SEC Broadens Corporate Officer Liability Exposure By Adding Teeth to Internal Controls Certification and Disclosure Requirements

Stay current on changes and developments in corporate law with a wide variety of resources and tools.

By Daniel O'Connor, Marko S. Zatylny and Kait Michaud

R. Daniel O'Connor, Marko Zatylny and Kait Michaud are Boston-based attorneys at Ropes & Gray LLP. A partner in the firm's business & securities litigation group, Dan's litigation practice is focused on securities enforcement matters, internal investigations, related trial work and compliance consulting. A partner in the firm's securities and public companies group, Marko focuses his practice on advising public and private companies, investment banks and investment funds in mergers & acquisitions, capital markets transactions and corporate governance issues. Kait Michaud is a litigation associate with experience in securities litigation and government enforcement matters.

The Securities and Exchange Commission's increased focus on identifying and penalizing misstatements in public company financials is no secret. In April of this year, Chairman Mary Jo White highlighted in prepared testimony before the U.S. House Financial Services Committee the SEC's new Financial Fraud Task Force and the strides it was taking to identify “both traditional and emerging financial fraud issues.” 1 Likewise, at the March 2014 “SEC Speaks” conference, an annual event where the agency provides an overview of recent initiatives, SEC representatives explained that they would be analyzing patterns of internal control problems even absent a restatement and holding “gatekeepers”—such as auditors and corporate officers—accountable for corporate misstatements. 2

The SEC's disclosure on July 30 of an enforcement action against two corporate executives of a small, Florida-based computer equipment company exemplifies the type of emerging theory the SEC staff is apt to pursue. 3 In a departure from past practice, the SEC pursued theories of fraud against both the chief executive officer and chief financial officer of Quality Services Group Inc. solely for alleged misrepresentations in public disclosures about the company's internal controls environment, which are required by the Sarbanes-Oxley Act of 2002.

What makes QSGI a unique case is that it did not arise from a restatement of the company's prior financial statements; indeed, there does not appear to have been any material mistakes in the company's reported financials. Here the SEC hinged its fraud claims on alleged unreported deficiencies in QSGI's internal controls over its accounting function.

Taking the SEC's theory to its furthest extension, this case may sound an end to the days where corporate officers may simply adopt a “no harm, no foul” approach to disclosure when a company identifies an immaterial accounting issue or otherwise fails to follow its accounting policies and practices.

The SEC's theory in the QSGI matter also appears to reflect a continuation of the SEC's “Broken Windows” strategy, a reference to a New York Police Department strategy that pursued small infractions on the theory that chasing minor violations may lead to preventing larger ones. This theory was originally adopted by a former director of the SEC Enforcement Division, Robert Khuzami, and rearticulated by Chairman White.

As Chairman White explained in her October 2013 remarks at the Securities Enforcement Forum: “The [Broken Windows] theory can be applied to our securities markets—minor violations that are overlooked or ignored can feed bigger ones, and, perhaps more importantly, can foster a culture where laws are increasingly treated as toothless guidelines. And so, I believe it is important to pursue even the smallest infractions.” 4

The SEC's focus on “small” internal controls misstatements that are unaccompanied by restatements of public company financials should serve as a reminder to corporate officers that Sarbanes-Oxley certifications can form the basis of personal liability for minor, known problems. While it may be debatable whether the SEC's resources are best spent pursing such cases, the environment today at the agency is such that we may see more of these types of cases. Commissioner Aguilar's August 28, 2014 Dissenting Statement In the Matter of Lynn R. Blodgett and Kevin R. Kyser reinforces that certain voices within the SEC are committed to deter fraud with the imposition of suspensions for individuals involved regardless of whether those individuals acted with any intent. 5 Commissioner Aguilar emphatically noted that “the Commission mustbe willing to charge fraud and must not hesitate to suspend [individuals] from appearing or practicing before the Commission. This is true regardless of whether the fraudulent misconduct involves scienter” (emphasis in original).

Therefore, companies that identify internal control problems, large or small, should quickly address the issues and consider the need to report such issues to their auditors and, after evaluating the potential risks posed by the issue, the investing public.

The SEC's Allegations Against QSGI's Corporate Officers

The SEC alleged that QSGI's CEO (Marc Sherman) and former CFO (Edward Cummings) knew of significant internal controls issues in the company's inventory practices that they failed to disclose to auditors and investors. Central to the SEC's theory of fraud is that Sherman and Cummings (1) signed Form 10-Ks with management reports on internal controls (required by Sarbanes-Oxley Act §404) that falsely omitted issues; and (2) signed certifications (required by Sarbanes-Oxley Act §302) in which they falsely represented that they had evaluated the management report on internal controls and disclosed all significant deficiencies to auditors.

At bottom, the SEC's theory is reducible to two internal controls “deficiencies.” First, the SEC viewed inventory controls at one of QSGI's facilities as insufficient, principally because inaccurate inventory counts occurred when product was routinely moved into and out of the facility without appropriate entries in the company's books and records. The SEC explained that the inaccurate inventory counts were a product of multiple issues at the facility, including (1) a general practice of removing component parts from products in inventory without documenting it, (2) belated and insufficient efforts to introduce new controls, and (3) failure to hire experienced accounting personnel and granting autonomy to unqualified individuals.

