Accidental non-compliance penalties? 1991



  • I’m reading through the Sarbanes-Oxley Act provisions looking for anything that spells out what the penalties/consequences are for ‘accidental’ noncompliance with the Act, but have yet found nothing. The only things I have found relate to willful noncompliance.
    Does anyone know what–if any–penalties there are for accidental (‘innocent’) noncompliance? I’m finding it hard to believe there would be actual penalties for innocent mistakes.



  • Hi,
    Can you clarify whether or not you are referring to accidental non-compliance to internal controls documented by your company or to non-compliance with Section 404 of the Sarbanes Oxley act.
    These can mean two entirely different things when it comes to penalties…



  • Hi,
    Can you clarify whether or not you are referring to accidental non-compliance to internal controls documented by your company or to non-compliance with Section 404 of the Sarbanes Oxley act.
    These can mean two entirely different things when it comes to penalties…
    Accidental noncompliance with Sec. 404, I believe. I’m thinking that with the rapid change in technology, no manager responsible for attesting to adequate internal controls can ever be 100-percent certain that they’ve done everything they could to create solid internal control mechanisms. On the other hand, I’m wondering about accidental noncompliance to internal controls documented by the company. I mean, a manager can attest to the soundness of internal controls only to have them undermined by subordinates inadvertently. Will the manager be held responsible for this?
    Sorry for my non-techie way of trying to explain this; Sarbanes-Oxley compliance issues aren’t normally something I work on.



  • From what you are saying, you are trying to work out the penalties for non-compliance with internal controls as a process owner/manager. Where a control cannot be evidenced as having taken place, it is commonly known by SOx people as a deficiency.
    Corporate penalties for such failures will depend on significance and potential impact on materiality either alone or in aggregate with other deficiencies.
    If the Corporation has a material deficiency, then this could give rise to an adverse opinion by your auditors and could even deem other internal controls as ineffective.
    Where the deficiency is determined inconsequential, you may find that the manager or process owner will still have to take the responsibility for failing the control as they are responsible for ensuring that their subordinates follow what is required. Any penalties incurred by the process owner would be determined internally.
    The real significance of the process owner’s role is to ensure that controls deficiencies do not occur so as to avoid misstatements to the account, fraud, and the risk that the corporation might find a material weakness when deficiencies for the group are taken in aggregate.



  • Hi - I agree with EMM, that any related actions by the SEC would most likely be proportional to the specific areas of violation and scope of the infractions. Certainly innocent minor mistakes or misinterpretations differ from a failure to thoroughly research requirements and perform ‘due diligence’ in ensuring proper compliancy.
    Still, SOX compliancy is almost analogous to the traffic violation of speeding, where ‘ignorance of the law is no excuse’. The police officer would certainly enforce major violations but may give folks a break on very minor infractions.



  • I don’t believe that accidental non-compliance can exist. You are compliant if you follow the regulations and established guidelines. If you properly test your controls and find them to be operating effectively, you have passed section 404 of the SOX regulations. Remember that if you follow the COSO guidelines, you have ‘reasonable assurance’ that risks are mitigated.
    If a control later is deemed to have failed, then you deal with that going forward. You also will have the external auditors testing your controls. If they find something that you missed, they will let you know and you can adjust your year-end controls assertion, if necessary. There are no compliance penalties for disclosing that controls are not effective, only the investing marketplace’s reaction which can be mitigated somewhat through good PR (pro-active communications of issues and planned remediations).



  • Hi,
    Can you clarify whether or not you are referring to accidental non-compliance to internal controls documented by your company or to non-compliance with Section 404 of the Sarbanes Oxley act.
    These can mean two entirely different things when it comes to penalties…
    Accidental noncompliance with Sec. 404, I believe. I’m thinking that with the rapid change in technology, no manager responsible for attesting to adequate internal controls can ever be 100-percent certain that they’ve done everything they could to create solid internal control mechanisms. On the other hand, I’m wondering about accidental noncompliance to internal controls documented by the company. I mean, a manager can attest to the soundness of internal controls only to have them undermined by subordinates inadvertently. Will the manager be held responsible for this?
    Sorry for my non-techie way of trying to explain this; Sarbanes-Oxley compliance issues aren’t normally something I work on.
    No one is being asked to attest with 100% confidence. Approaches to SOX should be top-down and risk-based and you are basically asserting to having an adequate system of internal control.
    This does not mean that errors cannot happen as there is no such thing as a foolproof system. People are allowed to make mistakes in day to day control processes without being penalised and this does not constitute non-compliance with SOX. Although we would look for the system of internal control to pick up these mistakes/errors/deficiencies and report them where material or significant.



  • This is a 404 - please read to see that nobody is talking about absolute assurance
    *** CORP.
    MANAGEMENT’S ANNUAL REPORT ON INTERNAL CONTROLS OVER FINANCIAL REPORTING
    The management of *** Corp. is responsible for establishing and maintaining adequate internal control over financial reporting (as defined in Rules 13a-15(f) and 15d-15(f) under the Securities Exchange Act of 1934) for the company.
    *** Corp.'s internal control over financial reporting is designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements.
    Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in condition or the deterioration of compliance with procedures or policies.
    The management of *** Corp. performed an evaluation as of December 31, 20** of the effectiveness of the company’s internal control over financial reporting based on the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control Integrated Framework. Based on the review performed, management believes that as of December 31, 20** *** Corp.'s internal control over financial reporting was effective.
    The independent registered public accounting firm of Deloitte and Touche LLP as auditors of the consolidated financial statements of *** Corp. has issued an attestation report on management’s assessment of *** Corp.'s internal control over financial reporting.

