Sarbanes Oxley & “Adequate Internal Controls”: Safeguarding Confidential Information in an SEC-Mandated Blackout

In 2002, the United States Congress passed the Sarbanes-Oxley Act of 2002 (the “Act”) to combat corporate and accounting fraud.[1] The Act was passed in response to a series of corporate bankruptcies and other scandals that occurred in previous years, such as the Enron scandal.[2] Under section 404 of the Act, the Securities and Exchange Commission (“SEC”) had to adopt rules requiring that each annual report submitted by a company include an internal control report.[3] This internal control report should contain:

(1) a statement of management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) management’s assessment, as of the end of the company’s most recent fiscal year, of the effectiveness of the company’s internal control structure and procedures for financial reporting.[4]

The internal control report should also include “a statement that its auditor has issued an attestation report on management’s assessment.”[5] However, a challenge that has emerged from these requirements is figuring out what constitutes “adequate internal controls,” especially when it involves safeguarding information during SEC blackout periods.

Maintaining adequate internal controls is a task that has proven difficult for some companies. In 2019, the SEC settled charges with certain companies for failing to maintain adequate internal controls over their financial reporting (“ICFR”).[6] The companies had not been charged with making false or inaccurate statements because they had always disclosed weaknesses in their ICFR.[7] However, according to the SEC’s statement, “[d]isclosure of material weaknesses is not enough without meaningful remediation. . . . Companies cannot hide behind disclosures as a way to meet their ICFR obligations.”[8]

Internal Control Over Financial Reporting

Internal control over financial reporting is defined as “[a] process designed . . . to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.”[9] Internal control over financial reporting is meant to help companies prepare reliable financial statements that are materially accurate.[10] Through their internal controls, companies can identify weaknesses that could cause their financial statements to be inaccurate.[11] Also, these procedures can help them detect and deter fraudulent financial accounting practices.[12]

The SEC staff is tasked with evaluating whether a company’s internal controls are adequate and serve their purpose. The SEC, however, has not specified or made available to the general public how it evaluates these controls or the exact criteria it uses. Even though the SEC has not shared this information, it has provided some recommendations for companies to ensure they have adequate and effective internal controls. The SEC staff recommends that a company’s management use its own experience and judgment to determine the company’s needs and risks to design an assessment process that is effective and appropriate.[13] Another recommendation is for the assessment process to focus on controls related to processes and transactions that are “most likely to have a material impact on the company’s financial statement.”[14]

Evaluating Internal Controls

When it comes to the preparation of supplementary material, the staff clarified that internal controls are also required to ensure their accuracy and management must assess their effectiveness regularly.[15] Finally, when evaluating internal control deficiencies, management should take into account all the facts and circumstances.[16] This shall include considering “the probability of occurrence in light of the assessed effectiveness of the company’s internal control, keeping in mind that internal control over financial reporting is defined as operating at the level of ‘reasonable assurance.’”[17]

Reporting issuers and their management should make a genuine effort to establish internal controls that are sufficiently probative and effective in identifying and executing necessary remediation measures that comply with the SEC’s rules. These internal controls should be evaluated regularly and any deficiencies should be corrected. Companies that simply disclose their deficiencies without following up with any change or remediation are not in compliance with the regulations.[18] Although disclosure is important, disclosure alone will not exempt companies from facing charges from the SEC.

[1] See Stephen C. Gara & Craig J. Langstraat, The Sarbanes-Oxley Act of 2002: A New Ballgame for Accountants, 34 U. Mem. L. Rev. 73, 74 (2003); SARBANES-OXLEY ACT OF 2002, MNYMGUIDE ¶ 117.

[2] See Gara & Langstraat, supra note 1; Peter Bondarenko, Enron scandal, Britannica, (last visited Sept. 5, 2020) (“Enron scandal, series of events that resulted in the bankruptcy of the U.S. energy, commodities, and services company Enron Corporation and the dissolution of Arthur Andersen LLP, which had been one of the largest auditing and accounting companies in the world. The collapse of Enron, which held more than $60 billion in assets, involved one of the biggest bankruptcy filings in the history of the United States, and it generated much debate as well as legislation designed to improve accounting standards and practices, with long-lasting repercussions in the financial world.”).


