How to Read Your 10-K Like the SEC Reads It: The Five Sections That Trigger Comment Letters

Frederick M. Lehrer, Esq. | 13 min read

TLDR

Risk factors, MD&A, revenue recognition policies, related party transactions, and non-GAAP financial measures are where the SEC staff spends 80% of its review time. If you can identify and fix the issues in these five sections before filing, you dramatically reduce your comment letter risk.

How the SEC Staff Reviews 10-Ks

The SEC Division of Corporation Finance does not read your 10-K the way your investors read it. Investors start with the executive summary and financial highlights. SEC staff reviewers start with the sections that have the highest probability of containing disclosure deficiencies. When I served in the Division of Enforcement, I observed that Corporation Finance staff developed highly efficient review methodologies that focused their attention on the five sections most likely to contain material disclosure issues.

Understanding this review methodology is the most practical thing an issuer can do to reduce comment letter risk. If you know where the staff spends its time, you can invest your disclosure preparation effort accordingly. The five sections that receive the most intensive staff attention are risk factors, Management Discussion and Analysis, revenue recognition policies, related party transactions, and non-GAAP financial measures. These five sections account for approximately 80% of all staff comments on 10-K filings across all industries.

Risk Factors: The Section That Gets Read First

Risk factors are the first section enforcement attorneys read when evaluating a company, and Corporation Finance staff frequently begins its review there as well. The reason is that risk factors establish the baseline of what the company disclosed it knew about its own risks. If a company experiences an adverse event and the risk factors did not adequately disclose the possibility of that event, the gap between the risk factor disclosure and the actual event creates the foundation for both a comment letter and potential enforcement exposure.

The most common risk factor deficiency is genericness. When risk factors read as though they could apply to any company in any industry, the SEC staff concludes that management has not actually evaluated the company's specific risks. For cannabis companies, generic regulatory risk factors that do not specifically address federal illegality, IRC 280E, or banking limitations are insufficient. For AI companies, generic technology risk factors that do not address algorithmic bias, data governance, or model accuracy are inadequate. For cryptocurrency companies, generic regulatory risk factors that do not address token classification, SEC enforcement trends, or custody requirements fail the specificity test.

MD&A: Where Most Comment Letters Start

Management Discussion and Analysis generates the highest volume of SEC staff comments because it is the section where disclosure failures are most readily identified. The SEC staff reads the MD&A and then compares it against the financial statements. Every material change in financial results that is not explained in the MD&A, every trend identified in the financials that is not discussed in the narrative, and every known uncertainty that is not addressed becomes a potential comment.

The standard for MD&A adequacy is whether the narrative provides investors with sufficient information to understand the company's financial condition and results of operations through the eyes of management. The Division of Enforcement looks for MD&A failures where management knew about a material trend or uncertainty but chose not to disclose it. The comment letter process catches some of these failures before they become enforcement issues, but companies that produce genuinely informative MD&A from the start avoid both comment letters and enforcement exposure.

Revenue Recognition Policies Under the Microscope

Revenue recognition is the area of financial reporting most associated with restatements and enforcement actions, and the SEC staff reviews revenue recognition policies with corresponding attention. Under ASC 606, the staff evaluates whether the company has adequately described its performance obligations, the timing of revenue recognition, the treatment of variable consideration, and the impact of significant judgments on revenue timing and amounts.

The most common deficiency is disclosure that restates ASC 606 requirements in general terms without explaining how the company specifically applies those requirements to its arrangements. When the SEC staff reads a revenue recognition policy that could apply to any company, it issues comments requesting company-specific disclosure. Companies that anticipate these comments by drafting revenue recognition policies that describe their actual arrangements and judgment processes avoid the most common comment letter topic.

Non-GAAP Financial Measures

The SEC staff's attention to non-GAAP financial measures has intensified significantly. Under Regulation G and Item 10(e) of Regulation S-K, companies that present non-GAAP measures must provide a reconciliation to the most directly comparable GAAP measure, must not present non-GAAP measures with greater prominence than GAAP measures, and must explain why the non-GAAP measure is useful to investors.

The most common deficiency is adjusting for recurring expenses. When a company labels restructuring charges, stock-based compensation, or acquisition-related costs as non-recurring and excludes them from its non-GAAP measures, the SEC staff evaluates whether those charges are actually non-recurring or whether they represent normal operating costs that the company is excluding to present a more favorable picture of financial performance. Companies that exclude charges that recur regularly face enforcement action for misleading non-GAAP presentations.

How to Self-Audit Before Filing

The most cost-effective approach to reducing comment letter risk is a pre-filing self-audit that evaluates the 10-K against the five focus areas before submission. This self-audit should compare risk factors against known risks and recent developments, evaluate MD&A for consistency with financial statement trends, review revenue recognition disclosure for company-specific detail, confirm completeness of related party transaction disclosure, and verify non-GAAP measure reconciliation and presentation.

