SEC data demonstrates that SOX ICFR failures are rarely isolated incidents

6 minute read
SEC data demonstrates that SOX ICFR failures are rarely isolated incidents


Effective internal controls are the bedrock of quality financial reporting – the essential checks and balances that help to ensure a sound process will deliver a quality product. 

As we discussed in the previous blog, effective internal controls are the bedrock of quality financial reporting – the essential checks and balances that help to ensure a sound process will deliver a quality product. And confidence in the accuracy and quality of the fundamental financial information is essential to driving investor and market confidence in a company. As SEC Chief Accountant Wes Bricker stated: “Well-run public companies have effective internal controls not just because internal controls are a first line of defense against preventing or detecting material errors or fraud in financial reporting, but also because strong internal controls contribute to better internal accountability and information flow.” 

To that end, public companies are required to follow very specific requirements around internal control over financial reporting (ICFR) to comply with Sarbanes-Oxley (SOX). Despite these protocols, ICFR weakness and failures remain all too common. Even more alarming, SEC data clearly demonstrates that ineffective controls are likely to be persistent over time, leading to a cascade of negative effects which can undermine investor confidence and stock prices. 

ICFR failures common across the board, especially for smaller companies 

SEC data and reporting on ineffective ICFR shows that this foundational problem is very common across companies of all sizes. Non-accelerated filers experience a higher incidence of ineffective ICFR. These are typically smaller companies who have less experience and fewer dedicated financial reporting resources. The SEC chart below shows that nearly 4 in 10 non-accelerated filers report material weaknesses in ICFR in any given reporting year: 

ICFR failures are rarely isolated incidents 

In recent years, the SEC has spoken consistently about the problem of “persistence of material weaknesses in ICFR.” When a company reports a failure of ICFR in one reporting period, they often have more than one problem, and/or that problem extends well beyond a single reporting period. The table below supports this: companies reporting ineffective ICFR in 2018 were much more likely to have demonstrated persistent problems over the past two, three or even four years. Indeed, nearly half of accelerated filers reporting an ICFR issue in 2018 had issues going back to 2016 – and for 1 in 10, those issues had persisted since at least 2014

SEC cracking down on persistent ICFR failures 

In the past decade, the SEC Division of Enforcement has rigorously pursued cases against failures in financial reporting. The SEC observed that “recent Commission enforcement actions might lead to a reduction in the persistence of material weaknesses in ICFR.” In early 2019, the SEC announced enforcement action against four publicly-traded companies – Grupo Simec S.S.B. de C.V., Lifeway Foods Inc., Digital Turbine Inc., and CytoDyn Inc. – for failure to maintain adequate internal control over financial reporting. What made these enforcement actions notable – as a Harvard Law analysis points out – is that the problem wasn’t that the companies hadn’t properly disclosed ineffective ICFR. Rather, the key issue was that the companies failed to take timely, effective action to remediate these disclosed material weaknesses. They allowed these material weaknesses to persist, as the data above indicates is so often the case. These four examples are just the latest in a long list of companies targeted by the SEC for audit control failures.  

But this definitive action was a clear warning shot from the SEC: Materials weaknesses in ICFR cannot be treated as isolated incidents to be solved merely through revised disclosure. 

Cascading negative consequences of persistent ICFR failures 

Even if your company doesn’t appear in the headlines as a target of SEC enforcement actions, persistent material weaknesses in ICFR can have cascading negative effects. SEC data demonstrates that companies with persistent ICFR failures are much more likely to issue restatements – and have to refile again in subsequent periods. Re-stating financials has been proven to have a direct correlation with a company’s stock price dropping. And while a single incident might be easy to recover from, repeated restatements will undoubtedly have a more significant and long-lasting impact on public trust in a company’s financial reporting data. Analysts and investors grow less interested in following the company – after all, they can’t trust the data. Investor confidence and interest wanes. These are outcomes no company wants. 

Resolving underlying control failures through automation 

When an auditor identifies ineffective controls, the conventional approach is to focus on resolving that specific issue and filing a restatement. Without a remedy for the underlying cause of the control failure(s), then the problems are very likely to persist from quarter to quarter or even year to year leading to SEC and market scrutiny. 

The SEC data on recurring material weaknesses in financial reporting clearly demonstrates that this approach does not work and makes companies vulnerable. Resolving ineffective ICFR demands that a company step back and consider the design and components of their entire control system.  

Between the risk of SEC enforcement action, and the potential for long-term damage to stock price and investor confidence, companies need to master SOX compliance. Smart financial reporting and compliance technologies ease this obligation. Today, powerful software tools help to automate the burden of analyzing and auditing ICFR and financial statements – driving faster, more effective solutions to address ineffective ICFR. In fact, some of the most forward-thinking companies are going a step further – leveraging these automated software solutions to drive a much more proactive approach to assessing and improving ICFR, so they can foster investor confidence and the health of their business. Even the SEC has observed the benefits of an automated SOX reporting system:  “Recent changes in technology, such as the potential for management to use automated controls testing and process automation, may result in improvements in ICFR…. if their increased application results in more robust financial reporting processes with fewer opportunities for deficiencies and/or in an increase by management in control testing and related improvements.” 

Stay tuned for our next blog on ICFR failures, where we will dive deeper into the common reasons that various stakeholders within companies frequently overlook the risks of ineffective ICFR and persistent material weaknesses. 

Toppan Merrill is here to help.

For decades, the experts at Toppan Merrill have supported internal audit professionals through creating efficiencies, transparency and predictability of cost within their SOX compliance programs. Visit our SOX compliance page to learn more – or connect with one of our experts at [email protected] or by calling 800.688.4400.

Jennifer Froberg - Sr SEC Product Specialist

With over 15 years of industry experience in the SEC regulatory landscape, Jennifer supports and advises clients in how to get their filings right. Part of a Toppan Merrill team of EDGAR experts who provide practical compliance expertise in a variety of subjects, Jennifer focuses on analyzing the scope of SEC rulemaking, where the agency is headed and how regulatory changes will impact the filers, investors and the market. She has a particular focus on structured data and ESG initiatives.

Jennifer Froberg - Sr SEC Product Specialist's Photo

Related Insights

When you’re ready to optimize, we’re ready to help.