[3] Press Release, U.S. Sec. & Exch. Comm’n, SEC Implements Control Provisions of Sarbanes-Oxley Act; Adopts Investment Company R&D Safe Harbor (May 27, 2003), [hereinafter SEC Internal Control Provisions]; 15 U.S.C.A. § 7262 (Westlaw through P.L. 116-150).

[4] SEC Internal Control Provisions, supra note 3.

[5] Id.

[6] Nicolas Grabar et al., SEC Enforcement for Internal Control Failures, Harv. L. Sch. F. Corp. Governance (Mar. 7, 2019),

[7] Id.

[8] Press Release, U.S. Sec. & Exch. Comm’n, SEC Charges Four Public Companies With Longstanding ICFR Failures, (Jan. 29, 2019), [hereinafter SEC Charges Four Public Companies].

[9] Final Rule: Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, U.S. Sec. & Exch. Comm’n, (last visited Sept. 5, 2020).

[10] Staff Statement on Management’s Report on Internal Control Over Financial Reporting, U.S. Sec. & Exch. Comm’n (May 16, 2005), [hereinafter Staff Statement].

[11] Id.

[12] Id.

[13] Id.

[14] Id.

[15] Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, U.S. Sec. & Exch. Comm’n, (last visited Sept. 8, 2020).

[16] Staff Statement, supra note 11.

[17] Id.

[18] SEC Charges Four Public Companies, supra note 8.

McConville v. SEC: Widening the Net through Falsities and Scienter

McConville v. United States involved a petition for review of an order of the Securities and Exchange Commission (“SEC”) finding violations of several sections of the Securities Exchange Act of 1934 by the chief financial officer of Akorn Incorporated.[1] Akorn Incorporated manufactured and sold diagnostic and therapeutic pharmaceuticals to wholesalers and end-use consumers.[2] Akorn would process and keep track of its orders using various rates, corporate credits, and payment schedules (e.g., current, thirty to sixty days past due, etc.).[3] Akorn used a system that involved three different financing offices and used different computer programs and record-keeping mechanisms to track its orders and payments.[4] Akorn tried using a new system to improve its record keeping, but the system was incapable of tracking all of Akorn’s data.[5] The company switched to another software system but did not transfer the data from the previous system to the new one.[6]

Between February 28, 1997 and March 20, 2001, Rita McConville (“Petitioner”) worked as chief financial officer (“CFO”) of the company and was responsible for (1) supervising the finance departments, (2) working with Akorn’s auditor, and (3) filing documents with the SEC.[7] In 2000, problems with the company’s financial records came to light.[8] First, Akorn’s auditor alerted the board of problems with the company’s financial record-keeping, e.g. misapplication of credits, failure to review accounts receivables, etc.[9] Second, a dispute arose between Akorn and one of its customers as a result of billing discrepancies amounting to close to $5 million.[10]

Despite these problems, Petitioner assured the auditor that the accounts were being reconciled.[11] Petitioner also participated in the drafting of financial documents during her time as CFO, including the 2000 Form 10-K.[12] Petitioner also signed two letters essentially stating that the financial statements did not need to be adjusted because no events had occurred after December, 2000 and after February, 2001 that had a material effect on the statements.[13] In 2002, Akorn restated its financial statements for the years 2000 and 2001.[14] Akorn reported that its financial statements contained errors, including, among other concerns, that the company had in fact sustained a net loss of $2.4 million in 2000 instead of the gain of $2 million it had initially reported.[15]

In 2003, the SEC started proceedings against Petitioner and the current CFO of Akorn alleging that Petitioner’s mismanagement of the financial department caused the company to file documents that were in violation of the federal securities laws.[16] The SEC found that Petitioner’s conduct violated Sections 10(b), 13(b)(2), and 13(b)(5) of the Securities Exchange Act of 1934 (“Act”), among others.[17] After the SEC’s findings, Petitioner filed a petition for review with the United States Court of Appeals for the Seventh Circuit.[18]

Under Section 10(b) of the Act, the Commission must show that Petitioner “(1) made a false statement or omission (2) of material fact (3) with scienter[19] (4) in connection with the purchase or sale of securities.”[20] The issue was whether there was substantial evidence to support the Commission’s finding.[21]

