The Justice Department and the Securities and Exchange Commission have dedicated more time and energy to understanding a company’s internal controls and enforcing basic requirements that companies maintain effective internal controls. For prosecutors, companies often fall short when it comes to following their internal controls.

If you follow my blog, you know that I have often predicted that DOJ will eventually prosecute criminally an individual for circumventing internal controls. The implications of such a prosecution will be significant.

In 2002, the Sarbanes-Oxley Act was a watershed moment in the history of internal controls regulation. Section 404 of the Sarbanes-Oxley Act requires that companies certify to the effectiveness of their internal controls over financial reporting.

Under Section 404, issuers are required to report on the effectiveness of their internal controls. In addition, the independent auditor must attest to the overall effectiveness of the company’s internal controls over financial reporting. SEC regulations require the independent auditor to report publicly on the overall effectiveness of a company’s internal controls. A company’s internal controls include detection and prevention of illegal acts, including fraud and bribery that may result in a material misstatement of a company’s financial statements.

The Sarbanes-Oxley Act and related regulations transformed corporate financial reporting and related financial auditing services. The financial auditing profession grew in terms of scope and responsibility for the accuracy for a company’s financial statements.

Companies focused on internal controls with a laser-like focus. Audit committees became even more important in the corporate governance world. Senior executives were required to certify to the accuracy of the company’s financial statements under the threat of criminal prosecution. The quarterly financial reports required detailed certifications from managers throughout a company and careful analysis of internal controls to justify a company’s certification as to the effectiveness of the company’s internal controls.

It is also understandable that a company’s Chief Financial Officer assumed responsibility for this new and important function, as well as overall compliance with the auditing requirements and oversight of internal controls. At the same time, companies expanded the role of their internal auditors as an important check to the effectiveness of their internal controls.

In this new world, the CFO and his or her underlings were responsible for crafting and maintaining a company’s internal controls. All of this makes sense, except for one important point – the theory does not really match the reality.

In fact, the design and implementation of internal controls in many companies appear to be more haphazard. A clear demarcation of responsibility has not been established nor followed. Financial officers are involved in a number of internal controls, but many companies have created, crafted and implemented internal controls as part of corporate operations not just financial operations.

Instead, companies have designed internal controls that may not be consistent but are created in response to a specific need or problem. In these situations, the design of controls is done to accomplish a limited task without consideration of consistency with a larger set of controls.

A further complication to the design and implementation of effective internal controls is the fact that a company’s compliance program is a distinct and critical part of a company’s internal controls. A company with no compliance program cannot, by definition, have effective internal controls.

When reviewing a company’s internal controls, an auditor is likely to find a haphazard set of documents that reflects the input and design from three distinct sources – financial, compliance and operations. It is rare to find that these three authors of internal controls collaborate or ensure consistency among their distinct functions and responsibilities. As a consequence, the government’s assumption that a company maintains a uniform and consistent set of internal controls is rarely true. There are exceptions and I do not mean to condemn all corporate internal controls but companies do not pay sufficient attention to this issue.

In the context of a new enforcement world where individuals can be criminally prosecuted for circumventing a specific internal control, the implications of this are far-reaching. A company crafts its own internal controls that can then be used against the company and an individual who may circumvent the specific internal control. Think of it this way – if you could write your own laws and then make sure you comply with them, don’t you think it would be important to make sure that you craft the laws carefully so that they do not apply to unintended situations or conduct.