SEC Enforcement for Internal Control Failures

Nicolas Grabar and Sandra L. Flow are partners and Alexander Janghorbani is a senior attorney at Cleary Gottlieb Steen & Hamilton LLP. This post is based on a Cleary Gottlieb memorandum by Mr. Grabar, Ms. Flow, Mr. Janghorbani, Alejandro Canelas Fernandez, and Tapan Oza.

On January 29, 2019, the SEC announced four settlements with publicly-traded companies for failure to maintain adequate internal control over financial reporting (ICFR). None of the companies was charged with making false or inaccurate statements, either about its ICFR or otherwise; indeed, each had repeatedly disclosed material weaknesses in ICFR over many years.

These cases are interesting for at least three reasons:

  • They were announced together to send a message about the SEC’s focus on its agenda to strengthen accounting and controls at public companies.
  • The cases are about controls, and not about disclosure. Material weaknesses in ICFR are not just a disclosure issue: a continuing failure to maintain adequate controls is a violation of law, even if the failure is fully disclosed and there is no other disclosure problem.
  • The cases join several recent instances in which the SEC has shown a willingness to use the internal controls provisions of the Securities Exchange Act of 1934 independently of specific disclosure requirements.


Section 13(b)(2) of the Exchange Act imposes record keeping requirements on public companies and requires them to “maintain a system of internal accounting controls.” [1] That has been true since 1977, when these provisions were added to the Exchange Act by the Foreign Corrupt Practices Act. The broadly worded statutory requirement was given specific content in 2003 when the SEC adopted a specific regulatory framework, based on Section 404 of the 2002 Sarbanes-Oxley Act, that requires a public company to (1) maintain ICFR, (2) assess its effectiveness annually, (3) disclose the assessment in the annual report and (4) (with some exceptions) disclose the report of the independent auditor on the effectiveness of ICFR. The framework is provided primarily by Rule 13a–15, [2] and it is often referred to as “SOX 404.”

After the adoption of the SOX 404 framework, questions arose about whether filing an annual report that discloses material weaknesses and ineffective ICFR has other consequences under the SEC’s rules. In particular, the SEC took the view that such a report does not make a company ineligible to use short-form registration under the Securities Act of 1933. [3]

There have been some SEC enforcement actions for Rule 13a–15 violations. The SEC has included charges of violating the ICFR maintenance requirement where the company has also engaged in intentional misconduct or had to restate prior disclosures. [4] The SEC has also cited violations of the ICFR evaluation requirement in a 2018 action against Primoris for violating the maintenance requirement. [5]

More recently, ICFR has been a focus of public statements by SEC staff. In a December 2018 speech, SEC Chief Accountant Wesley Bricker encouraged ongoing attention to the adequacy of and basis for a company’s assessment of the effectiveness of ICFR. [6] The speech emphasized that “internal controls are the first line of defense against . . . material errors or fraud in financial reporting,” a remark that is repeated almost verbatim in Mr. Bricker’s quote in the SEC press release announcing the settled ICFR-related charges. [7]

The Settled Charges

The settled charges involve four companies that, according to the settlement orders, failed to maintain ICFR for multiple years:

  • Grupo Simec S.A.B. de C.V. (a Mexican producer of iron and steel alloy products) reported material weaknesses in ICFR for nine consecutive years. Simec still has not reported effective ICFR.
  • Lifeway Foods, Inc. (an Illinois producer of kefir and other dairy products) reported material weaknesses in ICFR for ten consecutive years. It then reported effective ICFR as of December 31, 2017.
  • Digital Turbine, Inc. (a Texas-based provider of mobile delivery platform technology) reported material weaknesses in ICFR for seven consecutive years. It then reported effective ICFR as of March 31, 2018.
  • CytoDyn Inc. (a Washington-based biotech company) reported material weaknesses in ICFR for nine consecutive years. It then reported effective ICFR as of May 31, 2017.

At each company, there were various material weaknesses, some of them recurring year after year. The orders indicate that the SEC staff had been in contact with each company over several years, and they imply that the companies’ remediation efforts were partly prompted by the staff’s inquiries.

Sending a message to reporting companies seems to be the purpose of grouping these companies together in a single announcement, and maybe even of referring them for enforcement in the first place. As the announcement says:

“Companies cannot hide behind disclosures as a way to meet their ICFR obligations. Disclosure of material weaknesses is not enough without meaningful remediation. We are committed to holding corporations accountable for failing to timely remediate material weaknesses.”

