of Internal Controls and IS Audit
Eva Šimková Hewlett-Packard s.r.o.
Vyskočilova 1/1410 14021 PRAHA firstname.lastname@example.org
The purpose of this paper is to briefly describe the key features of the Sarbanes-Oxley Act (hereafter referred to as SOX), its linkage to the IT environment and its impact on the system of internal controls and IS audit. SOX is a U.S. law put in place in reaction to the frauds discovered in corporate accounting that significantly shook investors' confidence. The paper describes the circumstances which led to the creation of SOX and its main sections. Furthermore, the sections relevant to the IT environment (302 and 404) are described thoroughly to underpin their linkages to systems of internal controls. Strict sanctions have been declared for non-compliance with the law, hence U.S. public companies aim to fulfill the requirements.
At first sight it may seem that SOX is relevant only to U.S. companies. To a large extent, this is right. Nevertheless, there are conditions under which SOX applies to Czech entities as well. The author intends to clarify to whom SOX applies and what has changed for internal controls and audit after SOX, since there is still some ambiguity about what companies should do to be SOX compliant. Hence the paper focuses on describing the main sections of SOX relevant to IT and, furthermore, the approach a company should take to prepare for the compliance check.
All information within this document was gained from the sources of companies performing audits (such as Deloitte & Touche LLP, Ernst & Young LLP, KPMG LLP and PricewaterhouseCoopers LLP), from institutions defining the scope of SOX such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the Information Systems Audit and Control Association & Foundation (ISACA), the U.S. Securities and Exchange Commission and the Public Company Accounting Oversight Board, and from the Act itself (An Act To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes; the U.S. law known as the Sarbanes-Oxley Act of 2002). All resources are listed in the Bibliography chapter. Furthermore, the author's practical experience from a SOX implementation project in the Czech Republic was the basis for the set of recommendations described below.
Keywords: SOX, Sarbanes-Oxley Act, PCAOB, GAAP, SEC, COSO, internal controls, audit, compliance
1. Sarbanes-Oxley Act (SOX)
Sarbanes-Oxley, or, more technically, the Public Company Accounting Reform and Investor Protection Act of 2002, is the result of federal legislation sponsored by Senator Paul Sarbanes and Representative Michael Oxley. It was developed in response to issues raised by fraudulent accounting practices, such as those involved in the Enron, Tyco, and WorldCom scandals, and the questions concerning governance in American corporations that arose in response to these events, threatening to shake investor confidence in the financial markets. The scandals resulted in a loss of public trust in financial reporting and accounting practices and required immediate attention from legislators, who recognized that, if left unaddressed, the loss of trust could have deepened. The Act, therefore, was meant to prevent future accounting scandals and rebuild the trust of the investing public. The legislation passed the U.S. Senate unanimously, after which it was approved in the House of Representatives and was signed into law on July 30, 2002.
In essence, the Sarbanes-Oxley Act is concerned with information transparency and accountability, and presents new requirements for how public companies record, track, and disclose financial information. In the past, U.S. public companies were required to disclose information concerning specific events, such as incorporation and successive efforts to raise capital through the public markets. In contrast, Sarbanes-Oxley now requires organizations to be accountable for the broad range of day-to-day activities that can affect financial performance. This new attention to the tracking of information relating to day-to-day operations has exposed public companies to new levels of regulatory scrutiny that also extend beyond Sarbanes-Oxley.
The Sarbanes-Oxley Act has dramatically heightened the standards for financial reporting for all U.S. public companies; the $75 million public float threshold distinguishes "accelerated filers", whose compliance deadlines came first (see section 2.1).
Since its publication in 1992, the COSO framework (from the Committee of Sponsoring Organizations of the Treadway Commission) has been the accepted framework for implementing internal controls over financial reporting. IT processes and technology, however, are not addressed in detail by COSO. Since the vast majority of the financial data that makes up financial reports is generated by IT and its related processes, it is critical that the effectiveness of these processes can be checked. By having well-defined standards and procedures that can be verified, CEOs and CFOs can be confident that the reports they are certifying were produced by well-maintained, controlled software applications.
As organizations begin to develop strategies to meet these and other new regulations, technology has a key role to play. Meeting the ongoing requirements of Sarbanes-Oxley requires technology that can simplify the auditing of internal controls and reduce the costs of compliance in the new regulatory environment.
The Sarbanes-Oxley Act has significant implications for how U.S. public companies document their business processes and internal controls. Implementing a strategy for SOX compliance requires a lot of effort in designing and documenting processes, assessing risks, setting up a control framework, etc. To be able to keep all this up to date, the right supporting tool should be chosen.
Many European- and Asia/Pacific-headquartered companies are dually listed on two or more stock exchanges. Any company that is listed in the United States must comply with the terms of the Act. In addition, many European companies have a U.S.-based parent. The legislation is also being seen as a move to restore trust in corporate entities and thus to restore investor confidence. Complying with Sarbanes-Oxley is regarded as a move to instill a better brand of business ethics.
Foreign auditing firms, headquartered outside of the United States but working with U.S.-based companies, must also comply. Although enforcement of some of the sanctions of the Act will be difficult, non-compliance will affect a firm's ability to win business with U.S. customers.
Sarbanes-Oxley creates new or enhanced standards for corporate accountability and penalties for corporate wrongdoing. It contains 11 titles setting out auditor and corporate responsibilities, rules for financial disclosures and harsher penalties for "white-collar" crimes. The two sections that should concern IT executives the most are 302 and 404(a), because they deal with the internal controls that a company has in place to ensure the accuracy of its data. This relates directly to the software systems that a company uses to control, transmit and calculate the data that is used in its financial reports. Knowingly certifying a misleading report is punishable by fines of up to $5 million and/or up to 20 years imprisonment.
Initially, a European Commission spokesman criticized the Sarbanes-Oxley Act as an ill-conceived overreaction to the wave of American corporate scandals. The Europeans had been working on a document, the "Report of the High Level Group of Company Law Experts on a Modern Regulatory Framework for Company Law in Europe," which covered some of the same ground as Sarbanes-Oxley, but it is a policy advisory document only. Currently, there is no Europe-wide legislation.
Despite the valid criticisms of Sarbanes-Oxley in Europe, it is widely expected that European corporate entities will comply with it, because they will not want to compromise their ability to do business in the North American market.
Today, many companies operate in numerous jurisdictions, potentially in different countries, and are subject to a wide range of enforcement standards. Frameworks such as the Enterprise Risk Management Framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in the U.S. and the Basel II Accords in Europe are now helping to drive business compliance activities worldwide.
1.1 Key sections of the Sarbanes-Oxley Act
Sarbanes-Oxley sets forth stricter guidelines for financial reporting and mandates obligations and accountability for CEOs, CFOs, and their accounting firms, with criminal penalties if financial reports are found to be fraudulent. The principal objective of the regulations was to renew investors’ trust in corporate executives and their financial reports. Toward this objective, one of its requirements is that public companies set up procedures for keeping track of all financial information from the moment of inception to the time it is submitted in an annual report to the SEC (U.S. Securities and Exchange Commission).
Because the SEC oversees the financial reporting process, it was given the responsibility of defining the rules for this particular section of Sarbanes-Oxley. The SEC, therefore, proposed a rule that would require each annual report issued by a company under the Exchange Act (Securities Exchange Act of 1934) to contain an internal control report that:
• States management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company;
• Identifies the framework used by management to evaluate the effectiveness of this internal control;
• Assesses the effectiveness of this internal control as of the end of the company's most recent fiscal year; and
• States that its auditor issued an attestation report on management's assessment.
In September 2003 the SEC recognized the COSO framework as a suitable framework for establishing internal controls over financial reporting (without mandating it as the only acceptable one). It said, "We recognize that our definition of the term 'internal control over financial reporting' reflected in the final rules encompasses the subset of internal controls addressed in the COSO Report that pertains to financial reporting objectives."
However, Sarbanes-Oxley does not address the issue of IT controls specifically.
This does not mean IT can be ignored when performing the compliance reviews required by the act. The act is neutral with regard to technology, but the implication is clear that IT controls are critical to an organization’s overall system of internal controls. As IT controls address the secure, stable, and reliable performance of hardware, software, and personnel to ensure the reliability of financial applications, processes, and reporting, they must be a significant element of compliance reviews. Some key IT control areas have been interpreted as not being incorporated in Sarbanes-Oxley compliance. These include privacy, business continuity, business systems, data classification, and information not specific to financial processing and reporting. Therefore, any audit specifically limited to Sarbanes-Oxley compliance will not assess all the risks faced by the organization and must be supplemented to ensure full audit coverage of the organization’s risk management and internal controls.
1.1.1 Sarbanes-Oxley Sections Relevant to IT Controls
The following briefly describes the sections of Sarbanes-Oxley that relate to auditors and IT controls.
Sections 103 (Auditing, quality control, and independence standards and rules) and 802 (Criminal penalties for altering documents)
These sections establish rules for the public accounting firm relating to the audit and the report. In particular, they require the Board (the PCAOB) to establish standards for the audit work. They also require auditors to test the internal control structures and attest to the strength of those structures. This review must include a thorough examination of the IT controls that are fundamental to the system of internal control over financial reporting. One specific requirement relates to the retention of records "that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets." This is influenced greatly by the way in which IT records are maintained and retained.
Section 201 Services outside the scope of the practice of auditors
This section requires that external auditors be independent. This precludes them from performing work for a client in the capacity of IT consultants or providing outsourced internal audit services. Organizations that do not wish to employ their own internal IT auditors cannot outsource the work to their external auditors.
Section 301 Public company audit committees
Section 301 defines the need for audit committee members to be independent and precludes them from performing any other consulting work on behalf of the organization. It also requires audit committees to establish procedures to handle "confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters". This would also cover any issues arising from the control of IT.
Sections 302 and 404
Section 302 Corporate responsibility for Financial Reports
Section 302 of the Act requires the CEO and CFO — who are responsible for financial information and the system of internal controls — to evaluate the system of internal controls every 90 days and report on their conclusions and any changes.
They must disclose:
• “All significant deficiencies in the design or operation of internal controls that could adversely affect the issuer’s ability to record, process, summarize, and report financial data and identify for the issuer’s auditors any material weaknesses in internal controls.”
• “Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls.”
They must certify a number of representations listed below:
1. They have reviewed the report.
2. To the best of their knowledge, the report contains no untrue statement of a material fact and does not omit any material fact that would cause any statements to be misleading.
3. To the best of their knowledge, the financial statements and other financial information in the report fairly present, in all material respects, the company's financial position, results of operations and cash flows.
4. They accept responsibility for establishing and maintaining disclosure controls and procedures, and the report contains an evaluation of the effectiveness of these measures.
5. Any major deficiencies or material weaknesses in controls, and any control-related fraud, have been disclosed to the audit committee and external auditor.
6. The report discloses significant changes affecting internal controls that have occurred since the last report, and whether corrective actions have been taken.
Due to the potential civil and criminal penalties involved, CIOs and IT executives should be concerned with Section 302. CEOs and CFOs will be placing an enormous amount of trust in the people and systems that produce their company's financial data. Given the wide and deep spectrum of internal controls, it is a serious responsibility.
Section 404 Management Assessment of Internal Controls
Section 404 requires public companies to include with their annual report to the SEC a separate report on the assessment of the effectiveness of their internal controls. Additionally, the entity’s external auditors must annually attest to and report on the assessment made by management. Section 404 relies on a definition of internal controls offered by COSO.
From the standpoint of U.S. publicly traded companies, Section 404 of Sarbanes- Oxley requires that a company and its affiliates have a documented set of internal rules that control how data is generated, manipulated, recorded, and reported.
Specific to Section 404 compliance is the ability to document business processes and internal controls, which involves both the management of documentation and the testing of those internal controls. Consequently, Section 404 is likely to represent the most time-consuming and costly of Sarbanes-Oxley compliance efforts.
Section 404 requires senior management and business process owners not merely to establish and maintain an adequate internal control structure, but also to assess its effectiveness on an annual basis.
Section 404 requires the CEO and CFO to produce an annual report on internal control over financial reporting that:
• Assesses the effectiveness of the internal control structure over financial reporting.
• Discloses all known internal control weaknesses.
• Discloses all known frauds.
This report will cover all applicable IT controls, including program logic and related change controls, access controls, and data protection. PCAOB Auditing Standard No. 2 suggests the COSO Internal Control – Integrated Framework as a basis for Section 404 compliance management. References to Statement on Auditing Standards (SAS) No. 94 (The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit) also emphasize the importance of IT and information security controls to Sarbanes-Oxley.
Section 409 Real time issuer disclosures
Section 409 requires organizations to disclose any material changes to operations in real time and in plain English. Some commentators argue that these requirements establish a foundation, or a need, for continuous monitoring, auditing, and assurance processes to become part of significant internal control processes.
2. Challenges of Sarbanes-Oxley Compliance
Not surprisingly, the initial passage of Sarbanes-Oxley created some confusion in the regulated community regarding the measures that would be required to ensure compliance. Organizations that had governance structures in place were uncertain as to their ability to adapt to the rapidly changing regulatory environment. For many of these companies, governance and compliance had been the responsibility of individual business units or departments, with multiple policies and procedures throughout the organization. Moreover, many of these business units and departments tended to rely on desktop productivity tools such as standalone spreadsheets to document their internal controls. In the new regulatory environment, these tools and the associated manual processes are not adequate to the task of Sarbanes-Oxley documentation of controls and processes.
Another challenge is the ongoing nature of Sarbanes-Oxley compliance. The effort involved in meeting the new financial reporting requirements is not a one-time event. While public companies are required to document their internal controls in the first year, they must also test these controls annually thereafter on an ongoing basis. Certainly the expenses of Year 1 Sarbanes-Oxley compliance are likely to be high; after all, most organizations have hundreds, potentially thousands, of controls to document and test in order to comply with Section 404. But Sarbanes-Oxley requires that organizations perform compliance work on a continual basis to annually document and attest to the effectiveness of their internal controls.
However, the most immediate challenge for organizations is meeting the deadline for initial compliance with Section 404. Once organizations have achieved the basic statutory requirement of documenting existing processes, the challenge, going forward, lies in continued testing of these processes, ensuring that management continues to monitor and track compliance activities, and that employees continue to be apprised of their responsibilities to aid in the compliance process.
2.1 Compliance date
In 2003 and 2004, most companies focused on Section 404, and many struggled to determine what would be required to implement the internal control assessment and reporting process. While there was general agreement that technology could play a central role, particularly with respect to Section 404 documentation requirements, there was considerably less consensus surrounding which technologies to invest in. In fact, many public companies chose to respond to the requirements of Sarbanes-Oxley by taking a "wait-and-see" approach: they decided to use existing tools to document their business processes and internal controls and thereby meet the Sarbanes-Oxley Section 404 regulatory requirements.
Amid this uncertainty, and in response to initial feedback from the regulated community, the U.S. Securities and Exchange Commission (SEC) announced on February 25, 2004 that it was extending the deadline for compliance with Section 404 of the Sarbanes-Oxley Act of 2002. Compliance with the section initially was to be reflected in annual reports for fiscal years ending on or after June 15, 2004, but was pushed to fiscal years ending on or after November 15, 2004 for "accelerated filers."
SEC defined an "accelerated filer" as companies with "a public float of $75 million or more as of a date within no more than 60 and no less than 30 days before the end of the company's last fiscal year."
The initial deadline of April 15, 2005 was pushed to July 15, 2005 for "non-accelerated filers" (smaller businesses) and foreign private issuers. On March 2, 2005 the date was further extended to July 15, 2006.
Thus larger companies have finished their first filings under Sarbanes-Oxley; smaller companies are now preparing for their first filings, and will soon be in a position to assess their needs for a more strategic approach to governance, risk, and compliance.
A number of experts view the extension as a sign of just how seriously authorities intend to enforce and monitor the new law.
The SEC considered the particular challenges facing non-accelerated filers and foreign private issuers in determining to grant this extension. Many foreign companies are facing regulatory and reporting challenges in addition to internal control reporting as companies incorporated in a European Union member country are required to prepare their financial statements for 2005 in accordance with new International Financial Reporting Standards. Two initiatives also are underway that may affect non-accelerated filers. First, the Commission has established an SEC Advisory Committee on Smaller Public Companies to assist the Commission in evaluating the current securities regulatory system relating to smaller public companies, including the internal control requirements. Second, the Committee of Sponsoring Organizations (COSO) has developed new guidance for smaller companies.
2.2 An Enterprise Approach to Compliance
In this new regulatory environment, how can an organization effectively manage the concerns and the costs of governance, risk, and compliance? Just as important, how can an organization derive value from its investment in compliance?
Sarbanes-Oxley has given rise to a new conception of the compliance function, one that requires an operational and technology foundation capable of driving consistency throughout an organization's processes and controls. As such, Sarbanes-Oxley presents a number of challenges involving processes and documents and the consistency with which they are handled across an organization. Specifically, Sarbanes-Oxley requires that organizations and their accounting firms:
• Control the way they process, distribute, retain, and access key financial information and supporting documentation in their day-to-day operations
• Institute controls that enhance the transparency of communications, bringing to light any material deficiencies and highlighting key information that may be material to compliance
• Establish a compliance program that informs employees of their responsibilities
• Establish and maintain processes to ensure that the compliance program is followed, with periodic program review
• Maintain all work papers and information related to audit reports
Together, these requirements underscore one of the central principles of the Sarbanes-Oxley regulations: while ultimate accountability rests with corporate officers, the responsibility for compliance also extends to line of business operations and to the wider range of personnel who engage in business activities that have an impact on financial operations.
One consequence is that the governance concerns stated by Sarbanes-Oxley and other new regulations are having considerable impact on corporate culture, as organizations work to evaluate and enhance their existing policies, and to develop and document new procedures and controls. But, to emphasize, the increased demands for personal accountability and responsibility that lie at the heart of Sarbanes-Oxley require a consistency of approach to business practices. For many companies, this means a new vision of business conduct – one that integrates good governance practices into a company’s core business processes and thus into its culture, and that does so enterprise-wide.
2.2.1 Requirements on reports and documentation
With the requirements for Sarbanes-Oxley compliance arise many questions about how much documentation is necessary to support an organization's internal control program, and in what form it should be retained. In responding to this question, it is important to consider the communications from the SEC and the PCAOB as well as those that will likely guide independent auditors in their attestation efforts.
There is no format of documentation defined by Sarbanes-Oxley. Nor is the extent of the documentation specified; thus the detail and complexity of the documentation may vary, depending upon the size and structure of the organization.
The documentation may include:
• IT policy and procedures,
• Company wide policies and procedures relevant for IT,
• Process flowcharts,
• Decision tables,
• Completed questionnaires,
• Meeting minutes.
For most organizations, documentation should, at a minimum, demonstrate that each process is defined and how it is used, including the following:
• Company level
o Statement of control and the approach to confirming its existence and continued effectiveness over time
• Activity level
o Description of the processes and related sub-processes (may be in narrative form; however, it may be more effective to illustrate them as a flowchart)
o Description of the risk associated with the process or sub-process, including an analysis of its impact and probability of occurrence. Consideration should be given to the size and complexity of the process or sub-process and its impact on the organization's financial reporting process.
o Statement of the control objective designed to reduce the risk of the process or sub-process to an acceptable level and a description of its alignment with the COSO framework
o Description of the control activity(ies) designed and performed to satisfy the control objective related to the process or sub-process
o Description of the approach followed to confirm (test) the existence and operational effectiveness of the control activities
o Conclusions reached about the effectiveness of the controls, as a result of testing
Audit reports issued by the external auditor should include the tests of controls, the results of the tests and the auditor's opinion on operating effectiveness to be deemed sufficient for purposes of Sarbanes-Oxley compliance.
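As an added illustration (not code from the paper, nor from any of the frameworks it cites), the following Python script models the activity-level items listed above for a single IT control: a change-control activity, the test approach applied to a sample of production changes, and the conclusion reached. The change records are constructed sample data; the control attributes (a change ticket is linked, approval is by someone other than the implementer, and approval precedes deployment) and the zero-tolerance exception threshold are assumptions chosen for the example, not requirements stated by the Act.

```python
"""Added example: testing one IT change-control activity over a sample.

The control attributes and the exception threshold below are assumptions
for illustration; the change records are constructed, not from any real
system.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class ChangeRecord:
    """One production change drawn into the test sample (constructed data)."""
    change_id: str
    ticket: Optional[str]
    implementer: str
    approver: Optional[str]
    approved_at: Optional[datetime]
    deployed_at: datetime


@dataclass
class TestResult:
    """Outcome of testing one sample item against the control attributes."""
    change_id: str
    exceptions: List[str] = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not self.exceptions


def evaluate_change(rec: ChangeRecord) -> TestResult:
    """Apply the three assumed control attributes to one change record."""
    result = TestResult(rec.change_id)
    if not rec.ticket:
        result.exceptions.append("no change ticket linked")
    if rec.approver is None or rec.approved_at is None:
        result.exceptions.append("no documented approval")
    else:
        # Segregation of duties: the implementer must not approve their own change.
        if rec.approver == rec.implementer:
            result.exceptions.append("approver is the implementer (segregation of duties)")
        # Approval must exist before the change reaches production.
        if rec.approved_at > rec.deployed_at:
            result.exceptions.append("approval recorded after deployment")
    return result


def conclude(results: List[TestResult], tolerable_exception_rate: float = 0.0) -> Dict:
    """Roll the sample results up into the conclusion documented for the control.

    The tolerable exception rate is an assumption; in practice it follows the
    sampling approach agreed with the auditor.
    """
    total = len(results)
    failed = [r for r in results if not r.passed]
    rate = len(failed) / total if total else 0.0
    return {
        "sample_size": total,
        "exceptions": len(failed),
        "exception_rate": rate,
        "operating_effectively": rate <= tolerable_exception_rate,
        "exception_detail": {r.change_id: r.exceptions for r in failed},
    }


# Constructed sample: five changes from a hypothetical ERP release log.
SAMPLE = [
    ChangeRecord("CHG-1001", "TKT-501", "alice", "bob", datetime(2005, 3, 1, 9), datetime(2005, 3, 1, 18)),
    ChangeRecord("CHG-1002", "TKT-502", "carol", "carol", datetime(2005, 3, 2, 10), datetime(2005, 3, 2, 11)),
    ChangeRecord("CHG-1003", None, "dave", "bob", datetime(2005, 3, 3, 8), datetime(2005, 3, 3, 12)),
    ChangeRecord("CHG-1004", "TKT-504", "alice", "erin", datetime(2005, 3, 5, 9), datetime(2005, 3, 4, 20)),
    ChangeRecord("CHG-1005", "TKT-505", "dave", None, None, datetime(2005, 3, 6, 14)),
]


def run_sample(records: List[ChangeRecord] = SAMPLE) -> Dict:
    """Test every record in the sample and return the documented conclusion."""
    return conclude([evaluate_change(r) for r in records])


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Each exception message maps directly to a missing control attribute, so the output doubles as the "conclusions reached" entry: the control is reported as operating effectively only when every sampled change satisfies all attributes (four of the five constructed changes fail here).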
2.3 The Role of Technology
Storage and archival of financial information and related content is central to the mandates of Sarbanes-Oxley Section 404. Management of this content (including supporting documents and internal and external communications) is thus a key component of compliance. With their ability to manage and track the flow of information, enterprise content management technology solutions provide the critical capabilities to help meet the requirements of Sarbanes-Oxley Section 404 compliance.
Compliance with Section 404 requires that organizations document and assess a wide variety of business processes: sales, billing, cash receipts, financial reporting, and purchasing, among others. These processes must be documented and internal control processes tested. Compliance thus requires a means of effectively capturing documents so they can be incorporated into the financial reporting process, and to allow documents to be accessed to highlight potentially material
For some organizations, the new level of regulatory scrutiny under Sarbanes-Oxley may mean developing formalized policies and processes where none existed previously. For other companies, compliance will require the formalization of a set of previously ad hoc practices or agreement on a standard to replace multiple approaches to a problem. For all U.S. public companies, however, it requires that organizations formally document their set of policies and processes and ensure that personnel are aware of their responsibilities, both individually and collectively, in line with their respective roles within the organization. This includes training and any evidence of participation in it. For purposes of Year 1 Sarbanes-Oxley compliance, many companies have chosen to approach the documentation of their internal controls using the desktop productivity tools they have always used, such as spreadsheets, word processing files, and flowcharts. While these tools are functional and familiar to users, the documentation they generate will quickly become unmanageable in the face of the ongoing nature of Sarbanes-Oxley compliance requirements. Solutions based on enterprise content management facilitate the management of the documentation required for Section 404 compliance.
Sarbanes-Oxley Section 404 also requires that organizations identify any processes with weak internal controls. The ability to automate such processes using workflow technology enables an organization to strengthen its internal controls and facilitate the ongoing annual testing of internal processes.
2.4 What Sarbanes-Oxley Means to IT Executives
Understandably, CEOs and CFOs are taking Sarbanes-Oxley very seriously given the potential penalties for non-compliance. There is a tremendous amount of data that they will have to monitor to make sure the financial statements are accurate.
From the point of view of an IT person, it is a given that IT will be relied upon to collect, store and compile this data from all areas of the company and transmit it to the appropriate people.
CIOs must be proactive in getting the attention of their CFOs so that they understand how important IT systems are to data integrity. One way to do this is by demonstrating a detailed understanding of Sarbanes-Oxley and the part IT can play in achieving compliance, without claiming that IT holds all the answers. CIOs can explain the business value of technology changes, but they are also able to review potential IT work in the context of the broader business needs. From a departmental perspective, be prepared for greater audit scrutiny. The financial reporting process depends heavily on internal software systems to generate and transmit the necessary financial data. IT processes, therefore, can be considered an "internal control" that must be audited to ensure compliance with the law and, equally important, that they are secure, comprehensive and repeatable. The benefits of such an audit extend beyond compliance with the law to the overall quality and reliability of the company's systems.
2.5 Sarbanes-Oxley Audits
The Act requires all annual financial reports to include an internal control report. This is designed to show not only that the company's financial data are accurate, but that the company has confidence in them because adequate controls are in place to safeguard financial data. Year-end financial reports must contain an assessment of the effectiveness of the internal controls. The issuer's auditing firm is required to attest to that assessment. The auditing firm does this after reviewing controls, policies, and procedures during a Section 404 audit, conducted along with a traditional financial audit.
2.6 IT Governance and Auditing
The pervasiveness of IT in today’s business environment points to its potentially critical role in regulatory compliance, especially Sarbanes-Oxley. This includes software and hardware, but more importantly the processes that govern their use.
Luckily, there are some good methodologies and guidelines that already exist to help bring your IT processes under control so they are ready to be audited. ISO 9000 is a well known generic management system standard, which means it is concerned with the way an organization goes about its work, and not directly the result of this work. This standard can be applied to any organization, large or small, whatever its product or service in any sector of activity, including business, public administration, or government. If you consider financial reports as internal end products, then ISO standards can be helpful for achieving a high level of quality, but they do not specifically address financial reporting or IT processes. For that, frameworks specially designed for these purposes should be consulted.
2.6.1 Standards important for compliance audit
Based on the experience of the author of this paper, the following standards, frameworks and methodologies are a good starting point for compliance efforts.
• Sarbanes-Oxley Act of 2002
• IT Control Objectives for Sarbanes-Oxley (IT Governance Institute)
• GAAP (Generally Accepted Accounting Principles)
• COSO - a framework for establishing internal controls over financial reporting,
• CobiT - an IT governance framework that can be applied to the entire IT area and its processes in general,
• CMM - Maturity models (such as CMM – Capability Maturity Model) represent a more detailed and granular approach to controlling individual processes within the IT area.
• ITIL – IT Infrastructure Library – a set of best practices for IT Service Management
These standards, frameworks and methodologies should be implemented pursuant to the company size, maturity and processes. Some of the frameworks may be regarded just as a guideline. They should by no means be implemented without respecting the specifics of the company, since this would lead to ineffective bureaucratic processes which will be abandoned or circumvented soon after (or maybe even before) the compliance check.
2.7 Impact of SOX 404 on Czech entities
If a Czech company is a subsidiary of a U.S. based SEC registered company, it is a
experience of the author the implementation process is complex and time consuming. Therefore Czech subsidiaries should now be at least in the process of detailed project planning. By the end of 2005 they should probably be completing the internal control management process, testing it and preparing a process for assessment and for reporting the results to the parent company. It is the decision of the parent company management as to whether the local entity will be included in the process, based on its size and significance within the group. If a Czech entity is significant for the group, the auditors will be involved in the process to express their opinion on the effectiveness of the internal control over the financial reporting.
Although other Czech companies are not affected by SOX 404, watching the developments relating to implementation of SOX 404 may be beneficial.
Methodologies developed in response to SOX 404 bring a systematic approach to the assessment of internal control and many of them are publicly available. It is a very good basis for thinking about the internal control systems of Czech companies.
Companies that do not need to comply with SOX 404 have the option to select only the most practical elements of the internal control assessment methodologies.
2.8 What benefits will SOX 404 bring?
The main objective is to improve investor confidence in financial reporting. It is too early to say whether this objective will be achieved. 2004 is the first year in which the U.S. based SEC registered companies had to comply with SOX 404 and the deadline is extended to 2006 for non-U.S. based companies. In the initial years of implementation the focus will be on documenting the internal control system, identification of the main deficiencies and probably correction of the most significant ones. The real value will come in the long term, as new and corrected internal control elements will be implemented in the day-to-day operations of companies.
Based on practical experience from a SOX implementation project, the author emphasizes a significant risk of SOX 404 projects - they lead to volumes or megabytes of extra documentation about the internal control system and overloading of those personnel who work on the internal control assessment in addition to their normal responsibilities. Improving internal controls is not particularly motivating for most employees. Understanding the benefits for investors and for the company is necessary at the beginning of the implementation project.
Training and motivation programs are crucial for success. Adequate resources must be allocated to the project and internal audit should take a significant part in the work.
As the practical implementation has shown, if the project is focused not only on documentation and compliance with the law but also on improvement of internal controls, it can bring:
• improved understanding of the links between risks, internal control elements and effects on financial reporting,
• standardization of internal controls within the organization,
• an increased awareness of internal control,
• more reliable financial reports for management.
3. SOX and Internal Controls
The new requirements will enhance companies’ internal control over financial reporting by enabling more timely identification and remediation of weaknesses.
Many believe that through the creation of an ongoing management requirement, companies will learn from their evaluation process and remediate identified deficiencies on an ongoing basis, which should result in more reliable financial reporting and greater investor confidence.
Even with these new requirements in place, it is possible that management fraud or errors will occur and not be detected. Internal control over financial reporting is intended to provide reasonable assurance about the reliability of financial reporting.
This is a high level of assurance, but it is not absolute. As the PCAOB standard recognizes, no system of internal control is absolutely safe from human error or from manipulation and collusion. Even effective internal control over financial reporting cannot offer absolute assurance that a company is free of fraud or that misstatements in financial reporting will always be prevented or detected on a timely basis. Investors and other financial statement users should also understand that the reports on internal control over financial reporting issued by management and the independent auditor do not provide any form of assurance on the soundness of a company’s business strategies or its ability to achieve financial goals.
3.1 Roles and Responsibilities – Internal Control over Financial Reporting
• Management: Designs and implements the system of internal control over financial reporting; evaluates the effectiveness of the company’s internal control over financial reporting and provides a public report on that assessment; prepares the financial statements.
• Audit Committee: Has responsibility for oversight of the company’s financial reporting process.
• Independent Auditor: Performs an audit of internal control over financial reporting and issues a report on management’s assessment of internal control over financial reporting and on the effectiveness of internal control over financial reporting; also performs an audit of the company’s financial statements.
3.2 Internal control report
Companies are required to include in their annual reports an internal control report with three elements:
• A statement of management’s responsibilities for establishing and maintaining adequate “internal controls and procedures for financial reporting.”
• An assessment of the effectiveness of the company’s internal controls and procedures for financial reporting based on management’s evaluation as of the end of the most recent fiscal year.
• A statement that the company’s public accounting firm has attested to and reported on management’s assertion of effectiveness.
Uniform language is not required for all companies. Instead, the reports would be tailored to each company’s circumstances. The requirement applies to annual reports for fiscal years ending. The annual reports would have to include the public accounting firm’s attestation report.
The attestation report would require additional work by the company’s auditors, because an internal-control examination is different from a financial-statement audit. Opinions in audit reports do not provide assurance on the effectiveness of the reporting entity’s internal controls. There is some overlap in work, but only in an internal-control examination does the auditor gather sufficient evidence from analysis and testing to evaluate the operating effectiveness of all significant controls in the financial-reporting process.
The requirements are described in detail within Section 302 and 404. Under the Section 302 certification requirement, management must evaluate a U.S. company’s disclosure controls and procedures quarterly and a non-U.S. company’s annually. The rules require those evaluations to cover the company’s internal controls and procedures for financial reporting and amend the currently required certification on controls by the principal executive and financial officers. Thus, under these requirements, management has to evaluate the effectiveness of the design and operation of the company’s internal controls and procedures for financial reporting and its disclosure controls and procedures. The required evaluations for the certifications would be amended to apply to both definitions of controls. The evaluations would focus on the effectiveness of the design and operation of the controls and procedures as of the end of the period covered by the quarterly or annual report (in place of being carried out within the 90-day period prior to the filing date of the report). The certification requirement would be modified in two other ways. One would clarify that the certifying officers caused the controls and procedures to be designed under their supervision, and the other would clarify that “material weaknesses” as well as “significant deficiencies” should be disclosed to both the audit committee and independent auditors.
3.3 Audit Committee Expertise
Companies have to disclose in annual reports whether they have audit-committee members considered by the board of directors to be “financial experts,” their names, whether they are independent, and why they are not independent if that is the case. Companies without any “financial experts” on their audit committees have to explain why. The Sarbanes-Oxley Act implies that at least one financial expert should be on each registrant’s audit committee. A financial expert would be defined to include all the following qualifications, acquired through education and experience as a public-company auditor, controller, principal financial or accounting officer, or equivalent.
• An understanding of GAAP, the financial statements of SEC registrants, and audit committee functions;
• Experience in preparing or auditing the financial statements of a comparable company, including experience in accounting for estimates, accruals, and reserves generally comparable to those used in the company’s financial statements; and
• Experience with internal controls and procedures for financial reporting.
Each board of directors is responsible to decide whether its audit committee has one or more financial experts. It should not be assumed that designation as a financial expert would impose a higher degree of responsibility on an individual, or that the financial-expert designation is intended to reduce the obligations of other audit-committee members or the board of directors. These are behavioral and legal issues, to be determined in the end by how audit-committee members perform under the new requirements and how the litigation environment responds to new conditions. These and other issues could affect the willingness of qualified financial experts to serve on audit committees, which in turn could affect a company’s ability to comply with the requirements. For example, the requirement for accounting experience with comparable companies might be more difficult to apply if fewer financial-expert candidates are available. Changes in accounting requirements could affect whether knowledge and experience acquired in prior years are currently applicable to an otherwise comparable company. Comparable experience levels for service on the audit committees of foreign private issuers might be harder to obtain than for service on the audit committees of U.S. companies. The individuals would have to be experienced with the national or IAS GAAP of the primary financial statements and with reconciliations to U.S. GAAP.
One of the most visible changes that investors will notice is the new reports by management and the independent auditor on a company’s internal control over financial reporting.
3.4 Effective Internal Control over Financial Reporting
Internal control over financial reporting is a process designed and maintained by a company’s management to provide reasonable assurance about the reliability of financial reporting. Effective internal control over financial reporting is vital to the proper recording of transactions and the preparation of reliable financial reports. An effective internal control process is comprehensive and involves people at all levels throughout a company, including those who keep accounting records, prepare and disseminate policies, and monitor systems, as well as people in a variety of operating roles. In addition, the process is influenced by a company’s board of directors and its audit committee, which has responsibility for oversight of the financial reporting process. Under Section 404, a company’s management must assess the effectiveness of internal control over financial reporting as of the company’s fiscal year-end. The independent auditor will then report on management’s assessment, and on the effectiveness of the company’s internal control over financial reporting.
3.4.1 The New Reports
Section 404 institutes a new reporting model that will require management’s assessment of internal control over financial reporting and the related auditor’s report on internal control over financial reporting to be included in a company’s annual report filed with the SEC. The SEC strongly encourages registrants to include the internal control reports in annual reports to shareholders as well, and has indicated that there will be rulemaking in this area. The new reports that investors will see are the following:
• Management’s report. Management will state its responsibility for maintaining adequate internal control over financial reporting and give its assessment of whether or not internal control over financial reporting is effective. According to the rules, management cannot state that internal control over financial reporting is effective if even one material weakness exists at year-end.
• Auditor’s report. The independent auditor will evaluate and report on the fairness of management’s assessment. The auditor also will perform an independent audit of internal control over financial reporting and will issue an opinion on whether internal control is operating effectively as of the assessment date (i.e., the company’s fiscal year-end). If one or more material weaknesses exist at the company’s fiscal year-end, the auditor cannot conclude that internal control over financial reporting is effective.
As in the past, the independent auditor will also issue an opinion on whether the company’s published financial statements are presented fairly in all material respects in accordance with generally accepted accounting principles (GAAP). This report may be combined with the auditor’s report on internal control over financial reporting, or it may be presented separately.
What Management’s Report Will Include
Under the SEC rules, management’s report on internal control over financial reporting should include the following information:
• Statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting.
• Statement identifying the framework used by management to evaluate the effectiveness of internal control over financial reporting.
• Management’s assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year, including an explicit statement as to whether that control is effective and disclosing any material weakness identified by management in that control.
• Statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s internal control assessment.
The Independent Auditor’s Opinion
The content of the auditor’s report is prescribed by the PCAOB standard, and there are many nuances to the auditor’s reporting. The most common opinions on the effectiveness of internal control over financial reporting will be:
• Unqualified Opinion - An opinion that internal control over financial reporting is effective: no material weaknesses in internal control over financial reporting exist as of the fiscal year-end assessment date.
• Adverse Opinion - An opinion that internal control over financial reporting is not effective: one or more material weaknesses exist as of the fiscal year-end assessment date.
• Disclaimer of Opinion - A report stating that restrictions on the scope of the auditor’s work prevent the auditor from expressing an opinion on the company’s internal control over financial reporting.
3.5 Control Deficiencies and What They Mean
When an internal control deficiency is identified, management and the independent auditor will evaluate its significance and determine whether it constitutes a control deficiency, a significant deficiency, or a material weakness. Deficiencies that are less serious than a material weakness (i.e., control deficiencies and significant deficiencies) are required to be disclosed to the audit committee and/or management, and management and the independent auditor must evaluate less serious weaknesses to determine whether, when taken together, they result in a material weakness. All identified material weaknesses that exist at the company’s fiscal year-end must be disclosed in the public reports issued by management and the auditor. Although not required by Section 404, some companies may also choose to disclose significant deficiencies. If one or more material weaknesses exist at the company’s fiscal year-end, management and the auditor must conclude that internal control over financial reporting is not effective.
The PCAOB has defined a material weakness as a “significant control deficiency, or combination of deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.” A material weakness does not mean that a material misstatement has occurred or will occur, but that it could occur.
Although the law and rules require that management disclose material weaknesses, they provide no specific guidance about the content of those disclosures. However, both the SEC chief accountant and the PCAOB chairman have stated publicly that they expect management’s report to disclose the nature of any material weakness, in sufficient detail to enable investors and other financial statement users to understand the weakness and evaluate the circumstances underlying it. The PCAOB standard also requires that the independent auditor’s report provide specific information about the nature of any material weakness and the actual and potential effect on the company’s financial statements. Investors and other financial statement users should evaluate each material weakness to understand the nature, cause, and potential implications of the weakness.
SEC Chief Accountant Donald T. Nicolaisen has publicly commented that preliminary reactions from investor groups indicate that not all material weaknesses will be viewed as equally significant:
“Some material weaknesses may have a greater or lesser impact on an investor’s decision-making process. In many cases, this decision will likely be influenced by the fullness of management’s disclosure, the underlying causes of the material weakness, and management’s actions to address the material weakness. This is intended to be an open process whereby investors can evaluate both the weakness as well as management’s actions to improve controls.”
4. The Role of Internal Auditing in Sections 302 and 404 of the SOX
As companies have begun the process of implementing compliance with the reporting requirements of Sections 302 and 404 of the U.S. Sarbanes-Oxley Act of 2002 (Act), internal auditors have been confronted with a range of questions and issues related to their role and involvement in these initiatives. Section 404 of
procedures and controls for making their required assertion about the adequacy of internal controls over financial reporting, as well as the required attestation by an external auditor of management's assertion. Section 302 requires management's quarterly certification of not only financial reporting controls, but also disclosure controls and procedures.
It is management’s responsibility to ensure the organization is in compliance with the requirements of Sections 302 and 404 and other requirements of the Act, and this responsibility cannot be delegated or abdicated. Support for management in the discharge of these responsibilities is a legitimate role for internal auditors. The internal auditors’ role in their organization's Sarbanes-Oxley project can be significant, but it must also be compatible with the overall mission and charter of the internal audit function. Regardless of the level and type of involvement selected, it should not impair the objectivity and capabilities of the internal audit function for covering the major risk areas of their organization. Internal auditors are frequently pressured to be extensively involved in the full compendium of Sarbanes-Oxley project efforts, as the work is within the natural domain of expertise of internal auditing.
The Institute of Internal Auditors (IIA) definition of internal auditing is: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) specifies that the chief audit executive (CAE) establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals. Internal auditors should consider Sarbanes-Oxley noncompliance as a risk to the organization, along with all other risks, in their risk assessment process for determining internal audit plans and the focus of their efforts. This audit risk assessment should also be reevaluated each year, and audit's assessment results should be disclosed to and discussed with the audit committee.
The CAE should ensure that the audit committee is kept up to date on the role and activities of internal audit in the company's efforts to comply with Section 404.
Instances where independence or objectivity will be impaired by the role that the internal audit activity assumes should be discussed with the audit committee prior to assuming this role. In addition, the implications, as well as any impact on both current and future audit plans because of devoting resources to assisting in Section 404 compliance efforts, should be discussed with the audit committee. Where the internal audit activity’s objectivity is impaired, the CAE and the board should consider how this impairment affects the ability to perform future internal audit engagements. An organization with an established internal audit function operating in full compliance with the definition of internal auditing and its accompanying standards is already well equipped to meet the challenge of good governance and transparency of internal control effectiveness and efficiency. This delicate but essential balance between management’s responsibility regarding internal control monitoring and disclosure and the internal audit mission and its efforts has been maintained successfully for many years in industries and countries worldwide where similar regulations have been in place for some time. Sarbanes-Oxley promotes risk management and governance processes within an organization over which, according to the Standards, internal audit should be in a position to provide assurance and consulting without impairing objectivity and independence.
Management is responsible for developing the processes needed to ensure the company is in compliance with Sarbanes-Oxley. Internal audit’s role should ideally be one of support through consulting and assurance.
5. Conclusion and Summary
The Public Company Accounting Reform and Investor Protection Act of 2002, also known as the Sarbanes-Oxley Act (SOX) after the names of its founders, is a U.S. legislative countermeasure enacted in reaction to the fraudulent behaviour of some U.S. companies where accounting frauds were disclosed. In order to renew investors’ confidence, this law was put in place defining strict requirements on internal controls and audit. Since IT creates the technical baseline for accounting tools, it is also impacted (mainly by Section 404). Therefore companies to which this law applies (U.S. publicly listed companies and their worldwide subsidiaries) must make some effort to be ready for the compliance scan. This paper briefly described the key mission of the Act and pointed out IT-relevant sections.
Furthermore the impact of SOX on the system of internal controls was described.
The author of this paper tried to highlight the main issues of the implementation in the chapter Challenges of Sarbanes-Oxley Compliance. This was based both on the literature and on the author’s own practical experience.
Although SOX is relevant to a relatively small number of companies in the Czech Republic nowadays, it should not be overlooked, since its impact in the business and investment area may be higher in the near future.
• The Committee of Sponsoring Organizations of the Treadway Committee (COSO) – http://www.coso.org/
• The Information Systems Audit and Control Association & Foundation (ISACA) – http://www.isaca.org
• IT Governance Portal – http://www.itgovernance.org/
• Sarbanes-Oxley Information Center – http://www.sarbanes-oxley.com
• U.S. Securities and Exchange Commission – http://www.sec.gov
• Public Company Accounting Oversight Board – http://www.pcaobus.org
• Information portal about internal controls and SOX – http://www.s-
• The Institute of Internal Auditors – http://www.theiia.org
• Protiviti – http://protiviti.com
• Deloitte & Touche LLP – http://www.deloitte.com
• Ernst & Young LLP – http://www.ey.com
• KPMG LLP – http://www.kpmg.com
• PricewaterhouseCoopers LLP – http://www.pwc.com
• The Vendor-Neutral Sarbanes-Oxley Site – http://www.sox-online.com
• An Act To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes – U.S. law known as Sarbanes-Oxley Act of 2002
• CobiT 3rd Edition Management Guidelines, IT Governance Institute
• CobiT 3rd Edition Control Objectives, IT Governance Institute
• CobiT 3rd Edition Audit Guidelines, IT Governance Institute