In 2002, the United States Congress passed the Sarbanes-Oxley Act (the “Act”) to combat corporate and accounting fraud.[1] The Act was passed in response to a series of corporate bankruptcies and other scandals that occurred in previous years, such as the Enron scandal.[2] Under section 404 of the Act, the Securities and Exchange Commission (“SEC”) had to adopt rules requiring that each annual report submitted by a company include an internal control report.[3] This internal control report should contain:

(1) a statement of management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) management's assessment, as of the end of the company's most recent fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting.[4]

The internal control report should also include “a statement that its auditor has issued an attestation report on management's assessment.”[5] However, a challenge that has emerged from these requirements is figuring out what constitutes “adequate internal controls,” especially when it involves safeguarding information during SEC blackout periods.

Maintaining adequate internal controls is a task that has proven difficult for some companies. In 2019, the SEC settled charges with certain companies for failing to maintain adequate internal controls over their financial reporting (“ICFR”).[6] The companies had not been charged with making false or inaccurate statements because they had always disclosed weaknesses in their ICFR.[7] However, according to the SEC’s statement, “[d]isclosure of material weaknesses is not enough without meaningful remediation. . . . Companies cannot hide behind disclosures as a way to meet their ICFR obligations.”[8]

Internal Control Over Financial Reporting

Internal control over financial reporting is defined as “[a] process designed . . . to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.”[9] Internal control over financial reporting is meant to help companies prepare reliable financial statements that are materially accurate.[10] Through their internal controls, companies can identify weaknesses that could cause their financial statements to be inaccurate.[11] Also, these procedures can help them detect and deter fraudulent financial accounting practices.[12]

The SEC staff is tasked with evaluating whether a company’s internal controls are adequate and serve their purpose. The SEC, however, has not specified or made available to the general public how it evaluates these controls or the exact criteria it uses. Even though the SEC has not shared this information, it has provided some recommendations for companies to ensure they have adequate and effective internal controls. The SEC staff recommends that a company’s management use its own experience and judgment to determine the company’s needs and risks to design an assessment process that is effective and appropriate.[13] Another recommendation is for the assessment process to focus on controls related to processes and transactions that are “most likely to have a material impact on the company’s financial statement.”[14]   

Evaluating Internal Controls  

When it comes to the preparation of supplementary material, the staff clarified that internal controls are also required to ensure its accuracy, and management must assess their effectiveness regularly.[15] Finally, when evaluating internal control deficiencies, management should take into account all the facts and circumstances.[16] This shall include considering “the probability of occurrence in light of the assessed effectiveness of the company's internal control, keeping in mind that internal control over financial reporting is defined as operating at the level of ‘reasonable assurance.’”[17]

Reporting issuers and their management should make a genuine effort to establish internal controls that are sufficiently probative and effective in identifying and executing necessary remediation measures that comply with the SEC’s rules. These internal controls should be evaluated regularly, and any deficiencies should be corrected. Companies that simply disclose their deficiencies without following up with any change or remediation are not in compliance with the regulations.[18] Although disclosure is important, disclosure alone will not exempt companies from facing SEC charges.


[1] See Stephen C. Gara & Craig J. Langstraat, The Sarbanes-Oxley Act of 2002: A New Ballgame for Accountants, 34 U. Mem. L. Rev. 73, 74 (2003); SARBANES-OXLEY ACT OF 2002, MNYMGUIDE ¶ 117.
[2] See Gara & Langstraat, supra note 1; Peter Bondarenko, Enron scandal, Britannica (last visited Sept. 5, 2020) (“Enron scandal, series of events that resulted in the bankruptcy of the U.S. energy, commodities, and services company Enron Corporation and the dissolution of Arthur Andersen LLP, which had been one of the largest auditing and accounting companies in the world. The collapse of Enron, which held more than $60 billion in assets, involved one of the biggest bankruptcy filings in the history of the United States, and it generated much debate as well as legislation designed to improve accounting standards and practices, with long-lasting repercussions in the financial world.”).
[3] Press Release, U.S. Sec. & Exch. Comm’n, SEC Implements Control Provisions of Sarbanes-Oxley Act; Adopts Investment Company R&D Safe Harbor (May 27, 2003) [hereinafter SEC Internal Control Provisions]; 15 U.S.C.A. § 7262 (Westlaw through P.L. 116-150).
[4] SEC Internal Control Provisions, supra note 3.
[5] Id.
[6] Nicolas Grabar et al., SEC Enforcement for Internal Control Failures, Harv. L. Sch. F. Corp. Governance (Mar. 7, 2019).
[7] Id.
[8] Press Release, U.S. Sec. & Exch. Comm’n, SEC Charges Four Public Companies With Longstanding ICFR Failures (Jan. 29, 2019) [hereinafter SEC Charges Four Public Companies].
[9] Final Rule: Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, U.S. Sec. & Exch. Comm’n (last visited Sept. 5, 2020).
[10] Staff Statement on Management's Report on Internal Control Over Financial Reporting, U.S. Sec. & Exch. Comm’n (May 16, 2005) [hereinafter Staff Statement].
[11] Id.
[12] Id.
[13] Id.
[14] Id.
[15] Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, U.S. Sec. & Exch. Comm’n (last visited Sept. 8, 2020).
[16] Staff Statement, supra note 11.
[17] Id.
[18] SEC Charges Four Public Companies, supra note 8.