The Sarbanes-Oxley Act, or SOX, is a US law which was passed in 2002. It was passed in the wake of a myriad of corporate scandals that broke as a result of skewed reporting of selected financial transactions. It was the US Government's response to companies such as Enron, WorldCom and Tyco, which covered up and misrepresented a variety of questionable transactions, resulting in huge losses to stakeholders and a crisis in investor confidence. The Act aims to strengthen corporate governance and restore investor confidence. The Act was sponsored by US Senator Paul Sarbanes and US Representative Michael Oxley.
SOX requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law. It contains eleven Titles in all, given below:
Title I – Public Company Accounting Oversight Board (PCAOB)
Title II – Auditor Independence
Title III – Corporate Responsibility
Title IV – Enhanced Financial Disclosures
Title V – Analyst Conflicts of Interest
Title VI – Commission Resources and Authority
Title VII – Studies and Reports
Title VIII – Corporate and Criminal Fraud Accountability
Title IX – White Collar Crime Penalty
Title X – Corporate Tax Returns
Title XI – Corporate Fraud and Accountability
This law is primarily applicable to those accounting firms that are auditors of companies listed in the US market. Firms which play a substantial part in such audits and provide material services could also be covered by the law by virtue of Section 106.

Objectives of Control Requirements in SOX:
The Sarbanes-Oxley Act, or SOX, brings out the following areas to be addressed:
1. Improvement of corporate governance and promotion of ethical business practices, thereby restoring and maintaining public interest, trust and confidence in the public securities market;
2. Enhancing transparency and completeness of financial statements and related disclosures, and holding the company’s management responsible for material information filed with the SEC and released to investors;
3. Establishment of new independence standards for external auditors;
4. Establishment of the PCAOB to oversee public accounting firms and issue auditing standards.

SOX Section 404 – What it’s all about:
Of all the requirements of SOX, Section 404 is the most important and most talked-about section. Issuers are required to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting. This statement shall also include an assessment of the effectiveness of such internal controls and procedures. The accounting firm registered with the PCAOB shall, in the same report, attest to and report on the assessment of the effectiveness of the internal control structure and procedures for financial reporting.
Section 404 of SOX required the SEC to develop and publish rules for a management assessment of internal control over financial reporting. Those rules were completed in June 2003, and the PCAOB followed with its Auditing Standard 2 – An Audit of Internal Control Over Financial Reporting, which was approved by the SEC in June 2004. The various requirements are summarized below:
1. The company’s management has to assert annually that it is its responsibility to establish and maintain an adequate internal control structure and procedures in relation to financial reporting;
2. The company’s management also has to conduct annually an assessment of the effectiveness of the company’s internal control structure and procedures over financial reporting;
3. Section 404 also requires the independent external auditor to attest to the company’s management assertions regarding the internal control structure and procedures over financial reporting in the form of a report. Such attestation is required to be made under some framework for enterprise risk management, such as the COSO (Committee of Sponsoring Organisations) framework;
4. Further, the independent external auditor has to carry out an evaluation of whether the company’s internal control structure and procedures:
   a. include records that are accurately and fairly maintained so as to reflect the transactions and the dispositions of the assets of the company;
   b. provide reasonable assurance that all receipts and expenditure are under proper authorization of management and/or directors; and
   c. provide reasonable assurance that transactions are recorded in such a manner that will permit the preparation of financial statements in accordance with the applicable laws and GAAP.

Implementing Section 404:
The process used by the management of public companies to assess the effectiveness of internal control over financial reporting, as required by Section 404 of SOX, can be divided into the following four stages:
1. Planning Stage;
2. Test of Design (ToD) Stage;
3. Test of Effectiveness (ToE) Stage;
4. Continuous Monitoring Stage.
Each of these stages is discussed in the following paragraphs.

