Could it be construed, then, that worrying about compliance isn’t something one should be doing? That raises the question of complacency. How can any organization be sure that it won’t experience some type of fraudulent action that requires an investigation? To put it simply, it can’t.
"The key is to be able to uncover wrongdoing inside of the company and cooperate with law enforcement and regulatory authorities to limit corporate liability. You don’t often know whether someone’s committing fraud, misappropriating company assets, or stealing your intellectual property until it’s happened. You have choices, though: you can find out it’s happened after you’ve suffered a huge loss, or you can intercept it when it’s happening. You don’t want to find out 2 years from now that someone in finance has been placing millions of dollars in offshore bank accounts," says Victor.
It was my understanding that the executives of these corporations are culpable for what occurs under their watch. It is actually more nuanced than that, and it is these nuances that underscore the importance of having a cohesive response plan in place.
As Victor illustrates, "First of all, the things that you have been seeing since 1999 (Enron, Tyco, etc.), involved executives who were actively taking part in the fraud of their companies, and were therefore held responsible. However, under Sarbox executives are culpable in that the CEOs and CFOs are signing off on the financial statements, essentially saying that they have evaluated the company’s internal controls and they are effective. If it turns out that they didn’t have good internal controls, they are going to be held accountable for having misstated the truth. I don’t want to tie it only to executives though. The Board of Directors and the audit committee, specifically, are tasked with being able to investigate complaints about corporate fraud and accounting problems. Certainly the Board has a responsibility as well. To the extent that complaints are coming in, and the company is unable to investigate them effectively, unable to uncover what’s going on, and at the same time the CEOs and CFOs are signing off that they have an adequate control structure, I think those executives are at great risk."
What about the companies that aren’t necessarily large enough to report their finances to the SEC? Isn’t it important to implement an incident response process and be in compliance with these regulations?