Sarbanes Oxley : Section 404

Demystifying a Mature and Cost-effective SOX Program


By Connie Valencia, Keri Dawson
Connie Valencia
Principal
Elevate

Keri Dawson
VP of ComplianceOnline Advisory Services
MetricStream, Inc.

In response to a few major corporate and accounting scandals affecting companies such as Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom, the Sarbanes-Oxley Act was enacted as a United States federal law on July 30, 2002. These scandals cost investors billions of dollars when the share prices of the affected companies collapsed, and they severely damaged public confidence in the nation's securities markets.

Named after its architects, US Senator Paul Sarbanes and US Representative Michael G. Oxley, and commonly known as SOX, the act introduced major changes to the regulation of financial practice and corporate governance. It set enhanced standards for all US public company boards, management and public accounting firms. The act consists of 11 sections that define specific mandates and requirements for financial reporting and cover areas such as corporate fraud accountability, auditor independence, financial disclosures, conflicts of interest and more. The Securities and Exchange Commission (SEC) is required to implement the rulings that define the law's compliance requirements.

From a compliance perspective, the most important sections are often considered to be 302, 401, 404, 409, 802 and 906.

Which companies need to comply with various sections of SOX and how

Complying with Section 404: The objective of Section 404 of SOX is to provide meaningful disclosure to investors about the effectiveness of a company’s internal control systems, without creating unnecessary compliance burdens or wasting shareholder resources. This internal control report requirement applies to companies filing annual reports with the SEC under either Section 13(a) or 15(d) of the Securities Exchange Act of 1934.

Though Section 404 requires an annual evaluation of internal controls, it is advisable to perform 404 testing on a quarterly basis, preferably in the latter part of the year, around the third and fourth quarters.

Complying with Section 404 as a foreign company: Foreign filers (including Canadian issuers) must comply with Section 404. The final rules on Section 404 also reaffirm that foreign private issuers are required to evaluate and disclose their conclusions regarding the effectiveness of their internal control over financial reporting, and of their disclosure controls and procedures, only in their annual report and not on a quarterly basis. Foreign filers are not subject to quarterly reporting requirements under the Exchange Act.

Complying with SOX reporting and internal controls as an unlisted company with public debt: Unlisted companies with public debt must comply with the reporting requirements of the SEC, including those for executive certification (302 and 906 certifications) and internal control (404 certification), in the fiscal year in which the registration statements for such debt are declared effective. After that period, if at the end of any fiscal year there are fewer than 300 record holders of the debt outstanding, the company may elect to discontinue filing periodic reports with the SEC. Once the company is no longer filing its reports with the SEC, it is no longer required to comply with SOX.

Obtaining an external opinion on financial controls: Non-accelerated filers (with less than $75 million in market cap) do not have to obtain an opinion from their external auditors on the effectiveness of their financial controls. However, all publicly traded companies are required to comply with the law and to certify under Sections 302 and 906 that the information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer.

How often do companies need to comply with SOX - annually or quarterly?

All publicly traded companies must comply with SOX both annually and quarterly. Section 404 is an annual evaluation of internal controls and therefore requires annual compliance, whereas Sections 302 and 906 are both quarterly certification requirements.

Do Sections 302 and 906 overlap?

Though Sections 302 and 906 emerged from different stages of the legislative process, they overlap significantly. The primary differences between the two sections are:

  • Section 906 expressly imposes criminal penalties, whereas Section 302 relies on the general criminal penalty provision that applies to all violations of the Exchange Act.
  • Section 906 is a shorter representation stating that the periodic report containing the financial statements fully complies with the requirements of Section 13(a) or 15(d) of the Exchange Act.

SOX compliance framework

The SEC requires companies to adopt and declare a SOX compliance framework. This framework is used to define and assess internal controls. The SEC demands that the criteria on which management’s evaluation of SOX compliance is based be derived from a suitable, well-recognized control framework. The framework must be established by a body or group that has followed due-process procedures, including broad distribution of the framework for public comment. As defined by the SEC, a ‘suitable framework’ must:

  • Remain free from bias
  • Permit reasonable and consistent qualitative as well as quantitative measurements of a company’s internal controls
  • Be sufficiently complete, not omitting relevant factors that would alter a conclusion about the effectiveness of a company’s internal controls
  • Stay relevant to an evaluation of internal control over financial reporting

The SEC points out in the final rule that the COSO Internal Control Integrated Framework satisfies this requirement. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued guidance for reporting on internal control over financial reporting, in a further effort to provide direction to companies working toward compliance. COSO, primarily intended for financial processes, is an integrated framework providing specific guidance on implementing and maintaining internal controls. Endorsed by the SEC, COSO is the most widely adopted company-wide control framework. However, COSO is by no means mandatory for SOX compliance.

