The $1.2 Million Tell
Stay ahead of audit red flags with practical insights and real-world tips to fix internal control weaknesses before they’re found.
Welcome to this edition (week ending June 26, 2026) of Zero Material Weakness (ZMW) - a newsletter built for CFOs and controllers who want to stay ahead of material weaknesses before they become audit red flags. Whether you’re preparing for SOX compliance, managing IPO-readiness, or just tightening up your internal control environment, this newsletter brings practical insights, industry trends, and real-world examples straight to your inbox. Our goal? Help you fix what’s weak, before the auditors find it.
News this week:
AeroVironment (NASDAQ: AVAV) discloses a brand-new material weakness tied to a $89.4M goodwill miscalculation
Filed: 8-K dated June 16, 2026; Audit Committee non-reliance determination June 17, 2026
AeroVironment’s Audit Committee determined its Q3 FY26 financials (period ended Jan 31, 2026) could no longer be relied upon after finding an error in the goodwill impairment test for its Space reporting unit — the carrying value omitted goodwill tied to acquired deferred tax assets/liabilities. The fix increased the goodwill impairment charge by $89.4M, pushing the nine-month net loss to $328.3M. Management concluded this was a newly identified material weaknessrelated to “preparation and review of the goodwill impairment analysis,” and disclosure controls were ineffective as of Jan 31, 2026. The error was non-cash (no impact on revenue, cash, or Adjusted EBITDA), but the stock still dropped 4–11% on the news, and two board members resigned the same week (unrelated, per their letters). Auditor: Deloitte & Touche.
Why it matters: This is a textbook “complex estimate” failure, goodwill impairment math involving deferred taxes is exactly the kind of judgment-heavy area where review controls break down, especially after a big acquisition (AeroVironment just closed the $3.48B BlueHalo deal). Good reminder for any CFO/controller integrating an acquisition: review controls over impairment models need re-testing post-close, not just at year-end.
Coherus Oncology (NASDAQ: CHRS) confirms remediation of its 2024 material weakness - and swaps auditors at the same time
Filed: 8-K dated June 12, 2026; EY’s confirmation letter dated June 15, 2026
Coherus’s Audit Committee dismissed Ernst & Young as auditor (effective June 12) and appointed PwC for FY2026. Buried in the routine Item 4.01 disclosure: the company’s previously reported material weakness, inadequate documentation and review of inventory account reconciliations, first disclosed in the FY2024 10-K, was confirmed remediated as of year-end 2025, with EY raising no disagreements over the conclusion.
Why it matters: This is the “good news” counterpart to AeroVironment, a clean remediation cycle (identify → fix → confirm effective in the very next annual cycle) plus a same-week auditor transition with zero red flags (no adverse opinions, no disagreements). It’s a useful template for what a well-run remediation should look like on paper, and a reminder that auditor changes immediately following a remediated material weakness invite extra scrutiny from investors, worth getting the narrative tight.
CFTC and SEC jointly seek comment on harmonizing swap data reporting requirements
Released: June 18, 2026 (Release No. 9257-26)
CFTC Chairman Michael Selig and SEC Chairman Paul Atkins issued a joint request for public comment on aligning, modernizing, and streamlining data reporting requirements across the swap and security based swap markets. The request specifically asks for input on harmonization across frameworks, transparency and data quality, operational complexity, standardized identifiers and reference data, and implementation considerations. Comment period is open 60 days from Federal Register publication.
Why it matters: if your company reports swaps to a swap data repository (commodity hedges, interest rate swaps, FX derivatives) and also has security based swap exposure, you’re currently dealing with two separate reporting regimes with different field names, identifiers, and timing rules. Data reconciliation gaps between these regimes are exactly the kind of control weakness that tends to surface during an audit when management can’t tie derivative position reports to the general ledger. This is a good moment for treasury and accounting teams to flag where manual reconciliation between swap reporting and ASC 815 hedge documentation already creates friction, since this comment window is the chance to get it addressed at the regulatory level.
