“[The SEC’s] Theory Of Internal Accounting Controls Violations Amounts To A Wholesale Rewriting Of The Law”

This previous post highlighted the SEC’s “non-FCPA, FCPA enforcement action” (that is an enforcement action that charges violations of the FCPA’s books and records and/or internal controls provisions yet has nothing to do with foreign bribery) against SolarWinds Corporation and various individuals based on, among other things, control failures related to allegedly known cybersecurity risks and vulnerabilities.

The post was one of several in recent years to highlight the SEC’s unhinged theory of enforcement regarding the FCPA’s internal controls provisions (see here, here, here, here, here, here, here, here and here for instance).

Unlike most issuers, which roll over and play dead when the SEC advances an expansive legal theory, the defendants are mounting a defense – and this is good from the perspective of case law development of the FCPA’s internal controls provisions.

As to the internal controls portion of the SolarWinds enforcement action, in a recently filed motion to dismiss the defendants state in summary fashion:

“[The SEC’s] theory of “internal accounting controls” violations amounts to a wholesale rewriting of the law. The agency is seeking to twist the concept of accounting controls into a sweeping mandate for it to regulate public companies’ cybersecurity controls—a role for which the SEC lacks congressional authorization or substantive expertise.”

As stated in the motion to dismiss brief (certain internal citations omitted):

“The SEC’s theory on internal accounting controls claim is not only meritless, it is a bald attempt to arrogate power Congress has not granted. Section 13(b)(2)(B) of the Exchange Act is a narrow provision requiring public companies to maintain “a system of internal accounting controls.” Yet the SEC seeks to recast it as a boundless mandate for it to regulate public companies’ cybersecurity controls—even controls for detecting bugs in software products. Relying on a clause that requires companies to have “internal accounting controls” that reasonably safeguard “access to assets,” 15 U.S.C. § 78m(b)(2)(B), the SEC contends that “SolarWinds’ information technology network environment, source code, and products were among the Company’s most crucial assets”—ergo, any failure to reasonably protect those “assets” from hackers constitutes an “internal accounting controls” violation. This specious argument reads “accounting” right out of the statute and has no support in the text, legislative history, or caselaw.

[The] text [of the internal controls provisions] makes clear that the provision governs only internal accounting controls—not internal controls generally. The text equally makes clear that the “assets” it concerns are those related to accounting, i.e., the sort of assets that would be involved in a company’s transactions and appear on its balance sheet. Nothing in the text suggests that it covers cybersecurity controls over information-technology “assets” with no nexus to accounting.

The ordinary meaning of the text is confirmed by the legislative history. Congress introduced the “internal accounting controls” provision as part of the Foreign Corrupt Practices Act of 1977, which it enacted in response to concerns about “bribery of foreign officials by United States business interests.” United States v. Kay, 359 F.3d 738, 746 (5th Cir. 2004). Congress’s explicit purpose was “to strengthen the accuracy of the corporate books and records and the reliability of the audit process which constitute the foundations of our system of corporate disclosure,” in order “to prevent the use of corporate assets for corrupt purposes” and to provide “assurance that corporate recordkeeping is honest.” S. Rep. No. 95-114, at 7 (1977). Thus, the focus was on bookkeeping, not anything broader (and certainly not cybersecurity).

Indeed, the specific language of Section 13(b)(2)(B) comes from a Statement on Auditing Standards published by the American Institute of Certified Public Accountants (AICPA). See id. at 8 (citing AICPA Statement on Auditing Standards No. 1, 320.28 (1973) (“SAS 1”)). That Statement explained that “accounting controls” are limited to “the safeguarding of assets and the reliability of financial records.” SAS 1 at 320.28. It further explained that “safeguarding assets” in this context does not broadly mean protecting assets “against something undesirable,” id. at 320.14, but rather means protecting assets against “loss”—of the sort that could cause accounting discrepancies, such as “understatement of sales through failure to prepare invoices,” “overpayments to vendors or employees arising from inaccuracies in quantities of materials,” or “physical loss of assets such as cash, securities, or inventory.” Id. at 320.15 & 320.19; see also In re Ikon Office Sols., Inc. Sec. Litig., 277 F.3d 658, 672 n.14 (3d Cir. 2002) (“‘Internal accounting controls’ refers to the mechanism by which companies monitor their accounting system (their individualized method of processing transactions) for errors and irregularities in order to safeguard company assets and ensure that records are sufficiently reliable.”).

