Sarbanes-Oxley - News and Articles

Emerging Trends in Compliance

March 2007 from IT Compliance Institute – In this article, the author discusses emerging trends, which include:

“The first several years of SOX involved a mad dash to get needed IT controls in place to ensure compliance. Firms typically first instituted manual controls, and have been steadily replacing those controls with automated ones, to create more easily repeatable, demonstrable, and cost-effective compliance.

Unfortunately, many of these controls are actually ineffective, claims Forrester Research analyst Michael Rasmussen in a recent report. The problem: “In a rush to avoid being fitted for orange jumpsuits, firms don’t devote nearly enough consideration to the adequacy of the controls that compliance teams are implementing.” Rather, many companies rely on one-size-fits-all checklists of controls—“because firms all want a ‘get out of jail free’ card that assures their executives that if they do these three things in order, litigators and regulators will leave their companies alone.”

As a result, he says, “many compliance teams have implemented controls that may not make sense for their businesses.” Thus controls are either overblown, which siphons off valuable IT time and resources; or more often insufficient, which leaves organizations vulnerable to attack, as well as potentially noncompliant with regulations. Hence as regulations mature, expect auditors to take a much closer look at whether in-place controls actually do the job...”

“Increased security spending will also be needed to comply with the Payment Card Industry Data Security Standard (PCI DSS) version 1.1, which was released in September 2006. The PCI DSS is a security standard that was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help mitigate emerging payment security risks, while facilitating the broad adoption of payment account data security. Simply put, PCI specifies minimum policies, procedures, data security, network architecture, and more for any merchant handling credit card data. Unlike SOX, which many deride as being so vague that many auditors aren’t even sure what it requires, experts say PCI is a model of clarity, clearly spelling out what companies must do…”

180 View – Hopefully it’s not as bad as Forrester claims. No doubt SOX has been expensive and in the end it’s unlikely that the benefits exceed the costs. However, it’s another matter if the new SOX controls have been both ineffective and inefficient. We see a parallel in replacing ERP systems as a result of Y2K. The implementations were often done in a rush without consideration of optimizing business processes at the same time, which is what ERP should be all about. In the same way, organizations rushed into compliance without concern for efficiency and effectiveness. Expect a second wave of compliance to include business process improvement.

Shedding Light on Internal Control Requirements

February 2007 from Crowe Chizek – “Near the end of 2006, the U.S. Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) took steps towards making significant changes in how the internal control provisions of the Sarbanes-Oxley Act of 2002 (SOX) are applied…”

180 View - The article discusses the history, problems, and potential changes to SOX. The PCAOB had invited comments on the proposed changes and the deadline for response has just passed. We could not find much yet about the responses except for the following:

February 27, 2007 from webCPA – “A flurry of e-mails and letters arrived just under the deadline for the Public Company Accounting Oversight Board’s 70-day comment period regarding proposed changes to the audit standard on internal controls over financial reporting.

Just before Christmas, the five-member board unanimously voted to circulate a proposal that would trim the amount of testing required for auditors to evaluate internal controls over the financial reporting process.

Through the weekend, the board had received 55 comment letters, and that total nearly doubled before the close of business Monday. By the day’s end, a total of 97 pieces of correspondence had been posted to the PCAOB’s Web site. The majority of the nearly 700 pages of comments were highly detailed in citing the specifics of what a number of organizations and individuals supported in the board’s proposal, as well as possible improvements that could be made to the guidance.

Broadly speaking, many of the comments fell into two camps, similar to the views expressed during a recent meeting of the board’s Standing Advisory Group, and, for that matter, in the four years since passage of the Sarbanes-Oxley Act. Investor advocates worry that more leeway in the controls could lead to lax audits, while business concerns -- such as the U.S. Chamber of Commerce -- worry that still not enough has been done to tailor the original guidance to make it manageable, and cost efficient, for smaller companies...”

CEO challenge

January-February 2007 from CAmagazine – “Since 2004, three waves of CEO and CFO certification have washed over corporate Canada, and there are more to come. All are aimed at restoring investor confidence in financial reporting and related controls by improving accountability and transparency — terms seldom heard during the ’90s, a time of heady growth, but which, since 2001, have resurfaced as key business, governance and disclosure principles.

Certification was introduced to Canada in 2004 when the Canadian Securities Administrators (CSA) required the CEO and CFO of a reporting issuer to certify the financial information in quarterly and annual filings. In 2005, that was expanded to include certification about disclosure controls and procedures. Last year, the third wave arrived. It requires certifying officers of TSX and TSX-V issuers to file the full annual certificate for financial years ending on or after June 30, 2006 — which, for many reporting issuers, means the calendar year ended December 31, 2006.

The full annual certificate in CSA Multilateral Instrument 52-109 expands the certification to require CEOs and CFOs to state they have “designed such internal control over financial reporting, or caused it to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer’s GAAP.”

In addition, they are required to certify that the annual Management’s Discussion and Analysis (MD&A) discloses any changes in internal control over financial reporting (ICFR) that occurred in the latest interim reporting period that have materially affected, or could materially affect, the ICFR.

This third wave of certification applies only to the design of ICFR, not its operating effectiveness. That will be introduced in a fourth wave of certification, yet to come…"

The September 2006 CICA publication Internal Control 2006: The Next Wave of Certification provides a straightforward, business-focused, top-down and risk-based approach for CEOs and CFOs to follow in assessing and certifying the design of ICFR. This approach will also help companies prepare for the future evaluation of the effectiveness of ICFR.

180 View – Note that requirements kick in “for financial years ending on or after June 30, 2006”. Also note that the certification is limited to design and not operating effectiveness, which means that the most onerous work required in the US under Sarbanes-Oxley is not required in Canada – at least not yet. But because of the backlash by public companies related to the cost of Sarbanes-Oxley compliance, the U.S. may water down their compliance requirements to be similar to Canada.

The article later goes on to say “The Next Wave of Certification provides a straightforward, business-focused, top-down and risk-based approach.” Straightforward sounds great in principle, but it’s not clear what is meant by it. Risk-based leads to efficiency in that there is no point in spending time unnecessarily if risks are minimal. Business focus means “companies should view their assessment of ICFR (Internal Control over Financial Reporting) as a business improvement opportunity, not just a regulatory compliance task.”


Enron’s Last Victim: American Markets

January 3, 2007 from the Cato Institute – “When the new Congress begins its session tomorrow, two familiar faces will not be present: Senator Paul S. Sarbanes and Representative Michael G. Oxley, who are both retiring. Mr. Sarbanes, a Maryland Democrat, has served for 30 years; Mr. Oxley, an Ohio Republican, for 26 — and their main legacy will be their joint attack on corporate corruption, the Sarbanes-Oxley Act of 2002.

The act, which was passed hastily in the wake of the Enron scandal, was surely well intentioned. But it has proven counterproductive in the extreme, and Congress would best honor the departing lawmakers by repealing it.

Sarbanes-Oxley has seriously harmed American corporations and financial markets without increasing investor confidence. The section of the law requiring companies to perform internal audits has turned out to be far more costly than proponents projected, especially for smaller firms. These costs have led some small companies to go private, hardly a victory for public oversight, and some foreign firms to withdraw their stocks from American exchanges.

In addition, the average "listing premium" — the benefit that companies receive by listing their stocks on American exchanges — has declined by 19 percentage points since 2002. This explains why the percentage of worldwide initial public offerings on our exchanges dropped to 5 percent last year, from 50 percent in 2000.

Other costs associated with the act may turn out to be more important. For example, more stringent financial regulations and increased penalties for accounting errors may make senior managers too risk-averse. Most chief executives are not accountants, so the requirement that they personally affirm their companies' accounts — at the risk of jail time should anything be amiss — may make them reluctant to partake in perfectly legitimate activities.

Paradoxically, Sarbanes-Oxley's strict rules on oversight by boards of directors would have been insufficient to prevent the collapse of Enron. By the act's standards, Enron had a model board; most members were distinguished professionals. The chairman of the audit committee was a former accounting professor and dean of the Stanford Business School.

Nor would the act's provisions to create a stronger Securities and Exchange Commission have made a difference. The commission had been aware of Enron's accounting techniques since 1992 and had never thought to question them.

Nor was Sarbanes-Oxley necessary in prosecuting the senior managers of Enron, WorldCom and other corporations where fraud was committed — all have been convicted of accounting fraud under laws predating the act.

The negative repercussions of the act on businesses might have been worth it if the act had achieved its primary goal: substantially increasing the confidence of investors in the accuracy of the accounts of firms listed on the exchanges. But that does not seem to have happened.

The best measure of investor confidence is the price-earnings ratio — the price that investors are willing to pay for each dollar of a company's reported earnings. The overall price-earnings ratio for the Standard & Poor's 500-stock index, however, has declined continuously since the Sarbanes-Oxley Act was being drafted in the spring of 2002.

Several leaders of the new Democratic Congressional majority have endorsed a relaxation of the audit requirements and other parts of the act. That is encouraging, but it is not enough. The basic structure of Sarbanes-Oxley is unsound.

One big problem is that the act nationalized the rules for corporate governance, reducing the value of the competition among the states for setting such rules. In addition, the act failed to resolve the major conflict of interest created when auditing firms are paid by the companies they audit. Rather than creating a regulation to change the system, Sarbanes-Oxley created an expensive and arguably unconstitutional new regulatory agency to regulate the audit firms' activities.

And, as is too often the case, Congress has rewarded the failures of the very bureaucracies that failed to keep up with Enron — doubling the budget of the Securities and Exchange Commission.

Tinkering is not enough. Sarbanes-Oxley continues to discourage smaller companies from trading publicly and foreign companies from listing their stocks on American exchanges. In the eyes of investors, it hasn't cleaned up any corruption, it has only forced companies to jump through hoops. As Senator Sarbanes and Representative Oxley drift into retirement, their act should retire with them.”

180 View – We think a risk-based approach to Sarbanes-Oxley coupled with a business focus (objective includes business improvement) would go a long way to restore the value in Sarbanes-Oxley.

Justice, SEC actions backpedal a bit on post-scandal rules

December 18, 2006 from Associated Press – “They were two early Christmas gifts for corporate America -- with potentially far-reaching effects for investors and the financial landscape. At the Justice Department and the Securities and Exchange Commission, separate actions last week both had the effect of easing landmark rules laid down in response to the 2002 crisis of corporate malfeasance.

Culminating an intense months long lobbying campaign by an array of companies, the five SEC commissioners voted at a public meeting Wednesday to propose a plan giving corporate managers more flexibility in assessing the strength of internal financial controls. It would especially benefit smaller companies.

The sweeping anti-fraud law known as Sarbanes-Oxley was enacted in 2002 amid the wave of scandals that engulfed Enron Corp., WorldCom Inc. and other big corporations. The law contains a key section requiring public companies to assess the strength of their internal safeguards to ensure that their financial statements are accurate. Companies have complained to the SEC that those rules are overly burdensome and costly, especially for smaller businesses…

Some business-friendly Democrats who are assuming power positions in January have expressed support for Sarbanes-Oxley relief for companies -- and their preference for the SEC to wield its regulatory scalpel as opposed to Congress' heavier hand of legislation.

The SEC move was a "reasonable approach" in light of the disproportionate burden of the financial-control rules on small companies, said James Cox, a professor at Duke University who also is a securities-law specialist.

Still, he said, with more leeway under the SEC plan -- allowing, for example, less stringent testing of internal controls for some companies, "Those (financial) numbers are going to be less trustworthy than they would be otherwise. ... Investor protection's going to suffer."

SEC officials insisted that would not happen. Agency Chairman Christopher Cox called the new plan "making Sarbanes-Oxley work for investors at the right price"…

180 View – We thought that the article was vague so we went to the source at http://www.sec.gov/rules/proposed/2006/33-8762.pdf released by the SEC on December 20, 2006.

“The proposed guidance is organized around two broad principles. The first principle is that management should evaluate the design of the controls that it has implemented to determine whether they adequately address the risk that a material misstatement in the financial statements would not be prevented or detected in a timely manner. The guidance describes a top-down, risk-based approach to this principle, including the role of entity-level controls in assessing financial reporting risks and the adequacy of controls. The proposed guidance promotes efficiency by allowing management to focus on those controls that are needed to adequately address the risk of a material misstatement in its financial statements. There is no requirement in our guidance to identify every control in a process or document the business processes impacting ICFR. Rather, under the approach described herein, management focuses its evaluation process and the documentation supporting the assessment on those controls that it believes adequately address the risk of a material misstatement in the financial statements. For example, if management determines that the risks for a particular financial reporting element are adequately addressed by an entity-level control, no further evaluation of other controls is required.

The second principle is that management’s evaluation of evidence about the operation of its controls should be based on its assessment of risk. The proposed guidance provides an approach for making risk-based judgments about the evidence needed for the evaluation. This allows management to align the nature and extent of its evaluation procedures with those areas of financial reporting that pose the greatest risks to reliable financial reporting (i.e., whether the financial statements are materially accurate). As a result, management may be able to use more efficient approaches to gathering evidence, such as self-assessments, in low-risk areas and perform more extensive testing in high-risk areas.

By following these two principles, we believe companies of all sizes and complexities will be able to implement our rules effectively and efficiently. As smaller public companies generally have less complex internal control systems than larger public companies, this top-down, risk-based approach should enable smaller public companies in particular to scale and tailor their evaluation methods and procedures to fit their own facts and circumstances. We encourage smaller public companies to take advantage of the flexibility and scalability of this approach to conduct an efficient evaluation of internal control over financial reporting. Further, we believe the proposed guidance will assist companies of all sizes in completing the annual evaluation of ICFR in an effective and efficient manner by addressing a number of the common areas of concern that have been identified over the past two years.”

Did Sarbox Make Companies Cleaner?

December 13, 2006 from CFO.com – “On the eve of a highly anticipated Securities and Exchange Commission meeting that could bring about looser regulations for small businesses that have yet to comply with the Sarbanes-Oxley Act, a new study credits the 2002 law with cleaning up larger companies' internal controls and reducing the number of errors in financial statements.

In fact, the Glass Lewis & Co. report — released on Tuesday — says the number of restatements by larger companies fell 26 percent during the first nine months of 2006. The report's authors attribute this decline to the most contentious provision of Sarbox, Section 404, which requires management to attest that their company has adequate internal controls.

180 View – That’s good news. But the question still remains whether the benefit exceeded the cost.

Taming Sarbanes-Oxley

November 21, 2006 from Ventana Research – “Ventana Research believes public companies are the winners in the latest set of reforms regarding interpretation and enforcement of the Sarbanes-Oxley Act. This is not to say the act is dead, but as we noted earlier this year, it is clear that the compliance pendulum is swinging away from stringent controls. The changes that the United States Securities and Exchange Commission (SEC) recently indicated it will make (or is seriously considering) will make compliance much less onerous for larger public companies, and it now appears likely that small public companies will be exempt from having to file.

Recently, the SEC indicated it would unveil major changes to rules governing implementation of the Sarbanes-Oxley Act (SOX). Calls for tossing out or implementing a major overhaul of SOX section 404 began in 2003, not long after Congress passed the law, as companies felt its impact on their annual auditing processes and the cost associated with compliance. Predictably, as memories of the financial scandals of the early decade fade and Sarbanes-Oxley opponents continue to blare their message, pressure has been building for reform. Most larger companies have gone through two cycles of audits under the law, and they have been lobbying heavily to change how it is enforced. In particular, many firms are dissatisfied with what they see as a nitpicking approach by their auditors. There seems to be general agreement that companies should be able to use a top-down, risk-based approach that matches risks with the cost of specific controls and other mitigation techniques. However, even after the Public Company Accounting Oversight Board (PCAOB) made it clear in its revisions to Accounting Standard 2 that auditors were to take steps to make the process less onerous, companies continue to report issues.

The SEC and PCAOB already have taken some steps to make the auditing process less time-consuming and expensive, and the issue now is how much further they will go in easing 404 compliance requirements. One mandate that appears likely to disappear is that companies periodically test and document their internal controls before their auditors examine them, a time-consuming and therefore expensive task. Another change will be explicit instructions to auditors that materiality matters. In auditing, “materiality” is the term used to describe the significance of financial statement information to decision-makers. Something is material if, through omission or misstatement, it is likely to influence or change a decision by, say, an investor or lender. A third change will be exemption of smaller companies (“non-accelerated filers” with market capitalization under $75 million) from 404 audits. Earlier this year, SEC Chairman Christopher Cox elected not to follow the advice of a committee that it should exempt these companies, but now it appears he will reverse his position.

Changes in Sarbanes-Oxley enforcement do not alter the basic requirement that companies must have well-controlled financial processes (and the IT systems to support them). However, with the emphasis shifting to a top-down, risk-based approach to controls, companies are likely to save staff time and external audit fees. In our view, the modifications also do not change the need for companies to simplify and rationalize their financial controls, to automate many of the repetitive tasks they now handle in spreadsheets and to control those that remain in use. Unfortunately, we expect most companies now will put off making many worthwhile process changes that they would have implemented if a “comprehensive” audit approach had remained in force. How all of this will affect consultants and software vendors selling “Sarbanes-Oxley solutions” remains to be seen. We think those whose value proposition has been real business benefits beyond mere compliance will fare better than those perceived to be useful only for streamlining and documenting the internal audit. Sarbanes-Oxley still has life as a political football. We assert it never would have prevented fraud led by senior executives, such as occurred at Enron, Qwest and WorldCom. When the next high-level financial scandal erupts, though, we expect the current reforms will be blamed.

180 View – We said last month that “It’s about time that the auditors provided some real value in their review of internal controls.” It looks like they will soon have no choice if they expect to continue to offer this service.

What Questions do Database Auditors Ask?

This article is a plug for a product called SecureSphere, which was developed by the company providing the free article (after registration). However, it does contain some useful insights.

This paper presents five key questions that IT professionals must answer during a database audit to achieve compliance. These questions are as follows.

  1. Is the audit process independent from the database system being audited?
  2. Does the audit trail establish user accountability?
  3. Does the audit trail include appropriate detail?
  4. Does the audit trail identify material variances from baseline activity?
  5. Is the scope of the audit trail sufficient?

The answers to these questions vary depending upon the audit mechanism employed. Unfortunately, many database audit mechanisms were not designed to meet the requirements of regulatory auditors and therefore do not adequately address these questions. This paper examines the strengths and weaknesses of alternative audit mechanisms relative to these questions. The goal is to provide the reader with information necessary to make informed choices about which audit mechanisms to deploy to satisfy regulatory compliance audits.

1) Is the Audit Independent?
To ensure audit integrity, the entire process must be independent of the database server and database administrators being audited. Since database administrators and servers are both part of the system being audited, they should not be put in a position of auditing themselves. A rogue administrator, for example, with access to audit records may easily tamper with those records to cover his tracks. Similarly, a non-administrator may exploit a database vulnerability to elevate privileges and tamper with the audit trail. The requirement for independence has three immediate implications for the design of the audit system.

2) Who is Accountable?
The database audit trail must attribute each audited database transaction to specific users. For example, a SOX compliant audit mechanism must log each change to financial reporting data along with the name of the user making the change. However, when users access the database via Web applications (such as SAP, Oracle E-Business Suite, or PeopleSoft), native database software audit logs have no awareness of specific user identities. Therefore, when native audit logs reveal fraudulent database transactions, there is no link to the responsible user.

3) Do Audit Records Include Enough Detail?
To effectively reconstruct past database events, auditors require a detailed audit trail that extends to the level of the exact query and response attributes. Consider the following alternative hypothetical audit records for a call center customer service agent named “JOHN”.

  • Example A: JOHN requested DATA from the CUSTOMER database and the database returned DATA
  • Example B: JOHN requested FIRST NAMES, LAST NAMES, EMAIL ADDRESSES, PHONE NUMBERS, and CREDIT CARD NUMBERS for ALL customers from the CUSTOMER database and the database returned 634,577 records

Assuming that John is authorized to access individual customer records during the normal course of his work, the first, less detailed audit record (example A) does not reveal any unusual activity. However, the second, more detailed audit record (example B) makes it clear that a suspicious event has taken place. There is no reason to access the personal information (including credit card numbers) of 634,577 customers. To fully understand the transaction, the audit trail requires complete detail.

4) Does the Audit System Identify Material Variances?
It’s not enough for the audit system to simply provide a chronological listing of all database transactions. The volume of information generated in most database environments renders such a system useless as a tool for identifying fraudulent activity. An effective audit system should deliver prioritized views of events that separate material variances from legitimate or “baseline” user activity. However, most native and external audit approaches provide un-prioritized views, forcing staff into a costly manual log inspection process.
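Questions 2 to 4 above (user accountability, query-level detail, and separating material variances from baseline activity) as an added example, not code from the SecureSphere paper or from 180 Systems: a small Python triage script run over constructed audit records. The pooled account name APPUSER, the column names, the sensitive-column list and the 50x row-count threshold are all assumptions.

```python
"""Added example (not from the SecureSphere paper or the 180 Systems site):
triage of database audit records that (a) attributes each record to the
application user rather than the pooled database account, (b) keeps
query-level detail (columns, predicate, row count), and (c) reports only
material variances from each user's baseline activity.
All records, names and thresholds below are constructed for illustration."""
from dataclasses import dataclass, field
from statistics import median
from typing import Optional

# Columns the (assumed) audit policy treats as sensitive; adjust to the schema.
SENSITIVE_COLUMNS = {"CREDIT_CARD_NUMBER", "EMAIL_ADDRESS", "PHONE_NUMBER"}


@dataclass
class AuditRecord:
    ts: str                  # timestamp of the query
    db_user: str             # account the database saw (often a pooled app account)
    app_user: Optional[str]  # end user passed down by the web application, if any
    table: str
    columns: list            # columns named in the query
    has_predicate: bool      # True when the query restricted rows (a WHERE clause)
    rows_returned: int


@dataclass
class Finding:
    record: AuditRecord
    actor: str
    reasons: list = field(default_factory=list)


def accountable_user(rec: AuditRecord) -> str:
    """Question 2: tie the transaction to a person, not a pooled account.
    Falls back to the DB account, marked unattributed, so the gap stays visible."""
    if rec.app_user:
        return rec.app_user
    return f"{rec.db_user} (unattributed)"


def build_baseline(history):
    """Median rows returned per (actor, table) over a window of routine activity."""
    counts = {}
    for rec in history:
        counts.setdefault((accountable_user(rec), rec.table), []).append(rec.rows_returned)
    return {key: median(vals) for key, vals in counts.items()}


def find_material_variances(records, baseline, factor=50):
    """Question 4: return only the records that deviate materially from baseline,
    each with the reasons, instead of a chronological dump of everything."""
    findings = []
    for rec in records:
        actor = accountable_user(rec)
        reasons = []
        typical = baseline.get((actor, rec.table))
        if typical is not None and rec.rows_returned > factor * max(typical, 1):
            reasons.append(f"rows_returned {rec.rows_returned} vs baseline median {typical}")
        touched = SENSITIVE_COLUMNS & set(rec.columns)
        if touched and not rec.has_predicate:
            reasons.append(f"unfiltered read of sensitive columns {sorted(touched)}")
        if rec.app_user is None:
            reasons.append("no application user in audit record")
        if reasons:
            findings.append(Finding(rec, actor, reasons))
    return findings


# Constructed baseline: JOHN's routine lookups return one customer at a time.
BASELINE_HISTORY = [
    AuditRecord("2006-11-01T09:00:00", "APPUSER", "JOHN", "CUSTOMER",
                ["FIRST_NAME", "LAST_NAME", "PHONE_NUMBER"], True, 1),
    AuditRecord("2006-11-01T09:05:00", "APPUSER", "JOHN", "CUSTOMER",
                ["FIRST_NAME", "LAST_NAME", "EMAIL_ADDRESS"], True, 1),
    AuditRecord("2006-11-01T09:10:00", "APPUSER", "JOHN", "CUSTOMER",
                ["FIRST_NAME", "LAST_NAME"], True, 2),
]

# Constructed records under review: a routine lookup, the bulk read from
# example B above, and a query the application failed to attribute to a user.
RECORDS = [
    AuditRecord("2006-11-02T10:00:00", "APPUSER", "JOHN", "CUSTOMER",
                ["FIRST_NAME", "LAST_NAME", "PHONE_NUMBER"], True, 1),
    AuditRecord("2006-11-02T10:07:00", "APPUSER", "JOHN", "CUSTOMER",
                ["FIRST_NAME", "LAST_NAME", "EMAIL_ADDRESS", "PHONE_NUMBER",
                 "CREDIT_CARD_NUMBER"], False, 634577),
    AuditRecord("2006-11-02T10:09:00", "APPUSER", None, "CUSTOMER",
                ["FIRST_NAME", "LAST_NAME"], True, 1),
]


def triage(records=RECORDS, history=BASELINE_HISTORY):
    """Build the baseline from history and return the prioritized findings."""
    return find_material_variances(records, build_baseline(history))


if __name__ == "__main__":
    for f in triage():
        print(f.record.ts, f.actor, "; ".join(f.reasons))
```

The routine lookup produces no finding; the 634,577-row read is reported for both its row count and its unfiltered read of credit card data, and the unattributed query is reported because the trail cannot name a person for it.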

5) Is the Scope of the Audit Sufficient?
The scope of the database audit trail should be broad enough to identify any attempt to exploit vulnerabilities in database platform software (application, operating system, etc.) or protocol implementations. SQL Slammer and Windows RPC vulnerabilities are two examples of the many such vulnerabilities that attackers have exploited to inflict serious damage upon database infrastructure around the world. Dedicated intrusion prevention systems (IPS) and protocol validation solutions are needed to identify such attacks. Therefore, to provide auditors with a complete picture of database activity, it’s necessary to integrate data collected from these sources into the audit trail.

180 View – IT audit demands knowledge of IT General Controls, including hardware, operating systems, database management systems, networking, multimedia, etc., together with the environment that houses and supports them and enables the processing of applications (such as a financial application from SAP). A database is critical to any application. The database not only stores data but also manages access and logs changes independently of the application.

The Unexpected Benefits of Sarbanes-Oxley

April 2006 from Harvard Business Review courtesy of Approva Corporation – This article is about:

  • Control environment (attitude, values, transparency…) is the 1st line of control defense
  • Reducing control testing based on risk of a particular process leading to material errors
  • Avoiding duplication of work when it comes to documenting business process. In one example, a company’s processes were being reviewed for Sarbanes-Oxley and for ISO 9000. There were 2 different teams documenting the identical business process
  • Standardization improves data consistency which reduces the potential for error. Another standardization benefit is that it can lead to efficiencies by streamlining processes. And the auditors only need to review one process rather than multiple processes
  • Manual controls are not as good as automated controls
  • Few companies have used Sarbanes-Oxley as a way to improve business process

180 View – It’s about time that the auditors provided more real value in their review of internal controls by identifying weaknesses in efficiency and effectiveness of business process.

Multilateral Instrument 52-109 and Bill 198

October 17, 2006 from Horwath Orenstein LLP – “In a noteworthy development, separate statements of claim have recently been filed by Marvin Neil Silver and Cliff Cohen, both would-be plaintiffs in a proposed class action against Imax Corporation and certain directors and officers of the company. Silver’s claim is the first (by a day – Cohen’s followed hard on its heels) to invoke the secondary-market liability provisions that were recently added to the Securities Act (Ontario) under Bill 198...

Multilateral Instrument 52-109 and proposed amendments setting out reporting criteria required for 2006, 2007, and beyond, combined with Bill 198, has significant implications for Audit Committees, Directors and senior management of reporting issuers. The intent of these new rules and regulations is to improve governance and rebuild corporate credibility through accurate, reliable, and timely communication of information to shareholders. The announcement of the above class action is evidence that Bill 198 is a reality, and public issuers must ensure that they have exercised due diligence with respect to the company’s “Disclosure Controls and Procedures” and “Internal Controls over Financial Reporting”, under the certification requirements of Multilateral Instrument 52-109.

Multilateral Instrument 52-109 requires CEOs and CFOs of all Canadian publicly listed companies to certify:
a) The design and implementation of “Disclosure Controls and Procedures” for both interim and annual filings on or after March 31, 2005
b) The design and implementation of “Internal Control over Financial Reporting” for both interim and annual filings on or after June 30, 2006 (subject to transitional rules)
c) The evaluation of the effectiveness of “Disclosure Controls and Procedures”, and that they have concluded on their effectiveness in the Management Discussion and Analysis accompanying their annual report for year ends ending on or after March 31, 2005
d) The disclosure of material changes in the “Internal Control over Financial Reporting” that occurred during the most recent interim period in the Management Discussion and Analysis accompanying their interim or annual report for periods ending on or after June 30, 2006

In addition, for years ending on or after December 31, 2007, CEOs and CFOs are required to certify on the evaluation of “Internal Controls over Financial Reporting”, and provide their conclusions on their effectiveness, including a discussion on the method for evaluating their effectiveness in the Management Discussion and Analysis accompanying the annual report...”

IMA Releases Landmark Study Revealing Sarbanes-Oxley Compliance Issues

October 12, 2006 from Business Wire – “A lack of practical management implementation guidance and the incomplete nature of the COSO (Committee of Sponsoring Organizations) 1992 framework in assessing effectiveness of internal controls over financial reporting (ICoFR) are two of the key cost drivers for public companies complying with Sarbanes-Oxley Section 404 (SOX) requirements, says a landmark research study released by the Institute of Management Accountants (IMA®). The research study, COSO 1992 Control Framework and Management Reporting on Internal Control: Survey and Analysis of Implementation Practices, was released today.

Conducted by Professor Parveen P. Gupta of Lehigh University, the study assessed the views of nearly 400 experienced CFOs, controllers, internal auditors, and SOX compliance specialists at publicly traded companies. The study was designed to determine the extent to which companies are using COSO’s 1992 internal controls framework and identify the factors which inhibit a successful and cost-effective SOX compliance outcome, including high-cost compliance activities, definition and use of “risk based” models, application of risk assessments (fraud, plausible, and inherent risk), integrated audits, IT controls assessments, skills gap issues, and other practical areas.

“IMA’s study is the first comprehensive study of its kind that goes beyond estimating the cost of compliance. This study helps to identify the real drivers of cost and provides actionable insights for policy makers, regulators and professional associations,” said Paul A. Sharman, president and CEO, IMA. “We have hypothesized for some time that current controls frameworks are inadequate, as they do not allow management practitioners to conduct cost-effective, risk-based assessments covering internal controls over financial reporting, fraud risk, general IT controls, and other areas.”

A sampling of key findings from the IMA research study includes:

Approximately two-thirds of the total respondents attributed two key factors as major cost drivers:

1. A lack of practical guidance from the SEC or other professional organizations on how to decide what constitutes an effective (or ineffective) internal control system

2. Redundant testing (between auditors and inside SOX compliance resources) due to a lack of collaboration to reduce the sample size. The data suggests that the original goal of achieving efficiencies via an integrated audit of internal control incremental to (not duplicative of) the traditional financial statement audit is still not a reality

  • More than half of respondents acknowledged that they did not use COSO 1992 to assess IT control effectiveness, in spite of indicating their control assessment was done in accordance with COSO 1992. Almost 52 percent of respondents used COBIT for this critical aspect of their ICoFR assessment
  • Forty-five percent of smaller public companies and 35 percent of larger public companies are using a “bottom-up” approach to internal controls, rather than a “risk-based” point-of-view. The higher percentage for smaller companies could suggest a skills gap issue in applying robust risk assessment methods
  • Only 38 percent of respondents indicated that the COSO 1992 controls framework, the predominant framework in use, was guiding their internal control assessments, while 62 percent primarily rely on Accounting Standard 2 (AS2). Due to the lack of practical guidance, AS2 has become the de facto assessment standard for company management
  • Fifty-seven percent of respondents did not believe that the COSO 1992 framework alone was sufficient guidance for determining the effectiveness of internal controls, strongly suggesting that practical assessment methodologies linked to the framework are necessary to assert to the SEC that an organization has an effective system of internal controls.

“These results suggest that our hypotheses have been proven to a reasonable degree. Now it is time to develop the long awaited assessment guidance so desperately needed by American businesses to cost-effectively comply with SOX while protecting shareholder interests,” added Sharman.

The study, COSO 1992 Control Framework and Management Reporting on Internal Control: Survey and Analysis of Implementation Practices, includes an Executive Summary that is available free of charge. The full study is available for purchase from IMA. Please visit https://www.imanet.org/research_sox_study.asp for complete details.”

180 View – We think there's no excuse for not providing an efficient SOX compliance review.

Greenspan: Dump SarbOx

September 26, 2006 from eWeek.com – “The Sarbanes-Oxley Act is doing more harm than good and must be overhauled, Alan Greenspan told a technology audience here.

"One good thing: Sarbox requires the CEO to certify the financial statement. That's new and that's helpful. Having said that, the rest we could do without. Section 404 is a nightmare." Greenspan's remarks came at a meeting of the Massachusetts Technology Leadership Council here on Sept. 25. Greenspan was Chairman of the Federal Reserve board for 18 years, having retired in early 2006.

He said the evidence is clear that Sarbanes-Oxley strictures are driving initial public stock offerings away from the New York Stock Exchange and to the London Stock Exchange. Increasingly, he said, people recognize that Sarbanes-Oxley must be changed. "The pressure on getting 404 significantly altered is rising and is taking on a critical mass." But he added, "You do not get a bill altered when the two names [Sarbanes and Oxley] are in the process of retiring. People are waiting until they are gone. Then, hopefully, changes will be made. Any bill that passes both houses almost unanimously, cannot be a good piece of legislation."

180 View – We think it's time Sarbox (or the equivalent) reviews included efficiency (achieving the desired result with the minimum use of resources) and effectiveness (achieving the desired result). Then we are talking about value for money.

Internal Controls-A Review of Current Developments

August 2006 from International Federation of Accountants - This review summarizes key internal control frameworks, highlights recent legislation, and discusses the role of internal control in enhancing corporate governance. It is a 19 page document and we will just quote some of the more interesting paragraphs: "… As the severity of high-profile corporate accounting failures has increased steadily over the last decade, there has been a corresponding increase in the development of new legislation, standards, codes and guidelines to assist organizations in improving their corporate governance. While these standards and guidelines originated from a variety of sources, they share a core principle: that good governance, by its nature, demands effective systems of internal control.

Recognition of the critical importance of internal control is evident in the key frameworks and guidelines on the subject. In the 1990s internal control frameworks such as the COSO (USA), Turnbull (UK) and CoCo (Canada) emerged, some of which have recently been reviewed and updated or supplemented. In addition, there are many other publications on the theory and benefits of internal control…

As internal control frameworks, COSO, Turnbull and CoCo complement each other. They each see internal control as a process/set of processes designed to facilitate and support the achievement of business objectives. Each of the frameworks takes the wider approach to internal control covering consideration of significant risks in operations, compliance and financial reporting. Objectives such as improving business effectiveness are included, as are compliance and reporting objectives. The narrow approach to internal control is usually restricted to internal control over financial reporting…

SOX focuses on one specific aspect of internal control, that related to internal control over financial reporting whereas, as has been previously noted, the key internal control frameworks such as COSO, Turnbull and CoCo take a wider business-led approach and cover all controls. Assessments of internal control using the SOX definition are less likely to focus on the business benefits that can result from a review of the wider aspects of internal control and the related processes for risk management…

By covering all material controls and linking internal control to risk management, it allowed companies to focus on the most significant risks facing them. By setting out high-level principles rather than detailed processes, it required boards to think broadly about their company's risks and enabled them to apply the guidance in a way that suited the circumstances of their company."

180 View - We believe that internal control should consider business effectiveness. In this way, the control review will provide more value. As well, there should not be a significant increase in time spent as long as the reviewer has the expertise in compliance as well as efficiency and effectiveness.

S.E.C. looks to cut costs of meeting audit rules and new guidance for smaller public companies

July 12, 2006 from The New York Times - "The Securities and Exchange Commission, scrambling to find ways to cut the costs of complying with the Sarbanes-Oxley Act without gutting the act, said yesterday that it expected to propose a rule aimed at curbing costs.

The commission published a "concept release," setting forth numerous questions regarding both how the carrying out of the law had proceeded and what should be done now. It asked for comments on those questions over the next two months.

At issue is Section 404 of the law, which requires public companies to assess the adequacy of their internal financial controls and to have that assessment reviewed by external auditors. That provision of the law was based on a law passed in 1991 requiring banks to certify their internal controls and was expected to add little in the way of costs.

But there have been widespread complaints that the cost has been excessive. An S.E.C. advisory committee recommended that smaller companies, which have not yet been required to comply with the section of the law, be exempt. A bill introduced in Congress proposed going further and exempting the vast majority of companies.

"Our goal is to develop practical guidance for companies to help improve the reliability of financial reporting and to make Section 404 implementation more efficient and cost effective for investors," said the commission's chairman, Christopher Cox.

The commission gave little firm indication of what a new rule would say, but in numerous sections it indicated impatience and concern that the process had proved so costly and expensive. It noted that some companies had complained of excessive documentation being required by auditors and added, "We have anecdotally heard that this documentation, in many cases, substantially exceeded that normally produced by financial institutions," even though the Sarbanes-Oxley Act and the 1991 law were similarly worded.

The commission indicated that it suspected that audit firms had done too much work, saying it was "skeptical of the large number of internal controls that some companies have identified, documented and tested." It said it thought one cause of problems might have been an "overly conservative" interpretation of the rules by auditors.

The commission pointed to a document issued yesterday by a group of accounting organizations, known as the Council of Sponsoring Organizations, aimed at providing a simplified framework for smaller companies to assess their financial controls.

"What we are saying is no company is exempted from good internal controls,'' said David Richards, the president of the Institute of Internal Auditors, one organization in the group. "It does not matter what your size is."

He said the document was aimed in part at helping companies identify a relatively small number of controls that needed to be carefully checked because of their importance to accurate financial reporting.

Despite widespread complaints about cost, Section 404 does appear to have had some benefits. In the first year, about one of six companies reported material weaknesses in their controls, while that figure was down to about one in 15 during the second year.

A report by Grant Thornton, an accounting firm, noted that about 10 percent of banks had such problems, even though they had been complying with the 1991 law, which did not require external auditors to monitor the assessment. It said that indicated that auditor review was critical to assuring adequate controls.

The S.E.C. said earlier this year that it was beginning to consider how to modify the carrying out of Section 404. Yesterday's announcement may have been most significant in that it indicated that the commission thought a new rule, rather than increased guidance, would probably be necessary.

Also significant, however, was the renewed endorsement of Section 404 itself.

"Quality financial reporting is a critical cornerstone to our capital markets, and investors are entitled to rely upon it,'' said John W. White, director of the commission's Division of Corporation Finance, in announcing the new action. "Section 404 has a key role to play in enhancing the reliability of public companies' financial statements."

180 View - Every problem is an opportunity for someone. Y2K was a huge opportunity for ERP software developers such as SAP and Oracle. Sarbanes-Oxley has been a huge opportunity for auditors. It seems that some have been overzealous in their work as they rack up their fees. It seems to us that fees would go down dramatically if the auditors applied more common sense. If the absence of a control does not cause material risk, why document and test it? As well, there may be a myriad of controls that contribute to a particular business process. However if one of the controls is sufficient, why bother documenting and testing all the secondary controls?

The article refers to COSO (the Committee of Sponsoring Organizations of the Treadway Commission) providing a simplified framework for smaller companies to assess their financial controls. The American Institute of Certified Public Accountants (AICPA) and the Institute of Management Accountants have both affirmed support for the new guidance for smaller public companies released during a webcast on July 11 by COSO. Click here for the webcast.

A survey of Canadian decision makers on business performance and regulatory compliance in the Finance function

July 2006 from KPMG - "KPMG's Advisory practice conducted a survey of 170 of Canada's senior executives to determine how their Finance functions have responded to the new regulatory mandates, and how successful they have been in maintaining the balance between activities supporting compliance and those supporting business performance. In an effort to focus on the views of Finance functions' key customers and stakeholders, the survey included Chief Executive Officers, Presidents, and Chief Operating Officers, but specifically excluded Chief Financial Officers themselves…

Business leaders are concerned that regulatory requirements have caused the Finance function to focus on compliance at the expense of other areas of its mandate. Three-quarters of respondents believe that corporate growth and profitability have suffered as a result of the Finance function's focus on compliance. Management reporting, budgets and forecasts, corporate finance, risk management, and strategic planning represent areas of opportunity for Finance departments to rebalance their activities and improve contribution to the business. Decision makers are prepared to make investments to rebalance the activities of their organizations' Finance function."

180 View - We think that compliance auditors should provide value related to business performance at the same time. By identifying inefficient and ineffective business processes, compliance auditors would support business performance. Efficient business processes do the job with the least amount of resources, so re-keying and duplication should be easy to spot. Effective business processes are harder to identify: effectiveness requires knowledge of CSFs (Critical Success Factors, the things an organization must do well in order to be successful). If a business process does not support a CSF, it is not effective.

Sarbanes-Oxley - A Tough Act to Follow

March 15, 2006 from CFO Magazine - "The costs are indeed substantial. AMR Research estimates that, by year-end, U.S. businesses will have spent $20 billion on Sarbox compliance since the law was enacted. On average, AMR estimates that companies are laying out about $1 million on Sarbox compliance for every $1 billion in revenues.

CFO's survey shows an even greater hit to income. Finance managers at companies with annual revenues of $500 million or more indicated that Sarbox compliance had taken an average yearly earnings bite of more than 2 percent. Smaller companies were worse off. Respondents at businesses with sales of under $500 million said Sarbox compliance was devouring 4.5 percent of their earnings each year...

The major flashpoint of the argument is the way auditors attack 404. Some finance chiefs feel that the Public Company Accounting Oversight Board (PCAOB) has taken a heavy-handed approach to Auditing Standard No. 2, which instructs engagement partners on how to check their clients' internal-controls reviews. As a result, CFOs say auditors test and retest internal controls to ensure their sign-offs are beyond question. Finance managers contend the prospect of auditor nit-picking forces clients into indiscriminate documentation of internal controls.

The PCAOB appears to be aware of the situation. In a November 2005 report on the initial implementation of AS2, the board criticized auditors who "did not alter the nature, timing, and extent of their testing to reflect the level of risk."

By taking a one-size-fits-all approach to their testing, accountants apparently ignored the risk profiles of individual companies. "As a result, some auditors appeared to have expended more effort than was necessary in lower-risk areas," the board stated, noting that "in some cases, a higher-risk area should have received more audit attention than it did." For the rest of the article, click here.

180 View - Not only should accountants consider the risks, but they should also not waste time on non-critical controls. Certain controls over completeness or accuracy can be marginally helpful - what's the point of testing them?

The Long Arm of Compliance

January 16, 2006 from BPM Today - "When one hears the word compliance, the initial thought that often comes to mind is of laws and regulations that guide well-known, publicly held companies. The reality is that compliance reaches farther than large, public companies. It affects business of all sizes in various industries, including both publicly held and private small and medium-sized businesses (SMBs)...

By asking a few simple questions, an SMB can determine if it is meeting some of the basic compliance elements; identify compliance areas that it needs to address; and establish a starting point for action.

  • Do you know what will happen to your business operations if parts of your networks or systems fail?
  • Are your systems and networks protected against viruses and other malware?
  • Do you have ways to authenticate everyone who accesses your information systems and data?
  • Can you monitor how your I.T. network is used and by whom?
  • Do you have the means to track security incidents?
  • Is your data tamper-proof?
  • Is your key data backed up off-site?
  • Have you protected "unstructured" data -- that is, the e-mails, spreadsheets, and other documents on your employees' desktop systems?
  • Do you have companywide e-mail archiving capability?
  • How long does your data need to be archived and how quickly must you be able to retrieve it?
  • Can you show/prove that you are in compliance?

For the rest of the article, click here

Compliance for Less

February 13, 2006 from WallStreet Technology - "When it comes to compliance on a shoestring, small firms face some big challenges. From a technology standpoint, most compliance systems are expensive and difficult to manage. Unlike large financial services firms that have the money and manpower to support these systems, small firms face the burdens of meager budgets and skeletal IT staffs that often are already overwhelmed managing multiple projects. Lisa Schmidt, chief compliance officer and vice president of Perkins Capital Management, a Wayzata, Minn.-based investment advisory firm with 16 employees, claims that organizations like hers must overcome some unique obstacles in order to comply with regulatory mandates. "The very first challenge would be cost—the cost for hiring additional workers, the cost for the new technology," says Schmidt. "Time, too, is a big issue," she adds.

While most small firms, such as Schmidt's, have at least one function solely dedicated to compliance, the responsibilities associated with meeting both internal and external compliance requirements also must be shared by other employees throughout the organization. According to a recent survey by IBM Business Consulting of more than 200 financial services firms globally, sales and operations personnel who are not formally in compliance roles are spending 20 percent to 30 percent of their time on compliance-related functions." For the rest of the article, click here.

Rounding Up the Best SOX Applications

December 23, 2005 from CIO Today - "In 2005, many companies got their first real taste of compliance as they worked to meet all of the financial-disclosure mandates of the Sarbanes-Oxley Act of 2002. SOX requires public companies to create, monitor, and manage controls over many aspects of their financial reporting. Some companies have found that such transparency doesn't come easily. The rules require not only new processes, but also fresh tools that can determine whether systems and reporting standards are up to snuff.

According to a recent report from AMR Research, companies are taking a long-term approach to compliance. More than 80 percent of the roughly 300 companies surveyed said they plan to add to or improve SOX compliance in 2006, with the biggest areas of investment expected to be compliance-management software and continuous controls-monitoring software. The need for such tools has led to a boom in software development geared to helping companies with SOX. By some estimates, there are tens of thousands of products available that promise some form of SOX assistance. To make navigation among the options easier, here is a look at five of the most-popular brands" by clicking here.

Compliance Dominates IT Spending

December 14, 2005 from E-Business News - "If you think that the big wave of compliance-driven IT spending is over, think again. Research continues to indicate that compliance and governance are growing in importance, with a new estimate from Gartner putting their share of 2006 enterprise IT spending at between 10 and 15 percent. Gartner based this estimate on its 2005 Financial Compliance Management Survey of 326 professionals in North America and Western Europe. The survey further indicated that compliance and governance claimed only 5 percent of 2004 enterprise IT budgets." For the article, click here.

How to Cut Costs Without Compromising Compliance

From Deloitte - "Poll any random sampling of public company CFOs, and a probable majority will tell you that Sarbanes-Oxley has placed enormous pressure on their organizations. Many of these executives will also divulge a corollary fact: Much of the stress falls directly on their shoulders...Compliance costs, in general, are seen by many as placing U.S. companies at a competitive disadvantage; therefore Sarbanes-Oxley-related costs are on the radar screens of most CEOs. The message is clear: Achieving compliance was too expensive! And the mandate is unambiguous : Reduce the cost of compliance!..."

Deloitte recommends a Control Rationalization program that is based on two principles: a top-down, risk-based approach and a lean and balanced control design. A top-down, risk-based approach is founded on the premise that not all accounts, transactions, and risks are equally important. One should not only consider the relative significance of these items, but also factor in a number of related concerns, including the nature of the business; the inherent riskiness of transactions, processes, controls, and technologies; and the effectiveness of the organization’s human resources. For example, it would be difficult for a sales order clerk to defraud the company by creating fictitious customers if the company has only four large customers (as opposed to thousands); thus, control resources would be more efficiently focused on areas of greater risk, such as management override, manual journal entries, and estimates." For the rest of the article, click here.

180 View - The top down approach makes a lot of sense and it's a wonder that compliance auditors have not already adopted this strategy. One problem is that auditors generally don't concern themselves with efficiency and effectiveness. This is a shame as they could address these important issues at the same time as they do their compliance auditing.

The Sarbanes-Oxley Act is at the top of many IT agendas

From ComputerWorld - “I have other aspirations, like growing the company, satisfying the customer, increasing operational efficiencies. I don’t want to be spending on this. It’s a necessary evil, chewing up resources we’d rather spend on something else.” Moreover, the laws and regulations tend to be vaguely worded, which makes it hard for IT folks to do the right thing even when they want to. On the other hand, helping the company comply with regulations — and keeping the CEO out of jail — could make the CIO seem more like part of the executive team. Similarly, helping the company comply with privacy regulations — and keeping the company out of PR disasters — could be just as important as that new CRM system in terms of retaining customers.

The Sarbanes-Oxley Act of 2002, the U.S. government’s attempt to bring honesty, clarity and speed to corporate financial reporting, may ultimately require costly overhauls of budgeting, reporting and decision-support systems. The combined weight of Sarbanes-Oxley and other new regulations is expected to result in major systems changes at some companies. “We’re looking at a whole series of governance and compliance issues related to IT for Sarbanes-Oxley.” For the rest of the article (and there's lots more), click here.

Sarbanes-Oxley White Paper

2005 from the IT Compliance Institute - "The Sarbanes-Oxley Act (SOX) was passed in 2002. Most public companies must comply by June 15, 2004; smaller U.S. businesses and foreign companies must comply by April 2005. By providing strict guidelines for publicly traded company corporate governance, this act addresses several aspects regarding:
• Security and controls of accounting and auditing processes.
• Oversight of accounting and audit practices.
• Financial record retention.

The most important parts of SOX for IT revolve around sections 302 and 404, which require organizations to disclose their internal financial reporting controls as well as an assessment of how well those controls are working. But what that actually means for IT isn’t well understood. As recently as January 2004 one of the “Law, Public Policy and Standards Experts” at SearchSecurity.com was asked what this all means for an IT infrastructure. In an overly vague answer, he stated that the “wise IT administrator would implement as many best practices as possible,” and then named several IT security frameworks (NIST, ISO 17799, NSA Gold Standard) that could be used as guidance. Other “experts” are just as in the dark about what to do relating to internal control objectives. Why is that so?

The answer lies in the broad-term verbiage that the SOX act uses to define internal controls, the somewhat less broad-term verbiage that the Securities and Exchange Commission (SEC) as well as the Public Company Accounting Oversight Board (PCAOB, the folks who watch the auditors who watch the companies) uses, and the fact that they all point to a set of massive tomes that serve as security frameworks, such as:
• COSO (Committee of Sponsoring Organizations of the Treadway Commission), which released the Enterprise Risk Management (ERM) framework that provides information on enterprise risk management for all organizations. The framework also identifies the interrelationships between enterprise risk management and internal control.
• CobiT (Control Objectives for Information and Related Technology), published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA), which provides an in-depth governance model for IT operations.
• ISO-17799, which provides a framework for implementing an information security program through its definition of a variety of security controls and risk management approach."

For the rest of this 35 page white paper, click here. (requires free registration)

Can Small Companies Benefit From Sarbanes-Oxley?

July 26, 2005 from darwin - "What can small businesses learn from Sarbanes-Oxley (SOX)? And how can we apply the lessons learned by public companies to our smaller, privately-held companies? The Sarbanes-Oxley Act was designed, in the wake of Enron, Arthur Andersen and WorldCom, to protect investors by improving the accuracy and reliability of corporate disclosures. The Act itself is really about strong processes, auditor independence and corporate responsibility...

Here are a few key areas where private companies can benefit from a system of strong internal controls:

Build it in on the front end: If you've developed best practices, how do you know they are being implemented and followed? The best way is to build controls as critical parts of processes. Regular audits, whether performed informally or formally (by an internal auditor or an outside audit firm), ensure that the procedures you've developed are followed. Jason Claycomb, president of INARMA, a controls consulting firm, advises business owners to "make sure the controls are part of the process." As examples, he says, "all accounts payable checks should be matched against invoices and approved by the appropriate person inside the company. Another example is to make sure only authorized employees can make changes in the payroll system so that you know you are paying the right amount to employees."

Seek objectivity. Checks and balances are important to every business, advises Larry Rieger, an executive in charge of risk and Sarbanes-Oxley consulting for Crowe Chizek, a national accounting and consulting firm. "Sarbanes-Oxley stresses the importance of objectivity from your service providers," said Rieger. "In other words, don't hire the same firm for audit as you would for IT security. You don't ever want to create a situation where a vendor is auditing itself."

Network security makes you stronger. According to Patti Suarez, a Global Information Security Manager with the Wm. Wrigley Jr. Company, "network security is about more than just viruses - it means you are taking time to think about the things your business values and building processes to protect those things. It doesn't matter if you are a big or a small company. What matters most is that your processes instill confidence with your employees, vendors and customers."

Get real advisors. Don't shortchange the idea of a real board of advisors - a group of people you respect that will tell you what you don't necessarily want to hear. "No employee wants to tell the emperor that he has no clothes," says Maryann Correnti, a risk management practice leader for American Express Tax and Business Advisory Services, "Building a strong outside advisory board, a group of peers, people that you trust, not a committee that rubber-stamps all your decisions can help you improve controls and grow your business."

For the article, click here.

First CEO charged under Sarbanes-Oxley, also becomes the first CEO acquitted

June 28, 2005 from IT Compliance Institute - "Former HealthSouth CEO Richard Scrushy, the first CEO tried under Sarbanes-Oxley, has been acquitted of all charges brought against him. "This is a stunning defeat for the government," said former federal prosecutor Robert Mintz.

Federal prosecutors, with the cooperation of HealthSouth CFOs, tried to prove that Scrushy had masterminded a $2.7 billion accounting fraud at his former company. Scrushy's defense maintained that the fraud at HealthSouth was committed by Scrushy's subordinates, without his knowledge." Click here for the article.

Sarbanes-Oxley - A price worth paying?

May 19, 2005 from The Economist - This article had too many interesting points to keep the extract short - "The Sarbanes-Oxley statute, which the United States enacted in an atmosphere of extraordinary agitation in 2002, is one of the most influential—and controversial—pieces of corporate legislation ever to have hit a statute book. Its original aim, on the face of it, was modest: to improve the accountability of managers to shareholders, and hence to calm the raging crisis of confidence in American capitalism aroused by the scandals at Enron, WorldCom and other companies. The law's methods, however, were anything but modest, and its implications, for good or ill, are going to be far-reaching...

The cost of all this is steep. According to one study that has attracted a lot of attention, the net private cost amounts to $1.4 trillion. This astonishing figure comes from a paper by Ivy Xiying Zhang of the William E. Simon Graduate School of Business Administration at the University of Rochester. It is an econometric estimate of “the loss in total market value around the most significant legislative events”—ie, the costs minus the benefits as perceived by the stockmarket as the new rules were enacted. In principle, this ought to reflect all the anticipated costs and benefits, direct and indirect, that impinge on company values. If this number were true, SOX would have to prevent an awful lot of unforeseen losses due to fraud before it could be judged a good buy.

To help see whether the estimate is plausible, can any more light be shed on different categories of costs? Direct costs are much the easiest to measure. A survey by the FEI, an association of top financial executives, found that companies paid an average of $2.4m more for their audits last year than they had anticipated (and far more than the statute's designers had envisaged). Deloitte, a big accounting firm, has said that large firms have on average spent nearly 70,000 additional man-hours complying with the new law.

This underlines a notable unintended consequence of the legislation: it has provided a bonanza for accountants and auditors—a profession thought to be much at fault in the scandals that inspired the law, and which the statute sought to rein in and supervise. The demand for accountants has surged to such an extent that the PCAOB has had to curb its own growth plans. In January, Thomas Hohman, the agency's CFO, told Accounting Today, “We would like more [experienced auditors], but we recognize this is a very tight employment market.” This shortage of personnel in a profession on whose shoulders the law has placed heavy new responsibilities is one of the uncertainties hanging over the act's future effectiveness.

Already reduced in number by consolidation and the demise of Arthur Andersen, the big accounting firms are now known more often as the Final Four than the Big Four, since any further reduction is thought unlikely. Section 701 of the new law instructed the General Accounting Office (GAO), the investigative arm of Congress, to look into the concentration of the accounting industry and its impact. The GAO, in its findings published in July 2003, said that there was a potentially unhealthy degree of concentration.

The Final Four—Ernst & Young, Deloitte, PricewaterhouseCoopers (PwC) and KPMG—audit 97% of all large companies in America. The GAO also noted that smaller accounting firms face “significant barriers to entry” and that “market forces are not likely to result in the expansion of the Big Four”. The American Electronics Association (AeA), which represents 2,500 companies and is an outspoken critic of the law, maintains that lack of competition “is significantly increasing the costs of section 404 certification”.

Last year a number of big companies switched to smaller auditors. AuditAnalytics.com, an online research company, reckons that the big firms lost more clients last year than they gained. After 25 years with PwC, Scientific Technologies, an instrument-maker with a turnover of $58m, switched to BDO, the largest of the pack pursuing the Final Four auditors. The company reckoned that the switch could cut its audit fees by 25-50%. Many firms have seen much bigger increases than that. According to AuditAnalytics.com, the fees paid by Advanced Micro Devices more than trebled last year. Bristol-Myers Squibb paid fees of $27.4m in 2004, more than twice as much as the year before...

Less visible costs have also been incurred. Far harder to measure, these may be even larger than the direct costs—and would certainly have to be, if the total, net of private benefits, were ever to amount to anything like $1.4 trillion. Some non-American companies have threatened not to list in New York because of the cost of the legislation; others that have recently delisted from an American stock exchange are said to have done so partly because of Sarbanes-Oxley; and some 20% of public companies in a study by Foley & Lardner, a law firm, said that they were considering going private to avoid the costs of the act. It would be regrettable if a law intended to improve the quantity and quality of financial information available to investors led many companies to seek relatively unregulated forms or jurisdictions—but that does seem to be happening.

Another hidden cost which many business leaders complain of is the effect which the law will have in discouraging risk. Steps to discourage risks of the kind taken by Enron might seem entirely warranted—indeed, you might argue, that was the whole point of the law—but many of the statute's critics say that in threatening (as they see it) to criminalize ordinary business mistakes it goes too far. Small firms, put at a particular disadvantage by the added regulatory burden, also tend to be more inclined than big ones to take risks...

But will the law really help reduce financial fraud in corporate America—and by enough to justify its formidable costs? It might. It has certainly been a salutary reminder to corporate leaders that they are paid a lot of money because they are responsible for a lot of things—in particular, for ensuring that their companies' accounts provide investors with as honest a view as possible of the state of their organization. At the end of April, Dennis Nally, the chairman of PwC (admittedly not a disinterested observer), said that he believes, over time, America will see “fewer incidents involving accounting fraud”.

Time will tell. But it is also possible that Sarbanes-Oxley will come to be seen as both too much and too little. In due course it might well be argued that the act was right to make the relationship between auditors and their “clients” more distanced and adversarial—but then went far beyond what was necessary in that respect by, among other things, imposing responsibilities on CEOs that they are not, in fact, in a position to discharge. At the same time, this argument might go, the underlying failures at Enron and the others were not accounting irregularities as such but other kinds of corporate-governance failure altogether, not even addressed by Sarbanes-Oxley. The first great post-SOX corporate scandal—you can bet there will be one—should be very revealing."

For the article, click here.
  © 2004 One Hundred & Eighty Degrees Systems Limited. All Rights Reserved