The Pressure of The Sarbanes Oxley Act - Case Study Example

CONTENTS Introduction 2 The Sarbanes Oxley Act 2 Establishment of Public Company Accounting Oversight Board (PCAOB) 3 Auditor Independence 3 Corporate Responsibility 3 Enhanced Financial Disclosure 4 SOX and Risk Management 5 COSO 5 COBIT 6 Conclusion 7 References 9 Introduction The corporate world in United States took severe setbacks when scandals were surfaced about many large and multinational organizations in late 20th century. The companies like Enron, Tyco, and WorldCom were all victims of incorrect, ambiguous, unethical and inappropriate practices which remained hidden for a long period before they were finally identified and brought to the attention of the world. This sequence of events negatively affected shareholders' and general public's trust over the reliability and accuracy of financial information as published by companies. A general feeling was that of distrust, disbelieve, doubt and annoyance with the audit and internal controls systems of organizations. This state of affairs triggered a requirement for a regulation that could establish legal requirements for companies to ensure that their systems are controlled and the information they publish conform to the actual status, and is not altered, modified or changed with an intention to deceive anyone. The Sarbanes Oxley Act The Sarbanes Oxley Act (also known as known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or Sarbox (Wikipedia.org, 2007), was implemented in 2002 to regain public's trust in the accounting and reporting practices of companies in US, to reinforce investment confidence and protect investors by improving the accuracy and reliability of corporate information with regard to finance, operations and information systems. A brief description of key provision of SOX is provided below: Establishment of Public Company Accounting Oversight Board (PCAOB) A Public Company Accounting Oversight Board (PCAOB) was established as a result of the passage of the act, to ensure that interests of the investors in public companies are secured, and the audit reports are developed and represent true and fair opinion on the affairs of the company (FindLaw.com 2002). The key functions and duties of PCAOB as documented in the law are as follow: Register public accounting firms Establish or adopt auditing, quality control, ethics, independence, and other standards Conduct inspection of public companies Auditor Independence The 'independence' of the auditor is critical for performing any audit related activity for any client. ISACA (Information Systems Audit and Controls Association) (2006) requires auditors to be independent of auditee in both attitude and appearance (professional independence) and the entire audit function to be independent of the area or activity being reviewed to permit objective completion of the audit assignment. The SOX act requires the auditors to be independent. The law states that auditors should not have any operational and/or decision making role for the activity which they are auditing. Corporate Responsibility The act requires public companies to certify in their financial reports that a senior manager has reviewed the report and that the report does not have material misstatements. As per section 302 of the act, the senior management is responsible to develop and implement system of internal controls, and compliance systems. The act requires that the corporate financial statements should have following certifications: The signing officers have reviewed the report The report does not contain material misstatement or material omission or is misleading The financial statements and information fairly represent the factual position and health of the company The signing officers are responsible for internal controls and have reviewed internal controls in previous 90 days Significant changes to internal control environment The report should have a list of all deficiencies in the internal controls and information on any fraud involving employees Enhanced Financial Disclosure In order to prevent against the risks arising our of non-disclosure and/ or limited disclosure of information by companies like Tyco and Enron, SOX requires the companies to strictly follow Generally Accepted Accounting Principles (GAAP), and adequately disclose off balance sheet and hidden information of material value that can affect shareholders' money and investment decisions. SOX and Risk Management The provisions of SOX as described above provide a basis to carry out effective risk management, audit and control review for the organizations. As per the section 404, the Act requires a management assessment of internal controls, evaluation and reporting of internal control systems to top management, and to the shareholders through financial reports of the company. This ensures that company's management review and approve the financial statements' correctness, and reliability; since the shareholders make their investment decisions on the basis of published financial results. Compliance with SOX is a binding on all public companies in United States of America. In order to effectively meet the requirements of SOX act, several risk assessment and control standards are adopted by companies to develop a comprehensive system of internal controls in order