When the 'solution' is worse than the problem

03.05.2006

Burying, lying, or otherwise misrepresenting the state of these controls to a company officer whose signature represents their proper function to the SEC is not a good thing.

Misrepresentation of controls could cascade to other areas of regulatory noncompliance, causing assertions such as a SOX compliance letter or a SAS-70 audit report to become suspect. Worse, I've seen a fearful but conscientious IT organization change the report that goes to the auditors or officers of the company, but send unmodified vulnerability information to development or operations so the problem can be quietly fixed.

That, my geeky friends, is what our financial counterparts refer to as keeping double books.

Once that road is taken, it can be extremely difficult to turn back and set things right.

Keeping the two sets of books in step may require technical changes to be put into production outside of the change control systems, surreptitious report modifications, and deepening lies if someone with an overly honest streak starts inquiring.