Lacking Effective Internal Controls? Prepare for External Grief

A lack of internal controls is bringing external grief to an increasing number of American companies.

The result of a reinvigorated SEC (not the collegiate football conference) internal controls enforcement focus means that more companies are being hauled into legal proceedings by the Securities and Exchange Commission (that SEC), which has ramped up its efforts in this area of corporate financial accountability.

Following the 2002 passage of the Sarbanes-Oxley Act, the SEC in 2003 came out with its rules under the new law, including those on internal controls. Agencies such as the SEC have two things they must do: enforce and prioritize their enforcement efforts. Last year the SEC launched a new mechanism to bring heat on suspected internal controls malefactors: the Financial Fraud Task Force (FFTF). This year, companies are paying for it.

In a July 2, 2013 news release announcing the FFTF, the SEC said,

“The Financial Reporting and Audit Task Force dedicated to detecting fraudulent or improper financial reporting, whose work will enhance the Division's ongoing enforcement efforts related to accounting and disclosure fraud.”

Internal controls are in the SEC’s enforcement cross-hairs because faulty or fraudulent internal controls mean that false financial information is presented to investors and can misstate a company’s position for tax purposes.

A few examples:

• Washington D.C., Sept. 25, 2014 — The Securities and Exchange Commission today sanctioned a Scottsdale, Ariz.-based software company for having inadequate internal accounting controls over its financial reporting, which resulted in misstated revenues in public filings.
• Hewlett Packard paid a $108 million fine when it was charged that company employees bribed officials in three countries to obtain or keep contracts. As Great Britain’s “The Guardian” reported:

“Kara Brockmeyer, of the SEC enforcement division, said: ‘Hewlett-Packard lacked the internal controls to stop a pattern of illegal payments to win business in Mexico and Eastern Europe. The company's books and records reflected the payments as legitimate commissions and expenses.

Companies have a fundamental obligation to ensure that their internal controls are both reasonably designed and appropriately implemented across their entire business operations, and they should take a hard look at the agents conducting business on their behalf."

• J.P. Morgan ran afoul of the SEC’s focus, to the unhappy tune of $200 million: Washington D.C., Sept. 19, 2013 — The Securities and Exchange Commission today charged JPMorgan Chase & Co. with misstating financial results and lacking effective internal controls to detect and prevent its traders from fraudulently overvaluing investments to conceal hundreds of millions of dollars in trading losses.

Lest anyone should think that an internal controls imperative is exclusive to the private sector, it’s a necessity even for the revenue collectors, as the government’s General Accounting Office has shown:

• GAO Sees Need for Improvement in IRS’s Internal Controls: “The Internal Revenue Service is suffering from several new deficiencies in its internal controls, although it has managed to address a number of older problems, according to a new report from the Government Accountability Office.”

If your internal controls aren’t what they should be, or if you think they aren’t what they could be, you have either a serious problem or a problem in the making.

Here’s what to do:

Talk to a professional and experienced internal auditor about the alpha-to-omega of setting up an internal controls system, and then get a second opinion. This will document what you’ve done and, more importantly, it will put you in the best possible position to have the internal controls you need.

Through this process you’ll be able to identify where problems exist; where your controls are working; where they’re exposing you to danger, what processes you need to put in place; and who you need have on your team to make sure it’s done correctly.

Under any circumstances, don’t delegate the responsibility – and authority – to a single individual to establish and maintain top-flight internal controls. It won’t work. You’ll regret it, eventually.

Effective internal controls are an indispensable friend. Don’t allow ineffectiveness to make internal controls your enemy. The cost is too high.