Image of Home Logo

Related Resources

Operational Advisory & Risk Management

Scrutiny of Internal Controls Growing

Sally L. Hoffman, CPA, CFE, CFF 02.12.2014 | Attorney Alert

Internal controls have been on regulators’ radar since at least 1977 with the passage of the Foreign Corrupt Practices Act. Still building steam, the concentration on the adequacy of a company’s internal controls, and the related required auditor scrutiny, has grown exponentially. The DOJ, SEC, PCAOB, as well as COSO in its latest revision to its Internal Control Framework,1 continue to warn constituents that improvements are needed. Management, audit committees, and auditors should all take notice.


In July 2013, the SEC announced the formation of a Financial Reporting and Audit Task Force to detect fraud in financial reporting and increase prosecution of violations involving false or misleading financial statements and disclosures. At a December 2013 AICPA conference in Washington D.C., the Task Force head, David Woodcock, alerted the audience that internal controls around financial reporting are being closely scrutinized. He encouraged those present to study two recent accounting enforcement actions, In re JPMorgan Chase & Co. (45 SRLR 1720, 9/23/13) and SEC v. PACCAR Inc. (PCAR) (45 SRLR 1103, 6/10/13), which cited inadequate internal controls significant in leading to material misstatements. Woodcock emphasized that the Task Force would continue to focus on adequacy of internal controls.

At the same conference, Brian Croteau, Deputy Chief Accountant, Office of the Chief Accountant, stressed the significance of internal controls over financial reporting. He also recommended reading the JPMorgan enforcement order, and cautioned that future reporting and disclosure investigations are going to continue to look closely at the adequacy of internal accounting controls as well as evaluations and conclusions about both internal control over financial reporting and disclosure controls and procedures. Croteau elaborated that the SEC is beginning to see auditor cases related to audits of internal control over financial reporting.


The JPMorgan case represents a stinging condemnation of the internal controls structure over valuing complex derivatives at the bank. The matter grew out of the $6 billion derivative trading losses by the notorious “London Whale.” The SEC Cease and Desist Order (the “Order”) explains that JPMorgan reported in its first quarter 2012 Form 10-Q that its disclosure controls and procedures were effective as of the end of the quarter. Yet, a few short months later, in the summer of 2012, the company disclosed that a material weakness in internal control over financial reported had existed as of March 31, 2012. It further reported that its disclosure controls and procedures as of March 31, 2012 were not effective and management’s prior conclusion in the firm’s May 20, 2012 quarterly report that they were effective was incorrect.

In particular, the government explains that the full extent of the trading losses during the first quarter was not detected and reported, in part because of the ineffectiveness of the internal control function within the firm’s Chief Investment Office (“CIO”), known as the Valuation Control Group (“CIO-VCG”). The Order faults the CIO-VCG for being insufficiently independent from traders, understaffed, and insufficiently supervised. According to the Order, the CIO-VCG did not adequately document its actual price-testing policies, and failed to escalate to CIO and JPMorgan management significant information required for management to make informed decisions about disclosure of the firm’s financial results for the first quarter of 2012. The Order also faults the firm for inadequate communication between JPMorgan’s Senior Management and the Audit Committee, stating, “JPMorgan Senior Management did not make a considered assessment of the significance of the relevant information to determine if it revealed a significant deficiency or material weakness at CIO-VCG that had to be disclosed to the Audit Committee.” (Order, ¶7). Croteau encouraged registrants to take careful note of the types of control deficiencies cited.


Woodcock also referenced SEC v. PACCAR Inc., a matter involving financial reporting, books and records, and internal controls violations by a commercial truck manufacturer. The Complaint filed by the SEC in District Court in the Western District of Washington on June 3, 2013, alleges a catalogue of insufficiencies. Among them are insufficient controls to monitor its compliance with the segment reporting requirements of GAAP, insufficient written policies and procedures to describe the primary elements of its loan loss methodology, insufficient written policies and procedures for identifying and measuring impairments on modified or restructured loans, and inadequate procedures to prevent or detect significant quantitative errors in its periodic cash flow reporting.

Another noteworthy case illustrates the SEC’s concentration on internal control deficiencies. In the Matter of Capital One Financial Corp., Exchange Act Rel. No 69442 (April 24, 2013) (the “Release”), Capital One Financial Corp. (“Capital One” or the “Company”) and two of its officers settled a cease and desist proceeding pursuant to Section 21C of the Exchange Act. The SEC’s release noted that, in calculating the reserve for the auto financing business (which the SEC alleged was understated), Capital One “failed to maintain effective internal controls to ensure appropriate and accurate recording and reporting of its loan loss expenses.” (Release, ¶1). Further, the SEC alleged that Capital One and/or its two officers failed to ensure: (i) the Company’s policies and procedures regarding establishment of loan loss reserves were followed; (ii) the reasons and rationale for excluding certain factors were documented; (iii) prior internal audit concerns were addressed; and (iv) allowance decisions and their rationale were adequately communicated to Capital One’s accounting group or committee responsible for vetting allowance decisions. Moreover, the SEC alleged that the accounting group failed to ensure that the provision for loan losses was properly supported, documented and determined in accordance with accounting requirements.


As SEC Deputy Chief Accountant Croteau mentioned in December, auditors are also under the microscope when it comes to internal controls. In this regard, the PCAOB staff issued Audit Practice Alert No. 112 last October (the “Alert”), emphasizing that PCAOB inspection reports have frequently cited significant auditing deficiencies relating to audits of internal controls over financial reporting. The Alert references PCAOB Release No. 2012-006, December 10, 2012, which details significant deficiencies in internal control audits from the 2010 inspections. In 2010, inspections staff identified deficiencies in the auditing of internal control in over 30% of the 309 internal control audit engagements inspected. Of those, 15% (46) were deficiencies so severe that the auditor failed to obtain sufficient appropriate evidence to support its opinion on the effectiveness of internal control. (Alert, p. 4). Inadequate internal control audits can spill over to the financial statement audit. PCAOB inspectors found that 39 of the 46 deficient internal control audits resulted in failing to obtain sufficient appropriate evidence to support the opinion on the financial statements, in other words, a failed audit. (Alert, p. 5). Further, the Alert explains that the results of inspections for years after 2010 showed similarly high levels of deficiencies. (Alert, p. 4).

The October 2013 Practice Alert was issued to highlight PCAOB standards’ requirements in light of the “significant auditing practice issues” discussed above. (Alert, p. 1). Advising auditors to take note of issues discussed in planning and performing their audits of internal controls, the Alert provides additional guidance on applying the relevant PCAOB standards.

Continuing its outreach to audit committees, the PCAOB staff also comments on actions audit committees might take related to internal control audits. The Practice Alert suggests that audit committees discuss with their external auditors internal control audit deficiencies identified in inspections (both internal and PCAOB inspections), the root causes, and how they are addressing the deficiencies. It also encourages audit committees to discuss specific planning and audit procedures their auditors perform in an internal control audit.


The message is clear: all key players in the financial reporting process, Management, Audit Committees, and Auditors, must recognize the significance of adequate internal controls to obtaining reliable financial reporting and achieving operations and compliance objectives. All must devote their attention to their role in establishing effective internal controls. And, all should stay tuned for more developments on the significance of internal controls.

This alert provides an overview of just some of the parameters to consider. If you have questions, please contact Sally Hoffman, senior advisor to the Berdon LLP Litigation, Valuation & Dispute Resolution Group at 212.331.7524 |

Operational Advisory & Risk Management LEAD ADVISORS View All