What?
When?
The Sarbanes Oxley Act of 2002 was passed by U.S. Congress in July 2002, although
the SEC has primary responsibility for converting SOX to enforceable rules. Shortly after
the Act was passed, the SEC issued the final rule for Section 302; the Commission issued
the final rule for Section 404 in June 2003.
In October 2003, the Public Company Accounting Oversight Board issued an exposure
draft of the guidance for companies and external auditors on the standards to be applied
for Section 404 audit opinions. This guidance, titled "An Audit of Internal Control over
Financial Reporting Performed in Conjunction with an Audit of Financial Statements," was
issued in final form on March 9, 2004. Also known as Auditing Standard No. 2, it is perhaps the
most important of all of these documents, as it is the standard that public accountants
must use to audit and report on representations on control effectiveness from public
company CEOs and CFOs.
Purpose/goals?
For whom/addressees?
Establishes new standards for Corporate Boards and Audit Committees
Establishes new accountability standards and criminal penalties for Corporate
Management
Establishes new independence standards for External Auditors
Establishes a Public Company Accounting Oversight Board (PCAOB) under the
Securities and Exchange Commission (SEC) to oversee public accounting firms and
issue accounting standards
Important contents?
Section 302 requires management, specifically the CEO and CFO, to sign off on
financial statement fairness and internal control effectiveness; it has been in full force
since August 2003.
Section 404 requires a separate management report on internal control effectiveness
and audit by the financial statement auditor. It becomes effective for large companies
starting with years ended after Nov. 15, 2004. Effective dates for smaller companies and
foreign companies governed by the SEC commence in 2005.
Section 906 is related to Sections 302 and 404, and requires that CEOs and CFOs
ensure all financial reporting, including annual and periodic reports, fairly presents, in
all material respects, the financial condition and results of operations of the issuer and
that they conform and comply with the Act. It also provides for significant criminal
penalties for non-compliance.
Pillar No. 4: Assessment of the Risks and Controls in Place to Ensure That
External Disclosures Are Reliable
Companies must formally document and maintain assessments of the risks that threaten
the reliability of specific external disclosures in 10-Ks and 10-Qs, the controls in place to
mitigate those risks, and the acceptability of the current residual risk status (i.e.
information on how well the controls are working and the impact of non-achievement).
This can be done using a well-designed and continuously maintained compliance-based
(i.e. checklist-type) approach; a process-centric assessment approach that is specifically
linked to all disclosures; or the objective-centric assessment methodology promoted by
the COSO ERM framework scheduled for release this summer.
The goal is to determine whether there are any reportable conditions in any of these
disclosure objectives/processes that meet the definitions of a "material weakness" or
"significant deficiency" according to the SEC and PCAOB.
How to assess the effectiveness of internal controls?
1. Document the procedures and controls then map risks to controls to see if there
appear to be weaknesses in the design. Then test the controls individually to
establish if each is actually operating and being carried out correctly.
2. Take a look at the actual results of the controls, such as current backlogs of
processing, suspense item levels, and errors found and corrected. Interview the
Controller to see if he/she actually knows about these.
As any experienced auditor who has tried both can tell you, the second option
is by far the better of the two, and the ideal approach is a blend of both. Why?
The first evaluation is theoretical. If we correctly assess the risks, and if we correctly
assess the effectiveness of each individual control, and if we can combine this
information accurately, then our conclusions about overall effectiveness of controls will be
correct. In practice such accuracy is impossible and theoretical assessment is unreliable.
In practice it is not appropriate to look for direct indicators of controls effectiveness for all
processes and all risks, so some initial decisions have to be made about what
assessment techniques to use where. Also, gaps in the indicators have to be identified
and compensated for. Once the assessment has been done there may be a need for
control improvements, and repeated assessments can be better focused if drivers are
used. All these points are reflected in the following process for evaluating controls
effectiveness.
STEP 1: Draw up an integrated annual cycle for assessment activities to meet all
requirements
For most organizations in most countries the requirements for various evaluations of
internal controls are so numerous that only an integrated process makes sense. For
example, as far as possible, evidence from s302 assessments should feed into s404
assessments.
The objective of this step is to list the processes, not to describe them, which would
require much more work. This is simply a list for planning purposes. All the usual
considerations about materiality, locations, risk, etc apply when you decide what to cover
and what to leave out.
The need for controls, and the constraints on what types of control are economic and
culturally appropriate, are driven by a number of factors for each process. These shape the
control system, and when they change so too should the control system. Consider
potential drivers under the following headings:
This may seem like a long list but almost all this information is common knowledge in
companies and so is easy to research/gather data on. Besides, for many of the headings
there will be nothing interesting.
It is not necessary to complete this monitoring before carrying out the first control
evaluations, but once drivers are being monitored it is possible to target controls
evaluation and make it still more efficient. Variations in any of the drivers listed in the
previous step have implications for the controls required.
Another reason for doing this monitoring is that it is explicitly required by the Sarbanes-
Oxley Act in section 302, which says you must comment on any factors that might have
affected the effectiveness of your control system since the last evaluation.
STEP 5: Decide what type of evaluation to use for each process and type of risk
The type of evaluation depends on the nature of the process and the type of risk. It is
essential to consider the coverage of the indicators used. If there are significant gaps,
they will need to be compensated for by mapping and testing controls. The one thing that
can never be shown in statistics is the undiscovered error, which of course is the risk
we are concerned with. The judgment of controls effectiveness is based on the principle
that undiscovered errors are more likely where:
A well controlled business process or accounting cycle will have a process monitoring
report which is used frequently by the process owners to manage the health of the
process. This report will show workload and resources used, plus error and backlog
statistics, and system support, preferably using graphs to show clearly what is going on.
There will also be a section on projected future changes so that risks can be managed in
advance.
If this kind of report already exists for a process, then evaluating the effectiveness of
controls is going on whenever the report is used, and meeting Sarbanes-Oxley
requirements for the process is easy. Extra work is only needed for the rare risks of major
fraud and disasters.
If this kind of report does not exist and the process is a major one, then a process
monitoring report should be implemented immediately! Now that the SEC has given
companies more time to comply, it should be possible to get these reports in place for
more processes.
In areas where risks and controls have to be mapped because of a lack of direct
indicators, it is possible to waste a lot of time by choosing the wrong style of matrix. For
details on how to do this correctly I offer my paper on control matrices, "The easiest and
best matrices for documenting internal controls".
Where your evaluation is a theoretical one based on the design of controls and their
individual operation, the location of the weakness is obvious. Either it is a design fault,
or a failure of operation, or a combination of both.
However, if problems have shown up in process health statistics, extra work is needed to
find out what the weakness is and whether it lies in design or operation. This is needed if you
are to fix the fault, and also appears to be required by the new SEC rules.