As securities lawyers know, disclosure is generally regarded as the best disinfectant.  However, in a recent enforcement action, the SEC determined that disclosure is not always enough.  Specifically, when it comes to internal controls over financial reporting, or ICFR, companies need to actually fix the problems they disclose.

In the action, the SEC cited four companies for failing to maintain ICFR for periods ranging from seven to 10 consecutive annual reporting periods.  While each of the companies disclosed material weaknesses in ICFR, it took them months or years to remediate the weaknesses – even after being contacted by the SEC!  (I don’t usually use exclamation points in my postings, but this calls for an exception to my usual policy.)  As noted in the SEC’s press release on the action, “[c]ompanies cannot hide behind disclosures as a way to meet their ICFR obligations. Disclosure of material weaknesses is not enough without meaningful remediation.”

Others have noted that the cases in question are outliers.  That’s undoubtedly true — at least I hope so, because it’s hard to imagine hearing from the SEC and doing nothing about it, much less over a period of years).  However, the moral of the story remains unchanged: if you’re going to disclose an ICFR problem, you better fix it, too.