Section 13(b)(2)(B) thus does not authorize the SEC to bring suit based on purported “shortcomings to SolarWinds’ cybersecurity controls.” If Congress had meant to authorize the SEC to serve as some sort of roving cybersecurity commissioner for public companies, it would have said so in plainer terms, and there would have been some discussion of it in the legislative history. Any such mandate would have sweeping implications for public companies, as well as for the SEC—which lacks the expertise or resources to perform such a role. Congress does not legislate this way; it “does not hide elephants in mouseholes by altering the fundamental details of a regulatory scheme in vague terms of ancillary provisions.” Sackett v. Env’t Prot. Agency, 598 U.S. 651, 667 (2023); see also West Virginia v. EPA, 142 S. Ct. 2587, 2610 (2022) (courts are skeptical of “claims to discover in a long-extant statute an unheralded power representing a transformative expansion in [an agency’s] regulatory authority”).

No court has endorsed the SEC’s revisionist reading of the statute. Courts have instead uniformly dismissed Section 13(b)(2)(B) claims that are not directed at controls specifically related to accounting. See, e.g., S.E.C. v. Felton, 2021 WL 2376722, at *12 (N.D. Tex. 2021) (dismissing claim because “the SEC does not identify a single internal control that governed the handling of sales, inventory, exchanges, returns, recognition of revenue, etc.” (quotation marks omitted)); S.E.C. v. Patel, 2009 WL 3151143, at *26 (D.N.H. 2009) (dismissing claim where allegations said “nothing about manual or automated reviews of records, methods to record transactions, reconciliation of accounting entries, or anything else that might remotely qualify as an internal accounting control”); see also In re Equifax, 357 F. Supp. 3d at 1230 (“Even if Equifax’s data breach protocol was vastly deficient, this does not establish that it had insufficient internal controls over financial reporting.”). This Court should likewise dismiss the SEC’s claim here.”

In an amicus brief, the Chamber of Commerce and Business Roundtable assert in summary fashion:

“The Chamber and Business Roundtable have a significant interest in this case. The SEC’s expansion of the internal-accounting-controls provision of the FPCA [a rather embarrassing typo] would enable it to charge any public company with a violation of the federal securities laws for failing to apply the company’s own internal policies or even for being the victim of crime. The SEC has already asserted this power, far beyond what Congress intended, in non-litigated actions against other public companies, extracting large penalties. The SEC’s interpretation creates profound uncertainty for the members of the Chamber and Business Roundtable because it suggests a standard that is virtually impossible to meet and discernible only in hindsight.”

As stated in the brief:

“The text [of the internal accounting controls] alone is dispositive, but the history should make the SEC blush. The SEC itself proposed the language that became the accounting-controls provision. It borrowed the language nearly verbatim from the American Institute of Certified Public Accountants’ Statement on Auditing Standards 1 (SAS 1), which expressly stated that “accounting controls” are controls that have an “important bearing on the reliability of the financial statements.” SAS 1, §§ 320.11-12. SAS 1 further explained that accounting controls are concerned with unauthorized “access to assets” only insofar as it creates accounting risk—that is, the risk that a company could be unaware of a loss of assets reported in its financial statements (primarily liquid assets such as cash, securities, and inventory), and thus incorrectly account for the assets in its financial statements.

See SAS 1, §§ 320.42, 320.36, 320.15. Those settled meanings travelled with the language, and the SEC and Congress for decades described accounting controls, and their objective of reasonably ensuring that access to assets is authorized, solely by reference to financial reporting.