Petitioner argued that the Commission did not prove the first and third elements by substantial evidence.[22] However, the appellate court found that the Commission proved the first element because Petitioner not only drafted Akorn’s financial statements, but she also reviewed and approved them, including the Form 10-K.[23] She also assured auditors that the documents were accurate and that no events had occurred that would make the documents misleading.[24] Therefore, the court concluded that Petitioner’s substantial involvement in the making of the documents and her statements to the auditors established that she made a false statement or omission.[25]

The court also found that the Commission proved the third element of scienter.[26] The court stated that “the requisite for scienter is an ‘extreme departure from the standards of ordinary care, which presents a danger of misleading buyers or sellers that is either known to the defendant or is so obvious that the actor must have been aware of it.’”[27] Here, the court found that Petitioner was aware of the problems in Akorn’s financial department and that she failed to disclose them in the financial statements.[28] For example, Petitioner stated that all customer accounts would be reconciled by a specific date, but this was not accomplished.[29] Despite this, Petitioner told auditors that nothing had occurred that would have made the financial statements misleading.[30] Therefore, the court concluded that Petitioner’s conduct occurred with recklessness and that the Commission proved the third element.[31] In addition, the appellate court found that there was substantial evidence that Petitioner violated SEC rules 13(b)(2) and 13(b)(5) of the Act.[32] As a result, the appellate court denied the petition for review.[33]

McConville highlights the importance of good record keeping. Purposely submitting inaccurate or false information in documents filed with the SEC is not the only way to run afoul of the Commission. Bad tracking and recordkeeping that cause inaccurate reports, even if not intentional, may also lead to violations and charges with the SEC. It is also not necessary for a person to sign a document for it to be attributed to them; it is enough that the person was substantially involved in the process of making the document, e.g., drafting, reviewing, or affirming the document’s accuracy and content.

[1] McConville v. United States, 465 F.3d 780 (7th Cir. 2006).

[2] Id. at 782.

[3] Id.

[4] Id. at 783.

[5] Id.

[6] McConville, 465 F.3d at 783.

[7] Id.

[8] Id.

[9] Id.

[10] Id.

[11] McConville, 465 F.3d at 784.

[12] Id. at 785 (A 10-K Form is a document reporting a corporation’s financial health to the SEC.).

[13] Id.

[14] Id.

[15] Id. at 786.

[16] McConville, 465 F.3d at 786 (Petitioner was the CFO during the preparation of the documents filed with the SEC but was removed shortly before the company filed its financial statements with the SEC. She continued to work gathering information for the financial statements in her new position as corporate controller.).

[17] Id.

[18] Id.

[19] While not defined in the regulations, the United States Supreme Court has described the term “scienter” as proscribing conduct evinced by an intent to deceive, manipulate, or defraud; see, Ernst & Ernst v. Hochfelder, 425 U.S. 185 (1976).

[20] Id.

[21] Id. at 787.

[22] McConville, 465 F.3d at 787.

[23] Id.

[24] Id. at 788.

[25] Id.

[26] Id.

[27] McConville, 465 F.3d at 788 (quoting Makor Issues & Rights, Ltd. v. Tellabs, Inc., 437 F.3d 588, 600 (7th Cir. 2006)).

[28] Id.

[29] Id.

[30] Id.

[31] Id. at 789.

[32] McConville, 465 F.3d at 789-90 (The opinion also explains how Petitioner violated rules 13(b)(2) and 13(b)(5) but the focus of this article was on rule 10(b)).

[33] Id. at 790.