There are some differences in the charges against the four companies, reflecting differing circumstances. Each company was found to have violated both the general statutory requirement to maintain sufficient internal accounting controls (Exchange Act Section 13(b)(2)(B)) and the specific regulatory requirement to maintain ICFR (Rule 13a–15(a)). In addition, Simec and Lifeway failed even to evaluate the effectiveness of ICFR for two reporting periods, so they were found to have also violated the requirement to evaluate ICFR (Rule 13a–15(c)). [8] Finally, Lifeway restated its financial statements three times during the years in question, and it was found to have violated the requirements to keep accurate books and records (Section 13(b)(2)(A)) and to file periodic reports (Rule 13a–1).

In addition to cease-and-desist orders, the SEC levied relatively modest civil penalties ranging from $35,000 to $200,000. Simec, which has not yet reported effective ICFR, was also required to retain an independent consultant acceptable to the SEC to help remediate its ICFR weaknesses.


The two orders finding only violations of the ICFR maintenance requirements (Digital Turbine and CytoDyn) are the most instructive. While the SEC has previously found violations of the maintenance requirements, those cases typically targeted companies that were found to have engaged in other misconduct as well. Here there is no finding of any other misconduct—in fact, the two companies had complied with the evaluation requirement (finding their ICFR to be ineffective) and the disclosure requirement (disclosing their findings).

At what point does persistent ineffectiveness ripen into a violation of the ICFR maintenance requirement? In these cases the persistence was egregious—seven years for Digital Turbine and nine years for CytoDyn—but it seems safe to guess that the line can be crossed much faster than that, depending on the circumstances. In general, last week’s SEC actions signal to companies that they should undertake quick and effective remediation efforts for control deficiencies they identify.

Time will tell whether the SEC is interested in bringing more cases predicated solely on controls violations and, if so, what specific substantive obligations it may consider ripe for action. But, in the meantime, the current cases reinforce the SEC’s recent focus on controls over the quality of information being disseminated to investors. Other such recent cases include the SEC’s September 2018 settlement with Tesla for not having disclosure controls over the Twitter feed of its CEO Elon Musk, [9] and its October 2018 findings on whether certain public companies that were victims of cyber-related frauds violated the statutory requirement to maintain internal controls. [10]


[1] Exchange Act Section 13(b)(2), 15 U.S.C. § 78m(b)(2).

[2] 17 C.F.R. § 240.13a–15. See also Rule 15d–15, 17 C.F.R. § 240.15d–15 (identical requirements for a reporting company not registered under the Exchange Act). The framework is also implemented in the SEC’s forms for annual reports. See Item 9A of Form 10-K (which incorporates the ICFR requirements under Item 308 of Regulation S-K) and Item 15 of Form 20-F.

[3] See Question 4, SEC Staff’s Frequently Asked Questions (FAQs) on Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, available at The FAQ on this point was originally published in 2004 and last revised in 2007.

[4] See, e.g., In re JPMorgan Chase & Co., 2013 SEC LEXIS 2862 (Sept. 19, 2013) (finding bank failed to maintain ICFR and disclosure controls and procedures, which led to restatement of first quarter 10Q); In re S. USA Res., Inc., 2013 SEC LEXIS 3725 (Nov. 22, 2013) (company failed to make regular quarterly filings and annual filings; to disclose resignations of key officers; and to maintain ICFR or disclosure controls and procedures).

[5] In re Primoris Servs. Corp., 2018 WL 4537220 (Sept. 21, 2018) (finding violations of Section 13(b)(2) along with a failure to properly evaluate the effectiveness of ICFR under Rule 13a–15).

[6] Wesley Bricker, Statement in Connection with the 2018 AICPA Conference on Current SEC and PCAOB Developments (Dec. 10, 2018), available at

[7] See

[8] It is not uncommon for the SEC to bring charges for failure to even evaluate the effectiveness of ICFR under Rule 13a–15(c). See, e.g., Primoris, supra note 5; In re Traci J. Anderson, 2015 WL 9297356 at *17–18 (Dec. 21, 2015) (finding officer of company violated evaluation rules relating to ICFR by failing to assess its effectiveness).

[9] Elon Musk Settles SEC Fraud Charges; Tesla Charged With and Resolves Securities Law Charge (Sept. 29, 2018), available at (Tesla settled charges that it failed to have disclosure controls and procedures surrounding Musk’s tweets).

[10] Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls, SECURITIES & EXCHANGE COMMISSION (Oct. 16, 2018), available at
