Sarbanes-Oxley Act

From Citizendium
Revision as of 16:13, 10 November 2009 by Howard C. Berkowitz

The Sarbanes-Oxley Act (SOX) is a complex set of U.S. laws and regulations intended to protect against financial irregularity in public companies. The Act, relatively speaking, tries to be neutral between the demands of regulation and the costs of additional internal control measures. There is a sense in the industry that the initial learning curve was steep and expensive, but that costs drop considerably once affected firms have been operating under its regulations for a while, especially Section 404, which covers ICT. Other sections that companies find challenging include 303 on debt and credit management, and 409 on prompt disclosure of changes to their financial positions. The Securities and Exchange Commission (SEC), which administers SOX, requires [SEC33-8238] several statements that must come from the management reporting system:

  • Management acknowledgement that it is responsible for internal control; Section 302 makes the CEO and CFO personally and criminally liable for inaccurate reporting.
  • Management identification of the framework that will be used to evaluate the efficacy of the internal controls over financial reporting.
  • An assessment, by management, of how well the internal controls have worked in the most recent fiscal year, and a binary statement of whether it was effective or not. If it was not effective, the statement must identify any "material weaknesses" in the process. Management cannot state the controls were effective if there were any material weaknesses.

Identity

SOX requires that top managers certify that no one has tampered with their financial reports. Since the major financial scandals of recent years have come from employee chicanery, classic security requirements come into play:

  • knowing who your people really are,
  • establishing mechanisms by which they identify themselves to computer systems and the systems authenticate that claim of identity,
  • giving authenticated users a set of credentials defining what they are allowed to access and do.

SOX requirements are a subset of the field of identity management. Section 802 specifies, "Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object … shall be fined under this title, imprisoned not more than 20 years, or both." Claiming a false identity is a rather elementary form of covering up. Over the years, financial institutions have developed other safeguards, such as insisting employees take vacation so that they cannot continue to cover embezzlements.

Identification and authentication are needed not only during operations: identity verification must also be done on new hires, and on contractors in sensitive roles. The more sensitive the job in SOX terms, the tighter the verification may need to be.
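The three identity steps listed above (knowing who the people are, authenticating a claimed identity, and giving the authenticated user credentials that define what it may do), the Section 802 concern with altered or false entries, and the segregation of duties that appears later among the COSO control activities, as an added example that is not part of the original article and is not taken from SOX, the SEC or COSO: a toy identity store feeding a hash-chained journal of postings and approvals. The role names, permission names, sample users, passwords and amounts are all constructed for the illustration; `authorize` is the "what may this authenticated principal do" check, `Ledger.approve` refuses to let the poster of an entry approve it, and `Ledger.verify` reports the first record whose contents no longer match the chain.

```python
from __future__ import annotations
import hashlib, hmac, json, secrets
from dataclasses import dataclass, field, replace

# Constructed roles; a controller may both post and approve, so only the segregation check stops self-approval.
ROLE_PERMISSIONS = {"clerk": {"post_entry"}, "controller": {"post_entry", "approve_entry"}}

class ControlViolation(Exception):
    """An identity or segregation-of-duties control blocked the action."""

def _derive(password: str, salt: bytes) -> bytes:
    # Salted, iterated password hash; comparing it is the "authenticate the claim of identity" step.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def authorize(principal: tuple[str, str], permission: str) -> None:
    if permission not in ROLE_PERMISSIONS[principal[1]]:
        raise ControlViolation(f"{principal[0]} ({principal[1]}) may not {permission}")

class Directory:
    """Identity store: knowing who the people are and checking a claimed identity."""
    def __init__(self) -> None:
        self._users: dict[str, tuple[str, bytes, bytes]] = {}    # username -> (role, salt, pw_hash)

    def enroll(self, username: str, role: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (role, salt, _derive(password, salt))

    def authenticate(self, username: str, password: str) -> tuple[str, str]:
        entry = self._users.get(username)
        # Constant-time compare; one error for unknown user and wrong password, so failures reveal no usernames.
        if entry is None or not hmac.compare_digest(_derive(password, entry[1]), entry[2]):
            raise ControlViolation("authentication failed")
        return username, entry[0]      # the authenticated principal: (username, role)

@dataclass(frozen=True)
class Record:
    actor: str          # authenticated username that performed the action
    amount_cents: int
    ref: int | None     # None for a posting; for an approval, the index of the posting approved
    digest: str         # SHA-256 over this record, its index and the previous record's digest

def _digest(prev: str, *fields) -> str:
    return hashlib.sha256(json.dumps([prev, *fields]).encode()).hexdigest()

@dataclass
class Ledger:
    """Append-only journal whose hash chain makes later alteration of any record evident."""
    GENESIS = "0" * 64
    records: list[Record] = field(default_factory=list)

    def _append(self, actor: str, cents: int, ref: int | None) -> int:
        prev = self.records[-1].digest if self.records else self.GENESIS
        seq = len(self.records)
        self.records.append(Record(actor, cents, ref, _digest(prev, seq, actor, cents, ref)))
        return seq

    def post(self, principal: tuple[str, str], cents: int) -> int:
        authorize(principal, "post_entry")
        return self._append(principal[0], cents, None)

    def approve(self, principal: tuple[str, str], seq: int) -> int:
        authorize(principal, "approve_entry")
        posting = self.records[seq]
        # Segregation of duties: whoever posted an entry may not also approve it.
        if posting.ref is not None or posting.actor == principal[0]:
            raise ControlViolation("poster and approver must be different people")
        return self._append(principal[0], posting.amount_cents, seq)

    def verify(self) -> int | None:
        prev = self.GENESIS
        for seq, r in enumerate(self.records):
            if not hmac.compare_digest(_digest(prev, seq, r.actor, r.amount_cents, r.ref), r.digest):
                return seq             # index of the first record whose contents no longer match the chain
            prev = r.digest
        return None                    # chain intact

def _outcome(action) -> str:
    try:
        action()
        return "allowed"
    except ControlViolation:
        return "blocked"

def demo() -> dict:
    directory, ledger = Directory(), Ledger()
    directory.enroll("alice", "clerk", "correct horse")      # constructed sample users
    directory.enroll("bob", "controller", "battery staple")
    alice = directory.authenticate("alice", "correct horse")
    bob = directory.authenticate("bob", "battery staple")
    ledger.approve(bob, ledger.post(alice, 125_000))         # a different person approves: allowed
    second = ledger.post(bob, 40_000)
    results = {"intact": ledger.verify(),
               "bad_password": _outcome(lambda: directory.authenticate("alice", "wrong")),
               "clerk_approval": _outcome(lambda: ledger.approve(alice, second)),
               "self_approval": _outcome(lambda: ledger.approve(bob, second))}
    # Falsify the first posting's amount after the fact (Section 802's "false entry"); the chain points at index 0.
    ledger.records[0] = replace(ledger.records[0], amount_cents=999_000)
    results["after_tamper"] = ledger.verify()
    return results
```

Calling `demo()` returns `intact` as `None` and `after_tamper` as `0`, with all three refused actions reported as `"blocked"`. The point for a SOX control design is the division of labour: the directory answers who the actor is, the permission table answers what that actor may do, the segregation check in `approve` enforces a rule that no permission table can express, and the hash chain lets an auditor who did not operate the system confirm that nothing in the journal was altered after the fact.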

Restrictions on Practice

Many enterprises had accounting systems provided or built by the consulting arm of large accounting firms, which indeed have much experience. As a result of scandals such as Enron, where the outside accounting firm made more revenue from management reporting and tax services than from its presumably neutral role as an external auditor, the American Institute of Certified Public Accountants (AICPA) and others have mandated, essentially, that the roles of external auditor and of a firm supplying other services are incompatible. Prior to the Act, major accounting firms were implementing large financial software systems and other procedures that their audit practice might then have to inspect. While, in principle, there was a "Chinese Wall" between auditors and other employees, both auditors and consultants on an engagement tended to report to the same firm executive, who had profit and loss responsibility for the account. Now, the choice may be to buy systems from a spinoff of the accounting firm, or to build them in-house.

Besides the restrictions on obvious conflicts of interest, the accounting profession formalized procedures about best practice in internal reporting. The auditing firm would verify these controls are in effect. Do note that a different accounting firm, which has no audit responsibility, is free to set up controls and supporting software. With the storm of mergers and acquisitions in public accounting, what might be separate companies today could become a single one tomorrow, and the new firm would need to divest tasks that lead to the appearance of conflict of interest.

In like manner, there are restrictions on internal auditors, who cannot build or operate the systems whose output they monitor. They do have the responsibility of recommending improvements.

Designing Internal Control

The Act created the Public Company Accounting Oversight Board (PCAOB), which is quasi-public, in the sense that various financial regulators such as the FDIC are quasi-public. PCAOB actually oversees, regulates and disciplines the auditors of public companies, rather than the companies themselves. SOX further creates requirements for strong internal financial control, independence of outside auditors, and greater top management responsibilities for financial disclosure.

Financial scandals in the 1970s led to the Foreign Corrupt Practices Act of 1977 (FCPA), and eventually to the 1985 creation of the National Commission on Fraudulent Financial Reporting, called the Treadway Commission after its first chair. Its first report, issued in 1987, recommended that the Committee of Sponsoring Organizations (COSO), made up of five professional associations concerned with auditing, create integrated guidance on internal control. They contracted with a major accounting firm and drafted the first framework for COSO-approved internal control, published in 1992 as Internal Control: Integrated Framework. Let us hope your customer works on faster timelines than these.

This report presented a common definition of internal control (IC) and provided a framework against which IC systems can be assessed and improved. It is the standard that U.S. companies use to evaluate their compliance with the FCPA. COSO's framework defines the IC program that underlies SOX. This program has four Principles and five Components. In addition, COSO defines the three goals of internal control as:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

The Principles establish the expectations of IC, while the Components deal with how to execute IC. COSO recognizes real-world constraints: in its Principles it accepts that no IC system is perfect, but it also requires due diligence in attempting to find problems not covered by IC.

The four Principles are:

  1. IC is a process that is a means to an end, that end being accurate financial reporting. It is not an end in itself.
  2. With all the documentation in the world, IC still stands or falls on the work of people at all levels of the enterprise.
  3. It is imperfect. It provides warnings to upper management and the board, but the people of the enterprise must always be proactive about financial reporting.
  4. IC is oriented to objectives, which may overlap.

The five Components are:

  1. The foundation for all else is the control environment, which makes personnel conscious of the need for, and value of, control. Providing discipline and structure for the other components, it must be consistent with ethical management based on integrity. Organizations continually build their own control organizations through appropriate delegation of authority and staff development.
  2. Risk assessment requires that the organization first define its objectives; it then identifies the risks to those objectives and its approaches to managing them.
  3. Where information and communications are the technical enablers, control activities are the rules and guidance for the people executing control and risk management. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
  4. Information and communications systems are essential to the actual functioning of IC systems. They produce information about operations, finance, and regulatory compliance. Producing information is not enough; the information must flow up, down, and across the enterprise, and, where appropriate, to external stakeholders such as customers, suppliers, regulators, financial analysts and reporters, and shareholders.
  5. Monitoring is required: IC systems, which are meant to monitor enterprise finances, must themselves be monitored. Monitoring is feedback into the architectural systems, and the architectural process, subject to accounting and legal oversight, must constantly improve the system. There are caveats: changes in reporting may need external approval, and they may need to be made at specific points in time, such as quarterly or at the end of the fiscal year. Changing analysis methods so that a single period is calculated with different methods can make tax and financial reporting inconsistent.
