LO 8.5 Discuss Management Responsibilities for Maintaining Internal Controls within an Organization
Because internal controls protect the integrity of financial statements, large companies have become highly regulated in their implementation. In addition to Section 404 of SOX, which addresses reporting and testing requirements for internal controls, other sections of the act govern management responsibility for internal controls. Although the auditor reviews internal controls and advises on their improvement, ultimate responsibility for the controls rests with the management of the company. Under SOX Section 302, in order to provide additional assurance to the financial markets, the chief executive officer (CEO), who is the executive within a company with the highest-ranking title and the overall responsibility for management of the company, and the chief financial officer (CFO), who is the corporation officer who reports to the CEO and oversees all of the accounting and finance concerns of a company, must personally certify that (1) they have reviewed the internal control report provided by the auditor; (2) the report does not contain any inaccurate information; and (3) they believe that all financial information fairly states the financial conditions, income, and cash flows of the entity. The sign-off under Section 302 makes the CEO and CFO personally responsible for financial reporting as well as the internal control structure.
While the executive sign-offs seem like they would be just a formality, they actually have a great deal of power in court cases. Prior to SOX, when an executive swore in court that he or she was not aware of the occurrence of some type of malfeasance, either committed by his or her firm or against his or her firm, the executive would claim a lack of knowledge of specific circumstances. The typical response was, “I can’t be expected to know everything.” In fact, in virtually all of the trials involving potential malfeasance, this claim was made, and it often succeeded in producing a not-guilty verdict.
The initial response to the new SOX requirements by many people was that there was already sufficient affirmation by the CEO and CFO and other executives to the accuracy and fairness of the financial statements and that the SOX requirements were unnecessary. However, it was determined that the SOX requirements provided a degree of legal responsibility that previously might have been assumed but not actually stated.
Even if a company is not public and not governed by SOX, it is important to note that the tone is set at the managerial level, called the tone at the top. If management respects the internal control system and emphasizes the importance of maintaining proper internal controls, the rest of the staff will follow and create a cohesive environment. A proper tone at the top demonstrates management’s commitment toward openness, honesty, integrity, and ethical behavior.
YOUR TURN
You are having a conversation with the CFO of a public company. Imagine that the CFO complains that there is no benefit to Sections 302 and 404 of the Sarbanes-Oxley Act relative to the cost, as “our company has always valued internal controls before this regulation and never had an issue.” He believes that this regulation is an unnecessary overstep. How would you respond and defend the need for Sections 302 and 404 of the Sarbanes-Oxley Act?
Solution
I would tell the CFO the following:
- Everyone says that they have always valued internal controls, even those who did not.
- Better security for the public is worth the cost.
- The cost of compliance is more than recovered in the company’s market price for its stock.
THINK IT THROUGH
Technology plays a very important role in internal controls. One recent significant security breach through technology was the Equifax breach. What is an internal control that you can personally implement to protect your personal data as a result of this breach, or any other future breach?
KEY TAKEAWAYS
Key Concepts and Summary
- It is the responsibility of management to ensure that the internal controls of a company are effective and in place.
- Though management has always had responsibility over internal controls, the Sarbanes-Oxley Act has added additional assurances that management takes this responsibility seriously, and placed sanctions against corporate officers and boards of directors who do not take appropriate responsibility.
- Sarbanes-Oxley only applies to public companies. Even though the rules of this act only apply to public companies, proper internal controls are an important aspect of all businesses of any size. Tone at the top is a key component of a proper internal control system.
Glossary
- chief executive officer (CEO)
- executive within a company with the highest ranking title who has the overall responsibility for the management of a company; reports to the board of directors
- chief financial officer (CFO)
- corporation officer who reports to the CEO and oversees all of the accounting and finance concerns of a company
Adapted from Principles of Accounting, Volume 1: Financial Accounting (c) 2010 by Open Stax. The textbook content was produced by Open Stax and is licensed under a Creative Commons BY-NC-SA 4.0 license. Download for free at https://openstax.org/details/books/principles-financial-accounting