In response to the continued increase in cybercrime, the SEC issued an investigative report1 on October 16, 2018, that cautioned companies to consider cyber threats when they are implementing their internal accounting controls. The report focuses on the internal accounting controls of nine issuers in a range of sectors “that were victims of one of two variants of schemes involving spoofed or compromised electronic communications from persons purporting to be company executives or vendors,” commonly referred to as business e-mail compromise (BEC) scams. The SEC considered whether the companies affected by the BECs complied with the requirements of Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934, under which certain issuers are required to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed with, or that access to company assets is permitted only with, management’s general or specific authorization.” Further, the report emphasized that “[w]hile the cyber-related threats posed to issuers’ assets are relatively new, the expectation that issuers will have sufficient internal accounting controls and that those controls will be reviewed and updated as circumstances warrant is not.”
Heads Up is prepared by members of Deloitte's National Office as developments warrant. This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.