SEC Enforcement Targets Ineffective Controls – Who Else Is at Risk?

The Securities and Exchange Commission recently fined four companies for having ineffective internal controls.

In its enforcement press release, the SEC told the four companies, Grupo Simec S.A.B. de C.V. [SIM: NYSE], Lifeway Foods [LWAY: Nasdaq], Digital Turbine [APPS: Nasdaq] and CytoDyn [CYDY: OTC], that disclosure of ineffective internal controls wasn’t enough, but that these firms also needed to fix the problem.

In its release, the SEC said the four companies failed to maintain effective internal control over financial reporting (ICFR) for seven to ten consecutive reporting periods. Additionally, two of the four didn’t complete the required evaluation of the efficacy of their internal controls for two straight annual reporting periods. Although the companies disclosed material weaknesses in internal controls in high-risk areas of their financial statements, they took months, sometimes years, to fix the problems after being contacted by SEC staff. Grupo Simec remains in the process of remediation.

The release is unusual for two reasons. First, the charges against these companies were bundled together and announced in a single press release. Second, the SEC decided the internal controls in these firms were so poor that it based its enforcement on this issue alone. While the SEC will bring internal control problems in an enforcement case, it’s usually in the context of a material accounting error, fraud or other primary issues. Rarely does the agency cite internal controls as the main reason for their enforcement action.

To see how unusual the SEC’s action was, we reviewed accounting and auditing enforcement releases from 1999 through January 2019. Out of 930 releases citing internal control issues, 723 have a related restatement and of those, 116 have a restatement associated with a material weakness.  

However, only 44 release summaries include the terms “ICFR” or “internal control over financial reporting” and 37 include the term “material weakness”.1 Of the four companies cited, only one, Lifeway, had financial restatements related to ICFR weaknesses discussed in the release. It is important to note that CytoDyn had a non-reliance restatement in 2011 related to rescission liability, but this restatement was not discussed in the SEC press release.

The SEC was blunt in its press release. “Companies cannot hide behind disclosures as a way to meet their ICFR obligations. Disclosure of material weaknesses is not enough without meaningful remediation. We are committed to holding corporations accountable for failing to timely remediate material weaknesses,” said Melissa Hodgman, an associate director in the SEC’s Enforcement Division.

This is a sign that the SEC is taking poor internal controls more seriously, not only in terms of disclosure but also from a proactive perspective of fixing those issues. The SEC is putting companies on notice that boilerplate disclosure language with no identified remediation plan or efforts is not sufficient anymore, and poor internal controls are now a risk factor.

What’s common among the four companies mentioned is that, in general, there were minimal attempts to fix their weak internal controls. All had long-term ICFR weaknesses, with Digital Turbine at seven years, CytoDyn and Lifeway both at nine years and Grupo Simec at ten years.  All companies hired Sarbanes-Oxley consultants, but still had material weaknesses, while Lifeway and Grupo Simec neglected management ICFR assessments for multiple years.

Lifeway stands out for poor internal controls. It had three material restatements since fiscal 2012, including two restatements in fiscal 2016. For several years, the Company disclosed material weaknesses related to inventory, assignment of cost of goods sold, and income taxes. The SEC noted that the failure of Lifeway to timely remediate the material weaknesses was compounded by the restatements, each involving issues with costs related to manufacturing, cost of goods sold, or inventory. The company itself said their closing process was “fragmented”:

“We had material weakness arising from a lack of segregation of duties in financial reporting, a fragmented financial statement preparation process with various levels of input and control resulting from the use of external consultants for the processing and preparation of our financial statements, inadequate systems used to identify, record and review period end activity and calculations of inventory and inadequate entity level controls.”

Remediation efforts began in 2013 but were not completed until fiscal year ended December 31, 2017.

When it comes to poor internal controls, these companies are some of the worst offenders, as the problems were allowed to linger for years. Looking at data from 2007 and 2018, 3.4% of registrants with any ineffective ICFR report had seven ineffective management ICFR reports, comparable to Digital Turbine.  This percentage decreases to 1.9% for registrants such as LifeWay and CytoDyn that had nine ineffective ICFR reports.

Overall, less than 10% of registrants with any ineffective ICFR management ICFR report had seven or more ineffective reports. 

As the biggest of the four registrants, Grupo Simec is noteworthy, being one of only 72 companies traded on NYSE that had ineffective independent auditor’s reports on internal controls in 2017 and one of only two companies that has had ten ineffective audited reports since 2007.

Small companies may have ineffective controls because it might not be feasible to afford the accounting personnel to segregate duties properly. Company size is not an issue for the four companies, especially Grupo Simec, which is traded on NYSE with $4.7 billion in market cap and $1.7 billion in revenue.

All four companies were charged a civil monetary penalty. The smallest company in the group, CytoDyn, was ordered to pay a $35,000 civil penalty. The largest company in the group, Grupo Simec, was ordered to pay a $200,000 civil penalty and will be required to retain a Sarbanes-Oxley consultant at the company’s expense. These penalty amounts seem to be consistent with other imposed penalties for similar issues; the median penalty for the 930 AAERs that reference internal control issues was $100,000.

In conclusion, analysts should be aware that the SEC is taking a heightened look at ineffective internal controls. If this is important to the agency, it becomes a risk factor. Although it was not specifically mentioned in this release, cybersecurity and failure to provide adequate protections to prevent hacking and other types of cyber attacks falls under ineffective internal controls.2

These four companies were flagged for many problems related to ineffective internal controls, but other firms may be at risk, such as companies which have previously disclosed multiple ineffective ICFR reports yet have demonstrated minimal remedial actions.

Companies must realize that they can no longer ignore lingering ineffective internal controls. This has been elevated to a primary risk factor and must be taken seriously if the SEC is starting to issue enforcement releases solely for poor internal controls.

For more information on this article, or regarding our Accounting and Auditing Enforcement Release database, please contact us at or (508) 476-7007.

This article was first available to subscribers of Accounting Quality Insights by Audit Analytics on Bloomberg, Eikon, FactSet, and S&P Global.

1. Audit Analytics maintains a database of key data points extracted from AAERs released since 1999, see: An Overview of Accounting and Auditing Enforcement Releases (1999-2018)
2. For more information on cybersecurity and internal controls over financial reporting, see: SEC Registrants with Poor Cyber Controls