Since enacting the Securities Exchange Act in 1934, Congress has repeatedly expanded the arsenal of the SEC to protect investors through enforcement actions. As a result, the SEC—though constrained by limited resources—has steadily increased the number of enforcement actions. In 2016, the SEC brought 868 actions, the most in the agency's history.
The author's analysis of 1,563 accounting and auditing enforcement cases from 2008 to 2014 shows the most frequent securities law violations adjudicated by the SEC, the penalties rendered, and the person most often at the center of a case during this period.
By studying and understanding the findings, accountants can learn where standard accounting practices failed or were subverted and how to best deter, prevent, detect, or correct violations. The best practice recommendations are based on five general principles derived from the lessons learned and include examples of high-frequency frauds and high-dollar penalties.
ENFORCEMENT OF FRAUD CASES
Research suggests that enforcement actions reflect priorities the SEC sets to target violations that are considered to cause the most harm to investors. The majority of the 1,563 SEC accounting and auditing enforcement cases were of an administrative nature, but about 12% were classified as frauds. Financial reporting frauds were the most frequent, followed by violations of standards set by the PCAOB, independence violations, acts of foreign corruption and bribery, and internal control violations (see the chart "Frequent Frauds, 2008—2014").
Violations of the Foreign Corrupt Practices Act resulted in the highest penalties, averaging $43.8 million per case and constituting 47% of the more than $1.02 billion in penalties the SEC assessed in fraud cases during the six-year period. Internal control violations represented about 23% of the penalties assessed, followed by financial reporting violations (8%) and independence violations (1%). PCAOB violations accounted for less than 1% of total penalties assessed (see the chart "Penalty Totals Per Fraud, 2008—2014").
The industry assessed by far the highest penalty total during the period studied was financial services (44.1%), followed by mining (17.1%), energy (16.3%), apparel and accessories (6.7%), and manufacturing (4.6%) (see the chart "Total Dollar Penalties by Industry, 2008—2014"). The research did not address why the financial services industry made up such a large portion of the total penalties assessed. It should be noted, however, that the six years studied coincided with a global financial crisis that started in the United States and led to the establishment of the Financial Fraud Enforcement Task Force in 2009.
Fraud charges enforced by the SEC were most often focused on the CFO (25%), followed by the corporation (23%) and the CEO (14%). But corporations paid higher penalties than individuals (see the chart "Total Assessed Fines by Level of Profession, 2008—2014").
The highest fine and punishment levied upon individuals was $208 million, designated as restitution, to be paid by the CEO, the chairman of the board, and the CFO of a financial services company. The SEC case was accompanied by an FBI investigation and federal prosecution. The CEO received 50 years in prison, the chairman of the board got 25 years in prison, and the CFO 10 years in prison. All three executives also were sentenced to two years of supervised release. About 5,000 investors were defrauded of more than $200 million, and state regulators were deliberately misled.
The Sarbanes-Oxley Act of 2002 includes a clawback provision, Section 304. If there is a restatement because of material noncompliance, due to misconduct, with financial reporting requirements under the federal securities laws, Section 304 generally requires public company CEOs and CFOs to disgorge bonuses, other incentive- or equity-based compensation, and profits on sales of company stock that they receive within the 12-month period following the public release of financial information. Application of the clawback provision was not encountered in the cases studied for this analysis.
The accounting profession has diverse protocols, procedures, rules, and regulations in addition to the relevant financial laws codified in state or federal statutes. The author suggests that best practices most applicable to deter, detect, expose, or correct violations represented in the SEC accounting and auditing enforcement cases can be described in five general principles:
Clearly define the external audit mission, objectives and framework, and evaluate any internal audit practices relevant to those objectives.
"Preventing false and misleading disclosures" is a logical external audit objective. In the example below, the "deficient underwriting and loan monitoring controls" were the direct cause of the "false and misleading disclosures." Thus, revealing and fixing those deficient controls would have prevented or ameliorated the bank's false and misleading disclosures of past-due loans and loan losses in 2009 and 2010.
The bank had deficient underwriting and loan monitoring controls and failed to take appropriate action on many of its matured loans. As a result, the bank omitted almost $669 million in past-due matured loans in its filings with the SEC. The faulty information was then incorporated into materials provided for the bank's 2010 public offering.
Internal audit practices recommended in the bullets below would have ensured that controls are in place for monitoring the specified items and that these controls are audited monthly, and that disclosures of past-due loans comply with the standards.
