Fraudulent Practices and Sarbanes Oley Act - Essay Example

Introduction The SOX as it is called came into being on June 30th 2002. This was put into practice as a result of fraudulent practices in companieslike World Com, Global Crossing and Enron. These companies were caught and eventually went on to admitting their misrepresentation of financial statements by billions and billions of dollars. An investigation was launched to look into these frauds following which the Senate approved the SOX act in an attempt to prevent the history from repeating itself. Background: About SOX It is referred to as the Sarbanes -Oley Act of 2002. The act is also called the Public Company Accounting Reform and Investor Protection Act and the Corporate and Auditing Accountability and Responsibility Act. Inside the houses of the Senate, it is commonly called the Sarbanes-Oxley, Sarbox or is a United States Federal law which was enacted on July 30th, 2002. The act came into being because of a number of scandals that went on to affect a number of major corporate big shots. These included the Enron, Tyco International, Adelphia, Peregrine System and WorldCom. The scandals resulted in a loss of billions and billions of dollars and trampled share prices of the companies that were affected. Inadvertently, this followed by a major confidence lapse on security exchanges where the investors were concerned. The act has been named after a U.S Senator and a US Representative-Paul Sarbanes and Michael G. Oxley and was approved by a vote of 423-3 and by the Senate 99-0. While signing it and approving it President George W Bush, called it one of the most far reaching reforms of American business practices ever since Franklin D. Roosevelt. The legislation marked the beginning of new and enhanced standards for most U.S public company boards and accounting firms. Privately held companies are not stipulated to comply with the act. It is home some 11 titles and section which vary immensely and cater to additional corporate board responsibilities to criminal penalties. It is the responsibilities of the Securities and Exchange Commission to implement the requirements to comply with the new law. This was done under the supervision of Harvey Pitt who ensured the adoption of a dozen other rules to implement the Sarbanes-Oxley Act. However this is not the end and be it of all. There is still a lot of debate and argument in place over the prospect benefits of SOX. Supporters believe that the legislation has been extremely affective in restoring public confidence in the nation's capital markets and has helped strengthened corporate accounting controls. On the other hand, the opponents of the bill are of the view that this bill has taken away the competitive edge that the United States had against other financial markets. Sarbanes-Oxley comprises of 11 sections each of which prescribe specific mandates and features essential for financial reporting. These sections are titled as follows: 1. Public Company Accounting Oversight Board (PCAOB) 2. Auditor Independence 3. Corporate Responsibility 4. Enhanced Financial Disclosures 5. Analyst Conflicts of Interest 6. Commission Resources and Authority 7. Studies and Reports 8. Corporate and Criminal Fraud Accountability 9. White Collar Crime Penalty Enhancement 10. Corporate Tax Returns 11. Corporate Fraud Accountability Compliance plan The need to establish internal controls for the purposes of financial reporting and operational integrity has been specifically mentioned in the Sections 302 and 404 of the Sarbanes-Oxley act. An effective internal control system is essential to comply with Sarbanes-Oxley. An internal control system helps prevent the company from non compliance and will keep it updated about any failures in its system that may have to be addressed on an immediate basis. Internal controls can be of both types i.e. detective and preventive and are incumbent in deterring if regulatory requirements are being met. Henceforth, enough though and consideration must be plugged in, in developing and maintaining those controls. The following can be used as a guide to help develop just that. It is an eight step process and if implemented in its entirety can be very effective in making the company regulate and implement SOX. When the compliance plan is structured this way, the journey to compliance is easy and the whole system can be easily implemented and traced. Eight steps need to be infused and inducted properly and they are as following: 1. First of all a compliance committee should be made. 2. Any risks involved assessed 3. The reporting objectives chalked out and set accordingly. 4. A formal implementation plan elaborated over. 5. Communicate the current ongoing procedures to everyone. 6. Ensure adequate training is provided. 7. Document everything done especially risk management 8. Continuously evaluate. Establishing a Compliance Committee: A compliance committee would involve the following mandatory members 1. CEO 2. CFO 3. Major Business Unit Heads 4. Any other recommended members may also be added 5. Executives from most functional areas comprising of the finance head, the marketing head, the auditing department head, Legal entities and the IT head. It is expected of the members to be completely committed to the SOX compliance. They must have enough capability and potential to take companywide analysis where risk identification is concerned and propose any viable solutions in the process. The focus of the committee would be central to communicating and informing any program objectives and initiatives to the concerned employees. They will also be asked to manage the overall process and activities, arrange for any training needed, assessment tools and resources. It is also incumbent upon the committee to ensure that all departments have co-ordinate identified any possible risks and solutions. The goals of the committee at the end of the day should be visible and compelling. Assessing risks: The primary objective of this step is identifying and analyzing any risks involved in both the internal and its external environment. These risks may suffice to be a major threat to company's goals and objectives. The risk assessment can be performed at any organizational level. It doesn't matter if it is performed on the organization level or on specific applications and