Control Objectives for Information and related Technologies (COBIT) is an IT framework that maps to COSO. COBIT is another framework adopted by companies in their effort to achieve SOX compliance. Other generally accepted frameworks include: Criteria of Control (CoCo) framework, Turnbull framework, King framework and more. 

However, among these, COSO remains the most popular framework for American publicly traded companies.

Recapping the SEC and AS5 guidance for financial reporting

In May 2007, within weeks of each other, the SEC and the Public Company Accounting Oversight Board (PCAOB) released their separate guidance for management and external auditors on evaluating controls over financial reporting. Apart from minor variations, the two documents are consistent with each other.

The SEC issued new interpretive guidance for management on evaluating internal controls over financial reporting. It is based on two principles:

  • Management should evaluate whether the design of its controls adequately addresses the risk of material misstatement.
  • Management’s evaluation of evidence about the operation of its controls (its testing) should be based on risk assessment.

The SEC guidance is principles-based and directs more effort toward the higher risks of material misstatement. The guidance states that management’s process does not need to follow any one method, nor that of the independent auditors; however, the guidance does not replace control frameworks such as COSO. It allows the evaluation process to be tailored to facts and circumstances, and it provides guidance on supporting evidence and documentation and on evaluating deficiencies.

The PCAOB issued a new auditing standard, AS5 (which superseded AS2), for independent external auditors evaluating a company’s internal controls over financial reporting.

AS5 is also principles-based and provides for increased auditor judgment (which was lacking in AS2). The audit of internal control is not scoped differently from the audit of the financial statements; both use an integrated, top-down, risk-based approach.

The auditor’s opinion is no longer dependent upon assessing the adequacy of management’s process, and the auditor has the ability to leverage Entity Level Controls (ELCs). The guidance recommends enhanced use of prior-year knowledge and of the work of others. It also emphasizes the need to focus on fraud risk.

Six easy steps to SOX compliance

Organizations can achieve SOX compliance by leveraging the governance and entity level controls. Auditors can enhance SOX testing by following these six easy steps:

Step One: Use a top-down risk-based assessment

Prior to the SEC guidance, management in many companies started with the financial processes, then looked at controls, and only then considered risks. This ‘bottom-up’ approach did not have risk at its center and hence proved inefficient and ineffective.

Under the AS5 guidance, the ‘top-down’ approach begins with a risk assessment: it starts by outlining business objectives and moves on to identifying the risks associated with those objectives. Controls are designed to mitigate these risks, and processes are put in place focusing on the highest risks. Fraud risk factors are considered while planning financial processes.

Step Two: Identify your multi-location scope

With the SEC guidance, companies no longer need to conduct coverage-based audits. For example, a food and beverage manufacturer with thousands of franchises across the globe no longer needs to visit 60% of its stores to satisfy audit requirements, as it did before. That was an extraordinary amount of audit effort for a low-level risk.

Adopting the risk-based approach, companies can focus on locations that pose material financial risk to their operations. The guidance also allows consideration of qualitative as well as quantitative risk factors. This means that if a certain location or office has a fraud risk, or is inherently risky given the nature of the business or of the accounting transactions performed, management may include that business unit in scope regardless of the materiality of its operations.

For example, suppose an organization has just acquired a subsidiary in Latin America whose operations are deemed immaterial to the corporate headquarters. If, however, the subsidiary is incurring a large loss and holds assets that need to be written down or impaired, this specific area may be tested at the subsidiary level, given the heightened risk the impaired assets pose to the corporate headquarters. Under the AS5 guidance, the company may want to examine those assets, check whether they are impaired, and review the methodology the subsidiary uses to write down those impairments.