- Ensure that controls for monitoring underwriting, loans, completions, and payoffs-at-maturity are in place and audited monthly, including the continuation, sale, or lease of the construction projects underlying those loans.
- Ensure that disclosures of past-due loans comply with GAAP and Regulation S-K (SEC Industry Guide 3).
Make sure the auditor/client relationship is strong and open to full communication and that everything that should be communicated is in fact communicated.
A 2014 SEC case that involved several real estate investment trusts and their executives and advisers resulted in fines totaling $1.7 million and cease-and-desist actions. The trusts misrepresented and omitted information in SEC filings concerning the valuation of their units. Also, personal loans and cash transfers were not approved by an affirmative vote of the trusts' independent directors. The internal control failures in the case show the need for affirmative actions and protections.
Deficient internal controls caused some information to be misrepresented and some to be simply omitted: Not everything that should have been communicated actually was, leading to errors and fraud resulting in high fines and cease-and-desist actions.
The internal control failures in this case show the need (as in the first and fourth bullets below) for explicit affirmative actions and protections to force detection and disclosures relating to valuations, interparty transactions, and all significant compensation.
Similarly, as in the second and third bullets below, explicit disclosure controls and procedures are needed to communicate and reveal changes to relevant realities in market conditions, valuations, or appraisals.
- Ensure that internal controls force detection and disclosures relating to valuations, related-party transactions such as loans and guarantees, and all significant compensation to or among executives or directors.
- Devise and maintain sufficient disclosure controls and procedures to meaningfully evaluate whether changes in market conditions or other factors require changes to valuation disclosures.
- Disclose appraisal or other valuation methodologies as applied to assets and meaningful estimates of underlying or realizable value.
- Disclose all regular and supplemental compensation to and among officers, directors, and advisers, and ensure that these facts do not contradict affirmative disclosures to the public, to partners, or to other stakeholders.
Avoid a same-as-last-year approach to analyze accounts and transactions.
Take a fresh view, taking into account changes in the business or in the laws relevant to its business operations, so as to remain sensitive to finding or recognizing areas of risk, error, or malfeasance. Speak to the company's internal auditing or accounting team. Even seemingly innocuous questions, including, "Is there anything here that I might need or want to know?" can elicit valuable insights or pointers to aspects of company records that might otherwise have not seemed questionable.
Focus on high-risk areas and potential trouble areas, and reduce time and effort spent on low-risk areas.
With consolidated financial statements, drill down to identify material accounts that should be audited for effective controls. For example, high-risk areas in a mining company's operations might involve methods of assessing resources, valuations, and sales and distribution arrangements, as well as validating sources and timings. Potential trouble areas might include expected (or unexpected) changes in shipping operations or practices, routes or carriers, and labor contracts, practices, or agencies. Low-risk areas include inventories of low-value supplies or inventories of large concrete blocks.
In an SEC case that involved bribes paid by a middleman working for subsidiaries of a multinational company, proper controls and monitoring functions could have detected, for example, a sham 10-year distributorship agreement with markups and commissions unrelated to legitimate services that was recorded in the company's books and records and approved by its in-house counsel.
Make use of software that enables proper document sharing between auditor and client, which will effectively detect errors or omissions in financial data and will analyze inconsistencies or unexpected variations.
Technology alone, however, cannot detect consistent lies in the basic raw data on which all subsequent processing is based. Only conscientious follow-up action can expose and correct such fundamental violations in material noncompliance with GAAP, as the following example illustrates.
The SEC fined the CEO of an enterprise software company $2,570,596 in bonuses, other incentive-based or equity-based compensation, and stock sale profits because the company reported false financial results from 2007 until 2012 to accelerate revenue recognition and achieve quarterly revenue targets. Methods used included "pre-booking," which meant professional service hours were recorded and billed in advance of actual performance, and "under-booking," which involved not reporting, or incorrectly reporting, professional service hours worked to conceal budget overruns.
The company admitted that internal controls existing at the time were circumvented and that it failed to devise and maintain adequate internal accounting controls over its professional services business and subsidiaries over the period of the fraud.
This research reviewed SEC securities law violations from 2008 to 2014 for which the SEC published punishments or rulings adverse to the parties deemed to be at fault for those violations. The SEC files, which are publicly available, contained original case data that had not been manipulated. Most examples for best practice recommendations are derived from relevant cases from 2012 through 2014 using a combination of high-frequency frauds and high-dollar assessments by the SEC.
About the author
Howard A. Kanter (email@example.com) is an associate professor of accountancy and management information systems at DePaul University in Chicago.