AccelPro | Audit
On Trends in SEC Enforcement

With Howard Scheck, Partner with StoneTurn Group and former Chief Accountant in the SEC’s Division of Enforcement | Interviewed by Jessica Stillman

Listen on Apple Podcasts, Spotify and YouTube.

Welcome to AccelPro Audit, where we provide expert interviews and coaching to accelerate your professional development. Today we’re featuring a conversation with Howard Scheck.

A dual CPA/JD, Scheck is both an accountant and a lawyer, which has led to a fascinating career. Currently, Scheck is a partner with the StoneTurn Group where he helps firms with financial reporting related issues and investigations. Previously, Scheck was on the regulatory side of things, first working as a lawyer in the SEC’s Division of Enforcement for many years, before serving as Chief Accountant in the same division. 

In this episode, we discuss trends in SEC enforcement actions that auditors should be aware of (including an increased focus on non-GAAP issues like cybersecurity and controls), landmark cases and penalties handed out in 2023, Scheck’s estimation of the incidence of fraud, and how auditors can best stay up to date on the SEC’s evolving agenda. We also dig into Scheck’s unique career path and what advice he has for others considering combining law and accounting.



TRANSCRIPT

I. ON NEW TRENDS IN ENFORCEMENT ACTIONS

Jessica Stillman, Host: You were previously the chief accountant for enforcement at the SEC and these days you're a partner at StoneTurn Group, where you help firms with financial reporting related issues and investigations. What were some of the biggest trends in terms of enforcement you've seen over the last year?

Howard Scheck: There's some really big trends that have occurred in the last year and I think they boil down to internal controls related issues and disclosure controls related issues; things that actually don't relate to pure GAAP accounting. The first trend is that the SEC has been charging companies for internal control violations that don't involve accounting errors or the risk of an accounting error, which is the typical internal control violation that you see when companies get charged by the SEC.

The other trend is that the SEC is charging individuals for controls violations that are not involved in financial reporting. The example here would be the CISO or the Chief Information Securities Officer, which is different from the typical situation where it would be the CFO or the controller or chief accounting officer or someone like that. There's also continued emphasis on gatekeepers and penalties and whistleblowers.

JS: Can you give us an example of what those look like?

HS: There's three or four cases that I wanted to mention, but first I need to give a tiny bit of background. Not to get too far into the weeds, but section 13(b)(2)(B) is the internal control violation statute, but it has a number of prongs.

Prong two is the normal one for GAAP violations, but there's also a prong one and three that relate to management's authorization, either specific or general, for transactions or for access to assets. The SEC is bringing cases against companies for those. The main ones have been SolarWinds, Charter Communications, and Blizzard. And then regarding the non-GAAP measures, there was a case against a company called Newell and Gaia.

With SolarWinds, the SEC is essentially alleging misleading cybersecurity disclosures. They're alleging that the company didn't have internal controls or disclosure controls, and they charged the company and the CISO, the chief information officer. The allegation is that because of their lack of cybersecurity controls, the company could not protect their critical assets and therefore, those are the reasons those internal control provisions were violated.

JS: What's the motivation for this increased focus on cybersecurity? Is it just that it's becoming more critical? Is there a bigger risk they're catching up to? What do you think is motivating them to look at these non-GAAP measures?

HS: That's a great question. To step back, in 2018 the SEC brought a 21(a) report. That's not an enforcement action, but it's the results of an investigation and it was into cybersecurity. It was basically about nine companies that were victims of cyber fraud where outsiders were able to misappropriate money from companies and they had lax controls.

The SEC wrote a report saying you should be aware of this; you should have better controls; you should update and enhance your controls. They were looking at embezzlement, stealing money from companies. Now it's expanding into this other prong of the internal controls where they're looking at safeguarding assets and other things. The SEC is always looking for ways to expand and be novel about cases. 

I wrote an article back in 2018 about that Cyber 21(a) report saying that I didn't think it was necessarily fair to charge companies that are victims unless they really are recidivists and are aware of it and don't actually fix it. I mentioned disclosure controls back then, and now the SEC are going after disclosure controls on cyber; they're going after the authorization, not having good ways to protect the actual assets. Cyber is just a hot area right now.

JS: Let's go back to the cases because you mentioned a few there. You talked about SolarWinds. Is there another one that you think is important to dig into a little deeper so that our audience can hear a little bit more about the details?

HS: Yeah. There's probably two. One is Charter Communications, and essentially they did, I think, 70 billion of stock buybacks and it was 50% of their outstanding shares, and they did it pursuant to a 10b5-1 plan. The SEC came in and said, “You violated the 10b5-1 requirements, and therefore you didn't act with management's authorization.” They charged them with those internal control violations.

