Welcome to Zero Material Weakness!

Stay ahead of audit red flags with practical insights and real-world tips to fix internal control weaknesses before they’re found.

Welcome to this edition (week ending June 12, 2025) of ZMW (Zero Material Weakness), a newsletter built for CFOs and controllers who want to stay ahead of material weaknesses before they become audit red flags. Whether you're preparing for SOX compliance, managing IPO-readiness, or just tightening up your internal control environment, this newsletter brings practical insights, industry trends, and real-world examples straight to your inbox. Our goal? Help you fix what’s weak, before the auditors find it.

News this week

  • Investor Advisory Committee spotlight on pass-through voting & non-GAAP (June 5 2025)
    At its June 5 public meeting, the SEC’s Investor Advisory Committee ran twin panels on empowering fund shareholders to direct proxy votes and on market reliance on non-GAAP performance metrics. Although advisory, the Committee’s recommendations often seed rule proposals; reforms here could realign proxy-season outcomes and tighten alternative-metric disclosures.

  • Medallion Financial enforcement wrap-up (Final Judgments, June 6 2025)
    A federal court on June 6 2025 entered final consent judgments resolving the SEC’s 2021 stock-promotion suit against Medallion Financial, President Andrew Murstein, consultant Lawrence Meyers and their company, Ichabod’s Cranium. Penalties: $3 million (company), $1 million (Murstein), $100 000 (Meyers), plus an independent compliance consultant and new chief compliance officer—underscoring governance reforms alongside monetary fines.

  • CFPB asks court to scrap its own open-banking rule
    On June 5 2025 the CFPB asked a Kentucky federal court to vacate its 2024 Section 1033 “open-banking” rule, branding the mandate ultra vires, arbitrary, and risky for consumer privacy. The motion signals a wholesale retreat from compulsory data-sharing and would erase compliance timelines banks and fintechs have been planning for.

  • Acting Comptroller Hood outlines 2025 regulatory agenda (News Release 2025-51)
    Acting Comptroller Rodney E. Hood, speaking at the U.S. Chamber Capital Markets Summit on June 3 2025, laid out a four-pillar agenda: accelerate bank-fintech partnerships, clarify digital-asset authorities, advance financial inclusion, and streamline rules. His remarks foreshadow guidance and rulemakings that will steer OCC supervisory priorities through 2025.

  • $9.4 billion rescission package to Congress (June 3 2025)
    On June 3 2025 OMB sent lawmakers a $9.4 billion rescission request covering 22 aid and media accounts, promising one-for-one deficit cuts. If approved within 45 days, funding for targeted UN, global-health, and broadcasting programs would be clawed back immediately, reshaping FY 2025 spending.

  • Institutionalizing the Department of Government Efficiency (DOGE) (June 4 2025 testimony)
    Director Vought told House appropriators he will embed DOGE as a permanent, cross-agency consultancy, financed by $45 million from OMB’s IT Oversight account plus reimbursable staff costs. The unit would scale Musk-era waste-cutting pilots into an enduring program to hunt duplicative spending across the federal enterprise.

A thought from our Author Norm Osumi 

Aggregate deficiency rates fell to 39 % in 2024 (Big Four down to 20 %) - an improvement, but still “unacceptably high,” per the PCAOB. (Source)

Here is a list of call-to-action items to help you prepare for your next audit:

  1. Re-confirm ICFR scoping – Ensure auditors’ control selections reflect your current system architecture and any post-pandemic process changes.

  2. Demand richer fraud-risk analytics – Require root-cause rationale for journal-entry selections and leverage AI/ML anomaly detection where possible.

  3. Tighten independence oversight – Update your audit-committee calendar to review non-audit services and partner rotation well before year-end.

  4. Crypto readiness – If you hold or service digital assets, commission a private-key custody audit and validate all third-party SOC 1 & 2 reports.

  5. Component-auditor governance – Map geopolitical exposure; require the lead auditor to document supervision plans and verify Form AP accuracy.

  6. Data-quality proof-points – Have IT produce evidence that critical IPC reports are both complete and accurate; maintain a central log for auditor review.

  7. Board communication cadence – Adopt quarterly sessions where auditors brief audit-committee and key executives on evolving PCAOB inspection themes.

| Area | What inspectors found | Quick action for execs |
| --- | --- | --- |
| ICFR testing | Auditors picked the wrong controls or tested them too lightly. | Ask which controls they’ll test and how. |
| Audit-committee talks | Auditors didn’t always share key risks or issues. | Put “risks & findings” on every agenda and get written updates. |
| Fraud procedures | Brainstorming and journal-entry testing were weak. | Make sure fraud workshops fit your business; give clean GL data. |
| Estimates & valuations | Little work on big estimates and fair-value numbers. | Provide clear, supportable forecast models. |
| Crypto audits | Poor checks on private keys, crypto revenue, and custodians. | Document wallet controls and third-party SOC reports. |
| Multi-location audits | Mistakes in tracking how much work overseas teams did. | Map all locations and insist the lead auditor reviews each one. |
| Auditor independence | Non-audit work slipped through without approval; outdated restricted lists. | Tighten pre-approval rules and watch non-audit spend. |
| Company data given to auditors | Accuracy of company-generated reports often untested. | Own data quality and give proof of report integrity. |

Ask the PCAOB Whisperer

Q: The SEC just settled its Medallion Financial stock-promotion case: $3 million from the company, $1 million from its president, and a court-appointed compliance monitor. We’re not in the taxi-loan business, so why should a CFO or controller care?

A: Because the enforcement theory, that pay-to-praise without clear disclosure equals securities fraud, applies to every public issuer:

  1. Hidden promo = material misstatement. Medallion paid bloggers to pump its stock while posing as independent voices. The SEC called that “illegal touting.” Any paid article, podcast placement, or influencer post must carry a conspicuous “sponsored” or “paid by [Company]” tag.

  2. Personal liability is real. The president paid $1 million out of pocket and is now subject to outside compliance oversight. Senior execs who direct stealth campaigns can’t hide behind the corporate veil.

  3. Governance add-ons are now standard. Expect settlements to bundle cash penalties with board-level fixes—monitors, new CCO roles, enhanced policies. Get ahead by documenting your IR/marketing approval workflow and audit trail today.

    Action checklist:

    • Inventory all third-party PR, SEO, and social-media vendors.

    • Insert clear “no ghost-promotion” clauses and require disclosure language.

    • Train execs and spokespeople on Reg FD & anti-touting rules.

    • Review your investor-relations calendar for any compensated content and label it.

Weekly Podcasts

We want to keep you engaged with meaningful topics, so we create weekly podcasts and host periodic webinars.

On the latest episode of ReportingNorms, Norm Osumi breaks down the game-changing Circle IPO - how it shook up the NYSE, what it means for stablecoins like USDC, and why AI-powered compliance is setting new auditing standards. Ready to find out how Circle is reshaping the payments industry and what the Genius Act could mean for crypto regulation?

Tune in to get all the insights and see why this IPO might be the start of a new financial era! Listen to the full episode now and stay ahead of the curve.

To watch more podcasts, visit and follow us on ReportingNorms.ai.

Like what you see? Subscribe now and join a growing network of finance leaders building stronger, audit-ready companies.
