Did Sarbanes-Oxley outlaw fraud and imbue corporate America with enlightened honesty? Of course not. For all players in the financial reporting arena, the Act simply raised the stakes for acting badly. It mandated changes for auditors that made their oversight more painful by putting them under the thumb of the Public Company Accounting Oversight Board. It required companies to install basic accounting controls that allowed earlier detection of aberrant behavior and made life harder for fraudsters — in total, demanding the kind of infrastructure nobody really cares about when they’re high on the thrill of building a company through deal after deal.

The stakes were painfully raised for CEOs and CFOs, who now had to certify in the financial statements that they’re responsible for establishing and maintaining such controls, and that those controls ensure that material information about the company and its subsidiaries gets to the right officers within the firm. There probably isn’t a CEO or CFO in the country who hasn’t flinched at least once when signing that certification — and that requirement is probably making Citigroup’s CEO Michael Corbat grind his teeth down to the gumline.

MORE: Citi CEO says employees broke the rules

Citi’s (C) fourth-quarter after-tax earnings restatement of $235 million didn’t matter according to the market: The stock closed a mere six cents lower on Friday when news broke of the scandal at the bank’s Mexican subsidiary, Banamex. Yet the announcement contained a couple of peculiarities, one related to Sarbanes-Oxley, and one that shows how companies need to go beyond that law’s requirements.

Thus far, Citi has ascertained that the fraud amounted to $400 million of bogus receivables financed by its Banamex subsidiary for Oceanografia S.A., a Mexican oil services company, ostensibly to help speed up cash flow from OSA’s customer, Pemex, the Mexican state-owned oil company. This accounts receivable financing program took place over several years — but Citigroup apparently became suspicious only when it learned of OSA’s suspension from bidding on new Pemex contracts. If the SarbOx-style internal controls were in place to ensure that material information in the firm was getting to the right officers, should it really take years to find out that $400 million of receivables are worthless?

Sarbanes-Oxley provided disincentives for managers to behave badly, but there’s an incentive issue at work in the Citi episode that counters good internal controls. The company’s press release notes that while Banamex’s airy loans amounted to $400 million, the pretax charge was reduced by “an offset to compensation expense of approximately $40 million associated with the Banamex variable compensation plan.” In other words, some Banamex employees could earn a 10% bonus for making poor loans and keeping them on the books, or maybe even by making loans out of thin air. Evidently there was an incentive at work to present false financial information, and not enough of a disincentive to prevent bad behavior.

MORE: Why Google should acquire Tesla

No doubt, Mr. Corbat will make some very visible examples of the managers who allowed this to happen. It’s hard not to expect this kind of thing to erupt again, though — maybe at Citi, maybe at another giant bank. These banks push the limits of the span of control that managers can actually handle. They’re not just too big to fail — they might be too big to manage, too.

Jack T. Ciesielski is president of R.G. Associates, Inc., an asset management and research firm in Baltimore that publishes The Analyst’s Accounting Observer, a research service for institutional investors.