By Michael Crimmins, who has worked on risk management and Sarbanes Oxley compliance for major banks

JP Morgan’s jawdropping revelations in its Friday earnings call don’t seem to be attracting the attention they deserve. The market may have shrugged off the size of the losses and the corporate governance modifications plans, but the announcement opens the door wide for the next phase of this scandal. The biggest question is whether Jamie Dimon should keep his job.

The first stunner, that JP Morgan was restating the first quarter financials, should have caused a deafening ringing of alarm bells. For a company of JP Morgan’s stature to be compelled to restate prior period financials is a very clear signal of bigger problems with their overall financial reporting. In isolation we would normally expect to see a massive selloff with an event of that seriousness. Analysts and reporters may have missed the significance since it was dropped into a footnote and overshadowed by the other disclosures.

Add in the magnitude of the restatement which increased the CIO losses by a massive 90% over the previously reported losses and you’d expect to see further panic. The original 1Q12 results included a loss of $718 million. The restated results added another $660 million , bringing the total first quarter loss to $1.4 billion.

But the real cause for alarm is the reason for the restatement. JPM was forced to disclose that it relied on its traders to provide honest and accurate valuations for its financial statement disclosures. That’s like putting the foxes in charge of not just the henhouse, but the entire farm. Much to its chagrin that was a costly choice. Note that was not a mistake, but a conscious choice.

That Stone Age policy has been extinct for a generation at every financial institution that signs a SOX internal controls certification. Oops, I’m wrong there. AIG relied on their trader marks too, but their external auditors finally had had enough and forced them to disclose ‘material weaknesses’ in internal controls. The stock dropped like a stone with that revelation.

Every firm that I’ve worked at has an independent valuation unit that resides outside the business unit. In JP Morgan’s case it seems that unit reported to the business, which is a serious deviation from good practice. (There is a remarkable new story up at Bloomberg which has former JP Morgan executives acting as if there was nothing amiss about having traders mark their own positions or having the valuation unit for the CIO sit within the CIO. This is in fact a troubling sign about the acceptance at senior level in JP Morgan of deficient controls as “normal”). History has shown that staffers preparing the valuation will be subject to pressure from the unit leaders, particularly if the business has losses that the producers hope can be reversed. Additionally, most major trading operations have a valuation committee that includes the corporate CFO to challenge (and memorialize the analysis of) the valuations and the valuation process. The activity of this committee is generally reviewed by (and in many cases attended by) the external auditors, especially since the beginning of the crisis.

It appears that JPM is attempting to make the case that rogue traders, with criminal intent, mismarked the books. That may be so and relevant criminal charges against those traders should be pursued. But that strategy does not protect management. If there was mismarking, especially to the extent that occurred here, it is the responsibility of management to know or have procedures in place to alert them to the potential for fraud. Step one in that control process: Don’t let your traders mark their own books. If you do you have no excuse. Your controls are worthless and as CEO, you are responsible for ignoring that fundamental control gap. Full stop.

Which leads to the second underreported stunner.

It is a very big deal when a firm is compelled to disclose a material weakness in internal controls. That’s the worst level of internal control failure a going conern can report. In JP Morgan’s case its more damning since Dimon, as recently as May 10, 2012, certified that all was well with internal controls as of the end of 1Q2012.

That assessment means that it is impossible for the firm’s external auditor to sign off on the financial statements until and unless the control breakdowns are remediated sufficiently for the auditor to provide assurance. The description of the control weaknesses at JP Morgan appear to be design flaws, so it’s likely the weaknesses existed in periods earlier than the first quarter of 2012, when it was ‘discovered’. The fact that the unit with the weaknesses by all accounts was under the direct control of the CEO throws doubt on the validity of his prior certifications about the quality of the internal controls. The external auditors will be under extreme pressure to either support or refute the earlier certifications. Falsifying the certification is the worst Sarbanes Oxley violation there is, so Dimon is going to have to come up with an airtight rebuttal.

JP Morgan has apparently reassured the market that it will take the appropriate steps to mediate the control gaps, but they do not speak for the external auditors. They may not be as sanguine as the market that JP Morgan’s proposed remediations will be sufficient, and the fixes won’t resolve pre-existing conditions. The very real possibility that JP Morgan will not be able to produce adequately certified financial statements in the future should focus JP Morgan’s Board on the adequacy of the remediations and Jamie Dimon’s continuing role as CEO.

JP Morgan’s control weaknesses, like AIG’s, leave us all guessing to the true value of the CIO portfolio today, as well as the true value of the portfolio in the past. If the 1Q 2012 restatement is a guide, it seems plausible that the earlier reported valuations from the CIO group are unreliable.

Which leads us to the clawback issue.

It appears that JP Morgan is in the middle of a perfect storm from the standpoint of Sarbanes Oxley violations. They have material weaknesses, the prior certifications are suspect, and the reliability of the financials going forward is uncertain. The size of the losses and the extent of the control shortcomings at JP Morgan far exceed anything that has been previously disclosed. Their auditors should be about ready to throw them under the bus, even if just to protect their reputation and limit their liability. The SEC should be under enormous pressure to finally do something, and this looks like a slam dunk case of a false Sarbanes Oxley certification.

Congress has been demanding clawbacks. JP Morgan has announced that they will apply clawback provisions dictated by their corporate policies. They have floated a few clawback trial balloons, most notably against Ina Drew, but the details are still being negotiated internally at JP Morgan.

The SEC can demand clawbacks under Sarbanes Oxley, so JP Morgan’s clawback posturing may be moot if the SEC steps in and excercizes its authority. That authority extends to the CEO, so Jamie Dimon is facing an external as well as internal claims against his compensation. The SEC may be satisfied with self-imposed clawbacks that conform with the clawbacks it could demand, but they should intercede at this point and remind JP Morgan, and the rest of us, how much they could demand and from whom if they were to use their Sarbanes Oxley authority. Even the editors at Bloomberg agree.

Sarbanes Oxley is a sledgehammer, by design. Properly enforced it is meant to strip C-suite executives of immunity from frauds taking place in their firms under their watch. It’s clear there were many frauds that occurred and are continuing to occur at many financial institutions. Hopefully the various abuses will be prosecuted under the relevant statutes they violated. In the meantime it becomes clearer each day that the CEOs and CFOs were aware, and are required to be aware, of the potential frauds taking place in their institutions. To certify that there are adequate controls in place even as the frauds continue strains credulity.

Dimon’s “fortress balance sheet” claims are empty when the accuracy of JP Morgan’s financial statements and the integrity of its controls are in doubt. The time is past due for regulators and the JP Morgan board to hold him accountable for the abject failures that have occurred on his watch.