Sarbanes Oxley Act: Examining the internal controls


In answer to the corporate frauds, the U.S. Congress passed the Sarbanes-Oxley Act of 2002 as a strong deterrent to such unethical behaviour in the future. Highly publicised and quickly passed, the act has many requirements that affect AISs. One section, for example, prohibits corporations from making personal loans to directors (executives), a requirement that outlaws the previous practice of transferring funds to officers who never paid them back. Another section requires the chief executive officers (CEOs) of companies to personally vouch for the accuracy and completeness of their financial statements. A third section requires public companies to hire independent auditors to review their internal controls and determine compliance with other financial regulations. Section 404 requires management to implement and assess internal controls, and the independent auditors then have to evaluate management's assessment. This section of the law has created the most work for accountants and information systems auditors.

The Sarbanes-Oxley Act helped to restore investor confidence in the securities markets following the accounting scandals at companies like Adelphia, Global Crossing, Enron, WorldCom and others. The Sarbanes-Oxley Act created a new regulator for the auditing profession, the Public Company Accounting Oversight Board ("PCAOB"), enhanced corporate responsibility and financial disclosures, provided more stringent standards for auditor independence, and significantly increased criminal fines for various types of fraud and white-collar crime. The Sarbanes-Oxley Act led to numerous additional requirements for public companies, including executive certifications of financial statements, accelerated reporting requirements, and management reports and auditor attestation on internal controls over financial reporting, among many others.

Compliance with two provisions in the Sarbanes-Oxley Act of 2002 will partly depend on the effectiveness of internal controls within a public company:

Section 302: This section provides that the principal executive officers and principal financial officers (usually the CEO and CFO) of a public company are responsible for the internal controls that provide the material information used in constructing financial reports. The officers are also responsible for evaluating the effectiveness of their internal controls and for reporting to the company's audit committee and internal auditors (1) any significant weaknesses in controls that can adversely affect the ability to produce accurate financial statements, and (2) any fraudulent act by an employee who is significantly involved in the implementation of internal controls.

This responsibility may have been assumed to belong to department heads and line managers prior to the Sarbanes-Oxley Act of 2002, but it is now a shared responsibility belonging to the CEO and CFO.

Financial reports issued by a public company must include a signed statement by the principal officers characterising the results of the internal controls evaluation and attesting to the accuracy of the financial reports. The principal officers must also report if internal controls were significantly changed after an evaluation, including any effort to correct significant weaknesses.

Section 404: This section repeats one of the themes shown in Section 302, requiring an assessment of the effectiveness of internal controls over financial reporting. In addition, this section provides that the public accounting firm auditing a public company's financial statements is also responsible for auditing the quality of the internal controls assessment made by the principal officers. The main question is whether the assessment by the principal officers is credible. The public accounting firm should include a statement in the public company's financial report attesting to the quality of the internal controls assessment, similar to the way the public accounting firm attests to the quality of the financial reports.

Sections 302 and 404 account for a critical part of the Sarbanes-Oxley Act of 2002; if they are not respected, the principal officers of a public company can be fined, imprisoned, or removed from their leadership positions (as a result of an SEC enforcement order). Clearly, the principal officers of a public company assume a huge personal stake in ensuring that the Sarbanes-Oxley Act of 2002 is observed.

The requirement placed upon CEOs and CFOs to certify the quality of internal control over financial reporting is a logical extension of the desire to ensure that financial disclosures are fair and accurate. The required certification forces a CEO and CFO to get actively involved in quality assurance and to assume personal responsibility for quality assurance problems (e.g., those resulting in the need for a public company to restate a financial disclosure).

To appreciate the monumental nature of this certification task, one only needs to contemplate three general ways in which quality problems can be introduced:

Accounting staff making poor decisions, resulting in transactions being recorded that are not in conformity with generally accepted accounting principles and introducing a material problem in the financial disclosure.

Accounting systems being poorly designed, so that they fail to collect data properly and produce financial reports that are not an accurate representation of the financial condition of the public company.

Security breaches that compromise the integrity of the information stored in accounting systems.

So, before attesting that internal control is effective, the CEO and CFO should ask three basic questions:

How do I know that the accounting staff is making the right decisions?

How do I know that the accounting systems are correctly designed?

How do I know that critical accounting information has not been corrupted?

These are not easy questions to answer, and the difficulty is only increased by several factors:

The requirement that a public accounting firm render an opinion on whether the principal officers have a reasonable basis to conclude that internal control over financial reporting is effective.

The requirement that the Securities and Exchange Commission sets broad direction on what constitutes "internal control" and what is expected from a principal officer before concluding that internal control over financial reporting is effective.

The requirement that the Public Company Accounting Oversight Board sets guidelines on how audit opinions are to be rendered and how public accounting firms should audit the effectiveness of internal controls.

A suitable internal control framework will consist of a well-defined structure and associated processes for keeping under control anything that can affect the quality of financial disclosures. Although the Securities and Exchange Commission did not endorse a specific control framework as a standard, the 1992 four-volume report entitled Internal Control - An Integrated Framework by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is identified as an example of a suitable control framework.

Whatever framework is selected, auditors from a registered public accounting firm will be required to validate the reasonableness of any conclusions reached by the principal officers about the effectiveness of the internal controls.

The COSO report defines "internal control" as a business process designed to provide reasonable assurance that the company: (a) is operating efficiently and effectively; (b) is producing reliable financial reports; and (c) is complying with applicable laws and regulations. The COSO assurance methodology consists of five assurance components:

Institutionalising the concept of a control environment: usually characterised by the development of a culture within a company where employees value keeping activities under control by following documented procedures that are proven to be effective.