transactions. It is only when the risks have been identified can the solutions to those risks be made out. This is called risk management. Some of the risks that are normally short listed include changing operating environment, influx of new technology, any new or revamped information systems, infusion of new personnel, rapid growth, foreign operations, accounting pronouncements and corporate restricting. (Sarbanes-Oxley) The committee in this regard is expected to help by identifying the vulnerability of corporate to risk as defined by the board. This has to be a detailed evaluation elaborating on the scope and types of risks that the organization is facing. Done through reviewing board's risk guidelines and reviewing the communication process for the risk guidelines. To identify the risks existing within the organization the whole process is broken down to cater to specific kinds of risk. (SOX compliance , 2008) Some of the general categories in this regard are: Financial risks - for instance the risk associated with investing in new acquisitions or exchange rate fluctuations that may hamper international transactions. Human capital risks-the risk of losing valuable more capable staff due to improper recruitment or a low market compensation program. Legal and regulatory risks- risks associated with operating in a highly regulated industry such as nuclear power or merely operating on the edge. Strategic risks- any risks involved with operating aggressively that could be quick acquisitions and conservationists approach while operating. Operational risks- lack of documentation process, lack of agility or ability to respond quickly owing to strong central controls. Technological risks- failure to upgrade systems and take adequate steps to ensure system privacy. The committee is also expected to do a detailed analysis and research while quantifying the magnitude and potential impact of each risk and then develop an enterprise risk management framework accordingly. Controls and Testing: Management and organizational integrity has a huge impact on the control culture and of every person in that company. There are a few key control environment factors that need to be taken into account before establishing these controls. These factors include integrity and ethical values, commitment to competence, active participation of the board of directors and audit committee, management's philosophy and operating style, the structure of the organization, assignment of authority and responsibility and human resource policies and practices. Setting reporting objectives: The primary purpose of setting reporting objectives is to define decision rules to address any risks evaluated. It must be ensured that the internal control system is effective and it is done by making controls that are: Preventive-stop; Detective-catch; Corrective-fix. The areas of operations that require control objectives also have to be determined. Major areas where objectives for control and its subsequent testing needs to be ensured include the following: Personnel control: Duties should be separated and demarcated accordingly. This can be easily done through proper and careful hiring at the time or recruitment, assignment of duties, training and super vision. Performance reviews should be done on timely basis and each personnel appraised accordingly. System and resource controls: System and resource controls need to be implemented in three major areas i.e. Physical controls, Logistics controls and system controls Strategic Planning controls: They are implemented by establishing steering committees and identifying any opportunities provided by enterprise ERP systems. (Anand) Documenting everything done especially risk management: The controls have to document efficiently and diligently. Most systems require detailed analysis and description. The whole idea behind documenting the risks is to provide a detailed analysis of why the controls were put in place and to help assist in the identification of any new risks. Performing continuous evaluation: It is extremely important that after the internal controls have been established that they are continuously evaluated and modified according to changing needs of time and technology. Timeline and requirements for the organization: First week: In the first week a project team, a review team and a sponsor team should be assembled. The teams should include representatives from the audit department, the finance department, the IT department, legal department and the human resources department. Once the team has been established it is incumbent that the project objectives should be defined and a rationale made as to where the organization is with regard to the act currently. This should take another ten days. Key questions that need to be addressed in this regard include deterring how far the scope of the control is, do they address all the departments and not just the financial ones, what business units are they covering. The timeline needs to be evaluated even more carefully at this stage. (How Quality Managers can support SOX implementation) This is followed by developing a framework for assessing risk management. In the third week, the risk management guideline should not only be made but should also have been assessed accordingly. It is expected of the management to develop an internal ERM environment and enlighten all members of the organization, a set of guidelines. Some other key measures need to be taken into perspective at this step. This involves Developing plans to tackle the risks that had been found out in the initial stages. Consider various options for risk management while keeping in perspective its overall affect when risk has been encountered against the organization's response to the risk itself. Undertaking control activities at all functional levels of the organization. An information-communication plan needs to be chalked out that should aim at relaying the risk related information to the concerned people in the organization so that it is implemented accordingly... Develop ongoing risk management procedures. At the same time, all planned objectives need to be continuously reviewed with the co and the audit committee. Week -4: Identify and document main processes and controls: In this phase, a review approach needs to be adopted such that every process is