Just like Y2K was the hot topic before the new millennium, the new
millennium will be remembered for its high profile corporate
collapses…globally. HIH in Australia, Enron in the US, Pramalat in Europe,
just to name a few.
In response to failures of US corporate giants and one of the largest
accounting firms, a struggling US economy, political pressure from investors
and the media resulted in passing of the Sarbanes-Oxley Act in 2002 (SOX)
which aimed at mending investor confidence by improving disclosure controls
and procedures and broaden the concept of internal control over financial
is Sarbanes-Oxley Act
Sarbanes-Oxley Act of 2002 required the CEO’s and the CFO’s of public
companies to personally certify that the financial statements fairly present
in all material aspects the company’s operations and financial condition.
404 of Sarbanes-Oxley requires each company’s annual report to include an
internal control report that contains an assessment, as of the end of the
most recent fiscal year, of the effectiveness of the company’s internal
control structure and procedures for financial reporting.
addition, Section 404 requires each company's auditor to attest to and
report on management's internal control assessment. It may be possible for
a company to receive an unqualified audit report and a qualified auditors
opinion on internal controls.
does it affect?
404 applies to large public companies with financial years ending after
November 15, 2004. For foreign issuers as well as smaller companies, this
rule is effective from July 15, 2005.
many US based companies are ‘voluntarily’ adopting Sarbanes-Oxley regime
because they believe it helps strengthen their financial reporting systems
and non-public companies can be compared to their listed peers.
Australia and around the world, subsidiaries and branch offices of US based
companies are also adopting the Sarbanes-Oxley regime.
to ensure Sarbanes-Oxley compliance.
Complying with the Sarbanes-Oxley Act means committing time, money and
resources. Therefore good planning and effective implementation is
Understand the context of Sarbanes-Oxley to your business
first step and the key to effective and efficient implementation. Remember,
the focus is on the existence, effectiveness and verification of internal
controls over financial management and reporting.
where many companies went wrong. Many started documenting financial
controls, neglecting operational controls that had financial implications.
This resulted in delayed filings, re-work and additional cost.
Good planning is essential
identifying your key activities, key business processes, high level/key
internal controls and significant financial accounts at a macro level.
Sarbanes-Oxley framework to glue all the pieces together including key
dates, resources, documentation requirements, testing strategies.
documentation is important because your internal controls are subject to
external audit opinion. You need to have effective version management,
review and sign-off strategies in place for your key documents. These will
include your process maps, risk and control documents, audit plans, audit
work papers and audit results.
review and evaluation of risks and controls is necessary to ensure your
internal control framework is working effectively.
find untreated risks or control weaknesses, develop action plans for prompt
strategies will ensure that you are effectively evaluating your internal
controls. Testing should provide reasonable assurance that the internal
controls are effective to reduce financial risks.
controls may expose more internal control weaknesses. Again you will need
develop action plans for prompt corrective action.
of your Sarbanes-Oxley compliance program is dependant on the effectiveness
of your planning and implementation. You will need to continually monitor
risks, controls, audit results, action plans, outstanding issues at macro
and micro level.
What are the SOX compliance danger signs?
will shareholders and regulators know that you are having problems meeting
your SOX requirements? They will be looking out for the following red
Restatements of financial statements
filings of financial statements
Difficulties complying with CEO/CFO certification rules (Sarbanes-Oxley
staff turnover in finance, audit and other control functions
How to keep SOX costs under control
The bad news is even the best Sarbanes-Oxley compliance program will require
considerable upfront investment. The good news is that everything being
equal, costs should reduce and eventually flatten after 2 years.
Don’t outsource everything:
Using consultants in the first few years is good, but ultimately it is the
company’s responsibility. Sarbanes-Oxley is hear to stay, so overtime, you
need to develop and retain good people.
Use existing resources:
Many organisations already have a pool of good people. These people may
come from finance, audit and IT and could be the backbone of your compliance
team. They will have most of the skills required to get the job done and
keep costs down.
Larger organisations tend to have different policies and procedures for
different regions and products when in fact the process is the same.
Streamlining documentation and discarding duplicated documentation will mean
there is less documentation to main
Develop more prevent controls:
Because Sarbanes-Oxley revolves around internal controls, having suitable
controls will improve both effectiveness and efficiency. How? Detective
controls will require sample testing which takes time, whilst prevent
controls are usually system controls that are tested once.
Focus on continuous improvement:
Always ask how your Sarbanes-Oxley program can be improved. Invite
suggestions from senior management, audit and compliance staff. Work
closely with similar companies to benchmark yourself and promote new ideas.
Use technology where appropriate:
Technology will not automatically lead to success. However, if you have
established good foundations (framework, resources, processes, documentation
etc), you should be able to use technology to deliver real efficiencies and
the right technology
Because SOX requirements are ongoing, many organisations choose to invest in
technology to gain long term benefits. But what is the right technology for
Technology will ensure your SOX program is consistent, effective and
efficient. Basically, the right technology needs to be able to document all
internal controls over the various financial risks and allow an effective
periodic review and independent audit of controls.
The technology should allow users to
the various internal control properties such as:
Effectiveness of control:
An assessment of whether the control is effective or not.
Type of control:
whether the control is a detective, preventive or corrective control.
The person responsible for ensuring the control is in place and working.
Frequency of control:
When the control is executed, such as month end, annually etc
Whether the control is dependant on an IT system or not
Financial statement assertion:
accuracy, relevance, timeliness and completeness of financial information.
The technology should also allow users to update information in a controlled
manner, periodically. Where information has not been updated by users,
Senior Management should be able to quickly remediate the problem
Once internal controls have been identified, independent audit procedures
should be developed and assigned to the various internal controls.
Therefore, SOX technology should have a very powerful audit features. At
minimum, we recommend the following features:
Audit planning module integrated with email:
The audit planning will allow you to select the type and date of an audit
and integration with your email system will enable a reminder when the audit
Electronic work papers:
The system should have electronic work paper capabilities to document the
audit testing results. Electronic work papers within the risk and control
framework will allow comprehensive reporting and issues tracking.
Audit quality control:
Because the results of the audit are so critical, technology should have
various quality control features built in to reduce the ‘audit risk’.
Audit result impact analysis and remediation:
This involves the technology being able to record the result of the audit
and track problems to remediation. Where an internal control is not
working, the system should be able to record the problem, assess the
problem, record managements remedial action, set a date for completion and
then update the actual date of completion.
Guardian Risk Management System
is used by organisations to manage risk, monitor and audit controls. It can
support and replace many documents used to ensure compliance with SOX. It
will also produce a range of reports for risk owners, risk and assurance
managers and the board to monitor their internal controls.
Naturally technology will not guarantee compliance. Implemented correctly,
technology will improve the internal control environment through greater
transparency, consistency and efficiency.
Whilst the Sarbanes-Oxley Act is relatively new, the principle objectives of
the Act are not new. The importance of effective internal control over
financial processes has always been an important management objective for
organisation. SOX simply makes this legal because non compliance could
result in up o 20 years jail. Using technology will help ensure your SOX
program is efficient.