Blizzard was an interesting case because the company made disclosures about its workforce and all companies make disclosures about the workforce. They said attracting talent is important to us and without attracting talent, we might not be able to operate our business, a pretty standard and general disclosure. 

But the SEC said that they didn't have disclosure controls in place to know that at the time they said that, that there were actual workforce misconduct things going on at the company. That information was not flowing to the people that made disclosure decisions and they made this an example of a disclosure control case. So it just shows how far out from accounting that the SEC might be willing to go, to either tag disclosure or internal controls. I think they're important trends for accountants to be aware of, and lawyers.

JS: How about external auditors reviewing companies' financial disclosures? What would you say the takeaway for them is? Is there anything in particular you would advise?

HS: I think that's a great question about auditors because they tend to not maybe pay as much attention when we're talking about disclosure controls or things that don't relate to the financial statements and GAAP financials, or the MD&A, because some of the cases involve MD&A violations, which are not part of the financial statements and the opinion that the auditors give.

I think it's just being aware of the potential arguments that the SEC can make. Auditors do have responsibilities under the securities laws related to illegal acts under Section 10A of the Exchange Act. So, auditors, if they are aware of a violation, they have to assess whether there's a material impact.

Auditors also have to be cognizant of qualitative materiality factors too. It's not just gigantic errors auditors need to worry about. There's a Staff Accounting Bulletin 99, which most auditors should know about, and it talks about how the qualitative factors, like small errors, might still be material.

I think it comes down to the control aspect because the auditors are sometimes opining on the internal controls of financial reporting. If there's a material weakness related to some of these things, they have to assess that as well.

II. ON CASE SOURCING AND WHISTLEBLOWER PROGRAMS 

JS: How is the SEC sourcing their cases? What are you seeing there?

HS: There's a number of ways that they're sourcing their cases. It hasn't really changed a whole lot over time, but one of the biggest ways is whistleblowers. They have an office of market intelligence within enforcement and they have a whistleblower office that fields whistleblower complaints and those get vetted and filtered to folks to investigate.

There's also self-reporting by companies, where if they find a violation, they have to make decisions about whether to self-report and when. The SEC is also doing proactive analytics, using data analytics to flag cases. I think the big example of that is the EPS rounding initiative that they did. 

There was an article called “Quadrophobia” that a former commissioner wrote about the fear of the number four, and that companies might be rounding EPS up to the next penny. The SEC is using data analytics to actually search for that and then look for unsupported entries or things that are being done to enable the companies to meet expectations, either revenue or EPS.

JS: I'm interested in what you said there about whistleblowers. I know that the SEC paid out, I think it was more than a hundred million to whistleblowers last year, but I'm also interested in whistleblowers internally. Do you have any advice on how companies should structure or run an internal whistleblower program?

HS: Absolutely. First, the basics. Companies really need to have a hotline. They need to enable it to be anonymous. They need to have training so people know that the hotline exists and that they have this avenue to do this.

Then the other main thing is the tone from the top and the control environment, which auditors will appreciate. Tone from the top is something that has to be assessed for internal controls. You're looking at things like, is there pressure being put on the employees to meet expectations or are they being aggressive towards accounting? Making sure there's a good tone at the top is important.

It is good to actually prevent whistleblowers needing to whistleblow in the first place. Training and awareness on what the red flags are regarding fraud is another aspect. For example, looking at things like the rounding that I mentioned, if there are unsupported entries, if there is an undue emphasis, say, on meeting earnings expectations or revenue.

One of the things that the SEC has been doing is going after disclosure issues related to something called pull-ins or pull-forwards, where companies, if a sale is scheduled to be delivered in a future quarter, they're going to customers and they're saying, “Could we deliver early so they can get the revenue early?” The SEC is pushing disclosure issues and whether that should be disclosed. If you're inside a company and you see that's taking place, be aware that those things could create problems.

Hopefully companies are going to do a risk assessment on what kind of fraud could occur and then have controls in place to prevent that or prevent the whistleblower issue in the first place, but otherwise, it's really just training awareness, making sure they have one, and hoping that someone doesn't go to the SEC first if you're a company because the company would rather hear before the SEC does.

JS: We talked about cases, but the SEC also handed out some landmark penalties in 2023. Can you highlight a couple of those that are the most consequential or noteworthy for auditors?

HS: Yeah, for sure. To put it in context, the SEC puts out an annual report every year and it came out in November and there's $3.54 billion in disgorgement, which is paying back ill-gotten gains, not penalties. And there's about $1.6 in penalties overall. We're talking about huge numbers. The Director of Enforcement has indicated that's going to continue likely in the future.

