With the twelfth anniversary of the implementation of the Sarbanes-Oxley Act of 2002 ("SOX") swiftly approaching, it may or may not be coincidental that the SEC has been involved in several SOX-related enforcement actions recently, including (i) bringing charges against the CEO and former CFO of a Florida-based computer equipment company for misrepresenting the state of its internal controls over financial reporting and (ii) awarding more than $400,000 to a whistleblower who reported fraudulent activity to the SEC after the whistleblower's company repeatedly failed to address the issue internally. This Bulletin, however, should serve as a clear reminder that, even with the passage of time and additional mandates to implement other regulatory frameworks such as the Dodd-Frank Act and the JOBS Act, the SEC continues to actively and aggressively monitor reporting companies' compliance with the disclosure, internal control and certification practices and procedures mandated by SOX.
What Are the Certifications Related to Disclosure Controls and Procedures Required by Section 302 and Section 906 of SOX?
Section 302 and Section 906 of SOX generally require CEOs and CFOs of reporting companies to certify to the truth, accuracy and completeness of their company's disclosures in 10-Qs and 10-Ks and to their responsibilities and duties as officers related to ensuring such truth, accuracy and completeness.
What Is the Management Report Related to Internal Control over Financial Reporting Required by Section 404 of SOX?
Section 404 of SOX generally requires reporting companies to include in their 10-Ks a report of management that (i) reiterates that management is ultimately responsible for establishing and maintaining adequate internal control over financial reporting, (ii) assesses the effectiveness of the company's internal control over financial reporting, (iii) identifies the framework used by management for that assessment and (iv) cites the attestation report issued by the company's registered public accounting firm related to its audit of internal control over financial reporting.
If CEOs and/or CFOs Fail to Fulfill Their Responsibilities under Section 302, Section 906 and Section 404 of SOX, Are There Ramifications?
Yes, and two recent enforcement actions illustrate certain potential consequences.
Enforcement Action Against CEO and Former CFO
In a recently instituted enforcement action, the SEC alleges
that the CEO, Marc Sherman, and former CFO, Edward L. Cummings, of
Quality Services Group, Inc. ("QSGI")
(i) falsely represented in a management report filed with
QSGI's 2008 10-K that the CEO had participated in the
evaluation of QSGI's internal controls, (ii) falsely
represented in certifications required under Section 302 of SOX
that the CEO and CFO had evaluated QSGI's internal control over
financial reporting and disclosed all significant deficiencies to
the external auditors and (iii) affirmatively misled the
company's external auditors by withholding information
regarding certain inadequate inventory controls and certain
improper accounting techniques designed by Sherman, and implemented
by Cummings, to accelerate the recognition of certain inventory and
accounts receivables in QSGI's books and records.
Signaling its zeal to regulate culpable conduct, the SEC stated
that "[c]orporate executives have an obligation to take the
Sarbanes-Oxley disclosure and certification requirements very
seriously. Sherman and Cummings flouted these regulatory
requirements and misled investors and external auditors in the
process."
Although the SEC will continue to pursue its enforcement action
against Sherman, Cummings entered into a cease-and-desist order
finding that he willfully violated, and caused QSGI's
violations of, federal securities laws. In connection with the
cease-and-desist order, Mr. Cummings agreed (i) to pay a $23,000
civil monetary penalty, (ii) to be barred for five years from
serving as an officer or director of a publicly traded company and
(iii) to be barred for at least five years from practicing as an
accountant on behalf of any publicly traded company or other entity
regulated by the SEC.
Significant Bounty Paid to Whistleblower
Recently, in a separate matter, a whistleblower received a
sizable bounty in respect of certain fraudulent activity that the
whistleblower ultimately reported to the SEC. Prior to informing
the SEC, the whistleblower made repeated, but unsuccessful,
internal reports through various company channels and mechanisms.
When the company did not act to investigate or remediate the
matter, the whistleblower reported the fraudulent activity to the
SEC. According to the SEC, "[t]he whistleblower did everything
feasible to correct the issue internally. When it became apparent
that the company would not address the issue, the whistleblower
came to the SEC in a final effort to correct the fraud and prevent
investors from being harmed . . . this award recognizes the
significance of the information that the whistleblower provided us
and the balanced efforts made by the whistleblower to protect
investors and report the violation internally."
The SEC's announcement did not provide any details regarding
the nature of the problem or the circumstances of the
whistleblower's complaint. Given that a bounty was ultimately
paid (and, therefore, there was a successful enforcement action),
it is interesting that (i) the company repeatedly failed to address
the whistleblower's concerns and (ii) the CEO and CFO could
deliver Section 302 and Section 906 certifications and a Section
404 management report in connection with the company's periodic
reports unless the CEO and CFO were never made aware of the
fraudulent activity.
According to the Wall Street Journal, the SEC's
whistleblower program has generated tips from more than 6,500
people from at least 68 countries and resulted in more than $150
million in restitution and fines and more than $15 million in
bounty payments to the whistleblowers. Interestingly, retirees
made up the largest group of whistleblowers, with investors and
engineers placing second and third, respectively.
What Can Be Done to Ensure Compliance with Section 302, Section 906 and Section 404 of SOX?
Although many of these recommendations are now commonplace, in light of recent events, companies may wish to reconsider the following action items:
- Evaluate disclosure controls and procedures and internal control on a quarterly basis
- Require written sub-certifications from officers other than the CEO and CFO
- Review all periodic reports with the audit committee applying the "fairly presents" standard
- Ensure legal counsel reviews 10-Qs and 10-Ks for compliance with the Exchange Act
- Establish a Disclosure Committee to coordinate the review of SEC filings by all pertinent parties
In addition, we would suggest that companies keep written records of all activities designed to ensure compliance with Section 302, Section 906 and Section 404 of SOX.
For further information visit Waller