When was the SOX Act passed

Understandably, most executives wondered why they should be subjected to the same compliance burdens as those who had been negligent or dishonest. But what exactly is a control structure composed of? A control is a practice established to help ensure that business processes are carried out consistently, safely, with the proper authorization, and in the manner prescribed.

Take, for example, the objective of keeping information secure. Controls to achieve this objective might be as straightforward as locking a file cabinet or as elaborate as encrypting computer data. Sarbanes-Oxley was enacted to improve the reliability of financial reporting; therefore, most of the controls adopted pursuant to the Act concern themselves with the timeliness, integrity, and accuracy of financial data.

Controls fall into two broad categories. Preventive controls are intended to eliminate lapses, either intentional or inadvertent. An example would be the segregation of duties in an accounts payable department, so that one person approves an invoice, another prepares the payment, and a third signs the check. In this way an unauthorized payment is kept from being issued. Detective controls are designed to identify errors and irregularities that have already occurred. Monthly reconciliation of cash accounts, for example, is undertaken to ferret out such conditions.

An essential element of any Sarbanes-Oxley compliance program is the testing of controls. In some cases, the matters being tested were too unimportant to contribute to a material misstatement in the financial reports. Such controls are tested more frequently; less essential ones may be deemed to fall outside the scope of the testing plan entirely.

Many companies have achieved cost savings in the second year of SOX compliance, without any reduction in control effectiveness, by rationalizing their controls in this manner.

Yet in the course of providing compliance advice to executives, we discovered a small subset who approached the new law with something like gratitude. They were thinking not only of protecting stakeholders and shielding their companies from lawsuits but of developing better information about company operations in order to avoid making bad decisions.

However, the burdens of implementing SOX for the first time, in , were so great that this more forward-thinking group could give little time to developing and adopting policies and practices that went beyond literal compliance. As SOX went into effect, more and more executives began to see the need for internal reforms; indeed, many were startled by the weaknesses and gaps that compliance reviews and assessments had exposed, such as lack of enforcement of existing policies, unnecessary complexity, clogged communications, and a feeble compliance culture.

In any era, the enactment of a law like SOX would probably have prompted a similar stocktaking. It is no wonder that actual and reported performance at a number of companies diverged. Year two of compliance is now complete at most large U. Is the parking lot still full of unimplemented change plans? At many organizations, it is. In year two, a number of companies have begun to standardize and consolidate key financial processes (often in shared service centers); eliminate redundant information systems and unify multiple platforms; minimize inconsistencies in data definitions; automate manual processes; reduce the number of handoffs; better integrate far-flung offices and acquisitions; bring new employees up to speed faster; broaden responsibility for controls; and eliminate unnecessary controls.

Moreover, SOX-inspired procedures are beginning to serve as a template for compliance with other statutory regimes. Good governance is a mixture of the enforceable and the intangible. Organizations with strong governance provide discipline and structure; instill ethical values in employees and train them in the proper procedures; and exhibit behavior at the board and executive levels that the rest of the organization will want to emulate.

These are all components of the control environment, which forms the foundation of internal control. A proper control environment is one factor an external auditor considers when called upon to evaluate internal control over financial reporting pursuant to Section Rather, they contribute to the mass of evidence weighed by the external auditor. If a company can demonstrate a strong control environment, then it can reduce the overall scope of its internal-control evaluation.

Reduced scope can mean the company need not carry out as many internal tests and the auditor may do less corroborating, resulting in lower compliance costs. Testing scope is a matter of judgment and perhaps negotiation between the auditor and the company.

PepsiCo uses an annual survey of about senior executives to demonstrate the condition of its control culture. The training is administered via an interactive package that includes scenarios of ethical dilemmas one might encounter dealing with customers, suppliers, and colleagues and suggests possible solutions.

About 25, managers receive the training. Records of this training may be reviewed by the auditors.

The Securities Act of regulated securities until It required companies to publish a prospectus about any publicly traded stocks they issued. The corporation and its investment bank were legally responsible for telling the truth. That included audited financial statements.

Although the corporations were legally responsible, the CEOs were not. So, it was difficult to prosecute them. The rewards of "cooking the books" far outweighed the risks to any individual.

Congress responded to the Enron media fallout, a lagging stock market, and looming reelections. The Sarbanes-Oxley Act was passed by Congress to curb widespread fraudulence in corporate financial reports, scandals that rocked the early s.

Whistleblowing employees are given protection. More stringent auditing standards are followed. These are just a few of the SOX stipulations. Some critics, though, believe SOX compliance is expensive, particularly for small companies. But its focus on high auditing quality has restored and strengthened investor confidence in U. Securities and Exchange Commission.

Section amended 15 U. Also, in recognition of the role of whistleblowers in exposing the accounting scandals of the earlys, Congress passed Section , codified 18 U. The U. Supreme Court in Lawson v.

One major criticism of SOX is the cost that greater disclosure and internal control requirements impose on smaller firms seeking to raise public funds.

Determining materiality. The auditor determines materiality to decide where to focus. The auditor will look at transactions that went into determining the values of material accounts. The auditor will seek to understand financial reporting risks in those accounts: what could go wrong? What could be subject to misrepresentation?

Identify SOX controls. When determining materiality, the auditors will also look at the controls that protect the integrity of those numbers. Controls may include things such as making sure conflicting duties are segregated. People who post invoices should not have authority to approve invoices.

Fraud risk assessment. SOX was passed largely in response to some very high-profile cases of massive fraud. The auditors will be looking to see if internal controls are adequate to detect fraud early. In addition to the segregation of duties mentioned above, periodic bank account reconciliation is an important fraud detection tool. One common fraud vehicle is employees making reimbursement claims for fictitious expenses; the auditors will want to see that there are controls in place that would catch such activity.

Controls documentation. Auditors will want to see that controls are properly documented and communicated. Compliance software can be helpful to auditors as it can allow them to access information and review the impact throughout the organization.

Testing key controls. The auditors will want to make sure the key controls actually work the way they are designed to work. Auditors may interview process owners, watch the process at work, etc.

Assessing deficiencies. The auditors will be on the lookout for ways that SOX compliance can be improved. In some cases the control may need to be changed; in others, staff may need better training or a process may need to be adjusted.

At the end of the control testing, management delivers its assessment of the internal controls, including the assessment made by the independent auditor.

Conclusion

The Sarbanes-Oxley Act has been widely praised as having helped improve corporate governance, transparency, and accountability in corporate America. Back in , only a few years after SOX was enacted, former Federal Reserve Chairman Alan Greenspan said, "I am surprised that the Sarbanes-Oxley Act, so rapidly developed and enacted, has functioned as well as it has … the act importantly reinforced the principle that shareholders own our corporations and that corporate managers should be working on behalf of shareholders to allocate business resources to their optimum use."

Are you SOX compliant in ?


