Welcome to Zero Material Weakness

Stay ahead of audit red flags with practical insights and real-world tips to fix internal control weaknesses before they’re found.

Welcome to this edition (week ending May 22, 2025) of ZMW — a newsletter built for CFOs and controllers who want to stay ahead of material weaknesses before they become audit red flags. Whether you're preparing for SOX compliance, managing IPO-readiness, or just tightening up your internal control environment, this newsletter brings practical insights, industry trends, and real-world examples straight to your inbox. Our goal? Help you fix what’s weak, before the auditors find it.

News this week

  • SEC – Withdrawal of 2019 crypto-custody statement
    On May 15, 2025, the SEC’s Division of Trading and Markets rescinded the 2019 Joint Staff Statement that had informally limited broker-dealers’ custody of digital-asset securities. The withdrawal restores reliance on Rule 15c3-3, reduces legal ambiguity, and signals forthcoming formal rule-making, unlocking wider tokenization and crypto-custody services for registered broker-dealers nationwide. Rule 15c3-3 requires carrying broker-dealers to safeguard customer assets by maintaining possession/control of fully-paid and excess-margin securities and by depositing the net customer cash owed (calculated at least weekly; daily for large firms) into a segregated “Special Reserve Bank Account,” ensuring funds and securities remain protected even if the firm fails.

  • CFTC – Pham responds to court sanctions
    After a federal court sanctioned the CFTC for willful discovery abuses in CFTC v. Traders Global on May 13, Acting Chair Caroline Pham publicly acknowledged institutional failings and outlined immediate reforms: new enforcement-review panels, mandatory ethics training, case-team rotation, and enhanced transparency—changes likely to delay, but strengthen, pending digital-asset investigations and compliance.

  • PCAOB – Spotlight on audit-committee interviews
    The PCAOB’s May 15 Spotlight distills interviews with 272 audit-committee chairs, flagging three themes: auditors’ burgeoning use of AI, control-environment stress from cost-cutting, and macroeconomic uncertainty. These insights will guide 2025 inspection priorities, so issuers should bolster documentation, rethink technology-related controls, and prepare for deeper going-concern scrutiny in upcoming audits.

  • CFPB rescinds 67 guidance documents (effective May 12, 2025)
    On May 12, 2025, the CFPB published a Federal Register notice revoking 67 circulars, bulletins, advisory opinions and interpretive rules issued since 2014. Acting Director Russell Vought said the Bureau will lean on formal rulemaking and case-by-case adjudication, immediately lifting many compliance expectations and signaling sharply reduced enforcement going forward.

  • CFTC – Alert on “Imposter-Recovery” Scam
    On May 14, the CFTC’s Release 9075-25 warned of an imposter-recovery scam: fraudsters pose as agency officials, promising to reclaim lost funds for prior victims while demanding upfront payments, personal data, or wallet keys. Firms should reinforce customer education, update fraud-response scripts, and remind clients that regulators never request money or sensitive credentials.

A thought from our Author Norm Osumi 

Regulators just reset the game—and smart finance teams will make the next move before the competition blinks.

  • Now that the SEC has withdrawn its 2019 crypto-custody curb, expect tokenization projects to accelerate, but only for firms that have already mapped Rule 15c3-3 protections to their control matrix.

  • The CFTC’s public mea culpa and ethics overhaul, plus the CFPB’s mass rescission of legacy guidance, signal a shift from ‘policy by blog post’ to fewer, cleaner rules backed by tougher process reviews. Ensure that the documentation of your judgment calls is in order and prepared contemporaneously; it should be Exhibit A to your memos.

  • If your auditors are experimenting with GenAI while your own team trims headcount, make sure the remaining evidence trail is audit-proof.

    Pro tip: adopt GenAI RAG tools to review your own documentation before the auditors review or audit it.

  • OCC peer stats give you a fresh benchmark for ALCO limits, while the CFTC’s imposter-recovery alert is a reminder to tighten client communication scripts.

Taken together, these moves can either widen or wipe out potential material weaknesses. Let’s think about them as a 90-day head start to strengthen documentation, refresh risk limits, and embed digital-asset safeguards before the rules harden. Staying proactive here isn’t just compliance; it’s good business hygiene.

Ask the PCAOB Whisperer

Q: “Do we really need a data-governance policy for bots?”

A: Yes—think of it as a seatbelt for your AI. Bots now touch purchase orders, journal entries, even customer chats. Without clear guardrails on data access, retention, and audit logging, you risk three headaches: (1) Control gaps—auditors can’t test what isn’t documented. (2) Regulatory whiplash—privacy rules (GDPR, CPRA) apply even when a bot, not a human, moves the data. (3) Model drift—bad inputs silently degrade bot accuracy and decision quality. A one-page policy is enough to spell out: who owns the bot, what data it may see, how exceptions are approved, and which logs are kept. Pair that with quarterly “bot health checks,” and you’ve turned a potential weakness into a strength—showing investors you automate responsibly while protecting the numbers.

Weekly Podcasts

We want to keep you engaged with meaningful topics, so we create weekly podcasts and host periodic webinars.

In our latest episode on ReportingNorms.ai, Yogita Parulekar dives into how streamlining infrastructure and security processes is transforming the way engineering and operations teams work. Discover how simplifying the essential tasks not only boosts productivity and time to market, but also gives teams the freedom to unleash their creativity—without getting bogged down in the technical weeds.

Tune in to hear more.

To watch more podcasts, visit and follow us on ReportingNorms.ai.