to mitigate the risks of non-compliance with SOX regulations, lack of control for the issues identified in SOX and for overall benefit of the company as a whole. Two most popular risk management standards are COSO (Committee of Sponsoring Organizations), and COBIT (Control Objectives for Information Technology). A description of these two is provided below: COSO COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (COSO.org n.d.). COSO provides an integrated enterprise risk management framework that is used by many organizations to carry out effective risk assessment and management (COSO 2004, v); in order to comply with section 404 (management assessment of internal controls) requirements of SOX act. The COSO ERM (Enterprise Risk Management) framework categorizes the entire operations of an organization into five categories (The Institute of Internal Auditors, n.d. p. 17-18), namely Control Environment (sets the tone of the organization; include factors like integrity, ethical values, management philosophy, operating style etc.), Control Activities (policies and procedures to ensure that management objectives are achieved, directives are carried out satisfactorily, and effective actions are taken to control risks in the organization; consists of factors like approvals, authorizations, verification, segregation etc.), Risk Assessment (the process of identification and analysis of risks in order to take appropriate steps to resolve these either through acceptance, transfer or mitigation using appropriate controls), Monitoring (ongoing monitoring is required to constantly keep a watch of the level of risks, to verify the desired operations of controls and to identify variances in the processes), and Information and Communication (there needs to be effective communication across all levels and all directions in an organization desirous to implement the SOX requirements to conform with the Act; these communication lines should be used to inform about strategies, policies and procedures from top-down, and feedback, comments and suggestions should also flow from bottom-up). The PCAOB also recommends using COSO to perform risk based audit of a company in order to ensure that it conforms to the requirements of SOX act. COBIT In the contemporary world, most of the companies use computerized information systems like Enterprise Resource Planning (ERP) software for book keeping, financial transactions and generating financial statements. This requires a risk assessment of the software package itself and the external controls environment in which the system operates. COBIT has emerged as a benchmark standard for IT related risk assessment and controls. It is used by many auditors as a guide to perform audit of IT based financial and operational controls. COBIT has four domains which are further divided into 34 control objectives that collectively assign a rating to the organization, which shows the level of compliance with COBIT. These four domains are Plan and Organize, Acquire and Implement, Deliver and Support, and Monitoring and Evaluation. These four domains provide guidance to strengthen the internal controls framework of organizations. COBIT has been used by organization to conform to the requirement 302 and 404 of the SOX act. Specifically, 12 control objectives from COBIT are aligned with the PCAOB Accounting Standard Number 2, are defined to meet SOX requirements (IT Governance Institute, 2006, p.9). Conclusion The Sarbanes Oxley act provided a strong message from regulatory bodies to organizations around the country that the events like Tyco and others will not be allowed to be repeated again. The SOX act has established a set of comprehensive legal requirements to ensure that financial statements present true picture of the organizations' activities and performance. This allows the shareholders and other public to become aware of the accurate and correct status about the performance of various companies in order to make informed decision about their existing and/ or potential new investments into a company. However, the companies need to quickly adapt to the standards and guidelines as stated above in order to undertake comprehensive risk assessment exercises for their systems so that all of the risks can be suitably documented and optimally dealt with. Implementing SOX is a costly endeavor; it requires expertise, resources and budget. Hence, organizations need to carry out risk assessment process with utmost care in order to identify material risks in their businesses, which can then be addressed using appropriate risk management procedure. References COSO. (2004). Enterprise Risk Management Integrated Framework: Executive Summary. COSO. (n.d.). The Committee of Sponsoring Organizations of the Tradeway Commission [Internet]. Available from: [Accessed 21 March 2007]. FindLaw.com. (2004). One Hundred Seventh Congress of the United States of America [Internet]. Available from: [Accessed 20 March 2007]. Institute of Internal Auditors. (n.d.). Sarbanes Oxley Section 404: A Guide for Management By Internal Controls Practitioners. ISBN 0-89413-593-7. IT Governance Institute. (2006). IT Control Objectives for Sarbanes Oxley, 2nd Edition. United States of America. Wikipedia.org. (2007). Sarbanes Oxley Act [Internet]. Available from: [Accessed 19 March 2007]. Read More