Because internal controls do protect the integrity of financial statements, large companies have become highly regulated in their implementation. In addition to Section 404 of the SOX, which addresses reporting and testing requirements for internal controls, there are other sections of the act that govern management responsibility for internal controls. Although the auditor reviews internal controls and advises on the improvement of controls, ultimate responsibility for the controls is on the management of the company. Under SOX Section 302, in order to provide additional assurance to the financial markets, the chief executive officer (CEO), who is the executive within a company with the highest-ranking title and the overall responsibility for management of the company, and the chief financial officer (CFO), who is the corporation officer who reports to the CEO and oversees all of the accounting and finance concerns of a company, must personally certify that (1) they have reviewed the internal control report provided by the auditor; (2) the report does not contain any inaccurate information; and (3) they believe that all financial information fairly states the financial conditions, income, and cash flows of the entity. The sign-off under Section 302 makes the CEO and CFO personally responsible for financial reporting as well as internal control structure.
While the executive sign-offs seem like they would be just a formality, they actually carry a great deal of weight in court cases. Prior to SOX, when an executive swore in court that he or she was not aware of the occurrence of some type of malfeasance, either committed by his or her firm or against his or her firm, the executive would claim a lack of knowledge of the specific circumstances. The typical response was, “I can’t be expected to know everything.” In fact, in virtually all of the trials involving potential malfeasance, this claim was made, and it often contributed to a not-guilty verdict.
The initial response to the new SOX requirements by many people was that there was already sufficient affirmation by the CEO and CFO and other executives to the accuracy and fairness of the financial statements and that the SOX requirements were unnecessary. However, it was determined that the SOX requirements provided a degree of legal responsibility that previously might have been assumed but not actually stated.
Even if a company is not public and not governed by the SOX, it is important to note that the tone is set at the managerial level, called the tone at the top. If management respects the internal control system and emphasizes the importance of maintaining proper internal controls, the rest of the staff will follow and create a cohesive environment. A proper tone at the top demonstrates management’s commitment toward openness, honesty, integrity, and ethical behavior.
Defending the Sarbanes-Oxley Act
You are having a conversation with the CFO of a public company. Imagine that the CFO complains that there is no benefit to Sections 302 and 404 of the Sarbanes-Oxley Act relative to the cost, as “our company has always valued internal controls before this regulation and never had an issue.” He believes that this regulation is an unnecessary overstep. How would you respond and defend the need for Sections 302 and 404 of the Sarbanes-Oxley Act?
I would tell the CFO the following:
- Everyone says that they have always valued internal controls, even those who did not.
- Better security for the public is worth the cost.
- The cost of compliance is more than recovered in the company’s market price for its stock.
Personal Internal Controls
Technology plays a very important role in internal controls. One recent significant security breach through technology was the Equifax breach. What is an internal control that you can personally implement to protect your personal data as a result of this breach, or any other future breach?