OCIE Risk Alert Cautions Registered Funds to Address Deficiencies

Recently, the Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert listing the deficiencies and weaknesses found most often by the agency while examining registered investment companies (“funds”).[1] The Risk Alert also includes observations that focus on money market funds and target-date funds.[2] According to the Risk Alert, the most common deficiencies and weaknesses are those related to the fund compliance rule, disclosure to investors, the board approval process involving advisory contracts, and the fund code of ethics rule.[3]

The Fund Compliance Rule

Under this rule, a fund is required to “adopt and implement written policies and procedures reasonably designed to prevent violations of the federal securities laws by the fund.”[4] The rule also requires that the fund board approve the policies and procedures of the fund’s service providers and annually review the adequacy and effectiveness of the policies and procedures. The most common deficiencies or weaknesses regarding the fund compliance rule are:

  • That funds’ compliance programs did not consider the nature of the business activities or risks specific to the fund;[5]
  • That funds did not follow or enforce their compliance policies and procedures;[6]
  • That funds did not “adopt and implement policies and procedures” to monitor compliance by service providers;[7]
  • That some funds did not “conduct annual reviews of their policies and procedures,” and others had so little documentation that it was unclear whether the reviews had been completed at all;[8] and
  • That certain funds conducted annual reviews but did not address how effective and adequate the fund’s policies and procedures were.[9]

Disclosure to Investors

“The federal securities laws make it unlawful to make untrue statements of material fact or omit material information necessary to make other statements not misleading in registration statements, reports, and other documents filed with the Commission or otherwise provided to investors.”[10] The most common deficiencies or weaknesses observed involved:

  • Funds that provided “incomplete or potentially materially misleading information in their prospectuses, statements of information, or shareholder reports when compared to the funds’ actual activities.”[11]

Some examples of incomplete or misleading information include not disclosing the payment of fees made to service providers and not disclosing changes to an investment strategy.[12]

1940 Act Section 15(c) Process

Section 15(c) “requires a majority of the fund’s independent directors to approve the fund initially entering into, or renewing, a contract or agreement with a person who undertakes regularly to serve or act as an investment adviser of or a principal underwriter for such fund.”[13] Among other considerations, board members of the fund have a duty to request and assess the information needed to evaluate the terms of the contract and to preserve the documents considered by the board when approving the terms or renewal of the contract.[14] The most common deficiencies or weaknesses involving the Section 15(c) process are:

  • That some fund boards may not have requested or considered information necessary to evaluate the fund’s investment advisory agreement, while others may have received incomplete information and did not request the missing information;[15]
  • That funds’ shareholder reports did not “discuss adequately the material factors and conclusions that formed the basis for the board’s approval of an investment advisory contract”;[16] and
  • That, in some cases, the funds’ advisory contract review process did not comply with section 15(c).[17]

Fund Code of Ethics

The fund code of ethics requires funds and other entities “to adopt a written code of ethics containing provisions reasonably necessary to prevent their ‘access persons’ from engaging in fraudulent, deceptive, or manipulative acts in connection with the purchase and sale of securities held or to be acquired by the fund.”[18] The most common deficiencies and weaknesses related to the fund code of ethics rule are:

  • Funds that failed to implement procedures necessary to prevent violations of their codes of ethics or had procedures that were inadequate;[19]
  • Funds that failed to follow, enforce or “use reasonable diligence to prevent violations of their codes of ethics”;[20] and
  • Funds that failed to comply with their approval and reporting obligations.[21]

In addition, OCIE conducted an examination focusing on Money Market Funds (“MMF”) and Target Date Funds (“TDF”) and found some deficiencies and weaknesses as well.

Money Market Funds

  • When it comes to “eligible securities” and minimal credit risk determinations, some MMFs did not maintain adequate records and did not include in their credit files information required under Rule 2a-7;
  • When it comes to “eligible securities” and minimal credit risk determinations, some MMFs did not have policies and procedures that addressed, among other things, filing accurate and timely information with the Commission, and testing for issuer diversification to ensure that no more than 5% of the funds’ assets were invested in any one issuer;[22]
  • Some MMFs provided stress test results that “did not include the required summary of significant assumptions used in the stress tests”;[23]
  • Some MMFs had not adopted and implemented policies and procedures to comply with Rule 2a-7;[24] and
  • MMFs did not disclose on their websites information required under Rule 2a-7 and/or the information was inaccurate.[25]

Target Date Funds

The OCIE noted that most of the TDFs were following the 1940 Act in the areas reviewed, but there were still some deficiencies and weaknesses related to their disclosures and compliance programs.[26] “Some TDFs had incomplete and potentially misleading disclosures in their prospectuses and advertisements.”[27] For example, some information in the TDFs’ marketing materials was different from the TDFs’ prospectus disclosures.[28] In addition, TDFs had incomplete or missing policies and procedures.[29] Some of the missing or incomplete policies and procedures involved monitoring asset allocations and overseeing advertisements and sales literature.[30]

The key takeaway from this risk alert is that boards of funds need to take a more active role in ensuring compliance with securities regulations. In particular, to avoid non-compliance, funds should review the fund compliance rule, expand disclosure to investors, improve the board approval process involving advisory contracts, and ensure the thorough implementation of the fund code of ethics rule.

