

Even when shelter-in-place and social distancing protocols become relaxed, many businesses could face a long glide path before one can expect some semblance of normality to return. Regretfully, some businesses will teeter on the edge of insolvency and others will face the prospect of bankruptcy.

Legal Framework

Briefly, Section 13(b)(2)(A) of the Securities Exchange Act of 1934 requires public companies to make and keep books, records and accounts which, in reasonable detail, accurately and fairly reflect transactions and dispositions of assets.

Section 13(b)(2)(B) of the Exchange Act requires public companies to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, or GAAP, and to maintain accountability for assets.

Item 307 of Regulation S-K also requires management periodically to assess disclosure controls and procedures.

The securities laws and auditing standards issued by the Public Company Accounting Oversight Board, together with a vast accounting and financial reporting literature, largely inform the process by which accounting professionals and management evaluate the effectiveness of internal controls.

In light of the recent disruption to the markets and the widespread dislocation of key personnel, we expect audit firms to be especially vigilant in their interim reviews of internal controls during this Form 10-Q cycle.

The U.S. Securities and Exchange Commission regularly alleges violations of disclosure controls and internal controls when the agency brings accounting and disclosure cases against public companies, management and outside auditors.

For example, the SEC's highly publicized enforcement case[1] against Tesla Inc. found that the company had no disclosure controls or procedures in place to determine whether CEO Elon Musk's social media posts contained information required to be disclosed in the company's SEC filings.

Using the 2008 financial crisis as a benchmark, an SEC enforcement case involving deficiencies in internal controls arising from market turmoil during that period is particularly instructive in light of current market conditions.

The case[2] focused on The St. Joe Company (a publicly traded real estate developer), much of its senior management team and two senior members of its accounting department. There, the SEC found that the company improperly accounted for impairments surrounding the declining value of its residential real estate developments during the 2008 financial crisis and subsequently failed to correct those errors.

As a result of this misconduct, St. Joe reported materially overstated earnings and assets in 2009 and 2010. The SEC also determined that the company failed to disclose in its 2010 Form 10-K that it had decided not to proceed with the material development and planning of two of its largest real estate developments, and had instead determined to sell the related undeveloped land in the future.

Accordingly, the SEC charged the respondents with committing or causing various violations of the anti-fraud, internal controls, books and records, periodic reporting and other provisions of the federal securities laws.

The SEC's order specifically called out the fact that St. Joe failed to maintain adequate books and records concerning its impairment testing of real estate developments. The SEC found that the company failed to sufficiently perform the following critical activities:

  • Maintain adequate records of quarterly impairment testing reviewed as part of its quarterly and annual accounting close process;

  • Document support for assumptions used in undiscounted cash flows used in impairment testing;

  • Document its processes and procedures concerning impairment testing;

  • Maintain the integrity of the economic models used in connection with past impairment testing; and

  • Document identified errors in past impairment testing.

Importantly, the SEC emphasized that St. Joe's books and records failures adversely impacted the SEC's investigation, including causing "unreasonably prolonged uncertainty" concerning the company's historic impairment testing procedures and causing "substantial delays to, and otherwise unnecessary steps in, that investigation."

In settling the case, the company and the individual defendants each agreed to cease and desist from future violations of the affected provisions of the federal securities laws. St. Joe paid a civil monetary penalty of $2.75 million, and individual defendants agreed to disgorgement and civil monetary penalties ranging from $25,000 to over $550,000. Several individual defendants were each denied the privilege of appearing and practicing before the commission as an accountant for various periods of time.

The Challenge for Management

We recommend that companies begin to assess their existing disclosure and internal controls by taking stock of what has changed in the current financial reporting environment. Unique or novel accounting issues should be carefully analyzed, and expert advice sought when internal resources are insufficient.

Potential and actual disruptions to a company's supply chain, customer base, operations, processes and workforce should be weighed when evaluating the operating effectiveness of legacy controls. As part of this process, companies should also assess any potential deficiencies in review-type internal controls, and the ability of employees to perform control duties in light of shelter-in-place orders and other company-specific remote-work protocols.

