With the Sarbanes-Oxley Act (SOX) over 20 years old, some may not realize that the point of SOX was to prevent fraudulent financial reporting at the executive level. We get caught up in the minutiae of testing, but this was not the act’s original intent. We do this to force completeness and accuracy from the bottom up to the aggregated accounts, and then we confirm the financial statement balances. However, the controls we should test ensure senior executives do not circumvent these established processes to manipulate the reports to fit a narrative they want to tell the market. This article reminds auditors of what led us to our current SOX practice and offers advice on remaining vigilant against executive-level fraud.
Corporate Fraud Led to SOX
The Sarbanes-Oxley Act of 2002 was enacted in the United States to protect investors from fraudulent financial reporting by corporations after a series of high-profile companies collapsed when fraud was uncovered. Accounting scandals at companies like Enron and WorldCom involved manipulation of financial reports to overstate profits and hide debt, sometimes with their external auditors aware of the practices. In the aftermath, SOX was established to prevent fraudulent financial reporting by focusing on corporate governance and internal control over financial reporting.
Corporate Governance Controls Against Fraud
SOX works against fraud through enterprise-level controls and process-level controls. At the enterprise level, SOX aims to establish an ethical culture that takes ownership of the accuracy of financial reporting. Under the act, the CEO and CFO have personal responsibility for the accuracy of financial reporting. They are also personally liable if the financial statements are found to be fraudulent. Next, publicly traded companies must establish an independent audit committee that oversees the company’s auditing process and ensures that the company’s financial statements are accurate. Finally, public corporations adopt a code of ethics that prohibits employees from engaging in fraudulent or unethical behavior and maintain an ethics hotline for people to report questionable actions.
Financial Reporting Process Controls Against Fraud
By far, the most recognizable feature of the SOX Act is the requirement to maintain internal controls over financial reporting that are designed to prevent and detect fraud. In practice, establishing these controls deals with ensuring the accuracy and completeness of financial statement balances by tracing the flow of information from when money enters or exits the company all the way through to the financial statements. Controls are put in place to prevent the data from being manipulated at any point while the data flows through the organization, by the business or the technology teams.
Remember the Point of SOX
Since we place so much attention on detailed process controls, some organizations are losing focus on the act’s original intent – executive manipulation of financial statements. The type of fraud that led to the collapse of major corporations occurred at the highest levels. We spend most of our time tracing transactions and ensuring proper separation of duties, but we should never forget to take a step back and look at the organization as a whole. Executive-level fraud does not follow the same patterns as typical occupational fraud. Executive fraud red flags all SOX professionals should know include:
- Ability to circumvent internal controls
- Unchecked spending privileges
- Nepotism (friends and family)
- False statements to external stakeholders
- Incidents of firing those who disagree
These are just a few red flags to consider, but trained auditors can quickly test for questionable practices in these areas that would lead to further investigation. The outcome of these practices could be the manipulation of financial reports to boost personal compensation or stock holdings.
Time to Re-evaluate Your SOX Program
SOX programs can become stale if we allow our companies to slip into a false sense of security from routine testing. Take a moment each year to critique your SOX program and ask whether your focus is on the right risk areas. If the entire focus of your SOX program is on process-level controls, it is time to consider the importance of strong enterprise-level controls, especially those over the executive team and their ability to influence financial reporting.