Sarbanes-Oxley Is a Warning System for Fraud


When Dain Donelson worked at IBM, the finance department once needed to get a multi-million dollar check written in a hurry. Because of its size, the check had to be signed by two separate vice presidents. And because it was 7 at night, that meant going to another department to find someone with the authority to provide a second signature.

It was a cumbersome procedure, but also a necessary one, to prevent embezzlement or other kinds of financial fraud. “It was a failsafe to make sure money didn’t get taken out of the business,” recalls Donelson. The experience helped spark a lifelong interest in fraud and how accounting controls could help prevent it.

In new research, Donelson and colleague John McInnis, both associate accounting professors at McCombs, look at audits of accounting controls, a controversial requirement imposed by Uncle Sam after Enron-era scandals. They find that the law, though unpopular on Wall Street, is doing its job: sounding an early warning of Enron-like financial fraud.

The provision in question: Section 404 of the Sarbanes-Oxley Act, which passed in 2002. Section 404 requires that auditors not only certify the numbers in a company’s financial statements but also understand the processes and controls that produced those numbers in the first place. Then the auditors have to certify that the firm’s internal accounting controls are adequate to prevent both accidental errors and intentional fraud.

“Internal controls auditors have to ask what processes are in place for recognizing revenues, receivables, billings, and bad debts,” explains McInnis, himself a former auditor, “then force companies to document these controls and processes.”

But financial firms have long complained that such extra auditing steps are too costly, and they’ve lobbied Congress to repeal the rule. In July, the president of the New York Stock Exchange blamed the requirement for helping to shrink the volume of initial public offerings and halve the number of public companies over the past 15 years.

Meanwhile, the law’s benefits have been murky, say the two professors. No research had ever documented that weak controls actually increased the risk of fraud, as supporters of Section 404 assumed, and no one had assessed whether the pricey audits actually flagged potential fraud. Now that the audits have been going on for more than a decade, it was time to find out.

From “Material Weakness” to Fraud Charges
With Matthew Ege of Texas A&M, the researchers looked at auditors’ opinions of companies with over $75 million in publicly-owned shares. From 2004, when the law took effect, to 2007, they found that 11 percent of all opinions uncovered material weaknesses in a firm’s internal controls – weaknesses serious enough to lead to inaccurate financial reports.

What the researchers wanted to know next was whether those weaknesses actually led to future charges of corporate fraud. The answer? Yes.

McInnis, Donelson, and Ege examined every class-action lawsuit and fraud allegation between 2005 and 2010 and found that companies cited for weak internal controls were 90 percent more likely than the average firm to be accused of accounting fraud in the future.

The lesson, says McInnis, is that stronger internal controls do discourage managers from meddling with accounts. “Having robust higher-level controls may not prevent all financial statement fraud,” he says, “but maybe it makes it harder.”

Does that mean Sarbanes-Oxley’s audit requirements are worth the expense? Maybe, maybe not, say both professors. Their study doesn’t weigh benefits against costs or suggest whether the law should be preserved or repealed.

Their study does, however, show where the biggest risks actually are. It turns out that the bulk of the fraud they reviewed didn’t come from lower-level procedural oversights, like not requiring two check-signers on a specific account. Instead, most fraud resulted from high-level bad practices, like not having an independent internal auditor who reports directly to a board of directors.

McInnis says that auditing standards have evolved in recent years to focus on these kinds of top-down risks, which has made auditing less expensive and perhaps more effective.

He also notes that even though weak controls double the rate of fraud, it’s still a rare event. Among firms with material weaknesses, only 3 percent were later accused of fraud.

“It’s like medical studies that say that if you eat red meat, it doubles your risk of a certain type of cancer,” McInnis says. “Even though you double the rate, the overall risk is still low.”

But though fraud may be uncommon, it can be costly when it does happen, Donelson adds. He hopes that besides contributing to policy debates, his research can aid individual investors.

“Getting out of Enron at the right time would have saved you tons of money,” he says. “When a material weakness in internal controls is reported, that should be a red flag. It’s not just an increased risk of messing up lease accounting by accident. It increases the risk, though it’s a small risk, that the CEO is cooking the books.”


"Internal Control Weaknesses and Financial Reporting Fraud" is published in Auditing: A Journal of Practice & Theory.


Faculty in this Article

Dain Donelson

Associate Professor, Accounting

Dain Donelson received his Ph.D. in accounting from the University of Illinois, his M.S. in finance from Boston College, and a J.D. from...

John McInnis

Associate Professor, Accounting

John McInnis received his Ph.D. from the University of Iowa and his BBA and MPA from the University of Texas. He teaches financial accounting in...

About The Author

Steve Brooks

In a quarter-century as a journalist, Steve Brooks has won two Neal awards for excellence in trade reporting and a Press Club of New Orleans award...

Leave a comment

We want to hear from you! To keep discussions on-topic and constructive, comments are moderated for relevance and for abusive or profane language.
Login or register to post comments