Based on this assessment, companies should determine whether existing controls are sufficient to prepare financial statements and disclosure documents at the reasonable assurance level. If a legacy control cannot be performed as previously designed, companies should determine what new controls may be necessary to reduce the risk of errors and fraud. In doing so, they should ensure that any changes in design address both the original risks of material misstatement as well as any new risks.

With many companies migrating to a telework environment, companies should especially reconsider the SEC's guidance[3] on cybersecurity controls and disclosure. We have recently observed an uptick in business email compromise schemes, which the SEC has previously identified[4] as an emerging risk.

According to the SEC, having internal accounting control systems that account for such cyber-related threats and related human vulnerabilities is vital to maintaining a sufficient accounting control environment and safeguarding company assets.

The SEC has provided a 45-day grace period[5] and other minor accommodations[6] for making periodic filings, including Form 10-Q, and we have observed public companies of all sizes availing themselves of the relief. Nevertheless, in a recent public statement,[7] the SEC's chief accountant emphasized that although the SEC staff has some degree of flexibility due to COVID-19 disruptions, ultimately the agency still expects high-quality accounting and disclosure from public companies.

The SEC chairman and director of the Division of Corporation Finance echoed these sentiments in another recent public statement,[8] urging companies responding to the pandemic to "provide as much information as is practicable regarding their current financial and operating status, as well as their future operational and financial planning."

Relatedly, we remind companies to make sure that their disclosure controls are operating effectively so they can produce thoughtful and robust disclosures for investors. In a series of interviews and public statements, the SEC's chairman and other senior officials have recently urged public companies to provide timely updates on the current and forward-looking impact of the pandemic on their businesses, including whether a company has applied for or received federal or other stimulus funds.

Finally, and in light of the above, public companies must determine whether they have made any change to the design of their internal controls that has materially affected, or is reasonably likely to materially affect, those controls such that disclosure is required in Form 10-Q in accordance with Item 308(c) of Regulation S-K. Likewise, management must be able under Item 307 to disclose the conclusions of its principal executive and principal financial officers as to the effectiveness of the issuer's disclosure controls and procedures.

Parting Thoughts

In the current environment, public companies of all types should expect to find themselves under heightened scrutiny from the news media, putative whistleblowers, agency inspectors general, consumer watchdog groups, members of Congress and other political figures.

Businesses accepting stimulus funds may find that scrutiny to be pervasive and relentless. Plaintiffs firms are already actively seeking out securities and other cases involving alleged misconduct relating to the pandemic.

As we alluded to above, the SEC brought a wide range of enforcement cases after the last financial crisis involving accounting irregularities, deficient controls, insider trading and other forms of securities fraud. These cases are frequently brought with the benefit of hindsight. We fully expect history to repeat itself when the current crisis abates.

The best defense against the prospect of future regulatory inquiries or outright litigation remains a robust control environment. Companies should not hesitate to change their procedures when circumstances require. And they should retain well-documented support files for all material disclosures.



Scott Kimpel and Matthew Bosher are partners at Hunton Andrews Kurth LLP.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] http://www.sec.gov/litigation/complaints/2018/comp-pr2018-226.pdf.

[2] http://www.sec.gov/litigation/admin/2015/33-9967.pdf.

[3] https://www.huntonak.com/images/content/3/5/v2/35839/sec-publishes-guidance-public-company-cybersecurity-disclosure.pdf.

[4] https://www.huntonak.com/images/content/5/4/v2/54682/sec-issues-report-on-cybersecurity-internal-controls.pdf.

[5] https://www.sec.gov/news/press-release/2020-73.

[6] https://www.sec.gov/sec-coronavirus-covid-19-response.

[7] https://www.sec.gov/news/public-statement/statement-teotia-financial-reporting-covid-19-2020-04-03.

[8] https://www.sec.gov/news/public-statement/statement-clayton-hinman.

For a reprint of this article, please contact reprints@law360.com.

Hello! I'm Law360's automated support bot.

How can I help you today?

For example, you can type:
  • I forgot my password
  • I took a free trial but didn't get a verification email
  • How do I sign up for a newsletter?
Ask a question!