4.4 SOX & Management’s Responsibility for Maintaining Control

Because internal controls do protect the integrity of financial statements, large companies have become highly regulated in their implementation. In addition to Section 404 of the SOX, which addresses reporting and testing requirements for internal controls, there are other sections of the act that govern management responsibility for internal controls. Although the auditor reviews internal controls and advises on the improvement of controls, ultimate responsibility for the controls is on the management of the company. Under SOX Section 302, in order to provide additional assurance to the financial markets, the chief executive officer (CEO), who is the executive within a company with the highest-ranking title and the overall responsibility for management of the company, and the chief financial officer (CFO), who is the corporation officer who reports to the CEO and oversees all of the accounting and finance concerns of a company, must personally certify that (1) they have reviewed the internal control report provided by the auditor; (2) the report does not contain any inaccurate information; and (3) they believe that all financial information fairly states the financial conditions, income, and cash flows of the entity. The sign-off under Section 302 makes the CEO and CFO personally responsible for financial reporting as well as internal control structure.

While the executive sign-offs seem like they would be just a formality, they actually have a great deal of power in court cases. Prior to SOX, when an executive swore in court that he or she was not aware of the occurrence of some type of malfeasance, either committed by his or her firm or against his or her firm, the executive would claim a lack of knowledge of specific circumstances. The typical response was, “I can’t be expected to know everything.” In fact, in virtually all of the trials involving potential malfeasance, this claim was made and often was successful in a not-guilty verdict.

The initial response to the new SOX requirements by many people was that there was already sufficient affirmation by the CEO and CFO and other executives to the accuracy and fairness of the financial statements and that the SOX requirements were unnecessary. However, it was determined that the SOX requirements provided a degree of legal responsibility that previously might have been assumed but not actually stated.

Even if a company is not public and not governed by the SOX, it is important to note that the tone is set at the managerial level, called the tone at the top. If management respects the internal control system and emphasizes the importance of maintaining proper internal controls, the rest of the staff will follow and create a cohesive environment. A proper tone at the top demonstrates management’s commitment toward openness, honesty, integrity, and ethical behavior.



Defending the Sarbanes-Oxley Act

You are having a conversation with the CFO of a public company. Imagine that the CFO complains that there is no benefit to Sections 302 and 404 of the Sarbanes-Oxley Act relative to the cost, as “our company has always valued internal controls before this regulation and never had an issue.” He believes that this regulation is an unnecessary overstep. How would you respond and defend the need for Sections 302 and 404 of the Sarbanes-Oxley Act?


I would tell the CFO the following:

  1. Everyone says that they have always valued internal controls, even those who did not.
  2. Better security for the public is worth the cost.
  3. The cost of compliance is more than recovered in the company’s market price for its stock.

Financial statements are the end result of an accountant’s work and are the responsibility of management. Proper internal controls help the accountant determine that the financial statements fairly present the financial position and performance of a company. Financial statement fraud occurs when the financial statements are used to conceal the actual financial condition of a company or to hide specific transactions that may be illegal. Financial statement fraud may take on many different methods, but it is generally called cooking the books. This issue may occur for many purposes.

A common reason to cook the books is to create a false set of a company’s books used to convince investors or lenders to provide money to the company. Investors and lenders rely on a properly prepared set of financial statements in making their decision to provide the company with money. Another reason to misstate a set of financial statements is to hide corporate looting such as excessive retirement perks of top executives, unpaid loans to top executives, improper stock options, and any other wrongful financial action. Yet another reason to misreport a company’s financial data is to drive the stock price higher. Internal controls assist the accountant in locating and identifying when management of a company wants to mislead the investors or lenders.

The financial accountant or members of management who set out to cook the books are intentionally attempting to deceive the user of the financial statements. The actions of upper management are being concealed, and in most cases, the entire financial position of the company is being purposely misreported. Regardless of the reason for misstating the true condition of a company’s financial position, doing so misleads any person using the financial statements of a company to evaluate the company and its operations.

How Companies Cook the Books to Misrepresent Their Financial Condition

One of the most common ways companies cook the books is by manipulating revenue accounts or accounts receivable. Proper revenue recognition involves accounting for revenue when the company has met its obligation on a contract. Financial statement fraud involves early revenue recognition, or recognizing revenue that does not exist, together with misstated receivables accounting used in tandem with false revenue reporting. HealthSouth used a combination of false revenue accounts and misstated accounts receivable in a direct manipulation of the revenue accounts to commit a multibillion-dollar fraud between 1996 and 2002. Several chief financial officers and other company officials went to prison as a result.4



