Category Archives: Reporting

ICFR Reporting and Acquisitions

In the year a company completes an acquisition, ICFR reporting for the combined business can be problematic.  If the acquired company has been private, or has not built an ICFR evaluation process, it may not be practicable to include the acquired business in the acquiror’s assessment of ICFR, and, if applicable, in the auditor’s attestation report over ICFR.  This is particularly true when an acquisition happens near year end.

Interestingly, this situation is addressed not in Regulation S-X, but in a Sarbanes-Oxley C&DI:

Question 3 

Q: If a registrant consummates a material purchase business combination during its fiscal year, must the internal control over financial reporting of the acquired business be included in management’s report on internal control over financial reporting for that fiscal year?

A: As discussed above, we would typically expect management’s report on internal control over financial reporting to include controls at all consolidated entities. However, we acknowledge that it might not always be possible to conduct an assessment of an acquired business’s internal control over financial reporting in the period between the consummation date and the date of management’s assessment. In such instances, we would not object to management referring in the report to a discussion in the registrant’s Form 10-K or 10-KSB regarding the scope of the assessment and to such disclosure noting that management excluded the acquired business from management’s report on internal control over financial reporting. If such a reference is made, however, management must identify the acquired business excluded and indicate the significance of the acquired business to the registrant’s consolidated financial statements. Notwithstanding management’s exclusion of an acquired business’s internal controls from its annual assessment, a registrant must disclose any material change to its internal control over financial reporting due to the acquisition pursuant to Exchange Act Rule 13a-15(d) or 15d-15(d), whichever applies (also refer to the last two sentences in the answer to question 7). In addition, the period in which management may omit an assessment of an acquired business’s internal control over financial reporting from its assessment of the registrant’s internal control may not extend beyond one year from the date of acquisition, nor may such assessment be omitted from more than one annual management report on internal control over financial reporting.

On February 28, 2023, Lamb Weston Holdings, Inc., a global producer, distributor, and marketer of frozen potato products, acquired LW EMEA, an entity previously accounted for using the equity method.  Item 9A in the company’s Form 10-K for their fiscal year ended May 28, 2023, included this disclosure about the exclusion of the acquired company from the ICFR evaluation:

Our management, under the supervision and with the participation of our Chief Executive Officer and Chief Financial Officer and oversight of the Board of Directors, assessed the effectiveness of our internal control over financial reporting as of May 28, 2023. Management based this assessment on criteria for effective internal control over financial reporting described in Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission. Management’s assessment included evaluation of elements such as the design and operating effectiveness of key financial reporting controls, process documentation, accounting policies, and our overall control environment. Management’s assessment of internal control over financial reporting as of May 28, 2023 excludes internal control over financial reporting related to LW EMEA (acquired February 28, 2023), which accounted for 7% of consolidated net sales and 30% of consolidated total assets as of and for the year ended May 28, 2023. Based on this assessment, management concluded that, as of May 28, 2023, our internal control over financial reporting was effective to provide reasonable assurance regarding the reliability of financial reporting and the preparation of consolidated financial statements for external reporting purposes in accordance with GAAP. We reviewed the results of management’s assessment with the Audit and Finance Committee of our Board of Directors.

As always, your thoughts and comments are welcome!

SEC Enforcement for Deficient Disclosures About Related Person Transactions

On March 7, 2024, the SEC announced settled charges against Skechers U.S.A., Inc. for failure to disclose related person transactions in its proxy statements and Part III of Form 10-K.  The Enforcement Order details several instances where family members and persons sharing the same household as directors and executive officers received compensation from Skechers in excess of the $120,000 disclosure threshold specified in Regulation S-K Item 404.  In addition, two executives had loans from the company related to unreimbursed personal expenses paid by the company in excess of $120,000.

This case has a proxy focus similar to the many cases the SEC has brought relating to inadequate perks disclosures.

The company entered into a cease and desist order and paid a fine of $1.25 million.

As always, your thoughts and comments are welcome.

Form 8-K and Cybersecurity Events

When a company experiences a cybersecurity incident it must make a complex materiality judgment to determine if an Item 1.05 Form 8-K is required. The Form 8-K instructions state:

Item 1.05 Material Cybersecurity Incidents.

      • If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspect of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

In many cases companies may want to make the breach public before a materiality determination is complete. This example is from a February 21, 2024, Form 8-K filed by UnitedHealth Group:

Item 1.05.  Material Cybersecurity Incidents.

On February 21, 2024, UnitedHealth Group (the “Company”) identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems. Immediately upon detection of this outside threat, the Company proactively isolated the impacted systems from other connecting systems in the interest of protecting our partners and patients, to contain, assess and remediate the incident.

The Company is working diligently to restore those systems and resume normal operations as soon as possible, but cannot estimate the duration or extent of the disruption at this time. The Company has retained leading security experts, is working with law enforcement and notified customers, clients and certain government agencies. At this time, the Company believes the network interruption is specific to Change Healthcare systems, and all other systems across the Company are operational.