CFTC and SEC seek comment to clarify and harmonize derivatives product definitions
Released: June 18, 2026 (Release No. 9258-26)
The same day, the two agencies issued a second joint request, this one focused on updating and clarifying definitions under Title VII of Dodd Frank, including the scope of exclusions from the swap definition, treatment of mixed swaps, treatment of novel or emerging products, and jurisdictional lines between CFTC and SEC authority. Atkins called clarification “long overdue,” particularly for event based products.
Why it matters: classification questions (is this a swap, a forward, a security based swap, or something excluded entirely) drive accounting treatment, not just regulatory reporting. Misclassifying a derivative, or missing the “normal purchase normal sale” exclusion analysis, is a recurring root cause behind derivative related restatements and material weaknesses, especially for companies that hedge commodities or use structured products. If your hedging program touches anything novel (digital assets, event contracts, embedded features), this is worth tracking closely as it develops.
CFTC resolves its enforcement action against Celsius founder Alexander Mashinsky
Released: June 18, 2026 (Release No. 9256-26)
The U.S. District Court for the Southern District of New York entered a consent order resolving the CFTC’s 2023 case against Mashinsky, permanently banning him from trading and registration and enjoining further anti fraud violations. The underlying case alleged that Mashinsky and Celsius misrepresented the safety and regulatory compliance of its platform to customers while engaging in increasingly risky, uncollateralized lending and unregulated DeFi strategies to meet promised yields, ultimately leading to Celsius’s collapse with roughly $20 billion in customer funds at stake. Mashinsky pled guilty to commodities and securities fraud in December 2024 and was sentenced to 12 years in prison in May 2025.
Why it matters: this is a closing chapter rather than new news, but it is a clean case study for the newsletter on what happens when risk oversight and disclosure controls fail completely. The pattern here, public statements about safety and stability that diverged sharply from what risk management actually knew about the underlying portfolio, is the same pattern that shows up in smaller form in disclosure controls failures: management telling stakeholders one story while internal risk reporting tells another. Worth using as the “what total control breakdown looks like at the extreme end” anchor story, with the AeroVironment and Coherus items from the SEC roundup as the more everyday counterpart.
DC Circuit sends CFPB’s own restructuring fight back to the district court
Dated: June 19, 2026
The en banc US Court of Appeals for the DC Circuit issued an order in National Treasury Employees Union v. Vought, the case challenging Acting Director Russell Vought’s effort to shrink the Bureau. The court granted a limited remand, sending the case back to Judge Amy Berman Jackson to decide whether her existing injunction against mass layoffs should be modified in light of the CFPB’s revised reduction in force plan, which would cut the Bureau’s headcount from roughly 1,174 to about 556 employees, with the deepest cuts concentrated in supervision, enforcement, and operations. The court declined to put a 45 day deadline on Judge Jackson and kept jurisdiction over the appeal for itself.
Why it matters for your audience: regardless of which side eventually wins, a CFPB running at half strength in supervision and enforcement means slower exam cycles, slower complaint resolution, and less predictable timing on guidance. For CFOs and controllers at CFPB regulated entities (banks, fintechs, mortgage servicers, debt collectors), this is the thing to watch most closely this year, since it directly affects how much warning you’ll get before an exam finding becomes a public enforcement matter.
Fallout from the CFPB’s website and guidance purge kept intensifying through the week
Context spans mid-May through late June 2026; actively discussed in weekly trackers published June 17 and June 23, 2026
This isn’t a single dated action, so treat it as a developing story rather than a discrete news item. Starting in mid-May, the CFPB deleted roughly 2,200 to 3,800 webpages from its site, including all 35 Supervisory Highlights reports, press releases predating February 2025, and consumer guidance documents going back to the Bureau’s founding in 2010. The deletions kept expanding into early June. By the week of June 15, law firm trackers were still actively flagging the issue as unresolved, and Senate Democrats sent a formal letter pressing Acting Director Vought for an explanation shortly after.
