# Internal controls, SOX & the CFO's personal accountability
On May 25, 2006, a federal jury in Houston convicted Jeffrey Skilling on 19 counts and Kenneth Lay on 10. Lay died six weeks later before sentencing; Skilling served 12 years in federal prison. But the verdict that should haunt every sitting CFO came four years earlier, when Scott Sullivan, WorldCom's CFO, pleaded guilty to securities fraud after capitalizing $3.8 billion in line costs as assets. He served five years. His CEO, Bernie Ebbers, died in prison. The Sarbanes-Oxley Act of 2002 was Congress's response, and it did something American corporate law had rarely done before: it put the CFO's signature, and the CFO's freedom, on the line for the numbers.
Twenty-four years later, in 2026, that signature still matters. In the past eighteen months alone, the SEC has brought enforcement actions against finance executives at Newell Brands, View Inc., and a string of SPAC sponsors for control failures and certification issues. The fines are corporate. The criminal exposure is personal.
Section 302 of Sarbanes-Oxley requires the CEO and CFO to personally certify, in every 10-Q and 10-KKThe average number of new users each existing user generates through referrals. Above 1.0, growth compounds on itself and becomes exponential.Voir la définition complète →, that they have reviewed the report, that it contains no material misstatements, that the financial statements fairly present the company's condition, and, critically, that they are responsible for establishing and maintaining internal controls and have disclosed any material weaknesses to the auditors and audit committee.
Section 906 goes further. A knowing false certification carries up to $1 million in fines and 10 years in prison. A willful false certification: $5 million and 20 years. These are not theoretical penalties. In 2018, the CFO of Hertz, Elyse Douglas, and other executives settled with the SEC for clawbacks under SOX Section 304 after the company restated $235 million in earnings from 2012-2014. Douglas personally repaid over $200,000 in bonuses, and she was never charged with fraud. SOX 304 has a strict-liability hook: if there's a material restatement due to misconduct, the CFO disgorges bonuses earned during the relevant period, *even if the CFO didn't commit the misconduct*.
Read that twice. You can lose compensation for someone else's fraud if the restatement involves misconduct at the company. That is the design of SOX: it makes the CFO the human firewall.
When a CFO signs a 10-KKThe average number of new users each existing user generates through referrals. Above 1.0, growth compounds on itself and becomes exponential.Voir la définition complète →, they are making three distinct attestations that many finance executives conflate:
1. The numbers are right (Section 302(a)(2), (3)), fair presentation, not just GAAP compliance.
2. The controls work (Section 302(a)(4) and Section 404), disclosure controls and ICFR are designed and operating effectively.
3. You've told the auditors everything (Section 302(a)(5)), all significant deficiencies, material weaknesses, and any fraud involving management have been disclosed.
The third one is where careers end. The SEC's 2023 case against View Inc. involved a CFO who allegedly failed to disclose a known warranty liability accrual issue to the audit committee. The company restated. The CFO was charged personally.
The Committee of Sponsoring Organizations (COSO) framework, last updated in 2013 and now under revision for cyber and ESG integration in 2026, is the de facto standard for ICFR design. Every Big Four auditor uses it. Every PCAOB inspection assumes it. If you can't speak COSO fluently, you cannot run an audit committee meeting.
The framework has five components and 17 principles. Memorize the five. Know the 17 exist.
1. Control Environment. This is "tone at the top," but more concretely: the integrity, ethical values, and competence of the people. After the 2020 Wirecard collapse, where €1.9 billion in cash simply did not exist in Philippine bank accounts, the post-mortem found that EY had not independently confirmed bank balances for three years. The control environment had decayed because nobody believed the controls mattered. Wirecard's CEO Markus Braun is now serving a multi-year sentence; CFO Burkhard Ley was arrested.
2. Risk Assessment. This is where COSO meets your enterprise risk register. The principle: you cannot control what you have not identified as a risk. In 2026, with OECD Pillar Two GloBE rules now operational across 140+ jurisdictions and CSRD reporting in its second full year for large EU entities, the universe of financial reporting risks has expanded materially. If your risk assessment hasn't been refreshed since IFRS 16 lease accounting was implemented, it is stale.
3. Control Activities. The actual controls, reconciliations, approvals, segregation of duties, system access controls. These break into preventive (purchase requisition approvals) and detective (month-end variance analysisvariance analysisVariance analysis compares actual financial results against budgeted or planned figures to quantify differences and explain why they occurred.Voir la définition complète →).
4. Information & Communication. The plumbing, how financial data flows from source systems to the GL to the disclosures. Post-COVID, with remote close processes now permanent at most firms, this component has been re-stressed. The SEC's 2024 guidance on AI-generated disclosures added another dimension.
5. Monitoring Activities. Internal audit, management self-assessments, continuous controls monitoring. This is what tells you the other four are working.
