Missing Gold: Misappropriation by SPAC CFO Underscores Importance of Internal Controls

Misappropriation by African Gold’s CFO

African Gold, a special purpose acquisition company (“SPAC”), closed its initial public offering (“IPO”) on March 2, 2021. Shortly after the IPO, African Gold had approximately $1.5 million in its operating bank account to fund its search for a business combination target. Over the course of the next year, the SEC alleged, African Gold’s former CFO, Cooper J. Morgenthau, misappropriated “nearly all” of the money in African Gold’s operating bank account and used the funds for his personal use.² Morgenthau allegedly also altered African Gold’s bank account statements to conceal his unauthorized transactions and to “fabricate the balance” in the operating bank account.³ Accordingly, African Gold’s Forms 10-Q materially misstated the amount of cash available in its operating bank account to search for a business combination target — the primary purpose of African Gold.

The SEC Order & African Gold’s Internal Control Failures

The SEC concluded that African Gold violated the Exchange Act. According to the SEC, since the closing of its IPO on March 2, 2021 until late 2022, African Gold failed to maintain: (1) sufficient recordkeeping; (2) a sufficient system of internal accounting controls; and (3) internal control over financial reporting and disclosure controls and procedures. The SEC concluded that these failures enabled Morgenthau to misappropriate funds and to conceal his misappropriation from others at African Gold. Specifically, the SEC highlighted the following control failures:

• Controls Related to the Operating Account: African Gold failed to establish sufficient segregation of duties and monitoring controls over its operating bank account because no other employees were required to monitor account activity, reconcile bank account activity, or maintain responsibility for recordkeeping of its assets;
• Controls Related to Cash Disbursements: African Gold failed to establish sufficient segregation of duties and monitoring controls over its cash disbursements because all responsibility and control over cash disbursements was delegated to Morgenthau. Though African Gold had a policy that payments over $50,000 required the approval of an employee other than Morgenthau, the SEC deemed this policy “largely ineffective . . . given the nature of African Gold’s limited activities and expenses, as well as the lack of restrictions on the aggregate amounts” that Morgenthau could transfer without oversight;⁴
• Controls Related to Financial Reporting and Disclosure Controls and Procedures: The SEC deemed African Gold’s internal control over financial reporting and disclosure controls and procedures insufficient because African Gold delegated all aspects of its financial reporting processes to Morgenthau without any established monitoring controls or involvement by other African Gold personnel, which enabled him to provide accountants and African Gold’s external auditor with false information.

These failures led to serial misstatements in the cash balance reported in African Gold’s Forms 10-Q throughout 2021 and early 2022.

African Gold agreed to pay a civil monetary penalty of $103,591 to settle the Exchange Act claims. Specifically, the SEC concluded that African Gold violated Section 13(a) of the Exchange Act and Rules 13a-1, 13a-13, and 12b-20 thereunder, which require issuers to file complete and accurate annual and quarterly reports. The SEC similarly concluded that African Gold violated Section 13(b)(2)(A) of the Exchange Act due to its failure to maintain books, records, and accounts that accurately and fairly reflected its transactions and dispositions of assets. Further, African Gold’s failure to maintain sufficient internal accounting controls violated Section 13(b)(2)(B) of the Exchange Act, while its failure to maintain internal control over financial reporting and disclosure controls and procedures violated Exchange Act Rules 13a-15(a) and 13a-15(b).

Key Takeaways

Robust internal controls don’t just protect against employee misappropriation. Indeed the situation here — blatant misappropriation by the CFO — is not a realistic scenario for most issuers. But robust controls also protect issuers from a wide variety of much more realistic scenarios — including the ever-increasing threat of business email compromise (“BEC”).

BEC is a form of social engineering attack in which a bad actor uses psychological manipulation to trick employees into, for example, transferring funds to the attacker or disclosing confidential information. The bad actor may gather data over a period of time that can be used to make their messages to employees more convincing and to trick employees into making incorrect snap judgments.

In the typical BEC involving a misdirected wire transfer, for instance, the bad actor might gain access to a company’s networks and quietly monitor activity until they encounter an email with wire instructions and information on a related transaction. The bad actor will then interject themselves in the middle of the email communications, often using a email domain similar to the company’s email domain (e.g., compamy.com as compared to company.com) and substitute fraudulent wire instructions for the legitimate wire instructions.⁵ The bad actor often appeals to authority (by making it seem that the CEO or CFO has approved the transaction and that confidentiality is required) or urgency (by making it seem that an impending deal will fall apart if the wire payment doesn’t issue immediately). This perceived urgency can lead to the circumvention of internal controls. Robust internal controls over disbursements offer important lines of defense against both intentional misappropriation and BEC.

¹In the Matter of African Gold Acquisition Corp., Exchange Act Release No. 96960, Accounting and Auditing Enforcement Release No. 4377 (Feb. 22, 2023); see also Press Release, Sec. & Exch. Comm’n, SEC Charges African Gold Acquisition Corp. with Internal Controls, Reporting, and Recordkeeping Failures (Feb. 22, 2023), https://www.sec.gov/news/press-release/2023-36.
²Order at 2. The SEC separately charged Morgenthau with several violations of the federal securities laws related to his conduct and the Court entered a consent judgment enjoining him from further violations. Order at 2 n.2; see Sec. and Exch. Comm’n v. Morgenthau, 23-cv-00022-NRB (S.D.N.Y. filed Jan. 3, 2023). Morgenthau likewise pleaded guilty to one count of wire fraud in violation of 18 U.S.C. § 1343. Order at 2 n.2; see United States v. Morgenthau, 1:23-cr-00002 (S.D.N.Y. filed Jan. 3, 2023).
³Order at 3.
⁴Order 4.
⁵See, e.g., Press Release, U.S. Attorney’s Office, District of Arizona, Nigerian Nationals Victimize U.S. Persons Through Cyber-Enabled Fraud Schemes (Feb. 3, 2023), https://www.justice.gov/usao-az/pr/nigerian-nationals-victimize-us-persons-through-cyber-enabled-fraud-schemes; see also Business Email Compromise, Fed. Bureau of Investigation, https://www.fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/common-scams-and-crimes/business-email-compromise.