As if all of that were not enough, there is a parallel provision of Sarbanes-Oxley that requires “internal control[s] . . . for financial reporting,” 15 U.S.C. § 7262(a)(1)—and the SEC has long said it interprets the two statutes in pari materia. The SEC has not defined “internal control[s] . . . for financial reporting” as all internal controls, or as all controls intended to protect anything a company owns. Rather, the SEC has defined that phrase only in the context of financial reporting risk. It requires companies to have controls that prevent or timely detect the unauthorized acquisition, use, or disposition of assets “that could have a material effect on the financial statements,” 17 C.F.R. § 240.13a-15(f)(1)-(3)—and the SEC has made clear that is all Section 13(b)(2)(B)(iii) requires as well. Indeed, the SEC rejected reading Sarbanes-Oxley more broadly for reasons of text, workability, and cost that apply equally to Section 13(b)(2)(B). In short, all of the indicia of statutory meaning—text, history, case law, parallel provisions, and the SEC’s own guidance—point in the same direction.

None of that, however, has stopped the SEC from gradually converting Section 13(b)(2)(B) into a general grant of corporate police power. Over time, and as this case shows, the SEC has invoked the provision to pursue substantial penalties against companies that allegedly failed to comply with controls that had nothing to do with the accuracy of their financial statements. Here, the SEC alleges that “shortcomings” in “SolarWinds’ cybersecurity-related policies and procedures” enabled hackers to access SolarWinds’s systems. But the SEC notably does not claim that those alleged failures posed any risk, much less a material risk, to the reliability of the company’s financial statements. Failing to prevent a trespass, whether in physical space or cyberspace, is not a violation of the FCPA.

Under the SEC’s contrary reading, companies can be in violation of the federal securities laws for failing to apply a host of internal policies or even for being the victims of crime. In recent years, the SEC has challenged everything from stock buyback policies to airline flight routes. Its power grab has left companies in constant peril and uncertainty about how to design their internal control systems, because once “accounting controls” are no longer about accounting, virtually everything is fair game. This case is an excellent example. The SEC is not a cybersecurity enforcement agency—it is not remotely equipped to judge whether SolarWinds’s systems were reasonably designed to repel an attack by a hostile nation-state with advanced cyber capabilities. Nor does it have the statutory directive to address this question: whatever the answer, it has nothing to do with the FCPA or Congress’s desire to make it harder to conceal illicit payments. Because the SEC’s Complaint does not point to SolarWinds’s failure to design or maintain any “accounting controls,” the Seventh and Eighth Claims for Relief should be dismissed.”

A final portion of the brief states:

“While Section 13(b)(2)(B) was enacted as part of “limited-purpose legislation” to combat foreign bribery … in the SEC’s hands, the provision has been abused as a roving mandate for the agency to penalize every aspect of companies’ risk management. The SEC has found companies in violation of the federal securities laws simply for failing to apply their own internal policies, or processes the SEC deems appropriate. The SEC’s power grab has left companies in constant peril and with profound uncertainty about how to design their internal control systems.

The SEC has thus sought to vest itself with a vast and essentially unchecked power. For large entities like most public companies, it is exceedingly difficult, if not impossible, to ensure compliance with all policies, procedures, and controls at all times. By treating Section 13(b)(2)(B) as a grant of generalized monitoring authority, the SEC has attempted to position itself as a super enforcer of corporate behavior well beyond the bounds of federal securities laws. The SEC’s own Commissioners have objected to this overreach. See Statement of SEC Comm’rs Hester M. Peirce and Elad L. Roisman – Andeavor LLC (Nov. 13, 2020), (stating that “the Commission’s resolution of this case . . . risks uprooting the core concept of ‘internal accounting controls’ from the language, statutory context, and history of Section 13(b)(2)(B),” and that it was improper to use Section 13(b)(2)(B), which “Congress confined” to a “limited scope,” “to second-guess management[] . . . on matters that do not directly implicate the accuracy of a company’s accounting and financial statements”); The SEC’s Swiss Army Statute: Statement of SEC Comm’rs Hester M. Peirce and Mark T. Uyeda (Nov. 14, 2023) (criticizing “[t]he Commission’s attempts to convert an internal accounting controls provision into an ever-unfolding utility tool that magically converts every corporate activity into something the Commission regulates”). And, of course, if the Commission has the back-end power to punish, then it has the front-end power to shape corporate behavior. See id. (“The Commission in recent years has taken to using . . . Section 13(b)(2)(B) as its own Swiss Army statute—a multi-use tool handy for compelling companies to adopt and adhere to policies and procedures that the Commission deems good corporate practice.”). Congress did not hide such a broad and important power in an accounting-controls provision.”