Why it matters: if your compliance program has historically cited CFPB Supervisory Highlights, bulletins, or advisory opinions as part of its documented control rationale (a common practice in fair lending and UDAAP risk assessments), a chunk of that institutional record is no longer hosted on the Bureau’s own site. Compliance and internal audit teams should confirm they have their own archived copies of any CFPB guidance they rely on, rather than linking out to consumerfinance.gov, since some of that material is only accessible now through a third party archive maintained by the CFPB employees’ union.
A note on sourcing: items 1 and 2 are primary sourced from the Federal Register and the en banc court’s own order, cross checked against Ballard Spahr’s Consumer Finance Monitor and Troutman Pepper Locke’s weekly newsletter. Item 3 draws on American Banker, Americans for Financial Reform’s tracking, and the Senate Banking Committee’s public letter.
FINRA expels a firm over a six year supervisory failure to catch churning
Dated: June 17, 2026
FINRA expelled Reid & Rudiger LLC and permanently barred its cofounders, Clifford Reid and CEO Edward Rudiger Jr., for excessively trading and churning customer accounts in violation of Regulation Best Interest. Two supervisors, Marc Harrison and Kelli Mezzatesta, were separately suspended for three months and fined $5,000 each for failing to identify and act on red flags. The misconduct ran for nearly six years across 20 accounts, generating about $2 million in commissions and trading costs and causing roughly $2.7 million in customer losses. Some accounts carried annualized cost to equity ratios above 100 percent, meaning the account would have needed to more than double just to break even. FINRA’s enforcement chief, Bill St. Louis, was blunt about the root cause: the firm never built a supervisory system capable of catching this, and the supervisors who were in place did not use the exception reports already available to them.
Why it matters: this is the broker-dealer equivalent of an ICFR material weakness story. The findings read like a checklist of what regulators look for when assessing whether a control failure was a one-off or systemic: no monitoring of cost-to-equity ratios, no use of available exception reports, and supervisors who simply didn’t escalate obvious red flags over years, not weeks. If your firm (or a portfolio company) has supervisors with overlapping or unclear escalation duties, this is a useful case to circulate internally as a “what failure actually looks like” example.
FINRA’s Board approves rule modernization and signs off on the 2025 Annual Financial Report
Dated: June 17, 2026 (covering the Board’s June 3 to 4 meeting)
FINRA’s Board of Governors approved four rule proposals under its FINRA Forward modernization initiative: making the remote inspections pilot program permanent, moving toward more risk based supervisory approaches, tailoring continuing education requirements, and streamlining corporate financing rules. The Board also approved the 2025 Annual Financial Report (to be published later this month), was briefed on an external review of FINRA’s enforcement program ahead of a separate public report, and received an update on the Consolidated Audit Trail in light of the SEC’s ongoing concept release on CAT’s future.
Why it matters: the shift toward permanent remote inspections and risk based supervision changes how often and how your firm’s books, records, and supervisory controls actually get looked at by an examiner. That’s worth flagging to your compliance team now, since a lighter touch exam cadence in the near term does not lower the bar on what a deficiency looks like when it is found, it just changes when you find out.
OCC enforcement actions reveal a textbook case of management overriding internal controls to hide insolvency
Dated: June 18, 2026 (News Release 2026-48)
The OCC’s monthly enforcement roundup included an Order of Prohibition against Danny Seibel, the former President, CEO, and Director of The First National Bank of Lindsay in Oklahoma. The findings: Seibel extended loans without adequately assessing borrowers’ ability to repay, let customers run significant overdrafts without repayment, and concealed years of nonperforming loans by directly manipulating the bank’s core system to change maturity dates, payment due dates, and past due statuses. This misconduct caused the bank’s insolvency, and it was placed into receivership in October 2024. Seibel has since pled guilty to bank fraud. The same release also included an Order of Prohibition against a former Quontic Bank mortgage lending officer for concealing unapproved third-party broker relationships, and a batch of formal agreement terminations for banks that successfully remediated prior deficiencies, including the lifting of a 2022 cease and desist order against Bank of America.