Second, the SEC asserted that QSGI took advantage of the internal control weaknesses to accelerate revenue recognition by a matter of days, up to approximately a week, to maximize QSGI's borrowing potential based on the terms of a private working capital loan agreement.

The SEC's enforcement action did not allege, however, that the revenue acceleration materially altered QSGI's financial statements. (One has to wonder if this “early recognition” issue is what first drew the attention of the SEC enforcement staff.)

The company's internal controls “deficiencies” translated to misstatements in public disclosures in two ways. First, QSGI's management reports on internal controls over financial reporting were “false” because they stated that Sherman had evaluated QSGI's management controls using the criteria set forth by the Committee of Sponsoring Organizations of the Treadway Commission in Internal Control. In the SEC's view, however, Sherman did not participate in any such evaluation and, in fact, was unaware of the referenced evaluation framework.

Likewise, QSGI's §302 certifications were “false” because they certified that the signatories (Sherman and Cummings) had evaluated the management report on internal controls and disclosed all significant deficiencies to auditors when, in the SEC's view, both men were aware of and failed to disclose to auditors the aforementioned inventory and revenue recognition controls issues when they signed the certifications.

The SEC's Fraud Theory

Rather than pursue a theory of negligence on the basis of this fact pattern, the SEC has advanced fraud charges against Sherman and Cummings under §10(b) of the Securities and Exchange Act of 1934. In addition, the SEC has asserted claims against both for violating §13(b)(5) of the Exchange Act, which prohibits knowingly falsifying books and records and circumventing a company's internal controls, and causing QSGI to violate §13(b)(2) of the Exchange Act, which requires companies to “make and keep accurate books and to devise and maintain effective internal accounting controls.” The SEC also charged them with making false statements to the company's auditors under Exchange Act Rule 13(b)(2), by omitting to disclose the internal controls significant deficiency and the inventory recognition scheme.

The §10(b) fraud claim carries a high burden of proof with respect to intent. Section 10(b) prohibits the “a) use of any device, scheme, or artifice to defraud; b) the making of material misrepresentations or omissions; and c) any act, practice or course of business which operates or would operate as a fraud or deceit upon any person” in connection with the purchase or sale of a security. Section 13(b)(5) forbids “knowing falsification” of a public company's books and records or “knowing circumvention” of a public company's internal controls. In the §10(b) context, the SEC must establish that the defendant acted with scienter, “a mental state embracing intent to deceive, manipulate, or defraud.” 6 This requires “proof that the defendant acted knowingly or recklessly,” 7 where “[r]eckless conduct … represents an extreme departure from the standards of ordinary care such that the defendant must have been aware of it.” 8

The weight of the SEC's evidence may yet be tested. At the time the SEC announced its theory of liability, it disclosed that Cummings entered into a settlement without admitting or denying the SEC's claims. 9 Cummings' settlement carried with it a $23,000 civil monetary penalty, a minimum five year bar from appearing in front of the SEC as an accountant, and a five year bar from acting as an officer or director of a public company. Unlike Cummings, however, Sherman has not settled his claims and will be required to appear at an evidentiary hearing before an Administrative Law Judge to contest the SEC's allegations. 10

Corporate Officers' Obligations to Attest To a Corporation's Internal Controls

Congress' enactment of Sarbanes-Oxley in 2002 is well acknowledged as a bellwether moment in the general movement to heighten corporate executive accountability. Specifically, §§302 and 404 were intended to place more responsibility on corporate officers to establish and monitor internal control systems. Some have argued that these certification requirements were born of former Enron CEO Jeffrey Skilling's testimony in front of the U.S. Senate Banking and Commerce Committee in 2002, in which he claimed ignorance of and denied responsibility for the details of Enron's accounting. Regardless, the congressional record regarding Sarbanes-Oxley acknowledged a dual purpose to the executive certification requirements: prevention of fraud and accountability. Specifically, representatives in favor of the bill noted it would “improve the ethical standards of top corporate officers” and ensure they would be liable in the event of fraud. 11

Taken together, §§302 and 404 require corporate officers to (1) certify that they have evaluated and maintained internal controls, (2) identify the framework used to make such an evaluation, and (3) certify that they have reported significant deficiencies in the design of internal controls to auditors. Section 302 and 404 certifications are formalized, requiring the following elements:

  •  Section 302's certification asserts:
  • that the financial statements and related disclosures fairly present the company's operations and financial condition in all material respects;
  • that the CEO and CFO have designed disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under their supervision, to provide reasonable assurance regarding the reliability of financial reporting;
  • that the CEO and CFO have evaluated the effectiveness of the company's internal controls in a management statement on internal controls over financial reporting; and
  • that the CEO and CFO have disclosed to the auditor and audit committee all significant deficiencies or material weaknesses in the design or operation of internal controls and any fraud, whether or not material, that involved management or other employees with a significant role in internal controls.
  •  Section 404's report on internal controls requires:
  • a statement asserting management's responsibility for establishing and maintaining adequate internal control over financial reporting;
  • a statement identifying the framework used by management to evaluate the company's internal controls; and
  • management's assessment of the effectiveness of the company's internal controls and disclosure of any material weaknesses in the internal controls.