[1] Top Compliance Topics Observed in Examinations of Investment Companies and Observation from Money Market Fund and Target Date Fund Initiatives, Office Compliance Inspection & Examinations (Nov. 7, 2019), [hereinafter Top Compliance Topics].

[2] Id.

[3] Id.

[4] Id.

[5] Id. at 5.

[6] Top Compliance Topics, supra note 1, at 5.

[7] Id.

[8] Id.

[9] Id.

[10] Id. at 3.

[11] Top Compliance Topics, supra note 1, at 3.

[12] Id.

[13] Id.

[14] Id.

[15] Id.

[16] Top Compliance Topics, supra note 1, at 3.

[17] Id. at 3-4.

[18] Id. at 4.

[19] Id.

[20] Id.

[21] Top Compliance Topics, supra note 1, at 4.

[22] Id. at 5.

[23] Id.

[24] Id. at 6.

[25] Top Compliance Topics, supra note 1, at 6.

[26] Id.

[27] Id.

[28] Id. at 7.

[29] Id.

[30] Top Compliance Topics, supra note 1, at 7.

Racing Against the Clock: How Somers Forces Whistleblowers into Silence or Premature SEC Reporting

On February 21, 2018, the Supreme Court in Digital Realty Trust, Inc. v. Somers[1] narrowly construed the definition of “whistleblower” in the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd-Frank Act” or “Act”) and thus limited who qualifies for the anti-retaliation protections afforded by the Act. The Court narrowly interpreted the Dodd-Frank Act, holding that a whistleblower is entitled to the anti-retaliation protections of the Act only if the employee reports alleged securities law violations directly to the Securities and Exchange Commission (“SEC”) while still employed by the issuer[2].[3]

The Supreme Court’s decision in Digital Realty arose after it granted certiorari[4] to resolve a conflict in the courts highlighted in the Ninth Circuit Court of Appeals’ decision in Somers v. Digital Realty Trust (2017).[5] Paul Somers (“Somers”) worked as Vice President of Digital Realty Trust from 2010 to 2014.[6] Somers’s complaint asserted that Digital Realty terminated him only after he reported potential violations of the securities laws internally to company management.[7] Somers did not provide this information to the SEC while employed.[8] Somers subsequently brought a whistleblower retaliation claim under the Dodd-Frank Act against Digital Realty for his termination.[9] The company moved to dismiss the claim on the grounds that Somers did not qualify as a whistleblower under the Dodd-Frank Act because he had not reported the alleged securities law violations to the SEC before his termination.[10] The district court denied the motion, reasoning that the whistleblower provisions under Dodd-Frank were ambiguous and, as a result, the SEC’s broader Rule 21F-2, which accorded protection to internal reports, was entitled to Chevron deference.[11] The Ninth Circuit affirmed, concluding that adoption of the statutory definition of whistleblower, as the company urged, would narrow the anti-retaliation provisions to protect only active employees who report possible violations of securities laws both internally and to the SEC, which was unlikely to occur.[12]

On review, the Supreme Court held that a plain reading of Dodd-Frank’s definition of “whistleblower” in conjunction with its anti-retaliation provision, as well as the intent of Congress in enacting the statute, cut against the Ninth Circuit’s expansive reasoning. The issue before the Supreme Court in Digital Realty was the language of the Dodd-Frank Act, which defines “whistleblower” as “any individual who provides . . . information relating to a violation of the securities laws to the Commission, in a manner established . . . by the Commission.”[13] The Supreme Court unanimously, with two concurrences, overturned the Ninth Circuit’s holding and concluded that Mr. Somers’s failure to make a report to the SEC while employed was fatal to his case.[14]

