Sarbanes Oxley Act Section 404: effective internal controls or overriding internal controls?
Subject: Gas transmission industry (Accounting and auditing)
Auditors (Surveys)
Corporate governance
Internal auditing
Business ethics
Authors: Hurley, Diarmuid A.
Boyd, David
Pub Date: 06/22/2007
Publication: Name: The Forensic Examiner Publisher: American College of Forensic Examiners Audience: Professional Format: Magazine/Journal Subject: Health; Law; Science and technology Copyright: COPYRIGHT 2007 American College of Forensic Examiners ISSN: 1084-5569
Issue: Date: Summer, 2007 Source Volume: 16 Source Issue: 2
Topic: Event Code: 800 Capital funds & cash flow; 200 Management dynamics Computer Subject: Company business management
Product: Product Code: 9101322 Fraud; 9900010 Corporations; 9919300 Business Ethics NAICS Code: 92212 Police Protection SIC Code: 4922 Natural gas transmission
Organization: Company Name: Enron Corp.; Enron Corp. Ticker Symbol: ENRNQ
Geographic: Geographic Scope: United States
Accession Number: 165192828
Full Text: Abstract

The principal objectives of the Sarbanes Oxley Act (SOX) are to minimize the possibility of financial statement fraud in publicly traded corporations and to minimize the possibility of external auditors endorsing falsified financial statements. Implementation of the act has gone well with the exception of Section 404, which was intended to create greater accountability of top management. It has, instead, morphed into a detailed, cost-prohibitive, and ineffective bureaucracy. External auditors are focusing on the risk of fraud occurring when the focus should be on determining if override of internal controls has occurred. The spirit of SOX Section 404 could be better served in a more cost-effective manner through the skilled evaluation of trend analysis, vertical analysis, and ratios.

Key Words: Sarbanes Oxley Act, SOX Section 404, fraud, external auditor, audit, trend analysis, financial statement deception


Effective Internal Controls or Overriding Internal Controls?

The principal objectives of the U.S. Sarbanes Oxley Act (SOX) are twofold. The first objective is to minimize the possibility of financial statement fraud occurring within publicly traded corporations. The second objective is to minimize the possibility of external auditors endorsing falsified financial statements.

SOX focuses on four areas: corporate governance, regulating external auditing, confidential reporting of financial statement fraud by employees, and internal control over financial reporting. The principal corporate governance mandate calls for strengthening the powers of audit committees (AC) through measures such as having the external auditors report to the AC chairperson as well as mandating CEOs and CFOs to sign quarterly and annual financial statements. Regulating the external auditor revolves around creating the Public Company Accounting Oversight Board (PCAOB) and mandating that companies hire external auditors to provide one service only--the yearly external audit--as opposed to providing multiple services such as audit, consulting, and tax services. The principal SOX confidential reporting of financial statement fraud measure directs that public companies make confidential reporting mechanisms available to all employees.

SOX Section 404 addresses internal control over financial reporting. Management must conduct an annual assessment of the design and operating effectiveness of internal controls over financial reporting. The external auditor is required to annually audit and report on the effectiveness of these controls.

Most occupational fraud experts agree that the SOX corporate governance, regulation of external auditing, and confidential reporting mandates go a long way toward deterring financial statement fraud. Compliance with SOX Section 404 has, however, caused great controversy. According to Ronald Kruszewski, CEO of Stifel Financial Corporation, "Section 404 is a case study of unintended consequences. The spirit of what Sarbanes-Oxley intended to do, which was to create greater accountability, has morphed into a very detailed, very cost prohibitive, very ineffective bureaucracy" (as cited in Nicklaus, 2005, p. C01). CEOs and CFOs of publicly traded companies have been on the defensive and are reluctant to speak out. More and more executives are, however, asking if SOX Section 404 has turned into an expensive emperor with no clothes. When SOX was introduced in 2002, the U.S. Securities and Exchange Commission (SEC) forecasted an average cost of around $90,000 per company for each annual review of internal control over financial reporting. According to CRA International's 2005 survey, the average cost for larger companies (market capital $700 mil +) during the first year of Section 404 compliance was $8.5 mil.

The key words of Section 404 are internal control over financial reporting. External audit firms appear to interpret the words to refer to internal controls in general. The CRA study (2005) cited earlier in this article found external auditors reviewed on average 669 internal controls within audited companies, including controls on petty cash, travel expense, and other relatively minor line items. Reviewing internal controls is an excellent idea if the objective is to minimize the risk of occupational fraud occurring within a particular area. Reviewing internal controls, however, has little or no value if the objective is to prevent financial statement fraud. Financial statement deception is not a result of defective internal controls. Financial statement fraud is a result of management overriding effective internal controls already in place. The internal controls in place at Enron and WorldCom were effective. Most of the financial reporting at both companies was correct. The problem was that management overrode internal controls in order to carry out periodic and selective financial statement falsifications. The issue is not the risk of a breakdown in internal controls; the issue is management override of effective internal controls already in place.

Imagine for a moment that SOX was initiated prior to the WorldCom bankruptcy. Based on current experience, the external auditors at WorldCom would have interpreted Section 404 to mean a thorough review of all internal controls. The external auditors would likely have found that the WorldCom internal controls were effective. Section 404, as currently interpreted, will not prevent another Enron or WorldCom. The emphasis should not be on the risk of fraud occurring. The emphasis should be on the detection of financial statement cheating that has already occurred. External audit firms should consider including a financial statement fraud audit as the principal component of their review of internal controls over financial reporting. Such an audit would greatly improve the probability of detecting irregularities in the books. A review of internal controls without a fraud audit may raise red flags that financial statement fraud could occur, but it gives no indication that such a fraud has occurred.

A financial statement fraud audit is much less time consuming than an internal control review, and it requires fewer auditors to carry it out. The financial statement fraud audit's cost would be much closer to the SEC's original $90,000 per company estimate for Section 404 compliance.

Financial Statement Fraud Audit

Occupational fraud is likely to occur when four elements come together in the mind of the fraud perpetrator: pressure, rationalization, opportunity, and a perception of impunity. Financial statement deception is an occupational fraud. Only the highest-level employees, however, have the opportunity to carry out this type of deception. They are in a position to order a subordinate to post false accounting entries. CEOs and CFOs can come under tremendous pressure to get positive results. They can rationalize to themselves that their deception is buying time to ultimately save the company from financial ruin, thinking things will get better in the future. Or, as is often the case, they are buying time to provide themselves with enough financial gain by selling off their own shares in the company. Anyone in a top management position is vulnerable. Perhaps the straw that breaks the camel's back is the final element: the perception that they can get away with it, which sometimes comes with the office. A certain sense of omnipotence develops.

Fraud has always been a difficult issue. No amount of internal controls will stop the resolute manager bent on fraud from accomplishing his or her mission. Measuring the risk that management override could occur is, at best, not very effective or accurate. Imagine that external auditors find that the CEO is an arrogant, dictatorial type and that the company being audited is going through some difficult times. Consequently, the external auditors report to the AC Chairperson that the tone at the top leaves much to be desired, and there is a high risk that the CEO may practice financial statement fraud. The AC Chairperson is likely to reply, "I understand the risk, but is the CEO actually practicing financial statement fraud?" The AC chairs do not want to hear suppositions; they want hard facts and concrete evidence.

People tend to shy away from the word fraud. The topic is embarrassing, perhaps due to everyone's use of deception at one time or another. Occupational fraud can range from something as inconsequential as deliberately taking a pencil home from work to the financial statement deception at Enron and WorldCom. External auditors, like everyone else, tend to keep the fraud word at bay. However, they are deceiving themselves if they think that a review of internal controls will mitigate the risk of a major financial statement deception occurring in the future. If they continue to focus only on internal controls, external audit firms must accept a high probability of being sued by angry stakeholders when financial statement fraud that escaped their detection is revealed.

The standard audit of a company's financial statements verifies the fair presentation of the data and compliance with Generally Accepted Accounting Principles (GAAP). Searching the financial data for anomalies, deviations from the norm, and outliers seems to have become a lost art among external auditors. External auditors need to explore the possibility of management override of internal controls. They should consider the need to conduct a financial statement fraud audit. The fraud audit involves requesting all the financial statements and footnotes from management for several years. The financial statements would not be the standard reports compiled for public issue. These contain too many opportunities for concealing fraudulent numbers in summary totals and lengthy footnotes. Instead, the auditor should receive and work with the detailed financial information prepared for management decision makers. The auditor should then perform a vertical and horizontal analysis of the numbers including appropriate ratios calculation. Special attention should be given to the footnotes. A similar analysis should be conducted on quarterly financial statements. The audit's extent would depend on the degree of risk the auditor perceived. How the auditor perceived the tone at the top would weigh heavily in determining the extent of the financial statement audit.

Current technology permits maintenance of financial data in spreadsheet form. As a result, most companies maintain their records in a standardized format that is easily transferred into a worksheet for analysis and generation of internal reports. The data input could be carried out by junior members of the audit team. It should be a short, easy step to copy and paste the data into an auditor-generated worksheet using a template to maintain consistency in form. Subroutines could be created to generate vertical and horizontal analyses, ratios, and graphs as the data is entered. Based on this initial standard output, further analysis could be generated on line-items deemed critical to the audit.
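The kind of subroutine described above can be sketched as follows. This is an added example, not code from the article or its authors: the figures are constructed, and the function names and the 15-point tolerance are assumptions chosen for illustration.

```python
# Vertical and horizontal analysis over several years of detailed figures.
# All data below is constructed for illustration ($ thousands, hypothetical company).
STATEMENTS = {
    2004: {"revenue": 1000, "cost_of_sales": 600, "sga": 200,
           "receivables": 150, "total_assets": 2000},
    2005: {"revenue": 1100, "cost_of_sales": 660, "sga": 220,
           "receivables": 165, "total_assets": 2200},
    2006: {"revenue": 1210, "cost_of_sales": 605, "sga": 242,
           "receivables": 330, "total_assets": 2420},
}


def vertical(stmt, base="revenue"):
    """Common-size view: each line item as a percentage of the base line.
    Pass base="total_assets" to size balance sheet lines against assets."""
    return {item: round(100 * value / stmt[base], 1) for item, value in stmt.items()}


def horizontal(prev, curr):
    """Percentage change of each line item from the prior period."""
    return {item: round(100 * (curr[item] - prev[item]) / prev[item], 1)
            for item in curr if prev.get(item)}


def flag_outliers(statements, tolerance_pts=15.0):
    """Return (year, item, item_change, revenue_change) for line items whose
    growth departs from revenue growth by more than tolerance_pts.
    The tolerance is an assumed starting point, not a rule from the article."""
    flags = []
    years = sorted(statements)
    for prev_year, year in zip(years, years[1:]):
        change = horizontal(statements[prev_year], statements[year])
        for item, pct in change.items():
            if item != "revenue" and abs(pct - change["revenue"]) > tolerance_pts:
                flags.append((year, item, pct, change["revenue"]))
    return flags


if __name__ == "__main__":
    for year in sorted(STATEMENTS):
        print(year, "common-size:", vertical(STATEMENTS[year]))
    for year, item, pct, rev in flag_outliers(STATEMENTS):
        print(f"{year}: {item} changed {pct:+.1f}% vs revenue {rev:+.1f}% -> ask management")
```

A flagged line item is only a prompt for the follow-up the article describes: an explanation from management, checked against the accounting records and source documents.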

After the data is assembled in the worksheet in a standardized form, analysis of it is limited only by the imagination and needs of the analyst/auditor. A diligent senior auditor experienced in reviewing financial statements and interpreting the changing numbers and ratios should conduct the output analysis. Ultimately, there is no substitute for the human factor. Knowledgeable interpretation of the output is vital to success in detecting fraud. Perhaps the operative term to apply to the fraud audit would be vigilance.

Auditors, both senior and junior, should be ever alert and wary. When line-item increases or decreases do not make sense, they should solicit explanations from the appropriate management. Their answers should be combined with examination of the accounting records and source documents. If this does not satisfy the auditor, he or she should consider conducting a financial statement fraud assessment interview. He or she should first conduct interviews with lower-level financial employees who posted or approved questionable accounting transactions. The questionable transactions and interviews may indicate the need to conduct further interviews with higher-level management, all the way to the top if necessary. The financial statement fraud assessment interview phase is critical. Interviewers must be experienced accountants, but they also need to be experienced fraud assessment interviewers.

A capable, high-level manager intent on committing fraud will search for ways to beat the financial statement audit program. When collusion occurs, as with Enron and WorldCom, no amount of internal controls can prevent the commission of a crime. Financial statement fraud audits conducted at regular intervals should, however, detect fraud and minimize the damage caused by an unprincipled manager. External auditors should keep the audit program flexible and unpredictable. They could consider, for example, asking management for up to ten prior periods of financial statements and footnotes. The extent of the actual analysis could vary over time and would depend on the risk the auditor perceived. For any given audit year, analysis might begin with the most recent 3 years. If examination of the results raises unanswered questions, the analysis can be extended to cover whatever time period is deemed necessary.


External auditors currently interpret SOX Section 404 to mean a thorough general review of internal controls. Section 404 could, more appropriately perhaps, be interpreted as a review to determine if top management has overridden existing, effective, internal controls. The cost of the latter to the audited company is only a fraction of the cost of an extensive audit of internal controls. Revival of the lost art of financial analysis through a financial statement fraud audit would satisfy SOX 404 and be more cost effective.

This article is approved by the following for continuing education credit:

(ACFEI) The American College of Forensic Examiners International provides this continuing education credit for Diplomates.

(CR.FA) The American College of Forensic Examiners International provides this continuing education credit for Certified Forensic Accountants.


Nicklaus, D. (2006, January 26). Businesses are pushing against requirements of Sarbanes-Oxley act. St. Louis Post Dispatch, p. C01.

By Diarmuid A. Hurley, MBA, Cr.FA, and David Boyd, CPA, CMA, CFM, CR.FA

Diarmuid Hurley, MBA, Cr.FA, is a forensic accountant based in Mexico. His background is primarily internal auditing with various multinationals. He has taught fraud prevention at the Tec de Monterrey Mexico City campus. He owns and operates a forensic auditing firm, Sullivan Miranda, S.C., which he founded in 1998.

David Boyd, CPA, CMA, CFM, Cr.FA, is professor of accounting and finance at Jacksonville University, in Jacksonville, Florida. He has published in numerous journals and is active in several professional organizations. Dr. Boyd has taught at universities in the United States, Europe, and the Caribbean. He and his wife, Cendy, operated a public accounting practice for several years before he resumed his teaching career.
Gale Copyright: Copyright 2007 Gale, Cengage Learning. All rights reserved.