The SEC allows for the consideration of entity level controls and financial factors at each location. As alternative coverage methods for low or moderate risk, the SEC allows testing of assets and suggests self-assessment and continuous monitoring of controls. In determining the multi-location scope, companies must consider the individual financial risks of each business unit.

Step Three: Use a top-down approach to identify your controls

In applying the top-down approach to identifying controls, companies should consider the entity level controls (ELCs; see Step Four for further discussion). After the risk assessment has been performed and the locations or materiality have been set, management should consider both fraud risks and material financial risks. Typically, a fraud risk account is any account that has cash transactions. Fraud risks are usually classified as:

  • Inappropriate user access (lack of segregation of duties)
  • Lack of controls around the cash conversion cycle (cash receipts, accounts receivable, purchasing, accounts payable, payroll)
  • Significant estimates and judgments in financial reporting (revenue recognition, investments, asset impairments, accruals, among others)

The remaining financial risks include the month-end reporting process as well as the SEC financial reporting process.

Step Four: Identify entity level controls

AS5 guidance classifies entity level controls into two categories: direct ELCs and precise ELCs.

Direct ELCs: Direct ELCs are the controls that have a direct relationship with the financial statement account. For example, if a company is looking at a control to review accrual and the controller reviews the accrual for the vacation payroll at the period end, the control has a direct relationship with vacation payroll accrual and it would be a direct ELC. In contrast, if the controller is reviewing the financial analysis of profit and loss (PNL), it does not have a direct relationship with any specific account, so that would not be considered a direct ELC.

Precise ELCs: If a control is direct, it should also be precise. Precision is measured by predictability and by the granularity of detail. For example, consider a budget-to-actual comparison against a specific, direct financial statement account. The control is precise only if the budget figure is up to date and reflects the current environment: if the budget was approved in November of year 1 and the company tests the control in October of year 2 against that 11-month-old budget, there is a chance the control is not a true indicator of what current expenses should be. If the budget were refreshed quarterly, the numbers would be a sound benchmark and the control would be precise.

Lower-Level Controls (LLC): Additionally, companies must identify Lower-Level Controls (LLC) for those financial reporting risks that are not sufficiently covered by direct and precise ELCs.

Automated and manual controls: Companies must prioritize identification of automated controls that address the financial reporting risks as opposed to manual controls because automated controls are more reliable and thus more efficient to test. If automated controls do not exist, then they must identify manual controls that address the financial reporting risks.

Objective and independent controls: Another requirement is that the control be objective and independent. A control can be called objective and independent when, for example, the controller has not performed the activity that produced the numbers involved, but is merely reviewing them.

For a stable and predictable account with low risk, it is sufficient to have ELCs in place that are precise and directly address the financial risk.

Companies must not mistake an ELC for a governance control. While a governance control may be an ELC, governance is only one type of ELC. Governance level controls are pervasive in nature and are not directly related to any specific financial account. Examples of governance controls include:

  • Taking minutes at board of directors and committee meetings
  • Periodic review of the whistleblower hotline
  • Maintaining updated board charters and specific charters for board committees (audit committee and executive compensation)

Entity level controls cover much more than just governance and include controls that are precise and directly related to financial accounts. For example, the Accounts Payable weekly review of batched invoices could be considered an ELC, given the precision of the control as well as its direct relationship with the Accounts Payable account.

In contrast, the controller’s monthly account variance review could also be considered an ELC. However, while precise, this control would not be considered direct, as it does not have a direct relationship with any specific financial statement account.

The SEC guidance encourages management to use a top-down approach for identifying controls that address financial reporting risks. A top-down approach allows management to take ‘credit’ first for any existing direct and precise ELCs.

Step Five: Leverage your IT applications and internal IT controls

The SEC guidance discusses in great detail the testing of general computer controls as well as application controls. IT has an important, though very indirect, role in preventing and detecting material misstatement of the financials.

General computer controls include:

  • Data center and network operations controls such as job scheduling, processing and monitoring, periodic data backups, physical security
  • Information security and systems change control for applications, databases, operating systems and networks
  • Application controls for key financial applications such as the general ledger, revenue, treasury, inventory, billing and accounts receivable systems
  • Transaction processing controls (hash totals, batch totals), segregation of duties, restricted access and end-user computing

In certain cases, IT controls can be benchmarked after the initial year, which significantly reduces the IT testing work in subsequent years. For example, if a control passes the benchmarking test in year one, the company need not test it in year two.

