December 6, 2018

Cybersecurity: Who’s Fessed Up to a “Material Weakness?”

The SEC’s recent Cyber 21(a) Report highlighted cybersecurity internal control shortcomings at 9 different companies. This Audit Analytics blog looks at which companies have disclosed a “material weakness” following a data breach. This excerpt says that not many have:

The investigative report stopped short of recommending any enforcement action and did not name the companies that were investigated. Moreover, the report does not provide sufficient details to determine the identity of the companies. Although we are unable to identify the companies, we were curious whether we can find similar cases. Using Audit Analytics’ cyber breaches dataset, we looked at recent examples & disclosures of companies that fell victims to the attacks described in the report.

In total, we looked at nine companies that disclosed incidents of similar breaches. Six of these companies disclosed the breaches in filings furnished with the SEC, though only one made the disclosure in a current report (8-K). Of the six companies that disclosed their cyber breaches in SEC filings, just three disclosed that the breach rose to the level of a material weakness in the companies’ internal controls.

The blog also reviews the disclosures made by companies that determined a material weakness existed following a data breach.

Audit Committee Disclosures: More, More, More

The amount of information available to investors about audit committee oversight of the independent auditor continues to increase. That’s the conclusion of the 5th annual “Audit Committee Transparency Barometer,” jointly issued by the Center for Audit Quality & Audit Analytics. This excerpt from the CAQ’s blog lays out the highlights:

– 40% of S&P 500 companies disclose considerations in appointing the audit firm (up from 13% in 2014), compared to 27% of mid-cap companies (up from 10% in 2014) and 19% of small-cap companies (up from 8% in 2014).

– 46% of S&P 500 companies disclose criteria considered when evaluating the audit firm (up from 8% in 2014), compared to 36% of mid-cap companies (up from 7% in 2014) and 32% of small-cap companies (up from 15% in 2014).

– 26% of S&P 500 companies disclose that the evaluation of the external auditor is at least an annual event (up from 4% in 2014), compared to 17% of mid-cap companies (up from 3% in 2014) and 12% of small-cap companies (up from 4% in 2014).

The CAQ & Audit Analytics also provide disclosure examples to illustrate how audit committees are enhancing information for investors & other constituencies. Check out this recent blog from Cydney Posner for more details on the Transparency Barometer’s finding as well as commentary on how SEC & PCAOB actions (particularly the new audit report standard) may drive more audit committee disclosure.

Latest Stats: S&P 500 Political Spending Disclosure

The latest “CPA-Zicklin Index” reviews disclosure policies & practices on political spending by the S&P 500. Here’s a summary of its findings on election-related spending disclosure:

– 294 S&P 500 companies disclosed some or all of their election-related spending, or prohibited such spending in 2018, compared with 295 for 2017.

– When these numbers are broken down further, 231 companies disclosed some or all election-related spending in 2018, compared to 236 such companies in 2017. Turnover in the S&P 500 influenced this fluctuation significantly.

– In 2018, 176 companies prohibit at least one category of corporate election-related spending, a sizable increase from 158 companies in 2017, 143 companies in 2016 and 125 companies in 2015.

This WSJ article has more details on the survey’s findings regarding corporate political spending & disclosure.

John Jenkins