Why it matters: this is about as direct a “material weakness becomes a felony” story as you’ll find. Falsifying past due statuses inside the core system to hide nonperforming loans is exactly the kind of management override of controls that auditors are trained to test for and that a real internal audit function with system access logging should catch long before it reaches receivership. Worth using as the anchor cautionary tale for this issue, with the Bank of America termination as the contrasting “remediation works” data point from the same release.
OCC clarifies when it can reject a bank filing as materially deficient
Dated: June 17, 2026 (News Release 2026-47 and Bulletin 2026-27)
The OCC issued a notice reminding the industry that filing decisions are governed by 12 CFR 5.13, under which the agency may approve, conditionally approve, deny, or return a filing as materially deficient if it lacks sufficient information to make a determination. The OCC framed this as a clarification of existing practice rather than a new standard.
Why it matters: if your company is pursuing a bank charter, merger, acquisition, or any other OCC filing, incomplete submissions can now be expected to bounce back faster and more explicitly as “materially deficient” rather than sitting in a review queue. For deal teams and controllers tracking M&A timelines involving OCC-regulated entities, this is a useful signal to tighten up filing packages before submission rather than relying on a back and forth review process to fill gaps.
A thought from our Author - Norm Osumi
Before you read: this issue comes with a companion CFO Control Checklist, organized by Critical, Important, and Best Practice priority. Pull it up alongside the analysis below.
ZERO MATERIAL WEAKNESS
When the Bet Knows the Outcome: Prediction Market Insider Trading Lands on the CFO's Desk
Why the CFTC's new event contract cases turn employee data access into a financial reporting control question
By Norm Osumi
I want to start with a number that should make you pause. One point two million dollars. That is what a software engineer allegedly cleared on a prediction market in about seven weeks, not by being a brilliant forecaster, but by knowing the answer before the rest of the market did. The Commodity Futures Trading Commission and the Southern District of New York say he had a front row seat to confidential corporate data and used it to place bets the market treated as near impossible. He was right almost every time. That is not luck. That is, according to the government, commodities fraud.
If you run finance at a company that generates valuable nonpublic information, and every company does, this case belongs on your radar. Not because your company is a prediction market, but because the people inside your walls now have a new, liquid, lightly understood venue to monetize what they know before you disclose it. The control environment that governs who can see what, and when, just became an insider trading question.
Let me walk you through how we got here, because the speed of this is the story.
Three moves in four months
In February 2026, the CFTC’s Division of Enforcement issued a prediction markets advisory. It described two episodes that a designated contract market, Kalshi, had already policed on its own: a political candidate who traded on his own race, and a video editor who traded on a channel’s results before they posted, using information he held through his job. The advisory’s message was quiet but firm. Event contracts are swaps. The anti-fraud provisions of the Commodity Exchange Act, Section 6(c)(1) and Regulation 180.1, apply with full force. An exchange handling a matter internally does not foreclose the Commission stepping in.
Two months later, in April, the agencies stopped describing and started charging. An active duty Army master sergeant faced parallel criminal and civil actions for trading event contracts tied to a classified military operation to capture Nicolas Maduro. He allegedly turned roughly thirty three thousand dollars of “Yes” shares into more than four hundred thousand in profit. This was the first insider trading case the CFTC has ever brought involving prediction markets, and the first time it reached for the so called Eddie Murphy Rule, the statute barring use of nonpublic government information for personal gain.
Then in May came the case that should concern you most, because it involves ordinary corporate information rather than classified secrets. The government alleges a Google engineer accessed an internal tool, learned the company’s not yet public “Year in Search” rankings, and across at least twenty three contracts bet with near perfect accuracy on outcomes the market priced as unlikely. He allegedly moved the proceeds through cryptocurrency privacy services. The charges are commodities fraud, wire fraud, and money laundering.
Notice what changed across these three moves. The source of the information shifted from a candidate’s own conduct, to classified government data, to ordinary confidential corporate data. The legal theory did not change at all. It is misappropriation: someone with material nonpublic information, obtained through a duty of trust and confidence, used it to trade. That is the exact theory the SEC has used in securities markets for decades, now running on commodity rails.
