When I was running a public company, every three months my controller would send me a stack of financial statements to sign. The ask was always very simple: “Hi Tien. Please sign these. Thanks, Ron.” And I always signed the documents, like a good CEO. Docusign makes everything so easy: click, click, click.
But every time I did it, there was a tiny voice in the back of my mind saying: “If there’s something wrong with these files, I’m screwed. I’m going to jail. Even if it’s an honest mistake, I’m going to be in trouble. I’m going to be hiring lawyers. All thanks to Mr. Oxley.”
So what to do? Between you and me, it’s not like I’m poring through every single line in these documents! It’s not realistic to spend all my time tracing the journey of every dollar we make. I certainly trust my CFO, but no one in my organization has a galaxy-brain view of all this stuff.
Ronald Reagan had a famous quote: “Trust, but verify.” Well, how can anyone verify all this information? The answer is: they can’t. So who – or what – can?
Think about it: How does an auto manufacturer ensure that one of their cars doesn’t explode into flames after it rolls off the assembly line? How does a pharmaceutical company make sure one of its products doesn’t kill someone? Good Lord, could you imagine the stress of being the CEO of a company that makes products for infants?
They all rely on quality controls.
It’s the same principle with finance. Except instead of quality controls, they’re called financial controls. The dozens and dozens of rigorous processes and procedures (most of them automated) that ensure accuracy and legal compliance in our financial reporting.
How do I know that the numbers are right in the document I’m signing? Because we rely on systems that guarantee our product (in this case, our financial reports) are safe for public consumption. If something doesn’t line up or doesn’t check out, the problem gets flagged way before it goes out the door.
Not many people know this, but when you present your financial reports to your auditor, you also have to present your controls. You have to show measurements of their materiality. Because PwC, Deloitte, EY or KPMG aren’t really interested in the managers. They want to inspect the factory. They wanted to make sure you have the right systems in place.
Now, it wasn’t always like this – hence the wave of frauds we covered in Part I. But when it comes to modern financial controls, we have a few people to thank, none of whom were initially looked upon favorably by their superiors. These people disobeyed orders. They prevaricated. And they wound up helping to save this country’s financial system. They put the “Verify” in “Trust, but verify.”
Ready for the thrilling conclusion of our Story of SOX?
In the spring of 2002, deep inside a cubicle at WorldCom’s Mississippi headquarters, internal auditor Gene Morse stumbled across a $500 million entry for computer expenses. But something didn’t add up.
There were no invoices, no documentation, and no reasonable explanation. He brought the anomaly to his boss, Cynthia Cooper, the company’s VP of internal audit. That one suspicious entry would unravel into one of the largest corporate frauds in U.S. history.
As whispers of financial manipulation began to take shape, Cooper, Morse, and fellow auditor Glyn Smith quietly launched an unsanctioned internal investigation, driven by gut instinct, accounting know-how, and a growing sense of moral obligation. Think of them as the real-life versions of Anna Kendrick and Ben Affleck.
What they found was staggering: over $3.8 billion in operating expenses had been quietly shifted into capital accounts — an accounting sleight-of-hand that dramatically inflated the company’s profits. The trio worked in secret, poring through hundreds of thousands of transactions, sometimes crashing WorldCom’s computer systems under the weight of their data pulls. They were stonewalled by top executives, ignored by external auditor Arthur Andersen, and pressured to stand down by CFO Scott Sullivan.
Instead, they pushed forward, copying evidence onto CDs and holding late-night strategy sessions, haunted by the growing realization that the very foundation of their company was rotten.
Despite the mounting pressure and real fear of retaliation, Cooper brought the findings to WorldCom’s audit committee and new external auditors at KPMG. Sullivan tried to buy time, promising explanations that never came. Ultimately, he was fired, and Controller David Myers resigned.
On June 25, 2002, WorldCom publicly admitted to inflating its earnings by nearly $4 billion over five quarters. The company’s stock collapsed, the SEC filed charges, and what remained of its reputation was obliterated.
The fraud would eventually swell to more than $7 billion, marking the company’s spectacular fall from grace — and triggering one of the largest bankruptcies in American history.
While executives faced indictments and guilty pleas, the three internal auditors remained at their posts, thrust reluctantly into the national spotlight as corporate truth-tellers. Cynthia Cooper, once described as quiet and strong-willed, had led a rebellion against institutional corruption, risking her career to protect the integrity of the financial system.
Their story wasn’t just about numbers. It was about courage, persistence, and the audacity to challenge power from within. In a corporate culture built on silence and complicity, three unlikely sleuths chose to speak up. And the world listened.
Cynthia Cooper was later called “The Mother of 404,” after the section of SOX that required public companies to establish and maintain adequate internal controls, have management assess their effectiveness, and have external auditors attest to the management’s assessment.
So hats off to Cynthia Cooper and her colleagues! Thank you for restoring trust in financial statements, and thank you for keeping me out of jail for all those years.
Thus concludes my Story of SOX! With finance in such a state of flux these days (usage complexity, rapid automation, AI blowing up invoicing, etc.), I’m always looking for compelling narratives to help set things in context. If there are any other accounting stories that you think are worth investigating, please leave a comment!
