This Update summarizes recent developments relating to public company audit committees and their oversight of financial reporting and of the company’s relationship with its auditor.
Broken Windows and Broken Gates: SEC Chair Outlines Enforcement Philosophy
In an October 9 speech (available here) to the Securities Enforcement Forum, SEC Chair Mary Jo White, expanding on earlier public statements, outlined her philosophy regarding the Commission’s enforcement program. Her theme was that SEC enforcement would “strive to be everywhere” and would not ignore minor violations of the securities laws because “even the smallest infractions have victims” and “the smallest infractions are very often just the first step toward bigger ones down the road.” Ms. White analogized this approach to the “broken windows” theory of policing employed by former New York City Mayor Rudy Giuliani. She assured the audience that, under her leadership, the Commission would pursue “[n]ot just the biggest frauds, but also violations such as control failures, negligence-based offenses, and even violations of prophylactic rules with no intent requirement.”
From an audit committee perspective, the most significant feature of the speech was the emphasis Chair White placed on gatekeepers. She stressed that the enforcement program would continue to focus on auditors because “auditors serve as critical gatekeepers – experts charged with making sure that the processes that companies use to prepare and report financial information are ones that are built on strength and integrity.” She noted that the Commission had launched an initiative called “Operation Broken Gate” designed “to identify auditors who neglect their duties and the required auditing standards” and to “prob[e] the quality of audits and determin[e] whether the auditors missed or ignored red flags; whether they have proper documentation; and, whether they followed their professional standards.”
With respect to directors’ gatekeeper responsibilities, Chair White commented only on investment company boards. In that context, she responded to the argument that enforcement actions against directors might discourage board service “for fear of being second-guessed or blamed for every issue that arises.” While she acknowledged the concern, Chair White stated: “But this is my response: first, being a director or in any similar role where you owe a fiduciary duty is not for the uninitiated or the faint of heart. And, second, we will not be looking to charge a gatekeeper that did her job by asking the hard questions, demanding answers, looking for red flags and raising her hand.”
Comment: Ms. White’s emphasis on gatekeepers and on financial reporting and auditing enforcement is consistent with her prior comments, discussed in the July and April 2013 Updates. The initial Operation Broken Gate enforcement actions (available here) have involved smaller firms and audits of smaller public companies. And recent enforcement actions involving directors have focused on investment company boards. It is likely, however, that attention will eventually shift to include larger public company audits and industrial company directors. Whether the broken windows enforcement philosophy will also be applied at the large company level is more difficult to predict. It seems unlikely that the SEC will conclude that it is in a position to devote substantial enforcement resources to minor violations, but there is certainly a risk that relatively technical missteps will occasionally be pursued.
JPMorgan Chase Settles London Whale Case; Admits Failure to Inform Audit Committee of Control Breakdown
On September 19, the SEC announced the filing and simultaneous settlement of an administrative enforcement proceeding against JPMorgan, based on financial reporting and internal control violations relating to losses suffered by the firm’s Chief Investment Office (CIO) as a result of the activities of a JPMorgan derivatives trader known as the “London Whale”. The gravamen of the order (available here) is that JPMorgan’s internal controls failed to ensure that the CIO was properly valuing its portfolio and that management failed to inform the audit committee about the internal controls breakdown and the steps it was taking to address it. JPMorgan agreed to settle the SEC’s case by paying a $200 million civil penalty and consenting to a cease-and-desist order. On the same day, the UK Financial Conduct Council, the Federal Reserve, and the Comptroller of the Currency also announced settlements with JPMorgan in cases involving the same matter. Penalties in all four actions totaled $920 million.
The SEC’s case involves inaccurate financial reporting and a material weakness in internal controls over financial reporting (ICFR) for the first quarter of 2012. The Commission alleged that, in late April, after the CIO portfolio began to decline in value, JPMorgan commissioned various internal reviews of the effectiveness of the controls over the valuation of the CIO’s derivatives. As a result, senior management learned that the group whose function was to detect and prevent trader mis-marking was ineffective and not independent from the traders. However, the audit committee was not informed of the progress of these reviews and related remedial action and approved JPMorgan’s Form 10-Q filed on May 10, 2012. Subsequently, in July 2012, JPMorgan announced that it would restate its results for the first quarter and that a material ICFR weakness had existed as of March 31. (The case is a reminder that, even though the Sarbanes-Oxley Act only requires an annual ICFR assessment, public companies have an obligation to maintain effective controls at all times.)
This is one of the first settlements implementing the SEC’s new policy of, in some cases, requiring admissions, rather than allowing the defendant to make the traditional statement that it neither admits nor denies the Commission’s charges. The SEC’s order includes a 15-page appendix of admitted facts and an acknowledgment that JPMorgan violated the securities laws. Among the admissions are that senior management failed to adequately update the audit committee on important facts concerning the CIO before the firm filed its 2012 first quarter report; and that, as a result, the audit committee was hindered in its ability to discharge its obligations to oversee management and to ensure the accuracy of the firm’s financial statements.