Because internal controls do protect the integrity of financial
statements, large companies have become highly regulated in their
implementation. In addition to Section 404 of the SOX, which
addresses reporting and testing requirements for internal controls,
there are other sections of the act that govern management
responsibility for internal controls. Although the auditor reviews
internal controls and advises on how to improve them, ultimate
responsibility for the controls rests with the management of the
company. Under SOX Section 302, in order to provide additional
assurance to the financial markets, the chief executive officer
(CEO), the executive within a company who holds the highest-ranking
title and overall responsibility for managing the company, and the
chief financial officer (CFO), the corporate officer who reports to
the CEO and oversees all of the accounting and finance concerns of
the company, must personally certify that (1) they have reviewed the
internal control report provided by the auditor; (2) the report
does not contain any inaccurate information; and (3) they believe
that all financial information fairly states the financial
condition, income, and cash flows of the entity. The sign-off
under Section 302 makes the CEO and CFO personally responsible for
financial reporting as well as for the internal control structure.
While the executive sign-offs may seem like a mere formality, they
actually carry a great deal of weight in court cases. Prior to SOX,
when an executive swore in court that he or she was not aware of
some type of malfeasance, whether committed by his or her firm or
against it, the executive would claim a lack of knowledge of the
specific circumstances. The typical response was, “I can’t be
expected to know everything.” In fact, in virtually all of the
trials involving potential malfeasance, this claim was made, and it
often succeeded in securing a not-guilty verdict.
Many people’s initial response to the new SOX requirements was that
the CEO, CFO, and other executives already provided sufficient
affirmation of the accuracy and fairness of the financial statements,
and that the SOX requirements were therefore unnecessary. However,
it was determined that the SOX requirements provided a degree of
legal responsibility that previously might have been assumed but
was not actually stated.
Even if a company is not public and is not governed by SOX, it is
important to note that the tone is set at the managerial level, a
concept called the tone at the top. If management respects the
internal control system and emphasizes the importance of maintaining
proper internal controls, the rest of the staff will follow and
create a cohesive environment. A proper tone at the top demonstrates
management’s commitment to openness, honesty, integrity, and ethical
behavior.
YOUR TURN
Defending the Sarbanes-Oxley Act
You are having a conversation with the CFO of a public company.
Imagine that the CFO complains that there is no benefit to Sections
302 and 404 of the Sarbanes-Oxley Act relative to the cost, as “our
company has always valued internal controls before this regulation
and never had an issue.” He believes that this regulation is an
unnecessary overstep. How would you respond and defend the need for
Sections 302 and 404 of the Sarbanes-Oxley Act?
Solution
I would tell the CFO the following:
- Everyone says that they have always valued internal controls,
even those who did not.
- Better security for the public is worth the cost.
- The cost of compliance is more than recovered in the company’s
market price for its stock.
THINK IT THROUGH
Personal Internal Controls
Technology plays a very important role in internal controls. One
recent significant security breach involving technology was the
Equifax breach. What is an internal control that you can personally
implement to protect your personal data in response to this breach,
or to any future breach?