During the disruption, certain networks and transactional services may not be accessible. The Company is providing updates on the incident at https://status.changehealthcare.com/incidents/hqpjz25fn3n7. Please access that site for further information.

As of the date of this report, the Company has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.

How to make this essentially voluntary disclosure on Form 8-K is addressed in this May 21, 2024,  Announcement from CorpFin Director Erik Gerding titled “Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents.”  In the Announcement, Mr. Gerding suggests:

“If a company chooses to disclose a cybersecurity incident for which it has not yet made a materiality determination, or a cybersecurity incident that the company determined was not material, the Division of Corporation Finance encourages the company to disclose that cybersecurity incident under a different item of Form 8-K (for example, Item 8.01).”

He notes that Form 8-K Item 1.05 is actually titled “Material Cybersecurity Incidents” and disclosure of incidents where materiality is not determined could be confusing to investors.

When considering this voluntary disclosure, companies, however, may want to use Item 7.01 (rather than Item 8.01) of Form 8-K so that the information is deemed “furnished” rather than “filed.”  Importantly, from a potential liability standpoint, information that is “furnished” — as opposed to “filed”, is not (unless the company states otherwise):

    • subject to Section 18 of the Exchange Act;
    • incorporated by reference into a registration statement, proxy statement, or other report, which means that it will not be subject to potential liability under Securities Act Section 11.

Companies should use an Item 8.01 Form 8-K only if they want the information to be considered “filed” and thus, for example, incorporated by reference into 33 Act shelf registration statements.  And while some companies may use an 8.01 Form 8-K and include a statement that the information is to be considered furnished rather than filed, such language is a nullity and of no effect – an Item 8.01 Form 8-K is in fact “filed” and such language does not change that status.  It would be the same as including language on the cover of a Form 10-K indicating that “This Annual Report on Form 10-K shall be deemed “furnished” and shall not be deemed “filed” . . .  .” – that would clearly not work.

The Announcement makes the point that it is not intended to discourage companies from making  voluntary disclosures before a materiality determination is made.  In addition, a company that filed voluntarily under a different Form 8-K Item would need to file an Item 1.05 Form 8-K if it later determined that the incident, in fact, was material.  Helpfully, the Announcement also provides a discussion of various considerations in making materiality determinations.

As always, your thoughts and comments are welcome!

The Application of IFRS 19, Subsidiaries without Public Accountability in SEC Filings

Cheryl Linthicum, Associate Director at SEC Institute wrote this post.  You may want to check out the foreign private issuer workshops she and Gary Brown will be leading this year at https://www.pli.edu/programs/seci

IFRS 19, adopted in May 2024, permits financial statements of certain subsidiaries of reporting companies to provide reduced disclosures when applying recognition, measurement, and presentation requirements of IFRS.  On May 17, 2024, SEC Chief Accountant Paul Munter and Corporation Finance Division Director Erik Gerding issued a Statement for foreign private issuers (FPIs) to consider making additional disclosures when including financial statements that apply IFRS 19.

Foreign private issuers are permitted to file financial statements in accordance with either U.S. GAAP or IFRS as issued by the IASB.  A reporting FPI would not be allowed to apply IFRS 19.  However, it is possible in some situations, such as an acquisition of a subsidiary of another company where the subsidiary applies IFRS 19, that financial statements subject to the reduced disclosure requirements of IFRS 19 could be included in an SEC filing.

The SEC’s statement reminds foreign private issuers that in such a situation:

    • The scope of IFRS 19 is limited to entities that do not have public accountability;
    • There may be situations where financial statements that apply IFRS 19 are included in filings with the SEC;
    • In these situations, the staff believes that the requirements of IFRS 19 and the SEC’s disclosure requirements are likely to necessitate additional disclosure in financial statements filed with the SEC; and
    • SEC staff in the Office of the Chief Accountant and in the Division of Corporation Finance are committed to assisting registrants and are available for consultation.

Further Relief for Former BF Borgers Clients

In this blog post we discussed an enforcement action against BF Borgers CPA PC and its owner barring them from public company auditing, along with a Statement to help former clients navigate the impact of this situation.  On May 20, 2024, the SEC provided additional assistance in this Order which allows former clients of BF Borgers 30 days of deadline relief for Form 10-Q, rather than the 5 days specified in Form 12b-25, for filings delayed because of issues in retaining a new auditor.

As always, your thoughts and comments are welcome!

SEC Clarifies Current Share Repurchase Disclosure Requirements

On December 19, 2023, the U.S. Court of Appeals for the Fifth Circuit vacated the SEC’s May 3, 2023, share repurchase disclosure rules (Chamber of Com. of the USA v. SEC, No. 23-60255 (5th Cir.).   As a result of this decision, CorpFin issued this Announcement on February 9, 2024, clarifying that companies should follow the pre-amendment disclosure requirements in S-K Item 703 to provide monthly information about share repurchase transactions.  The following example from Proctor and Gamble’s June 30, 2023 Form 10-K follows the prior rules:

Note that this disclosure is included in Item 5 of Form 10-K.