Step Six: Revisit your testing methods

Testing can be performed by independent management (Internal Audit) or through ongoing monitoring activities. Self-assessments can be used as a form of monitoring for ELCs that are direct but not precise, or that are indirect. Direct assistance is allowed: independent management may test lower-risk controls on behalf of the external auditors.

Neither the SEC nor AS5 provides guidance on an ideal sample size. However, the testing sample size is normally based on the frequency of the control: a sample of 30-45 for a daily control, 3-5 for a weekly control, 2-3 for a monthly control, 1-2 for a quarterly control, and 1 for an annual control. This, again, depends on various factors such as the culture of the organization, the mandate from the board, the extent to which the company leverages SOX for operational audit, and the external auditors’ expectations. A point to remember here is that 80% of the identified controls result from 20% of the effort put into creating the framework.

Role of technology in SOX compliance

In the governance, risk and compliance (GRC) world, SOX compliance constitutes only a part of the overall GRC picture. Therefore, implementing an integrated GRC solution is key not just to SOX compliance, but to overall improvement in the operational efficiency of an organization.

A GRC framework consists of many components: enterprise risk management, SOX compliance, issues, policies and documents, and internal audit. It is therefore important to have a technology solution that can communicate with all of these operating components. It is also critical that the technology solution provide dashboards and reporting capability for greater visibility into each GRC component as well as into the overall GRC status of the enterprise.

SOX and internal audit

SOX compliance leads to a dramatic increase in the workload of the internal audit (IA) team. By implementing a technology solution that integrates SOX with other GRC components, including IA, these activities can be balanced and streamlined. The IA team can evaluate the risk management process, fraud detection systems, internal controls, and self-assessments. These streamlined activities allow IA to:

  • Identify risks
  • Develop the ERM framework
  • Define risk management processes
  • Report key risks
  • Manage financial reporting
  • Define and assess internal controls
  • Define job profiles
  • Conduct continuous quality assurance

Integrated SOX solution

A typical SOX solution should support the various roles and responsibilities in the organization, for example: a program manager to monitor the SOX program, process owners to provide process certification, a designer to maintain the control hierarchy, testers to test design and execution, test reviewers to review test results and close testing, an issue moderator for remediation, action plan approvers to approve the compliance plan, and action plan owners to implement and complete the SOX compliance program.

The technology solution must:

  • Allow the adoption of industry compliance standards
  • Provide capability for automated controls and automated disclosures
  • Support closed-loop remediation
  • Facilitate migration of control hierarchy
  • Provide workflow capability
  • Ensure collaborative environment for various teams to work in harmony
  • Provide complete visibility of the compliance process
  • Have a track record of successful large-scale installations in multiple industries

The ideal SOX technology solution needs to be configurable, so that the existing application data model, workflows and reporting capabilities can be modified to map to specific business processes. The teams should be able to extend the solution to develop new reports and analytics and new workflows, and to implement additional GRC applications in a phased manner. As business needs grow or change, the technology solution should have the capacity to scale. Multi-level security and access controls form a crucial part of the reliability and safety of the solution. The solution must support multiple layers of hierarchy and business units spanning geographies. Various integration mechanisms such as Web services, file upload, database integration and message buses can widen the reach of the solution.

Latest update: impact of the Dodd-Frank Act on SOX

The Sarbanes-Oxley Act focuses on internal controls and on having independent audit committee members. The Dodd-Frank Act focuses on board composition and executive compensation.

Claw-back policies

The Dodd-Frank Act emphasizes incentive compensation claw-back policies. The listing rules require the company to have, and to disclose, a claw-back policy. The Dodd-Frank claw-back requirements are much broader than those of SOX. Under this policy, if financial statements must be restated due to material non-compliance with financial reporting requirements, the company must recover the excess incentive compensation from current and former executive officers. This means that the new act involves not just the named executives, but any prior executives who may have received incentive compensation (including stock option awards) based on erroneous data. It applies to the three-year period before the date on which the company is required to prepare the restatement, and covers the amount paid in excess of what would have been paid if calculated under the restated figures.