There was a large one against an audit firm, which the auditor audience will care about, against Marcum. If you're from Marcum, I apologize for mentioning the name, but it was a big case. Basically, the audit firm was doing hundreds of SPAC audits and the SEC alleged that there were systematic quality control failures related to those audits.

It was a $10 million penalty, which is pretty large against an accounting firm. The message to accounting firms generally is to make sure that you have good quality controls. Follow the auditing standards, obviously, but you want to have controls across the firm to make sure that it's being applied evenly across all the audits. Looking at whether your firm has good quality controls and is able to comply with the standards and make any enhancements is something that I'd highly recommend.

The other cases I mentioned before, Blizzard and Charter, there was a $25 million penalty in the Charter case, and there was a $35 million penalty in the Blizzard case, and then there were some larger penalties in some FCPA cases, bribery cases. There was a case against Philips and ABB, where there were some large penalties as well.

JS: Do you have a recommendation for how auditors should best stay on top of all these enforcement actions so that they can use them to improve their own practice? Is it just a matter of following everything that the SEC puts out? What would be your recommendation for how to do that efficiently and well?

HS: Interestingly, I think back in 2010 or 11, when I was the chief accountant enforcement, I made two speeches in front of the ICPA. And that's one of the things I mentioned, what auditors can do to get up to speed and understand what's going on. And one of the biggest things is to go to the SEC website. They have a section where they have the enforcement actions. It's called accounting auditing enforcement releases. You can look through and see what those cases are. 

Also, law firms write articles about it, other companies write articles about it, but I think having a general awareness is very useful for an auditor. I would say read SAB 99 on the materiality standard, refresh it if you haven't read it in a while. Look at the CorpFin website to look at the compliance and disclosure interpretations. There's a lot of information out there that auditors can look at, including audit firms that put out their own reports, technical advice. The Big Four and other firms do that.

IV. ON THE INCIDENCE OF FRAUD 

JS: I want to ask a somewhat more general question because fraud is one of the topics we've focused on in our first round of interviews and we've had ex-regulators like yourself, we've had practitioners, we've had academics, and some of the academics we've had on the podcast have come up with estimates for how common fraud is exactly. I'm interested to get your perspective, given your unique perch at the SEC. What is your impression of how common fraud is? And do you think auditors are alert enough to fraud given your estimate?

HS: Let me back up to say, I think it's important to define what you mean by fraud when you answer a question like that. I think there was an article that said the incidence might be as high as 40% or something like that. To put it in context, for 2023, the SEC brought I think 784 cases total across all program areas. There were 107 cases against issuers for accounting and disclosure cases. There were four FCPA cases, which are bribery cases. Those represented 17% and 4% of all the cases that were brought.

Just as a percentage of the cases each year that the SEC brings, it's only 17% for accounting disclosure and 4% for FCPA. But then if you look at the broader context of how many public companies there are, there's about 2,400 on the New York Stock Exchange, about 3,600 on NASDAQ, and then the OTC has 10,000 plus.

If you're talking about 16,000 companies, the amount of at least accounting cases the SEC brings is a super small fraction of that. My experience is that, I'm sure there's things going on that the SEC and the auditors are not catching, but I think the incidence rates are not nearly in the double digits. I can't put a number on it, but if you're only talking accounting fraud I think it's lower than the estimates that I've seen. If you're talking about embezzlement and all kinds of stealing and different things that are immaterial to companies quantitatively, I'm sure that the numbers would be higher.

JS: And do you think auditors are alert enough to the possibility of fraud, or do you think they should be more attentive to this as an issue?

HS: I was at two Big Four firms. I was in the forensic practice, but I was also on the audit engagement teams as the forensic advisor, so I used to talk about these kinds of issues and what we would advise the audit teams was to be aware of at least the qualitative aspects of SAB 99 and the kinds of things that might be small, quantitative numbers that could still affect the financial statements and therefore cause GAAP violations. Be alert for those kinds of things.

I'm not at an audit firm now, but I help defend auditors as well. I think they're doing a pretty good job on those basic things. They're well aware of the bribery FCPA statutes. I think largely the immaterial stuff, if it does come up, is going to be under 10A where, if the auditor learns about something, they're going to invoke 10A and try to determine whether there is a material effect. I think the incidence of auditors actually finding these frauds is probably a lot smaller, but I don't actually have metrics on that.

JS: I want to move on and talk about your career, but before we do that is there any other bit of practical advice or area of focus you'd urge auditors to look at this year in regard to enforcement that we haven't gotten a chance to talk about?

HS: Probably the obvious one is auditor independence. The SEC is constantly talking about the importance of auditor independence. All auditors understand that, obviously. But the SEC is still bringing cases every year. Auditors should make sure that if there's any kind of relationship or any kind of activity that might be viewed as potentially a conflict or something that might impair independence, they should clearly be assessing that. 