Companies that conduct this self-audit consistently report fewer comment letters, shorter comment letter exchanges, and lower overall compliance costs. The self-audit is most effective when conducted by securities counsel with SEC staff experience who can apply the staff's review methodology to the filing before the staff does. This anticipatory approach converts the comment letter process from a reactive exercise into a quality assurance step that demonstrates the company's commitment to disclosure excellence.

Industry-Specific Review Patterns

The SEC assigns 10-K filings to industry-specific review teams within the Division of Corporation Finance. These teams develop deep familiarity with industry-specific disclosure issues and apply that knowledge to their reviews. Cannabis companies are reviewed by staff with expertise in federal regulatory conflict, tax implications, and banking limitations. AI and technology companies are reviewed by staff who understand technology capability claims and development-stage risk. Cryptocurrency companies are reviewed by staff familiar with digital asset classification, custody requirements, and multi-regulator oversight.

This industry-specific expertise means that the SEC staff is increasingly capable of identifying disclosure deficiencies that generalist securities counsel might miss. Companies in regulated and emerging industries benefit significantly from engaging securities counsel with both SEC experience and industry-specific knowledge, because that combination enables counsel to anticipate the specific questions the industry-focused staff will ask and address them in the original filing.

10 Key Points

  1. The SEC staff spends 80% of its 10-K review time on five specific sections: risk factors, MD&A, revenue recognition, related party transactions, and non-GAAP measures.
  2. Risk factors are read first by enforcement staff because they establish the baseline of what the company disclosed it knew about its own risks.
  3. MD&A is where most comment letters originate because the SEC staff compares the narrative discussion against the financial statements for consistency.
  4. Revenue recognition policy disclosure is scrutinized for specificity, and generic GAAP language without company-specific application triggers comment letters.
  5. Related party transactions are evaluated for completeness and disclosure adequacy, and undisclosed related party relationships are among the most common enforcement triggers.
  6. Non-GAAP financial measures must be reconciled to GAAP, must not be given greater prominence than GAAP measures, and must not exclude recurring charges in a misleading way.
  7. Self-auditing the 10-K before filing against these five focus areas can reduce comment letter probability by identifying and fixing the issues the staff will question.
  8. Cannabis companies receive particular attention on risk factor adequacy regarding federal illegality, banking limitations, and IRC 280E tax impact.
  9. AI companies face scrutiny on technology capability claims in the business description and MD&A that are inconsistent with financial performance.
  10. Cryptocurrency companies are evaluated on the adequacy of regulatory uncertainty disclosure, token classification analysis, and custody risk disclosure.

Frequently Asked Questions

How does the SEC decide which 10-K filings to review?

The SEC Division of Corporation Finance reviews every company's filing at least once every three years as required by Sarbanes-Oxley. Beyond that minimum, the staff selects filings for review based on several factors including restatements, material changes in financial results, significant corporate events, industry-wide issues, tips and referrals, and algorithmic screening that identifies unusual patterns in financial data.

What are the most common 10-K comment letter topics?

Based on SEC staff data, the most frequent comment letter topics are MD&A discussion adequacy, revenue recognition policy disclosure, non-GAAP financial measure reconciliation, risk factor specificity, segment reporting, goodwill impairment testing, and related party transaction disclosure. These topics consistently represent the majority of staff comments across all industries.

How should risk factors be drafted to avoid comment letters?

Risk factors should be specific to the company's actual risks rather than generic industry risks. Each risk factor should identify the specific risk, explain how it could affect the company's business and financial condition, and describe what the company is doing to mitigate the risk. The SEC staff rejects boilerplate risk factors that could apply to any company in any industry.

What does the SEC look for in MD&A?

The SEC staff evaluates MD&A for completeness of discussion of material trends, events, and uncertainties; consistency between the narrative and the financial statements; adequacy of discussion of known material trends that are reasonably likely to affect future results; and comparison of current period results against prior periods with meaningful explanation of material changes.

Why does revenue recognition trigger so many comment letters?

Revenue recognition is the financial statement area most susceptible to management judgment and most frequently associated with restatements and enforcement actions. The SEC staff evaluates whether the company's revenue recognition policies are described with sufficient specificity to enable investors to understand how management applies judgment, particularly for multiple-element arrangements, long-term contracts, and arrangements with variable consideration.

What are related party transaction disclosure requirements?

Regulation S-K Item 404 requires disclosure of transactions exceeding $120,000 involving the company and any related person, including directors, officers, 5% shareholders, and their immediate family members. The SEC staff looks for completeness of disclosure, adequacy of description of the terms and business purpose, and whether the transaction was conducted on terms comparable to arm's length transactions.

How does the SEC evaluate non-GAAP financial measures?

The SEC staff applies Regulation G and Item 10(e) of Regulation S-K to evaluate whether non-GAAP measures are properly reconciled to GAAP, whether they are given greater prominence than GAAP measures, whether adjustments exclude normal recurring operating expenses in a misleading way, and whether the presentation misleads investors about the company's financial performance.