Planning Stage:
The management needs to focus on the following activities:
1. First of all, the management should identify the framework within which the evaluation activities are to be carried out. For example, the company’s management may follow the COSO framework on internal control;
2. Secondly, there is a need to identify significant accounts and disclosures. It should be noted that an account is significant if there is more than a remote likelihood that the account could contain misstatements that individually, or when aggregated with others, could be material. Accounts may also be significant based on qualitative factors, such as susceptibility to loss due to errors or fraud, complexity of transactions, etc.;
3. The relevant financial statement assertion(s) and the significant accounting processes also need to be identified, because these might have a material impact on whether an account or disclosure is fairly stated.

Test of Design Stage:
This stage involves the documentation of processes and control activities that will enable the management to:
1. understand the flow of transactions within the process;
2. identify phases within the process where a misstatement could arise;
3. identify controls that have been implemented to address potential misstatements;
4. identify controls that have been implemented over the prevention or timely detection of unauthorized acquisition, use or disposition of assets.
The documented procedures can be used in performing a walkthrough of a transaction from its authorization to its inclusion in the financial statements. The ToD exercise will enable the company’s management to answer the question: “Would the controls, if complied with, prevent or quickly detect errors and/or frauds that could result in material misstatement of the financial statements?”

Test of Effectiveness Stage:
This stage is concerned with testing the operating effectiveness of internal controls. When testing the operating effectiveness of controls, determinations need to be made as to whether the control is operating as designed, and whether the person performing the control function possesses the necessary authority and qualifications. Management’s assessment of operating effectiveness begins with identifying which controls to test. Although it is not necessary to test all controls, it is important to select controls that cover all relevant assertions related to all significant accounts and disclosures. It is also important to test both preventive controls (e.g. use of checklists, proper authorizations, segregation of duties, etc.) and detective controls (e.g. preparation of reconciliation statements, exception reports, taking periodic inventories, etc.).

Continuous Monitoring Stage:
This stage essentially involves the controlling of all the previous stages. That is, there should be an ongoing monitoring exercise involving updating documentation previously prepared, conducting ongoing tests of operating effectiveness, conducting separate evaluations as deemed appropriate, determining internal audit interaction and, last but not least, correcting control deficiencies.
We have noted above that auditors must evaluate the documentation of internal controls over financial reporting. Inadequate documentation of the design of controls over relevant assertions related to significant accounts and disclosures would be a deficiency in the company’s internal control over financial reporting. Thus, it can very well be concluded that the auditor should not assist in preparing the company’s documentation.

Auditor’s Attestation:
Auditing Standard 2 of the PCAOB describes an integrated audit of the financial statements and internal control over financial reporting, resulting in two separate objectives:
1. To express an opinion on whether the financial statements are fairly stated;
2. To express an opinion on management’s assessment of the effectiveness of the company’s internal control over financial reporting.
The auditor’s conclusion about management’s assessment will be related directly to whether the auditor can agree with management that internal control is effective, and not just to the adequacy of management’s process for determining whether internal control is effective. In the event of a material weakness, the auditor could express an unqualified opinion on management’s assessment, so long as management properly identified the material weakness and concluded in their assessment that internal control was not effective. If the auditor concludes a material weakness exists but management does not and makes the conclusion in its assessment that internal control is effective, the auditor would give an adverse opinion on management’s assessment. Prior to the issuance of the report, the auditor should communicate, in writing, directly to management and the audit committee any significant deficiency or material weakness that has been identified by the auditor and has not previously been communicated to management and the audit committee, in writing, by the auditor, the internal auditor or others within the entity.

Conclusion:
planning and documenting internal controls to their assessment and communication, it may, at the same time, be appreciated that Indian Chartered Accountants can take up this work with all proficiency because of their training and their familiarity with ICAI’s various guidelines and auditing standards, such as AAS-3 on Documentation, AAS-6 on Risk Assessment and Internal Controls, AAS-8 on Audit Planning, AAS-13 on Audit Materiality, AAS-29 – Auditing in a Computer Information System Environment and so on. This way Indian accounting firm(s) can play a substantial part in such audits and provide material services pertaining to Section 404 audit exercises.
The author is a member of the Institute and the views expressed herein are his personal views and do not necessarily represent the views of the Regional Council.