As always, your thoughts and comments are welcome.

CorpFin Updates Disclosure Guidance for Certain Confidential Treatment Applications

In 2019 and 2020, CorpFin modernized the process companies use to request confidential treatment.  Prior to the modernization, companies essentially had to request and obtain permission from the staff to redact information from a filing.  The modernized procedure allows companies to redact information in material contracts without specific staff approval if the information is immaterial and customarily and actually treated as private or confidential.  This process is subject to staff review.  While the new process is simpler for companies, the old process is still occasionally used today.

On January 8, 2024, CorpFin updated sections of Disclosure Guidance Topic No. 7 related to confidential treatment applications pursuant to the old guidance, which is in Rules 406 and 24b-2.  In an explanatory note CorpFin explains:

This guidance has been generally updated, including with respect to options for confidential treatment orders that are about to expire. Different extension procedures apply depending on whether the order is greater or less than three years old. The prior version of this guidance referred to a fixed date rather than a rolling three-year period.

You can find the updated Disclosure Guidance Topic here.

As always, your thoughts and comments are welcome!

A Cybersecurity Incident Form 8-K

As we discussed in this blog post, one of the challenges in the SEC’s July 2023 cybersecurity disclosure rules is determining when an Item 1.05 Form 8-K to disclose a material cybersecurity incident will be required.  The Instructions for the 1.05 Form 8-K state:

Item 1.05 Material Cybersecurity Incidents. 

(a) If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

The instructions also state:

A registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.

On December 18, 2023, V.F. Corporation, a marketer of “Active-Lifestyle Brands,” filed an Item 1.05 Form 8-K.  After a description of the cybersecurity breach and its impact on the company’s operations, the Form 8-K includes this language about materiality:

As the investigation of the incident is ongoing, the full scope, nature and impact of the incident are not yet known. As of the date of this filing, the incident has had and is reasonably likely to continue to have a material impact on the Company’s business operations until recovery efforts are completed. The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.

As always, your thoughts and comments are welcome!

Cybersecurity Disclosures – SEC and FBI Guidance

When the SEC issued its new cybersecurity disclosure Final Rule, it created the new Item 1.05 Form 8-K requiring disclosure of material cybersecurity incidents.  You can read more about the Final Rule and the Form 8-K, along with the related implementation timing, in this blog post.

One of the complex issues in the 1.05 Form 8-K is this instruction:

(c) Notwithstanding General Instruction B.1. to Form 8-K, if the United States Attorney General determines that disclosure required by paragraph(a)of this Item1.05 poses a substantial risk to national security or public safety, and notifies the Commission of such determination in writing, the registrant may delay providing the disclosure required by this Item 1.05 for a time period specified by the Attorney General, up to 30 days following the date when the disclosure required by this Item 1.05 was otherwise required to be provided. Disclosure may be delayed for an additional period of up to 30 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing. In extraordinary circumstances, disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the Commission of such determination in writing. Beyond the final 60-day delay under this paragraph, if the Attorney General indicates that further delay is necessary, the Commission will consider additional requests for delay and may grant such relief through Commission exemptive order.

The FBI has established a process to request such disclosure delays on this webpage: FBI Guidance to Victims of Cyber Incidents on SEC Reporting Requirements.  Interestingly, the guidance suggests that companies establish a relationship with the cyber squad at their local field office.  It also notes that “delay requests won’t be processed unless they are received by the FBI immediately upon a company’s determination to disclose a cyber incident via 8k.”

On December 14, 2023, CorpFin issued four new Compliance and Disclosure Interpretations in Section 104B (C&DIs) that address questions about the delay process.  The new C&DIs address issues including what a company should do if it contacts the Attorney General, but a determination is not made by the original due date for the Form 8-K.  In this situation, the 8-K must be filed by its original due date.  The C&DIs also clarify that consulting with the Department of Justice about a cyber security incident does not create a presumption that the incident is material.

To provide additional support for companies as they work to provide required cyber security disclosures, on December 14, 2023, CorpFin Director Eric Gerding published this Speech providing an overview of the new rules and specific thoughts about the cybersecurity incident disclosures on Form 8-K and the cybersecurity governance and risk management disclosures required in new Item 1C for Form 10-K.  In his speech Director Gerding states:

“But I want to reassure companies and their representatives that our Division does not seek to make ‘gotcha’ comments or penalize foot faults.  To the extent appropriate, we may issue forward-looking comments to companies or additional CDIs.”

As always, your thoughts and comments are welcome!

SEC’s Fall Regulatory Agenda

On December 6, 2023, SEC Chair Gary Gensler published a Statement noting that the SEC’s Fall Regulatory Agenda has been published.  His Statement does not mention any specific projects.  As you can read in the Agenda, the Climate Change Disclosure and Special Purpose Acquisition Company projects are both in the final rule stage, with expected final rules by April 2024.  Human Capital Management disclosures are in the proposed rule stage.

As always, your thoughts and comments are welcome!