Here is what no textbook tells you: SOX compliance is not about documenting every control. It's about identifying key controls, typically 150-400 in a mid-cap, 800+ in a large multinational, that materially mitigate risks of misstatement in significant accounts and disclosures.
The PCAOB's Auditing Standard 2201 requires auditors to use a top-down, risk-based approach. Your job as CFO is to ensure your SOX team is doing the same. Three diagnostic questions for Monday morning:
Vérification des acquis
1. Under Section 906 of Sarbanes-Oxley, what is the maximum criminal penalty for a CFO who willfully signs a false certification?
2. What specific accounting manipulation did WorldCom CFO Scott Sullivan plead guilty to that helped trigger the passage of Sarbanes-Oxley?
3. Under SOX Section 304, what specific remedy did the SEC pursue against former Hertz CFO Elyse Douglas following the company's $235 million restatement?
4. Select ALL correct answers about what Section 302 of Sarbanes-Oxley requires the CEO and CFO to personally certify in each 10-Q and 10-K.
Sélectionnez toutes les réponses correctes.
5. Select ALL correct answers about the enforcement landscape facing CFOs in 2026 as described in the lesson.
Sélectionnez toutes les réponses correctes.
A material weakness is a deficiency, or combination of deficiencies, such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis. Disclose one in your 10-KKThe average number of new users each existing user generates through referrals. Above 1.0, growth compounds on itself and becomes exponential.Voir la définition complète →, and three things happen within 48 hours: your stock drops 3-6% on average (Audit Analytics, 2024 data), your D&O insurance premium rises at renewal, and your audit fees increase by 15-30% the following year.
Between Q3 2015 and Q4 2016, Under Armour's then-CFO Chip Molloy and senior finance leadership engaged in what the SEC eventually called "pull-forward" sales, accelerating $408 million of sales from future quarters into current quarters to meet analyst expectations. In May 2021, the SEC settled with the company for $9 million. Under Armour did not admit wrongdoing.
But the control story is the lesson. Under Armour's controls over revenue cutoff and customer accommodation tracking were not designed to detect the pattern of management override at the top of the sales organization. The controls existed on paper. They were not designed for the actual risk.
This is the trap. You can have a fully documented SOX program, an unqualified ICFR opinion, and still have a material control failure, because the controls weren't aimed at the right risks. The SEC has been clear since the 2020 SolarWinds-era guidance that boilerplate disclosure controls will not satisfy the standard.
In November 2024, Macy's disclosed that a single employee had hidden up to $154 million in delivery expenses over nearly three years by making erroneous accounting entries. The fraud was discovered during routine reconciliation work, not by the control system. Macy's had to delay its Q3 earnings release, the stock dropped 3.5% on the announcement, and the company launched an independent investigation.
What's striking: this was not a billion-dollar Enron. This was one mid-level employee, one expense category, undetected for nearly three years. The control gap was simple, insufficient review of journal entries below a materiality threshold the employee understood. Every CFO reading this should ask: what is our threshold for manual journal entry review, and does the perpetrator profile of the fraud literature tell us our threshold is too high?
Theory is cheap. Here is what a CFO actually does to make SOX a live discipline rather than a compliance checkbox.
Section 302 makes you sign. But you cannot personally verify everything. Best-practice CFOs operate a sub-certification cascade: every controller, every business unit finance lead, and every key process owner signs a quarterly sub-certification that rolls up to yours. The sub-cert should include explicit questions: Are you aware of any fraud? Any control failures? Any management override? Any related-party transactions not yet disclosed?
If you sign 302 without a sub-cert pyramid beneath you, you are exposed.
The SEC requires disclosure controls and procedures (DCPs), the controls over what gets *said*, not just what gets *counted*. A disclosure committee meeting before each filing, with legal, IR, FP&A, technical accounting, and internal audit, is now table stakes. Minutes should be kept. Decisions should be documented.
Section 301 requires an anonymous reporting mechanism for accounting concerns. The Dodd-Frank whistleblower program has paid out over $2 billion to tipsters since 2012, with awards as high as $279 million. The SEC's data shows that tips are now the single largest source of accounting fraud enforcement actions. If your hotline received zero tips last year in a company of 10,000 employees, you have a culture problem, not a clean record.
SAB 99 and SAB 108 require both quantitative and qualitative materiality assessments. CFOs who delegate this entirely to the controller are missing one of the highest-judgment areas in financial reporting. A $5 million error may be quantitatively immaterial against a $500 million net income but qualitatively material if it converts a loss into a profit, hits a debt covenant, or affects management compensation.
In 2026, with cyber-driven restatement risk rising and securities class action filing rates against finance executives still elevated, your D&O coverage should be reviewed annually against your personal exposure under SOX 302, 304, 906, and the SEC's expanded clawback rule under Section 10D-1 (effective for fiscal years starting after October 2023). Side A coverage, which p