SEC on a Roll, Cracks Down on Internal Control

by Edith Orenstein

Recent SEC Enforcement actions illustrate the agency’s stepped-up efforts to crack down on companies where internal controls are lacking.

"Weak internal controls create greater opportunity for accounting fraud, and investors are left holding the bag," said Jina Choi, Director of the SEC's San Francisco Regional Office, when the SEC announced charges against Silicon Valley's Saba Software on September 24. In the Saba case, the SEC charged the company with fraudulently increasing its revenue to meet targets via schemes perpetrated by consultants in India who manipulated revenue recognition through "pre-booking" and "under-booking" consulting revenue.

Choi added, "Saba Software used off-shore operations to cut costs, but also cut corners on its internal controls over financial reporting," resulting in a "black box" atmosphere in which, "U.S. and European managers approving time records of India-based consultants for revenue recognition purposes had little visibility into who was performing what work and when."

Claws Out

Saba Software reached a $1.75 million settlement with the SEC; two VPs consented to an Order charging them with violation of anti-fraud provisions and falsification of books and records, along with fines and charges for disgorgement of ill-gotten gains; and the CEO was hit with a $2.5 million compensation clawback.

CFOs and CEOs take note: the comp clawback, allowed under the Sarbanes-Oxley Act, represented "bonuses and stock profits that [the CEO] received while the accounting fraud was occurring, even though he was not charged with misconduct."

On September 25, the SEC announced charges against JDA Software Group, Inc. for "[failing] to properly recognize and report revenue from certain software license agreements it sold to customers." How did this happen? "[Because JDA Software's] internal accounting controls failed to consider information needed for determining a critical component of revenue recognition for software companies."

Revenue Recognition a Point of Focus

The critical component in question was Vendor Specific Objective Evidence (VSOE) of fair value. According to the SEC, "when determining the value of certain services related to a software license agreement, [a company] cannot immediately recognize the entire revenue from that agreement." The SEC said if JDA Software had had "proper internal controls that appropriately considered VSOE," the company would have recognized revenue "ratably over the term of a services agreement."

The settlement with JDA Software Group comes at a time when companies are beginning to immerse themselves in the sweeping new revenue recognition standard released by FASB and the IASB in May of this year. The standard has an effective date of 2017 for public companies, and 2018 for private companies.

We previously reported that the PCAOB is reminding auditors to step up their efforts for auditing revenue recognition under existing guidelines, and that the audit regulator plans to monitor implementation of the new "rev rec" standard to determine if any additional guidance or amendments to auditing standards are necessary.

COSO Comes a-Calling

With the advent of an updated COSO internal control framework released last year, set to supersede the 1992 COSO framework by December 15, 2014, a finding of a "previously undisclosed material weakness in ... internal control over financial reporting," such as cited by the SEC in the JDA Software case, sends chills up the spine of C-Suite execs charged with signing certifications on the effectiveness of internal control.

The undercurrent that hums just below the COSO implementation activity taking place now is to work toward documenting how existing internal control systems meet the 17 principles articulated in COSO's 2013 internal control framework, which builds upon the five core concepts of internal control in the original COSO framework.

Companies will not want to be blindsided by an auditor or regulator finding that their internal control over financial reporting is not effective, and particularly will not want to see a finding of a "previously undisclosed material weakness in internal control." That is why companies are taking the COSO implementation effort very seriously, to not only document a path or 'map' of their controls from the 1992 to 2013 COSO frameworks, but also to consider if substantive improvements to their internal control systems can be made as well.

Read more about increased scrutiny of internal control over financial reporting by the SEC and PCAOB, as companies near the final stretch for implementing COSO 2013, in The Season of ICFR published in the SEC Institute-PLI Blog on Oct. 3, authored by former SEC Division of Corporation Finance Chief Accountant Carole Stacey, and in Assessing the Increased Regulatory Focus on Public Company Internal Control and Reporting, published in BloombergBNA's Securities Regulation & Law Reporter on October 6, authored by Orrick, LLP attorneys Jason M. Halper, Jonathan E. Lopez, William J. Foley and Blake L. Osborn.

FEI, one of the five founding members of COSO, provides additional resources to help you with efficient and effective implementation of the updated COSO framework, at

A Time-Honored Recipe

At the turn of the century (or should I say, millennium), six seasoned attorneys from law firm Fried, Frank published a Recipe for Avoiding SEC Accounting Fraud Enforcement. Among the six chefs who authored that recipe was Harvey Pitt, who subsequently served as chairman of the SEC.

In my view, the six steps in the Fried, Frank recipe, summarized below, still hold true today, particularly if you want to avoid heartburn from SEC Accounting & Auditing Enforcement actions:

  1. Expect Scrutiny of the CEO (I would add the CFO)
  2. Set the Right Tone at the Top
  3. Review Internal Controls
  4. Be Alert to Independence Concerns
  5. Watch for Revenue Recognition Issues
  6. Treat All SEC Staff Comments as Seriously as an Inquiry from the Enforcement Division