The SEC is always focused on gatekeepers, so the auditors are always going to be part of the mix when the SEC has an investigation or the DOJ. They're going to want the audit work papers. They're going to see what the auditors did. And if there is an accounting error, they're potentially on the hook for being charged.

V. ON BEING A CPA AND A LAWYER 

JS: Let's turn now to your career, because you've had this very fascinating, broad career where you've moved back and forth between accounting, law, and regulatory roles. Just to start us off in that conversation, can you give us a quick walkthrough of how you ended up taking this unusual path?

HS: Sure. I started my career as an accountant out of undergrad. I was an accounting major at Boston University, and I went to work for Touche Ross. I guess I’ve dated myself. And then I worked in-house in the accounting department. I was a senior corporate accountant in helping prepare financial statements and dealing with the auditors. 

I did that for a year and then I decided to go to law school here in Washington, DC. Fortunately I had access to internships with the government. I interned at the Justice Department and the tax division. I also was fortunate enough to get an internship during the school year at the SEC. I kept bugging my supervisor for a job and fortunately they gave me a job right out of law school.

I made the switch from auditor to lawyer. I was hired as an attorney in the enforcement division, and I worked as an attorney for 11 years, prosecuting cases. Then I discovered the forensic accounting world. I ended up going to Deloitte and their forensic practice. I did that for five years.

There was an opening for the chief accountant and some folks in the securities bar that I worked with had suggested that maybe I should apply for that job given my background. I thought that would be a good idea. So I made the switch back to accounting, becoming the chief accountant, knowing that if I did that, I probably would not go back to a law firm in the future. When I left the SEC, I went back into forensic accounting and now I've been at StoneTurn for seven years.

The one consistent thing is to try to defend the client or, if it's an audit committee investigation, find out what the actual facts are and report that to the board. And I'm able to understand really well what the attorneys want because I've been on that side and I'm an accountant, so I can do both. It's been very useful to me.

JS: What were your motivations to go to law school? Because that's not such a common career path. How did you decide to take that jump?

HS: Well, I don't want to offend the auditors in the group, but after doing financial statements for audits for three and a half years, I decided I didn't want to continue to do that. It was a great experience. I learned a lot, got to apply my accounting, but I just didn't want to be an audit partner, so that's why I went in-house.

Then once I was in I liked it, but I had always thought it would be interesting to work for the SEC. I didn't know that would actually come about in the future, but one of the main reasons why I decided to go to law school is I thought it would be interesting to work for the SEC and do the work that I was fortunately able to do.

JS: Do you have any advice for other listeners, maybe someone who's earlier in their career and is thinking, “Hey, I might want to combine accounting and law.” Any tips on making that work?

HS: I think most people have to start as an accountant. Some lawyers could do it the other way around. It's more common that you would get an accounting degree and then go to law school. For folks that have an accounting degree and then are thinking about law school, I would definitely say, go for it.

The one thing that you have to keep in mind is be prepared to make the permanent switch and not switch back like I did. I wouldn't go to law school unless you really wanted to be a lawyer and practice, but it doesn't foreclose the opportunity to do other things once you become a lawyer. You can always go back to consulting, like I do forensic accounting. You can go in-house at an accounting firm. Going to law school really just opens up doors and opportunities that you wouldn't otherwise have as an accountant.

JS: One of the animating ideas of this podcast is that peers learning from peers can be really valuable. I'd love to ask you how you rely on peers in your career to deal with tough situations or manage tough decisions. Can you think of a time when advice from a peer was really critical for your career?

HS: One I mentioned is when I was at one of the Big Four firms in the forensic practice and the opening opened up at the SEC for the chief accountant. I wasn't sure whether I wanted to apply and go down that route. And peers from the securities bar that I knew encouraged me to do that based on knowing my experience and my background.

The other thing is just day-to-day work. There's an informal network of SEC enforcement alumni that meet. Before COVID, every month someone would host a lunch and we'd get together and discuss issues. There's a listserv sort of network that questions go around. There's a lot of opportunity for people to ask questions from others and everyone's usually eager to help other people, within the bounds obviously of confidentiality and work product and things like that.


This AccelPro audio transcript has been edited and organized for clarity. This interview was recorded on January 31, 2024.

AccelPro’s expert interviews and coaching accelerate your professional development. Our mission is to improve your day-to-day job performance and make your career goals achievable.


Send your comments and career questions to questions@joinaccelpro.com. You can also call us at 614-642-2235.

If your colleagues in any sector of the audit field might be interested, please let them know about AccelPro. As our community grows, it grows more useful for its members.
