
SARBANES-OXLEY ACT (SOX)

What?

Sarbanes-Oxley is a US federal law passed in 2002 to strengthen corporate governance and
restore investor confidence. The Act was sponsored by US Senator Paul Sarbanes and US
Representative Michael Oxley and was passed in response to a number of major corporate
and accounting scandals involving prominent US companies. These scandals resulted in a
loss of public trust in accounting and reporting practices. The legislation is wide ranging
and establishes new or enhanced standards for all US public company boards, management
and public accounting firms. It contains 11 titles, or sections, ranging from additional
corporate board responsibilities to criminal penalties, and it requires the Securities and
Exchange Commission (SEC) to issue rules implementing its requirements.

When?

The Sarbanes-Oxley Act of 2002 was passed by the U.S. Congress in July 2002, although
the SEC has primary responsibility for converting SOX into enforceable rules. Shortly after
the Act was passed, the SEC issued the final rule for Section 302; the Commission issued
the final rule for Section 404 in June 2003.
In October 2003, the Public Company Accounting Oversight Board (PCAOB) issued an
exposure draft of its guidance for companies and external auditors on the standards to be
applied for Section 404 audit opinions. This guidance, titled "An Audit of Internal Control
over Financial Reporting Performed in Conjunction with an Audit of Financial Statements,"
was issued in final form on March 9, 2004. Also known as Auditing Standard No. 2, it is
perhaps the most important of all of these documents, as it is the standard that public
accountants must use to audit and report on the representations about control
effectiveness made by public company CEOs and CFOs.

Purpose/goals?

Increase public confidence in capital markets
Improve corporate governance
Provide greater accountability by making board members and executives personally
responsible for financial statements
Improve audit quality
Place greater emphasis and structure around efforts to prevent, detect, investigate and
remediate fraud and misconduct

For whom/addressees?
Establishes new standards for corporate boards and audit committees
Establishes new accountability standards and criminal penalties for corporate
management
Establishes new independence standards for external auditors
Establishes a Public Company Accounting Oversight Board (PCAOB), overseen by the
Securities and Exchange Commission (SEC), to oversee public accounting firms and issue
auditing standards

Important contents ?
Section 302 requires management, specifically the CEO and CFO, to sign off on the
fairness of the financial statements and the effectiveness of internal control; it has been in
full force since August 2003.
Section 404 requires a separate management report on internal control effectiveness and
an audit of that report by the financial statement auditor. It becomes effective for large
companies starting with fiscal years ending after Nov. 15, 2004. Effective dates for smaller
companies and foreign companies governed by the SEC commence in 2005.
Section 906 is related to Sections 302 and 404, and requires that CEOs and CFOs certify
that all financial reporting, including annual and periodic reports, fairly presents, in all
material respects, the financial condition and results of operations of the issuer and that it
conforms with and complies with the Act. It also provides for significant criminal penalties
for non-compliance.

The Four Pillars of SOX 302, 404 and 906

To comply with these three sections, companies must demonstrate conclusively that they
have four key SOX 302/404/906 "pillars" in place:
1. Macro Level Anti-Fraud Analysis;
2. Macro Level Assessment against a Control Model;
3. Sufficiency of IT General Controls; and
4. Reliable 10-K and 10-Q Accounts, Notes and Supplemental Disclosures.

Pillar No. 1: Macro Level Anti-Fraud Analysis

The SEC has stressed the importance of this step, and the PCAOB has made it very clear
that external auditors must carefully assess the existence, quality and effectiveness of the
controls in place to prevent the issuance of fraudulent and/or misleading external
disclosures.
This pillar includes a critical assessment of a range of important anti-fraud controls,
including the audit committee, whistle-blowing mechanisms, codes of conduct, external
auditor independence, internal auditors, fraud policy, ethics compliance mechanisms,
hiring/firing practices, and much more. The best, and perhaps most stringent, guidance we
have seen to date in this area was issued as a white paper titled "Key Elements of
Antifraud Programs and Controls," authored by PricewaterhouseCoopers.
Anti-fraud controls are also a key area of attention for companies that want to
demonstrate conclusively that they have met the due diligence expectations of Section 906
and those defined in the U.S. Federal Sentencing Guidelines. This is particularly true if they
want mitigation of sentences and jail terms in the unfortunate event of a SOX conviction.
For example, being able to demonstrate that a strong SOX compliance program was
operational during the period may make the difference between a CEO and/or CFO going
to jail for three weeks vs. four years, and/or the difference between a $500,000 fine and a
$40 million fine. Amendments to Chapter 8 of the U.S. Federal Sentencing Guidelines
scheduled for enactment later this year (2004) raise the standard of care expected by the
courts even higher.

Pillar No. 2: Macro Level Assessment against a Control Model

SOX Section 404 requires that management (the CEO and CFO) represent that they have
an effective system of internal control, assessed against a recognized control model,
starting with fiscal years ending after Nov. 15, 2004. This is a new and radical requirement
with which the world has only limited experience to date. Per SEC and PCAOB criteria,
CEOs and CFOs must opine against a generally accepted control framework, one whose
creation followed an exposure draft and due-process procedure. Acceptable frameworks
for purposes of this representation arguably include the original COSO framework issued
in 1992, the new COSO ERM framework scheduled for final release in July, the Canadian
Criteria of Control framework issued in 1995 (commonly known as "CoCo"), the Cadbury
framework issued in Britain in 1994, the Modern Comptrollership model issued by the
Treasury Board Secretariat of the Canadian federal government in 2001, and other
frameworks that meet the SEC/PCAOB criteria.
The requirement that CEOs and CFOs opine against a control framework is likely the most
problematic of all the SOX requirements at this point in time, because the COSO 1992
framework was not designed to support a "pass/fail" assessment. Further, COSO 1992 and
COSO ERM contain a mixture of control objectives relating to financial reporting and
disclosure and to operational efficiency, and "operational efficiency" is outside SOX's
scope. This adds to the confusion. The same comments apply to COBIT with respect to IT
general controls.

Pillar No. 3: Assessment of the Sufficiency of IT General Controls over Any System That
Feeds 10-K and 10-Q Disclosures

SEC and PCAOB rules require that all companies bound by SOX 302/404/906 complete
and continuously maintain an assessment of IT general and application controls over every
system that provides disclosure information used in 10-K and 10-Q filings. SAS No. 99 and
the PCAOB audit standard extend the IT general and application control assessment to
include IT fraud risk and fraud detection.
The best guidance issued to date on this requirement is a paper titled "IT Control
Objectives for Sarbanes-Oxley," issued by the IT Governance Institute. This pillar is
creating, and will continue to create, significant problems world-wide, as many companies
have significantly underestimated the requirement. Compounding the problem, there is a
limited number of audit professionals with the training and experience needed to
competently form opinions on the adequacy and effectiveness of IT general and application
controls over external disclosures. This will be particularly problematic for the external
audit firms that must give SOX 404 opinions, as many external audit team members have
limited training and experience in evaluating IT controls. This is true despite the earlier
requirement in SAS No. 78 that external audit firms document IT general and application
controls regardless of whether they intend to rely on them to reduce the extent of account
balance testing.
Many companies have failed to recognize that this assessment must cover every
automated system that provides data for 10-K and 10-Q disclosures, not only the general
ledger accounting systems. Many of the same companies have also failed to include fraud
risk and fraud detection scenario assessments in their IT general and application control
reviews.

Pillar No. 4: Assessment of the Risks and Controls in Place to Ensure That External
Disclosures Are Reliable

Companies must formally document and maintain assessments of the risks that threaten
the reliability of specific external disclosures in 10-Ks and 10-Qs, the controls in place to
mitigate those risks, and the acceptability of the current residual risk (i.e. information on
how well the controls are working and the impact of non-achievement). This can be done
using a well-designed and continuously maintained compliance-based (i.e. checklist-type)
approach; a process-centric assessment approach that is specifically linked to all
disclosures; or the objective-centric assessment methodology promoted by the COSO ERM
framework scheduled for release this summer.
The goal is to determine whether there are any reportable conditions in any of these
disclosure objectives/processes that meet the SEC and PCAOB definitions of a "material
weakness" or "significant deficiency".

How to assess the effectiveness of internal controls?

There are two approaches to evaluating whether an accounting department is under
control.

1. Document the procedures and controls, then map risks to controls to see if there
appear to be weaknesses in the design. Then test the controls individually to
establish whether each is actually operating and being carried out correctly.
2. Look at the actual results of the controls, such as current processing backlogs,
suspense item levels, and errors found and corrected. Interview the Controller to
see if he/she actually knows about these.

Auditors who have tried both approaches report that the second is by far the better, and
the ideal approach is a blend of the two. Why?

The first evaluation is theoretical. If we correctly assess the risks, and if we correctly
assess the effectiveness of each individual control, and if we can combine this
information accurately, then our conclusions about overall effectiveness of controls will be
correct. In practice such accuracy is impossible and theoretical assessment is unreliable.

Theoretical assessment is also time consuming. Gathering and documenting the
information takes many interviews. The risk-control mapping stage requires a skill that few
people have, so there is much iteration. The final weighing of apparent weaknesses
involves much discussion, but in truth it is beyond human judgment to evaluate accurately
the complex probabilities involved.

Benchmarking or relying on "best practice" is not a solution to this problem. The
differences in error and fraud rates between organizations with different people, systems,
procedures, etc. are so large that "standard" or "best practice" control schemes cannot be
considered reliable. They always need to be adapted to fit the actual requirements.

In contrast, the second type of evaluation involves looking at direct evidence of
effectiveness. It is not necessary to analyze the controls or risks fully. Go straight to the
results of the controls instead of trying to infer them from what went before.

A process for evaluating effectiveness

In practice it is not appropriate to look for direct indicators of controls effectiveness for all
processes and all risks, so some initial decisions have to be made about what
assessment techniques to use where. Also, gaps in the indicators have to be identified
and compensated for. Once the assessment has been done there may be a need for
control improvements, and repeated assessments can be better focused if drivers are
used. All these points are reflected in the following process for evaluating controls
effectiveness.
STEP 1: Draw up an integrated annual cycle for assessment activities to meet all
requirements

For most organizations in most countries the requirements for various evaluations of
internal controls are so numerous that only an integrated process makes sense. For
example, as far as possible, evidence from s302 assessments should feed into s404
assessments.

STEP 2: Identify processes whose controls need evaluation

The objective of this step is to list the processes, not to describe them, which would
require much more work. This is simply a list for planning purposes. All the usual
considerations about materiality, locations, risk, etc apply when you decide what to cover
and what to leave out.

STEP 3: Identify risk and control requirement drivers

The need for controls, and constraints on what types of control are economic and
culturally appropriate, is driven by a number of factors for each process. These shape the
control system, and when they change so too should the control system. Consider
potential drivers under the following headings:

1. Control performance requirements
o Speed of processing required.
o Flexibility of processing required.
o Maximum tolerable level of hassle to the customer.
o Precision of timing required.
o Reliability of service to the customer required.
o Target cost of processing.
o Level of regulation of the activity (e.g. selling financial services).
2. Cultural features
o Culture/behavioral norms encouraging fraud/theft; patterns of crime already
established.
o Whether the company wishes to promote empowerment.
o Process management vs functional silos.
o Standard of the control environment.
3. Data features
o Whether the data is standing data or transaction data.
o Complexity of the data.
o Volumes of data.
o Predictability of data values.
o Whether transactions can be divided into sub-populations which are highly
predictable or at least have very common characteristics.
o Maximum value of individual items.
o Whether data about private individuals is held.
o The extent to which it is a very abstract business based on rules, definitions and
possibilities.
4. Process features
o Complexity of the process.
o Who captures the data, e.g. employees, customers, suppliers.
o Level of automation.
o Ease with which assets can be disposed of if stolen.
o Amount of money paid out.
o Number of languages spoken by people in the process.
o International/geographic distribution.
o Number of separate databases and interfaces.
o Quality of existing business process controls.
o Whether the immediate environment of the process is within the organization.
5. Workload features
o Rate of increase/decrease in workload.
o Variability of workload.
o Whether continuous work is required, periodic work only, or only a slow response.
o Whether the environment is very fast changing or very stable.
o Level of change in processes, systems, or people.
o Proportion of the work in the process that consists of controls.
6. Project features (i.e. implementation of the process/system)
o Project health (e.g. wobbly sponsorship, politics, unclear or shifting requirements,
over-ambitious objectives and impossible timetables).

This may seem like a long list but almost all this information is common knowledge in
companies and so is easy to research/gather data on. Besides, for many of the headings
there will be nothing interesting.

STEP 4: Collect and monitor driver data/news

It is not necessary to complete this monitoring before carrying out the first control
evaluations, but once drivers are being monitored it is possible to target controls
evaluation and make it still more efficient. Variations in any of the drivers listed in the
previous step have implications for the controls required.

Another reason for doing this monitoring is that it is explicitly required by Section 302 of
the Sarbanes-Oxley Act, which requires the certifying officers to disclose any significant
changes in internal controls, or other factors that could significantly affect them, since the
last evaluation.

STEP 5: Decide what type of evaluation to use for each process and type of risk

The type of evaluation depends on the nature of the process and the type of risk. It is
essential to consider the coverage of the indicators used. If there are significant gaps
they will need to be compensated for by mapping and testing controls. The one thing that
can never be shown in statistics is the undiscovered error, which of course is the risk we
are concerned with. The judgment of controls effectiveness is based on the principle that
undiscovered errors are more likely where:

not enough checking is done; and/or
checking is done and reveals a high rate of original error and/or extensive backlogs.

STEP 6: Perform evaluations

A well controlled business process or accounting cycle will have a process monitoring
report which is used frequently by the process owners to manage the health of the
process. This report will show workload and resources used, plus error and backlog
statistics, and system support, preferably using graphs to show clearly what is going on.
There will also be a section on projected future changes so that risks can be managed in
advance.

If this kind of report already exists for a process then evaluating the effectiveness of
controls is going on whenever the report is used and meeting Sarbanes-Oxley
requirements for the process is easy. Extra work is only needed for the rare risks of major
fraud and disasters.

If this kind of report does not exist and the process is a major one, then a process
monitoring report should be implemented immediately. Now that the SEC has given
companies more time to comply, it should be possible to get these reports in place for
more processes.

In areas where risks and controls have to be mapped because of a lack of direct
indicators it is possible to waste a lot of time by choosing the wrong style of matrix. For
details on how to do this correctly I offer my paper on control matrices "The easiest and
best matrices for documenting internal controls".

STEP 7: Identify the causes of weaknesses

Where your evaluation is a theoretical one based on the design of controls and their
individual operation then the location of the weakness is obvious. Either it's a design fault,
or failed operation, or a combination of both.

However, if problems have shown up in process health statistics extra work is needed to
find out what the weakness is and whether it is design or operation. This is needed if you
are to fix the fault, and also appears to be required by the new SEC rules.
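Steps 5 and 6 turn on a simple decision rule: where direct indicators (checking coverage, original error rate, backlog) are available they are the evidence, and where they are missing or adverse, control mapping or root-cause work follows. The following Python script is an added illustration of that rule applied to a process monitoring report; it is not part of the original text and not any auditor's or regulator's tool. The thresholds, process names and figures are assumptions chosen for illustration, and the extrapolation of the observed error rate onto the unchecked population assumes the checked items are representative of the rest.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds are illustrative assumptions, not SEC or PCAOB criteria.
MIN_CHECK_COVERAGE = 0.80        # below this, "not enough checking is done"
MAX_ORIGINAL_ERROR_RATE = 0.02   # above this, checking "reveals a high rate of original error"
MAX_BACKLOG_AGE_DAYS = 30        # an open item older than this counts as an "extensive backlog"


@dataclass(frozen=True)
class ProcessStats:
    """One period's figures from a process monitoring report."""
    name: str
    period_end: date
    items_processed: int            # transactions that went through the process
    items_checked: int              # of those, how many a control actually checked
    errors_found: int               # original errors the checking detected
    backlog_items: int              # items still open at period end
    oldest_open: Optional[date]     # date of the oldest open item, None if no backlog


def indicators(s: ProcessStats) -> dict:
    """Direct-evidence indicators: checking coverage, original error rate, backlog age.
    expected_undetected_errors extrapolates the observed error rate onto the unchecked
    population (assumption: checked items are representative of unchecked ones)."""
    coverage = s.items_checked / s.items_processed if s.items_processed else 0.0
    error_rate = s.errors_found / s.items_checked if s.items_checked else None
    unchecked = s.items_processed - s.items_checked
    backlog_age = (s.period_end - s.oldest_open).days if s.oldest_open else 0
    expected_undetected = (
        round(s.errors_found * unchecked / s.items_checked) if s.items_checked else None
    )
    return {
        "coverage": coverage,
        "error_rate": error_rate,
        "backlog_items": s.backlog_items,
        "backlog_age_days": backlog_age,
        "expected_undetected_errors": expected_undetected,
    }


def classify(s: ProcessStats):
    """Apply the Step 5 rule. Returns (status, findings) where status is
    'healthy' (direct evidence sufficient, no adverse signal),
    'evidence_gap' (too little checking: map and test controls for the unchecked part), or
    'weakness_indicated' (checking shows high error rates or backlog: Step 7 root-cause work)."""
    ind = indicators(s)
    low_coverage = ind["coverage"] < MIN_CHECK_COVERAGE
    high_errors = ind["error_rate"] is not None and ind["error_rate"] > MAX_ORIGINAL_ERROR_RATE
    old_backlog = ind["backlog_age_days"] > MAX_BACKLOG_AGE_DAYS
    findings = []
    if low_coverage:
        est = ind["expected_undetected_errors"]
        est_text = str(est) if est is not None else "an unknown number of"
        findings.append(f"only {ind['coverage']:.0%} of items checked; about {est_text} "
                        f"undetected errors expected in the unchecked remainder")
    if high_errors:
        findings.append(f"original error rate {ind['error_rate']:.1%} exceeds "
                        f"{MAX_ORIGINAL_ERROR_RATE:.0%}")
    if old_backlog:
        findings.append(f"{s.backlog_items} items in backlog, oldest is "
                        f"{ind['backlog_age_days']} days old")
    if high_errors or old_backlog:
        status = "weakness_indicated"
    elif low_coverage:
        status = "evidence_gap"
    else:
        status = "healthy"
    return status, findings


def evaluate(report) -> dict:
    """Classify every process in a monitoring report; returns name -> status."""
    return {s.name: classify(s)[0] for s in report}


PERIOD_END = date(2004, 12, 31)
# Constructed sample figures for three processes (not real data).
SAMPLE = {
    "payroll": ProcessStats("payroll", PERIOD_END, 5000, 5000, 20, 0, None),
    "accounts_payable": ProcessStats("accounts_payable", PERIOD_END, 12000, 6000, 60, 400,
                                     date(2004, 12, 21)),
    "intercompany": ProcessStats("intercompany", PERIOD_END, 2000, 2000, 120, 50,
                                 date(2004, 11, 1)),
}

if __name__ == "__main__":
    for stats in SAMPLE.values():
        status, findings = classify(stats)
        print(f"{stats.name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

The script makes the Step 5 caveat explicit: payroll is fully checked and clean, so the report itself is the evidence; accounts payable is clean where it is checked but half the population is never looked at, so the estimate of undetected errors is a reason to map and test controls over the unchecked half rather than to conclude the process is fine; intercompany is fully checked but the checking reveals a high original error rate and an aged backlog, which is the Step 7 situation where the cause of the weakness still has to be found.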