What is the SEC's approach to cannabis company 10-Ks?

When I reviewed filings involving cannabis companies, the SEC staff applied heightened attention to risk factor adequacy regarding federal illegality, the completeness of IRC 280E tax disclosure, banking limitation disclosure, going concern analysis, state licensing compliance disclosure, and the consistency between the business description and the legal risk disclosure. Cannabis companies that use generic risk factor language face particularly detailed comment letters.

How should AI companies handle technology disclosure in the 10-K?

AI companies should ensure that technology capabilities described in the business description are consistent with the financial results discussed in MD&A. If the technology is described as transformative but revenue from AI products is minimal, the SEC staff will ask for reconciliation. Technology claims should be specific, measurable, and supported by the company's actual operating results.

What happens after a company receives a 10-K comment letter?

The company typically has 10 business days to respond. The response should directly address each comment, provide revised disclosure language where appropriate, and explain any position where the company disagrees with the staff's suggestion. The process typically involves 2-3 rounds of comments and responses before resolution. The entire comment letter correspondence becomes public 20 business days after the review is completed.

Can comment letters lead to enforcement action?

Yes. When the Division of Corporation Finance staff identifies potential fraud, material misrepresentation, or significant disclosure failures during the comment letter process, it can refer the matter to the Division of Enforcement. Referrals are most common when the company's responses reveal inconsistencies, when the staff discovers undisclosed material information, or when the company fails to respond adequately to staff comments.

How does the SEC review cryptocurrency company 10-Ks?

Cryptocurrency companies face scrutiny on token classification analysis and the basis for concluding that tokens are not securities, regulatory uncertainty disclosure across SEC, CFTC, FinCEN, and state regulators, custody and safeguarding of digital assets, cybersecurity risk disclosure, and the adequacy of financial statement presentation for digital asset transactions.

What is the SEC's view on boilerplate disclosure?

The SEC staff consistently rejects boilerplate disclosure that is generic enough to apply to any company. Risk factors, MD&A, and business descriptions that use standardized language without company-specific detail trigger comment letters requesting more specific disclosure. The staff looks for evidence that management has actually evaluated the company's specific circumstances rather than copying disclosure from templates.

How often should risk factors be updated?

Risk factors should be reviewed and updated with every periodic filing. New risks should be added as they emerge, resolved risks should be removed, and existing risk factors should be updated to reflect changes in their nature or severity. The SEC staff compares risk factors across filing periods and will question material risks that appear without prior disclosure or risks that remain unchanged despite material business developments.

What is the role of the audit committee in 10-K compliance?

The audit committee is responsible for overseeing the financial reporting process including the accuracy and completeness of the 10-K. This includes reviewing the financial statements, discussing accounting policies with management and auditors, evaluating the adequacy of disclosure, and ensuring that the company's disclosure controls and procedures are effective.

How do segment reporting issues affect 10-K review?

The SEC staff evaluates whether the company has properly identified its operating segments under ASC 280, whether segment-level disclosure is adequate, whether aggregation of segments is appropriate, and whether the company's segment reporting is consistent with how management actually operates the business. Disagreements about segment identification are among the most contentious comment letter issues.

What goodwill impairment testing disclosure does the SEC require?

The SEC staff expects disclosure of the methodology used for goodwill impairment testing, the key assumptions underlying the fair value determination, the sensitivity of the analysis to changes in key assumptions, the amount by which fair value exceeds carrying value for reporting units at risk, and any qualitative factors that could affect the impairment assessment.

Should companies disclose SEC comment letter correspondence?

While companies are not required to disclose the fact that they received a comment letter, the correspondence becomes publicly available on EDGAR 20 business days after the review is completed. Companies should be aware that their responses will be publicly available and draft responses accordingly. Some companies choose to disclose material comment letter issues in subsequent periodic filings.

How does flat-fee counsel help with annual report compliance?

Flat-fee counsel enables ongoing 10-K disclosure review and improvement without the cost uncertainty of hourly billing. Under flat-fee arrangements, counsel can review draft 10-K sections as they are prepared, identify potential comment letter issues before filing, and provide ongoing disclosure quality assurance throughout the year rather than conducting a compressed review immediately before filing.

What technology does the SEC use to review 10-K filings?

The SEC uses EDGAR filing analysis tools, financial data comparison systems, text analytics that identify disclosure changes between filing periods, and industry benchmarking tools that compare a company's disclosure against peer companies. These systems can identify unusual patterns, material changes in disclosure language, and financial data anomalies that may not be apparent from a manual review of a single filing.

This article was written by Frederick M. Lehrer, Esq., a former SEC Division of Enforcement Staff Attorney and Special Assistant United States Attorney (Southern District of Florida) with over 30 years of securities law experience. Florida Bar No. 888400.