Highlighting Recent Cyber-Related Financial Losses, the SEC Urges Public Companies to Revisit Internal Accounting Controls

Charles Soranno, Managing Director, Internal Audit and Financial Advisory

Even the best-intended internal controls are only as effective as the degree to which they are designed and executed. According to a recent FBI report, failure to adhere to payment and reconciliation controls has cost companies more than $5 billion over the past five years.

In addition, a recent cyber threat investigation by the U.S. Securities and Exchange Commission (SEC) found widespread vulnerabilities at public companies involving fraudulent wire transfers and vendor payments initiated via compromised business email accounts. The investigation found that while victims seemingly had adequate controls in place, those controls were circumvented by employees who did not fully understand them and did not recognize signs that emailed payment instructions might not be reliable.

Last month, the SEC issued a report advising public companies to review internal accounting controls related to business email compromises (BECs), more commonly known as “spearphishing.” These attacks, which seek financial application data, are not new but have seen a resurgence as personal information has declined in market value and become harder to obtain. The report includes what we might call “graphic examples” of unwittingly complying with fraudulent requests, some of which involve executives who failed to question those requests. Protiviti has published a Flash Report summarizing the SEC findings and related guidance. In our Flash Report, we also offer our point of view and recommendations for companies to effectively address the SEC’s concerns.

Public companies, and those organizations aspiring to go public, are required to adapt their internal accounting controls to the current risk environment. Executives are expected to attest to the efficacy of those controls in their periodic SEC filings. Ultimately, however, the people responsible for these controls at the operating level must know and follow the rules. The SEC has chosen – for now – not to impose penalties but to issue a warning to issuers. Nevertheless, its investigative report is certainly eye-opening and raises the stakes for issuers and their certifying officers, who are ultimately responsible for reliable financial reporting and mitigation of material financial risks.

For more information and guidance, download the Protiviti Flash Report.