included in the review. The financial reporting process should be identified; any key systems and supporting systems need to be marked out. Existing documentation should be reviewed; the nature and size of transactions that have to be reviewed should be defined. (SOX - Overview, Issues, Implementation, 2009)Other key elements in this phase involve: Deterring volume, size and homogeneity of every transaction that has been processed. Understand process transaction's susceptibility to error. The last and the most important element of this phase is reviewing the approach and timing with the eternal auditing team. This will ensure that the compliance committee is working in line with the requirements of the act at all levels. Week 5 onwards: Evaluating operational effectiveness: Once the documentation is complete and the plan underway, it is mandatory that the top brass of the organization ensures that it is being implemented properly (Shakespeare). (Butler)This involves the following main things: A standard needs to be established where reporting of the documentation is concerned alongside project reporting progress. Unless standards are not cemented, compliance is unlikely. For every process implemented, preliminary level reviews need to be conducted. These may be conducted by the following : Committee of the sponsoring Organizations Control objectives for information and related technology framework Sarbanes-Oley compliance Key enterprise technology (socket) Identifying and eliminating any weaknesses encountered: To ensure proper compliance of the plan, it is important that any items needing investigation be resolved and followed up accordingly. There are various kinds of weaknesses. One of them called the material weaknesses is defined as a "reportable condition in which the design or operation of one or more internal controls does not reduce to a relatively low level, the risk of misstatements caused by errors or fraud in amounts, that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions." These deficiencies and weaknesses are assessed by testing, by elaborating on the significance of the weakness, and determining the effects on financial reporting. This phase ends with consolidation of all work and preparation of a preliminary 404 report. Establishing Ongoing Audit and Monitoring procedures: Review process is very important for proper compliance with the act. If the review is not undertaken at appropriate levels, chances are likely that, the organization may go haywire. The primary purpose of monitoring is to ensure that all the controls established are adequate and producing the desired results and the same level of effectiveness. There areca various techniques that can be employed to ensure proper monitoring. Two of these are spot checks of transactions and basic sampling techniques. (Stephen M. Kohn, 2004)There are five basic components of internal that are established at the functional or unit level for evaluation. These include: Control environment Risk assessment Information and communication Monitoring Monitoring procedures can also be assisted by using the (Socket) which is Sarbanes Oley compliance key enterprise technology. It was designed keeping in perspective that most companies already possess the technology needed to achieve Sarbanes Oley compliance. It aims to assist the committee in various areas. Key points include: Visualizing and interpreting the entire IT infrastructure holistically Gaining insight and deterring the relationship of the IT infrastructure with that of Sarbanes and other financial business processes circulating within the organization. Conclusion The fact that the act is important to help eradicate fraudulent practices is widely understood amongst most business legislators and corporate companies. It helps keep a check on those billions of dollars that are lost as a result of fraudulent financial reporting. However the draw backs are such that the cost of implementation is huge. The biggest cost in this regard, is the cost incurred to update information systems in order for them to be able to comply with Sox and its reporting and financial control requirements. However for most companies the initial costs registers in millions of dollars as can be verified and tallied from the FEI survey in which 217 companies with revenues greater than 5 billion per year were analyzed. However in near future it is predicted that the costs of implementation may come down owing to more and more integration of the act within the nation. In the words of an auditor " For most companies, achieving compliance to the Sarbanes-Oxley Act (SOX) has proven to be more challenging, and more costly, than initially anticipated. In many cases, initial and second-year compliance efforts were found to have strained company resources, causing a shift of focus away from such areas as internal audit in order to meet SOX requirements." Thus it is important that all such issues and challenges are also kept into perspective before the actual implementation of the compliance procedures and the best way out figured out. If the company is too big, then all the investors should be taken into confidence and so should the current financial standing of the company be kept into perspective. Following this the compliance may be implemented using the eight step process described in the aforementioned paragraphs. Works Cited Anand, S. Sarbanes-guide for information technology and finance. John Wiley and Sons. Butler, H. N. (n.d.). The Sarbanes-Oxley Debacle. Retrieved 2009, from http://www.aei.org/book/855 How Quality Managers can support SOX implementation. (n.d.). Retrieved Oct 7th, 2009, from http://www4.asq.org/blogs/sarbanes-oxley/2005/10/how_quality_managers_can_suppo_1.html Sarbanes-Oxley. (n.d.). Retrieved May 06, 2009, from Sarbanes-Oxley: http://thecaq.aicpa.org/Resources/Sarbanes+Oxley/ Shakespeare, C. Sarbanes-Oxley Act of 2002 Five Years On: What Have We Learned". SOX - Overview, Issues, Implementation. (2009, Mar 07th). Retrieved from http://mailman.ic.ac.uk/pipermail/xml-dev/1998-October/006816.html SOX compliance . (2008, feb). Retrieved oct 7th, 2009, from http://www.insidesarbanesoxley.com/2008/02/sox-life-blog-risk-based-sox.html Stephen M. Kohn, M. D. (2004). A Guide to Legal Protections for Corporate Employees. Praeger Publishers. whistle blower. Read More