Just as Y2K was the hot topic before the new millennium, the new
millennium will be remembered for its high-profile corporate collapses
around the globe: HIH in Australia, Enron in the US and Parmalat in Europe,
just to name a few.
In response to the failures of US corporate giants and of one of the largest
accounting firms, a struggling US economy, and political pressure from
investors and the media, the US passed the Sarbanes-Oxley Act in 2002
(SOX). The Act aimed to mend investor confidence by improving disclosure
controls and procedures and by broadening the concept of internal control
over financial reporting.
What is the Sarbanes-Oxley Act?
The Sarbanes-Oxley Act of 2002 requires the CEOs and CFOs of public
companies to personally certify that the financial statements fairly present,
in all material respects, the company's operations and financial condition.
Section 404 of Sarbanes-Oxley requires each company's annual report to
include an internal control report containing an assessment, as of the end
of the most recent fiscal year, of the effectiveness of the company's
internal control structure and procedures for financial reporting.
In addition, Section 404 requires each company's auditor to attest to and
report on management's internal control assessment. Note that the two
opinions are separate: a company can receive an unqualified audit report on
its financial statements and, at the same time, a qualified auditor's
opinion on its internal controls.
Who does it affect?
Section 404 applies to large public companies with financial years ending
after November 15, 2004. For foreign issuers and smaller companies, the rule
takes effect for financial years ending after July 15, 2005.
However, many US-based non-public companies are 'voluntarily' adopting the
Sarbanes-Oxley regime because they believe it strengthens their financial
reporting systems and allows them to be compared with their listed peers.
In Australia and around the world, subsidiaries and branch offices of
US-based companies are also adopting the Sarbanes-Oxley regime.
How to ensure Sarbanes-Oxley compliance
Complying with the Sarbanes-Oxley Act means committing time, money and
resources, so good planning and effective implementation are important.
1. Understand the context of Sarbanes-Oxley for your business
This is a critical first step and the key to effective and efficient
implementation. Remember, the focus is on the existence, effectiveness and
verification of internal controls over financial management and reporting.
This is where many companies went wrong. Many started by documenting only
their financial controls, neglecting operational controls that had financial
implications. The result was delayed filings, rework and additional cost.
2. Good planning is essential
Start by identifying, at a macro level, your key activities, key business
processes, high-level/key internal controls and significant financial
accounts.
Then develop a Sarbanes-Oxley framework to glue all the pieces together,
including key dates, resources, documentation requirements and testing
strategies.
3. Effective implementation
Good documentation is important because your internal controls are subject
to an external audit opinion. You need effective version management, review
and sign-off strategies for your key documents, which will include your
process maps, risk and control documents, audit plans, audit work papers and
audit results.
Periodic review and evaluation of risks and controls is necessary to ensure
your internal control framework is working effectively.
When you find untreated risks or control weaknesses, develop action plans
for prompt corrective action.
Testing strategies ensure that you are effectively evaluating your internal
controls. Testing should provide reasonable assurance that the internal
controls are effective in reducing financial risks.
Testing controls may expose further internal control weaknesses. Again, you
will need to develop action plans for prompt corrective action.
4. Ongoing monitoring
The success of your Sarbanes-Oxley compliance program depends on the
effectiveness of your planning and implementation. You will need to
continually monitor risks, controls, audit results, action plans and
outstanding issues at both the macro and the micro level.
What are the SOX compliance danger signs?
So when will shareholders and regulators know that you are having problems
meeting your SOX requirements? They will be looking out for the following
red flags:
- Qualified auditor's opinions
- Restatements of financial statements
- Late filings of financial statements
- Difficulties complying with the CEO/CFO certification rules
(Sarbanes-Oxley Section 302)
- High staff turnover in finance, audit and other control functions
How to keep SOX costs under control
The bad news is that even the best Sarbanes-Oxley compliance program will
require considerable upfront investment. The good news is that, all else
being equal, costs should fall and eventually flatten after about two years.
Don't outsource everything:
Using consultants in the first few years is fine, but ultimately compliance
is the company's responsibility. Sarbanes-Oxley is here to stay, so over
time you need to develop and retain good people.
Use existing resources:
Many organisations already have a pool of good people, typically in
finance, audit and IT, who could form the backbone of your compliance team.
They will have most of the skills required to get the job done and keep
costs down.
Streamline documents:
Larger organisations tend to have different policies and procedures for
different regions and products when in fact the underlying process is the
same. Streamlining documentation and discarding duplicates means there is
less documentation to maintain.
Develop more preventive controls:
Because Sarbanes-Oxley revolves around internal controls, choosing the
right kind of control improves both effectiveness and efficiency. Detective
controls require sample testing, which takes time, whereas preventive
controls are usually system controls that can be tested once.
Focus on continuous improvement:
Always ask how your Sarbanes-Oxley program can be improved. Invite
suggestions from senior management, audit and compliance staff. Work
closely with similar companies to benchmark yourself and promote new ideas.
Use technology where appropriate:
Technology will not automatically lead to success. However, if you have
established good foundations (framework, resources, processes,
documentation, etc.), technology can deliver real efficiencies and dollar
savings.
Selecting the right technology
Because SOX requirements are ongoing, many organisations choose to invest in
technology to gain long-term benefits. But what is the right technology for
SOX compliance?
The right technology helps keep your SOX program consistent, effective and
efficient. At a minimum, it needs to be able to document all internal
controls over the various financial risks and to support effective periodic
review and independent audit of those controls.
The technology should allow users to analyse the various internal control
properties, such as:
Effectiveness of control:
An assessment of whether the control is effective or not.
Type of control:
Whether the control is a detective, preventive or corrective control.
Control owner:
The person responsible for ensuring the control is in place and working.
Frequency of control:
When the control is executed, such as at month end, annually, etc.
IT dependency:
Whether the control depends on an IT system or not.
Financial statement assertion:
Which assertion the control supports, such as the accuracy, relevance,
timeliness or completeness of financial information.
The technology should also allow users to update information periodically
in a controlled manner. Where users have not updated their information,
senior management should be able to see this quickly and remediate the
problem.
Once internal controls have been identified, independent audit procedures
should be developed and assigned to the various internal controls. SOX
technology should therefore have powerful audit features. At a minimum, we
recommend the following:
Audit planning module integrated with email:
The audit planning module will allow you to select the type and date of an
audit, and integration with your email system will send a reminder when the
audit is due.
Electronic work papers:
The system should have electronic work paper capabilities to document the
audit testing results. Electronic work papers held within the risk and
control framework allow comprehensive reporting and issue tracking.
Audit quality control:
Because the results of the audit are so critical, the technology should have
quality control features built in to reduce 'audit risk'.
Audit result impact analysis and remediation:
The technology should be able to record the result of the audit and track
problems through to remediation. Where an internal control is not working,
the system should be able to record the problem, assess it, record
management's remedial action, set a target date for completion and then
record the actual date of completion.
InConsult's Guardian Risk Management System is used by organisations to
manage risk and to monitor and audit controls. It can support or replace
many of the documents used to demonstrate compliance with SOX, and it
produces a range of reports for risk owners, risk and assurance managers and
the board to monitor their internal controls.
Naturally, technology will not guarantee compliance. Implemented correctly,
it will improve the internal control environment through greater
transparency, consistency and efficiency.
While the Sarbanes-Oxley Act is relatively new, its principal objectives are
not. Effective internal control over financial processes has always been an
important management objective for organisations. SOX simply makes it a
legal requirement, and non-compliance can result in up to 20 years' jail.
Using technology will help ensure your SOX program is efficient.