First, the Court pointed to the explicit statutory language of Dodd-Frank, noting that the specific text of the statute defined a whistleblower as someone who reported to the SEC, and the statutory definition of whistleblower applied to govern the anti-retaliation provisions under the Act.[15] The Court also reasoned that Congress must have intended to use a government-reporting requirement because it incorporated such a requirement into the whistleblower definition but not elsewhere in the statute.[16] Second, the Court relied on the legislative intent, holding that the “core objective” of Dodd-Frank was “to prompt reporting to the SEC” and interpreting Dodd-Frank’s definition of whistleblower strictly furthered that goal, even if it narrowed the field of eligible employees.[17] Since Congress had directly spoken to the precise question before it, the Court saw no need to accord deference to a contrary view adopted by the SEC in Rule 21F-2.[18]

The Court therefore held that individuals not meeting the threshold requirement of providing pertinent information to the SEC cannot avail themselves of Dodd-Frank’s anti-retaliation protections; the Court noted that such a requirement is by statutory design.[19] The Court stressed that Congress enacted Dodd-Frank “to motivate people who know of securities law violations to tell the SEC,” and, in connection with this purpose, Congress granted such individuals “immediate access to federal court, a generous statute of limitations . . . and the opportunity to recover double backpay.”[20] The Court, however, found that the reason for such incentives was to effectuate Dodd-Frank’s narrow objective of motivating individuals to “tell the SEC,” and not to “disturb the ‘corporate code of silence’” and embolden employees to report fraudulent behavior “not only to the proper authorities . . . but even internally.”[21]

In sum, Digital Realty determines that an employee is entitled to no anti-retaliation protections if the employee only reports such purported violations internally, utilizing the employer’s internal compliance processes. Time will tell whether the Supreme Court’s ruling will deter or increase the number of whistleblower actions. Employees may either fail to report altogether for fear of unprotected retaliation, or, to ensure protection against retaliation, simultaneously report to both the regulators and internal compliance departments before those teams have a chance to review, investigate, and remediate as necessary. The decision is limited to the Dodd-Frank whistleblower statute involving securities laws and does not appear to affect or mention the numerous other whistleblower protection statutes. In the wake of the Digital Realty ruling, employers should review their whistleblower policies frequently, in conjunction with legal counsel, to ensure that employees have multiple avenues to report suspected illegal and/or unethical conduct. Likewise, whistleblower policies should assure employees that such reports will not be met with retaliation.

[1] Dig. Realty Tr., Inc. v. Somers, 138 S. Ct. 767 (2018).

[2] “Issuer” is a term which refers to an organization offering one or more securities for investment.

[3] Id. at 778.

[4] The Supreme Court grants certiorari when a party challenges the decision of a lower court and the Court decides to review the case. It’s effectively like asking for a manager and having the manager decide to closely review the subordinate’s work.

[5] See, Somers v. Digital Realty Tr., Inc., 850 F.3d 1045 (9th Cir. 2017).

[6] Id.

[7] Id. at 1047.

[8] Id.

[9] Id.

[10] Somers, 850 F.3d at 1047.

[11] The scope of the Chevron deference doctrine is that when a legislative delegation to an administrative agency on a particular issue or question is not explicit but rather implicit, a court may not substitute its own interpretation of the statute for a reasonable interpretation made by the administrative agency; see, generally, Thomas W. Merrill & Kristin E. Hickman, Chevron’s Domain, 89 Geo. L.J. 833 (2001); see also, Chevron U.S.A. Inc. v. Natural Resources Defense Council, Inc., 467 U.S. 837 (1984).

[12] Somers v. Digital Realty Tr. Inc., 850 F.3d 1045 (9th Cir. 2017).

[13] 15 U.S.C. § 78u-6 (a)(6).

[14] Dig. Realty Tr., 138 S. Ct. at 772.

[15] Id. at 775.

[16] Id. at 777.

[17] Id. at 780.

[18] Id. at 781-82.

[19] Dig. Realty Tr., 138 S. Ct. at 781-82.

[20] Id. at 778.

[21] Id.