Prior to the QSGI decision, perhaps given the ambiguity inherent in determining whether internal controls are adequate or effective, SEC enforcement actions premised on “false” §§302 and 404 certifications were almost always accompanied by other alleged misstatements, such as an accounting misstatement. Even in the civil securities fraud arena, courts routinely held that false certifications are insufficient on their own to enable a securities fraud action to survive a motion to dismiss.

This principle was affirmed as recently as this year by the U.S. District Court for the Southern District of New York in its analysis of In re Magnum Hunter Resources Corp. Sec. Litig., 2014 BL 173951 (S.D.N.Y. June 23, 2014). In granting a motion to dismiss a §10(b) fraud action, Judge Forrest stated that “‘failure [of corporate executives] to identify problems with the defendant-company's internal controls and accounting practices does not constitute reckless conduct sufficient for Section 10(b) liability.’” Therefore, even though the court found that there may have been misstatements in the company's public statements, and that as a result management certifications may have been false, such allegations did not sufficiently plead the scienter requirement of §10(b).

Now, however, the SEC is signaling an intent to enforce §§302 and 404 certification requirements even absent material misstatements in a company's financial statements.

Key Takeaways

In its press release announcing the charges, the SEC took the opportunity to state that corporate executives have “an obligation to take the Sarbanes-Oxley disclosure and certification requirements very seriously.” 12 Corporate officers should remember three key takeaways:

1. Where appropriate, be open with the company's external auditors about perceived internal controls setbacks. Transparency with the company's audit committee and with external auditors regarding evaluations of the company's internal controls will protect the company, its investors and its officers. Possible steps to achieve this end may include: taking additional ownership over the internal audit function, hiring adequate personnel with accounting background to place in appropriate management positions and ensuring that accounting practices are consistent throughout the company. Although it is no silver bullet, it is much more difficult for the SEC's enforcement staff to bring a fraud case against an officer when an issue has been fully vetted with the company's auditor.

2. It may be appropriate for officers to revisit their company's internal controls review framework, as well as their individual involvement in the same. The Sarbanes-Oxley §404 certification places ultimate responsibility for an operational and effective internal controls environment at officers' feet. Accurate descriptions of the scope of each corporate officer's involvement in internal controls development and monitoring will head off a theory of fraud premised on over-selling an officer's involvement in internal controls.

3. The SEC's “Broken Windows” strategy might extend to issues that many consider to be immaterial. Although the SEC has shown with recent cases that it will pursue non-restatement accounting issues against companies (for example, PACCAR's $225,000 payment to the SEC in 2013 to settle charges that the company misinformed investors through “various accounting deficiencies that clouded their financial reporting”), it appears to be extending this approach to individuals. The SEC may take the view that a corporate officer's obligations extend beyond responding to problems as they develop, and encapsulate “rooting out” systemic issues before they turn into larger problems and keeping auditors informed as the company identifies and addresses problems.




1 Mary Jo White, Chairman, U.S. Sec. & Exch. Comm'n, Testimony before U.S. House Fin. Servs. Comm. (Apr. 29, 2014), available at

2See generally (speeches dated Mar. 12, 2014).

3 ( 12 CARE 887, 8/1/14).

4 Speech, Mary Jo White, Chair, U.S. Sec. & Exch. Comm'n (Oct. 9, 2013), available at


6Luis A. Aguilar, Comm'r, U.S. Sec. & Exch. Comm'n, Dissenting Statement In the Matter of Lynn R. Blodgett and Kevin R. Kyser, CPA, Respondents (Aug. 28, 2014), available at


7 Ernst & Ernst v. Hochfelder, 425 U.S. 185, 193 n.12 (1976).

8 Hollinger v. Titan Capital Corp., 914 F.2d 1564, 1568-69 (9th Cir. 1990) (en banc).

SEC v. Rubera, 350 F.3d 1084, 1094 (9th Cir. 2003).


U.S. Sec. & Exch. Comm'n, Release No. 2014-152, SEC Charges Company CEO and Former CFO with Hiding Internal Controls Deficiencies and Violating Sarbanes-Oxley Requirements (July 30, 2014), available at

10 Id.

11 House Consideration and Agreement to the Conference Report to Accompany H.R. 3763, Sarbanes-Oxley Act of 2002 (July 25, 2002).

12 U.S. Sec. & Exch. Comm'n, Release No. 2014-152, SEC Charges Company CEO and Former CFO with Hiding Internal Controls Deficiencies and Violating Sarbanes-Oxley Requirements (July 30, 2014), available at

Request Corporate on Bloomberg Law