So what do companies do with their existing agreements? How do they go back? Will a claw-back action violate the contract? What about the cost-benefit trade-off? What if it costs $10,000 to sue a former officer for $2,000? Going forward, however, companies must ensure that any future compensation plans or awards include claw-back provisions.

Before Section 954 of the Dodd-Frank Act, Section 304 of SOX provided the SEC with the means for recouping incentive compensation in the event of a restatement involving misconduct. Several years went by before the SEC began using that SOX provision in enforcement proceedings, perhaps recognizing the legal uncertainties involved with the statute. To date, the SEC has sought claw-back of compensation under Section 304 in only a handful of cases. At the same time, Section 304 has no doubt inspired quite a few companies to adopt compensation recoupment policies in one form or another, so several companies are already in compliance with this provision.

It remains to be seen whether the implementation of Section 954 of the Dodd-Frank Act will reduce the need for the SEC to use its claw-back authority, given that listed companies will now be mandated to recover previously paid compensation under a broader set of circumstances.

Whistleblower incentives and protections

Other SOX amendments include Section 922, Whistleblower Incentives and Protections. Rewards granted by the SEC to whistleblowers extend to any enforcement case, including those relating to the Foreign Corrupt Practices Act. If the total claim is above $1 million, the whistleblower may be eligible to receive 10-30% of the total amount collected. There is also enhanced protection against retaliation: whistleblower cases can now go to federal court and are not bound by pre-dispute arbitration.

The Dodd-Frank Act expands the coverage of the SOX whistleblower provisions to expressly cover both publicly traded companies and “any subsidiary or affiliate whose financial information is included in the consolidated financials of the company”. SOX now also covers any nationally recognized statistical rating organization.

This means that the parent company of a foreign subsidiary should be aware that employees of the foreign subsidiary may be potential whistleblowers under SOX. Companies are advised to keep all reports and claims by employees confidential, and to fully investigate all reports.

Non-accelerated filers do not have to comply with SOX 404(b). The Dodd-Frank Act amended Section 404 of SOX to exempt smaller issuers from the requirement to obtain an auditor’s attestation report on the company’s internal controls over financial reporting. Prior to the Dodd-Frank Act, the SEC had extended the compliance deadline for smaller issuers under SOX 404(b), acknowledging that the costs associated with compliance were “significantly higher than were projected in the SEC’s original rules implementing Sarbanes-Oxley.” However, the Dodd-Frank Act requires the Comptroller General of the United States to study the potential impact of this exemption. As a heads-up, the amendment may not be the final word on Section 404 reporting for smaller companies.

Connie Valencia
Principal
Elevate

Connie Valencia is a dynamic business consultant who specializes in process improvement and internal controls. She is a principal of Elevate Consulting, a leading provider of process improvement, technology risk management and financial consulting services. With over a decade of experience, Ms. Valencia has mastered a diverse range of complex financial and internal audit services including outsourced / co-sourced internal audits and quality assessment reviews.

She specializes in self-assessment and corporate governance consultation, policy and procedure enhancement, process improvement consulting, and Sarbanes-Oxley compliance. Prior to joining Elevate, Ms. Valencia gained an array of "Big 4" public accounting and international internal audit and consulting experience.

Keri Dawson
VP of ComplianceOnline Advisory Services
MetricStream, Inc.

Keri Dawson is Vice President of ComplianceOnline Advisory Services at MetricStream. In this role, she is responsible for leading the integration and continued growth of MetricStream’s cloud-based content and consulting services, with focus on driving MetricStream’s next generation content and service portfolios across the ComplianceOnline business unit.

Ms. Dawson was formerly a Director with KPMG and has over fifteen years of consulting experience in audit, risk, controls, and compliance. She was a leader in KPMG’s GRC Technologies practice, and has been active in the governance, risk and compliance domain for over a decade. Ms. Dawson’s delivery portfolio includes system implementations, internal audit and regulatory compliance services, external audits and attestation services, IT strategy and risk assessments, and performance improvement projects. She has substantial experience leading and coordinating IT-enabled transformation engagements across numerous industries, with a focus on the global consumer markets and technology sectors.

Ms. Dawson holds a Bachelor of Science in Environmental Science from the University of North Carolina - Chapel Hill. She is a Certified Information Systems Auditor (CISA) and a Project Management Professional (PMP).


© 2019 Simplex Knowledge Company. All Rights Reserved.