Question

1. Coca Cola, McAfee, and Krispi Crème have each been associated with what kinds of violations by the SEC? What transaction cycle is that phenomenon associated with? Both answers required.

2. Why did we discuss service organizations recently, provide an example of a service organization, and explain why SOC reports may be requested of them?

Answer 1

“The violations found by the state agencies include operating without a valid license, or No Objection Certificate, both in 2015 and currently in 2016 , Of the two Effluent Treatment Plants (ETPs) at the plant (one for medium and the other for high strength organic wastewater), the ETP for the high strength organic wastewater was not working and in 'defunct' state”, the site says.
Pointing out that the unit was discharging wastewater into a pond located 1.5 kilometers from the plant, the site says, the plant was “encouraging farmers to use the water from the pond for irrigation, even as pond water tested found “it is not complying the general standards.”
Noting that fecal coliform, an indicator of raw sewage, was found to exceed the standard by 3,400 times in the pond water, the site says, “The boilers and the diesel generator sets in the plant were violating air pollution laws” and the plant's two sewage treatment plants “were non-operational and in the junk state.”
“The shocking findings led the CPCB to recommend in December 2015 that the bottling plant's juice production line cease operations because the high strength organic waste was not being treated properly”, the site says.

The complaint states that "McAfee overstated its revenues by $622 million in order to meet revenue and earnings targets and understated its cumulative net losses by $353 million. McAfee stuffed its distribution channel and improperly recorded hundreds of millions of dollars of revenue on sales transactions with distributors in violation of the antifraud and other provisions of the federal securities laws. In a fraudulent scheme to oversell its products and immediately record the revenue from those transactions, McAfee secretly gave its distributors substantial cash payments, price discounts, rebates, and other concessions as inducements to continue buying, as well as to not return, McAfee products that the distributors had no reasonable expectation of selling to customers."

The complaint also states that McAfee "inflated its revenues in certain quarters during the relevant period by engaging in sham sales transactions that lacked economic substance".

The three count complaint alleges, securities fraud under Section 10b and Rule 10b5, and reporting violations under Section 13(a) of the Exchange Act, and books and records and internal controls violations under Sections 13(b)(2)(A) and 13(b)(2)(B) of the Exchange Act.

McAfee did not admit any of the allegations contained in the complaint, but consented to the entry of an order that enjoins it from violating the antifraud, books and records, internal controls, and periodic reporting provisions of the federal securities laws, and fines it $50 Million.

The SEC said the doughnut retailer avoided lowering its earnings guidance and improperly reported its quarterly earnings per share after it experienced delays in new store openings.

Krispy Kreme agreed to cease and desist from committing future securities law violations.

These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. These reports can play an important role in:

• Oversight of the organization
• Vendor management programs
• Internal corporate governance and risk management processes
• Regulatory oversight

SOC reports provide thorough business overviews delivered in a common and consistent framework, canvassing the organization’s in-scope systems in a logical way. Whether entering a new partnership or reviewing your current inventory of business relationships, this unbiased report provides valuable information that will be relevant in many stages of the vendor lifecycle. These reports communicate the checks and balances a company is enforcing to root out inconsistencies and send a strong message to customers that you're paying attention to how policies and procedures are followed. No decision is ever completely risk-proof, but a SOC report will give you the context needed to determine the amount of risk involved.

Here are few definitions to know before diving into the different types of reports:

• Service organization: The organization being tested.
• User entity: The organization looking to outsource a business function to (or otherwise partner with) the service organization.
• Control: The auditable process or mechanism designed to prevent or detect unintended consequences (i.e. fraud, misreporting, etc.)