Why this is your problem, not just compliance’s
Here is the connective tissue to coverage we have built in prior issues. When the CFTC withdrew Staff Advisory 23-07 last year, I argued that removing prescriptive crypto guidance did not lower the control burden, it shifted that burden onto management. Prediction market enforcement is the same dynamic from the other direction. There is still no detailed rulebook for how an ordinary company should govern employee trading on event contracts. The CFTC has an advance notice of proposed rulemaking open, but the framework today is enforcement first. You are expected to build the controls before anyone tells you exactly what they must look like.
There is a harmonization angle too. The theories here mirror SEC insider trading doctrine almost exactly, and where an event contract is tied to a security’s performance, or the misappropriated information concerns a security, the SEC may assert its own jurisdiction. Two regulators, one fact pattern, parallel criminal exposure. Your insider trading policy can no longer stop at securities.
And there is an artificial intelligence dimension that is easy to miss. The Google case turned on access to an internal data system. The most valuable nonpublic information in many companies now lives inside analytics platforms, model outputs, search and usage trends, and internal AI tools, exactly the kind of signal that resolves a prediction market. Every system that aggregates predictive data is now a potential information leak point. Least privilege, access logging, and monitoring over those tools are not just data governance hygiene. They are insider trading controls.
Companion document in this issue
Pair this article with the Prediction Market Insider Trading: CFO Control Checklist, a tiered, ready to use set of control steps across policy, access, surveillance, and governance. Use it to brief your audit committee and to update your SOX documentation.
What a material weakness could look like here
Walk the chain the way an auditor would. If an employee can reach nonpublic, market moving data without a logged, need-to-know justification, that is a segregation of duties and access control gap. If your code of conduct and insider trading policy do not name event contracts, your control design does not cover a known, charged risk. If you have no surveillance for employee conduct that could constitute fraud tied to company information, your monitoring control has a hole. None of these is exotic. They are the familiar COSO control activities and information components, pointed at a new fact pattern.
Sample policy language: event contracts and prediction markets
Prohibited Trading in Event Contracts and Prediction Markets. No employee, officer, director, or contractor may buy, sell, or hold any event contract, prediction market position, or similar instrument whose outcome could be determined, in whole or in part, by material nonpublic information of the Company or of any third party to whom the individual owes a duty of confidentiality. This prohibition applies regardless of the platform used, the jurisdiction in which it operates, or whether the position is held through a centralized exchange or a decentralized, blockchain based venue. Conduct of this kind may constitute commodities fraud, wire fraud, and money laundering under federal law and will be treated as a serious breach of this Code.
My CFO action framework
First, expand the definition. Update your insider trading policy and code of conduct so the prohibition on trading while in possession of material nonpublic information explicitly includes event contracts and prediction markets, on any platform and in any jurisdiction. A bet placed offshore on a blockchain platform is still charged in Manhattan.
Second, map the data. Identify the internal systems, dashboards, and AI or analytics tools that hold information capable of resolving an event contract, and confirm access is least privilege, logged, and reviewed. The control question is not whether someone could leak this, it is whether someone could trade on it.
Third, brief the audit committee. Frame prediction market enforcement as what it is, a fraud and conduct risk with parallel criminal exposure for individuals, and document the briefing in the minutes. Gatekeeper attention is itself a control.
Fourth, coordinate, do not silo. Treat this as one risk owned jointly by legal, compliance, and finance, with the CFO accountable for the financial reporting control implications. The companion checklist in this issue gives you the tiered version of these steps.
The regulators have told you, three times in four months, that they view this as a top priority. The window to build the controls quietly, before you need them, is the one you are in right now.
See the companion Prediction Market Insider Trading: CFO Control Checklist in this issue for the tiered, audit ready version of this framework.
Zero Material Weakness is published for CFOs, controllers, and senior finance professionals. Content is informational and does not constitute professional accounting or legal advice.
PS - Ready to act? Here’s the link to the DISE readiness checklist:
The DISE Readiness Checklist translates everything above into specific control updates, sample disclosure language, and audit-committee briefing points, organized so you can hand it to your team today.