Conducting risk assessments: to identify and analyse events that can occur that will interfere with the ability to meet objectives.

Implementing control activities: the policies and procedures designed to carry out management directives. Control activities are used to mitigate the risk that desired objectives may not be achieved.

Information and communication: procedures designed to facilitate collecting and disseminating information in a manner that permits business entities to conduct business effectively.

Monitoring: the process of evaluating and monitoring the system of internal controls over a period of time to ensure that the controls remain effective.

Expressing a warm and fuzzy feeling that an internal control system is effective will not be enough. As a result of the PCAOB embracing the Attestation Standards of the American Institute of Certified Public Accountants Auditing Standards Board, public companies can expect a more rigorous internal control audit. A typical audit will involve:

Reviewing the design of controls (technical, procedural, administrative).

Reviewing documented procedures.

Evaluating detailed records/evidence to confirm that procedures are being followed.

Selectively testing procedures to confirm that they are effective.

The audit will include analysing how well the control framework is integrated into the company's operations. Is there adequate awareness of the control framework? Is there a structure in place to ensure that the framework is respected? Is the control framework methodology adequately documented? Are control procedures adequately documented? Are records retained to illustrate that procedures are being followed? Are procedures in place to document significant weaknesses in controls, and are documented remediation plans prepared to address any significant weaknesses? The bar has been raised. It will not be enough to "believe that financial reporting is under control"; this belief has to be supported with evidence of control.

It is interesting to note that a public company could compose fair and accurate financial disclosures and still fail to "prove" that it has effective internal controls, especially where there is no formal control framework in effect. The public accounting firm auditing the public company's financial statements can attest to the quality of the particular statements being examined, but that attestation does not show that the controls satisfy quality assurance tests.

For many companies, the effort to put in place a formal control framework will be substantial, which led Scott Taub, Deputy Chief Accountant at the SEC, to offer the following advice in a speech given to the University of Southern California Leventhal School of Accounting on May 29, 2003:

"Having described the reasons for the time extension on these rules, I want to offer some advice to public companies. If you have not yet started to prepare for the internal control evaluation, begin working on it immediately. The need to document the existing internal controls, consider whether other controls should be added, and design and perform tests of controls, indicates that a lot of time is necessary in order for management to be in a position to conclude as to the effectiveness of the company's internal controls over financial reporting."

SOX impact on firms operating in the City of London

Adrian Giles, senior partner of UK-based business venture specialists Venesis, examines how the Sarbanes-Oxley legislation will affect companies in the UK:

"Regulatory compliance has always been an important part of the cost of running a business. Most market sectors, from healthcare and financial services to industrial manufacturing, are all subject to compliance and regulation by legislation and statute laws that impose demands on how they should conduct business and clearly state the penalties for non-compliance.

However, against a whole wave of financial scandals driven by fraudulent accounting practices that involved major US corporations such as Worldcom, Enron and Tyco, the US Senate and House of Representatives passed the Sarbanes-Oxley Act on 30th July 2002 to restore investor confidence and underwrite the integrity of financial information. One of the key sections is Section 404, which, although only 169 words in length, lays out the requirement for the management of a US public company to report annually on the operational effectiveness of the company's internal controls over financial reporting. Additionally, the company's auditors must attest to and report on the management's assertion over the effectiveness of internal financial controls. Consequently, the legislation has the potential to have a profound impact on the governance and behaviour of any business with a US listing, including 470 non-US companies."

The Sarbanes-Oxley Act places responsibility and accountability for tracking the information on all day-to-day activities that have an impact upon financial performance very clearly on the shoulders of the management teams of businesses, with teeth that bite: the CEO and CFO can be fined up to £3-£4 million, go to prison for up to 20 years, or both.

Compliance with Section 404 demands that businesses document and attest to the operational effectiveness of a wide range of processes that have an impact upon the accuracy of their annual financial performance and reporting. These include traditional financial processes such as accounts payable and receivable, but also cover those that have an indirect financial impact, which for banking and financial institutions include the processes around the movement of funds and customer funds, such as DD, cheque clearing and the procedures for opening or closing accounts.

Even when using accepted standard frameworks such as COSO, developed by the Committee of Sponsoring Organisations of the Treadway Commission in America, the complexity and rigour required to prepare a business for compliance with Sarbanes-Oxley is very high. The process is turning out to be far more difficult, time consuming and expensive than originally forecast or budgeted for. The average cost of compliance with Section 404 for the first year of compliance alone, for a major business in the UK, is estimated to be between £10-20 million and to consume approximately 20 FTE-years of internal time.

In spite of these huge costs, there are predictions that between 10%-20% of companies will fail to fully comply in the first year and will have to report that they have material weaknesses in their financial reporting processes. However, because all the Sarbanes-Oxley provisions are subject to further clarification by the SEC, there is an expectation that auditors will be less critical in their findings.


In conclusion, this paper introduced the Sarbanes-Oxley Act of 2002 and showed the role of system monitoring in aiding public companies to comply with the Sarbanes-Oxley Act of 2002. My paper proposes that the importance of system monitoring could be elevated due to the condition that principal executive officers (CEOs and CFOs) certify the speed and effectiveness of internal control over financial reporting. Achieving internal control will involve various control activities to make sure that accounting information is delivered effectively to produce accurate financial disclosures. The paper discussed activities that can cause accounting information to be compromised, thereby jeopardising the ability of principal officers to meet regulatory requirements.

System monitoring is presented as a means of recognising certain kinds of subversive activities, minimising the risk that compromised accounting information will go unspotted and reducing the threat that financial disclosures will be erroneous.