Internal Controls at HealthSouth

The fraud at HealthSouth was possible because some of the internal controls were ignored. The company failed to maintain standard segregation of duties and allowed management override of internal controls. The fraud required the collusion of the entire accounting department, concealing hundreds of thousands of fraudulent transactions through the use of falsified documents and fraudulent accounting schemes that included revenue recognition irregularities (such as recording accounts receivable as revenue before collection), misclassification of expenses and asset acquisitions, and fraudulent merger and acquisition accounting. The result was billions of dollars of fraud. Simply implementing and following proper internal control procedures would have stopped this massive fraud.5

Many companies may go to great lengths to perpetuate financial statement fraud. Besides the direct manipulation of revenue accounts, there are many other ways fraudulent companies manipulate their financial statements. Companies with large inventory balances can misrepresent their inventory account balances and use this misrepresentation to overstate the amount of their assets to get larger loans or use the increased balance to entice investors through claims of exaggerated revenues. The inventory accounts can also be used to overstate income. Such inventory manipulations can include the following:

  • Channel stuffing: encouraging customers to buy products under favorable terms. These terms include allowing the customer to return or even not pick up goods sold, without a corresponding reserve to account for the returns.
  • Sham sales: sales that have not occurred and for which there are no customers.
  • Bill-and-hold sales: recognition of income before the title transfers to the buyer, and holding the inventory in the seller’s warehouse.
  • Improper cutoff: recording sales of inventory in the wrong period and before the inventory is sold; this is a type of early revenue recognition.
  • Round-tripping: selling items with the promise to buy the items back, usually on credit, so there is no economic benefit.

These are just a few examples of the way an organization might manipulate inventory or sales to create false revenue.

One of the most famous financial statement frauds involved Enron, as discussed previously. Enron started as an interstate pipeline company, but then branched out into many different ventures. In addition to the internal control deficiencies discussed earlier, the financial statement fraud started when the company began to attempt to hide its losses.

The fraudulent financial reporting schemes included building assets and immediately taking as income any projected profits on construction, and hiding the losses from operating assets in off-balance-sheet transactions called special purpose entities, which are separate, often complicated legal entities that are often used to absorb risk for a corporation. Enron moved assets that were losing money off of its books and onto the books of the special purpose entity. This way, Enron could hide its bad business decisions and continue to report a profit, even though its assets were losing money. Enron’s financial statement fraud created false revenues with the misstatement of asset and liability balances. This was further supported by inadequate balance sheet footnotes and the related disclosures. As a result of these special purpose entities, for example, the required disclosures were ramped up.

Sarbanes-Oxley Act Compliance Today

The Enron scandal and related financial statement frauds led to investors requiring that public companies maintain better internal controls and develop stronger governance systems, while auditors perform a better job at auditing public companies. These requirements, in turn, led to the regulations developed under SOX that were intended to protect the investing public.

Since SOX was first passed, it has adapted to changing technology and now requires public companies to protect their accounting and financial data from hackers and other outside or internal forces through stronger internal controls designed to protect the data. The Journal of Accountancy supported these new requirements and reported that the results of SOX have been positive for both companies and investors.

As discussed in the Journal of Accountancy article,6 there are three conditions that are increasingly affecting compliance with SOX requirements:

  • PCAOB requirements. The PCAOB has increased the requirements for inspection reports, with a greater emphasis on deficiency evaluation.
  • Revenue recognition. The Financial Accounting Standards Board has introduced a new standard for revenue recognition. This requirement has led to the need for companies to update control documentation.
  • Cybersecurity. Cybersecurity is the practice of protecting software, hardware, and data from digital attacks. As would be expected in today’s environment, the number of recent cybersecurity disclosures has significantly grown.

Under current guidelines, instead of the SOX requiring compliance with just the financial component of reporting and internal control, the guidelines now allow application to information technology (IT) activities as well. A major change under the SOX guidelines involves the method of storage of a company’s electronic records. While the act did not specifically require a particular storage method, it did provide guidance on which records were to be stored and for how long they should be stored.

The SOX now requires that all business records, electronic records, and electronic messages must be stored for at least five years. The penalties for noncompliance include either imprisonment or fines, or a combination of the two options.


  • 4 Melinda Dickinson. “Former HealthSouth Boss Found Liable for $2.9 Billion.” Reuters. June 18, 2009. https://www.reuters.com/article/us-healthsouth-scrushy/former-healthsouth-boss-found-liable-for-2-9-billion-idUSTRE55H4IP20090618
  • 5 David McCann. “Two CFOs Tell a Tale of Fraud at HealthSouth.” CFO.com. March 27, 2017. http://ww2.cfo.com/fraud/2017/03/two-cfos-tell-tale-fraud-healthsouth/
  • 6 Ken Tysiac. “Companies Spending More Time on SOX Compliance.” Journal of Accountancy. June 12, 2017. https://www.journalofaccountancy.com/news/2017/jun/companies-spending-more-time-on-sox-compliance-201716857.html