How Not to Get Fined $200 Million by the SEC for SOX the Way JPMorgan Chase Was


You need to read the SEC order (PDF) that details the facts, admitted by JPMorgan Chase, behind its US $200 million fine.

You can skim a Wall Street Journal article, "Sarbanes-Oxley Harpoons the Whale," which is a decent attempt by a lay person to explain what happened. However, as explained by my friend Francine McKenna in her re: The Auditors blog (which those of you interested in the CPA firms will find of general interest), the Journal didn't get it quite right.

Francine's piece has some good technical background. But there is more to understand and learn from this case.

This case has been coming for some time. In my SOX Master Classes (training for experienced SOX managers looking to optimize their program), I have been explaining that too many companies have been paying insufficient attention to the requirements of SOX s302. Somebody was going to get caught, and JPMorgan Chase now has been. (I will explain in a minute.)

Here is what the certification required by s302 says:

"4. The registrant's other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and ICFR (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for the registrant and have:

(a) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;

(b) Designed such internal control over financial reporting, or caused such ICFR to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;

(c) Evaluated the effectiveness of the registrant's disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and

(d) Disclosed in this report any change in the registrant's ICFR that occurred during the registrant's most recent fiscal quarter (the registrant's fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant's internal control over financial reporting; and

"5. The registrant's other certifying officer and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant's auditors and the audit committee of the registrant's board of directors (or persons performing the equivalent functions):

(a) All significant deficiencies and material weaknesses in the design or operation of ICFR which are reasonably likely to adversely affect the registrant's ability to record, process, summarize and report financial information; and

(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internal control over financial reporting."

This is how the SEC explains disclosure controls:

"…controls and other procedures that are designed to ensure that information required to be disclosed by the company in its Exchange Act reports is recorded, processed, summarized, and reported within the time periods specified in the Commission's rules and forms. Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by the company in its Exchange Act reports is accumulated and communicated to the company's management (including its principal executive and financial officers) for timely assessment and disclosure pursuant to the SEC's rules and regulations."

Why have I been predicting that somebody was going to get caught?

Companies have been assessing their system of internal control for SOX compliance purposes (the assessment as of year-end required by section 404 of the Act) for quite a few years. Testing is performed through the year and deficiencies assessed.

Some of the deficiencies identified by the early testing are potential material weaknesses (the kind that prevent you from assessing internal control as effective): potential, because there is still time to fix them before the year-end assessment is completed.

But if testing is performed in June and identifies potential material weaknesses, doesn't this mean that the system of internal control as of the end of June (when the second quarter's filing with the SEC is made on form 10-Q, which includes a section 302 certification) is ineffective?

Companies are not making this assessment. Their s302 certification says that internal control is effective. The "excuse" is often that the deficiency has not been formally assessed as a material weakness, because the assessment is only made at the end of the year and considers all the relevant facts and circumstances at that time.

Now think of the companies that assess their internal control at the end of the year as ineffective, with one or more material weaknesses. How many had previously reported, in their quarterly s302 certifications, that they had these material weaknesses? Yet, it is clear when you read the s404 disclosure that the weaknesses existed in earlier quarters.

The SEC fined JPMorgan Chase for inaccurate filings, specifically of its March 31st 10-Q, because the s302 certification was wrong.

10. As a result of its failure to maintain effective internal control over financial reporting as of March 31, 2012, and disclosure controls and procedures, and as a result of its filing of inaccurate reports with the Commission (specifically, the Form 8-K filed on April 13, 2012, and the Form 10-Q filed on May 10, 2012), JPMorgan violated Sections 13(a), 13(b)(2)(A), and 13(b)(2)(B) of the Exchange Act and Rules 13a-11, 13a-13, and 13a-15 thereunder.

29. As discussed below, between late April and May 10, 2012, JPMorgan engaged in an extensive process involving work performed by the Controller's office, the Internal Audit department ("Internal Audit"), valuation experts from the Investment Banking Division ("IB"), and in-house and outside counsel in an effort to evaluate the SCP's quarter-end marks and to understand the CIO valuation control process and the differences between that process and the valuation control process of the IB. As a result, by May 10, various executives and employees of the firm had learned of deficiencies as of March 31, 2012 in CIO's internal controls. Due to failures to timely escalate information and instructions that had the effect of hindering the sharing of information, not all of these deficiencies had been escalated to JPMorgan Senior Management prior to May 10, 2012. And, as to the information that was escalated, JPMorgan Senior Management did not make a considered assessment as to whether critical facts existed — including any significant deficiency or material weakness in internal controls — that had to be disclosed to the Audit Committee. Consequently, JPMorgan Senior Management did not disclose the existence of any significant deficiencies or material weaknesses to the Audit Committee before JPMorgan filed its quarterly report on May 10, 2012.

As a result of the conduct described above, JPMorgan violated Sections 13(a), 13(b)(2)(A), and 13(b)(2)(B) of the Exchange Act and Rules 13a-11, 13a-13, and 13a-15 thereunder.

In view of the foregoing, the Commission deems it appropriate to impose the sanctions agreed to in JPMorgan's Offer.

Accordingly, pursuant to Section 21C of the Exchange Act, it is hereby ORDERED that:

A. JPMorgan cease and desist from committing or causing any violations and any future violations of Sections 13(a), 13(b)(2)(A), and 13(b)(2)(B) of the Exchange Act and Rules 13a-11, 13a-13, and 13a-15 thereunder.

B. JPMorgan shall, within ten (10) business days of the entry of this Order, pay a civil money penalty in the amount of $200,000,000 to the Securities and Exchange Commission.

JPMorgan Chase filed an amended 10-Q in August. It not only restated results for the quarter, but corrected its March 31st s302 assessment.

I mentioned earlier that I cover this in my SOX book (an update is coming soon that incorporates guidance on how to use a top-down and risk-based approach that is consistent with the updated (2013) COSO Internal Control–Integrated Framework). This is an excerpt from the book with my suggested approach.

Prudence suggests that management:

  • Has a reasonably formal, documented process for making the quarterly assessment that is included in the 10-Q and supports the Section 302 certifications.
    • I suggest that this can be included in the activities of the company's disclosure committee, which most of the larger companies have established.
    • The process should include the assessment of all internal control deficiencies known to management, including those identified not only during management's assessment process but also by either the external auditors in their Sarbanes-Oxley work or by internal audit in its various audit activities.
    • As discussed below, the system of [internal control over financial reporting] must provide reasonable assurance with respect to the quarterly financial statements and the annual statements. The quarterly assessment is against a lower — typically one quarter the size — determination of what constitutes material.
    • The process and results should be reviewed and discussed with the CEO and CFO to support their Section 302 certifications.
  • Confirms that the external auditors do not disagree with management's quarterly assessment.
  • Understands — which requires an appropriate process to gather the necessary information — whether there have been any major changes in the system of internal control during the quarter. A major change can include improvements and degradations in the system of internal control. While Section 302 only requires the disclosure in the 10-Q of a material weakness and the communication to the audit committee of a material or significant deficiency, the correction of a significant deficiency may be considered a major change and, if so, should be disclosed.

I welcome your comments.

The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



