Sarbanes-Oxley Act, Section 404: The real challenge.
What the CEOs and CFOs have signed
The Sarbanes-Oxley Section 404 certification and the HTTP 404 error
message have one thing in common: neither explains what we should
do.
The HTTP 404 status code indicates that the client was able to
communicate with the server, but the server either cannot find what
was requested or is configured not to fulfil the request and not to
reveal why (many servers deliberately answer 404 instead of 403 so
that the existence of a resource is not disclosed).
After reading Section 404 of the Sarbanes-Oxley Act, we feel much
the same: either we cannot find what was requested, or the section
is configured to give us opportunities not to fulfil the request and
not to reveal the reason why.
Section 404 is small, just 173 words.
According to the figures circulating at the time, companies spent
$6.1 billion on complying with it during 2005, largely to show
shareholders that they take the Sarbanes-Oxley Act seriously. These
173 words are blamed for putting U.S. capital markets at a
competitive disadvantage, driving initial public offerings away from
the New York Stock Exchange to the London exchange, which advertises
itself as "SOX free".
Let's read a 404 certification (the letters (A), (B) and (C) are
ours; they mark the passages discussed below):
CERTIFICATION OF CHIEF EXECUTIVE OFFICER PURSUANT TO SECTION 404
MANAGEMENT'S ANNUAL REPORT ON INTERNAL CONTROL OVER FINANCIAL
REPORTING
The management of (company's name) is responsible for establishing
and maintaining adequate internal control over financial reporting
(as defined in Rules 13a-15(f) and 15d-15(f) under the Securities
Exchange Act of 1934) for the company.
The company's internal control over financial reporting is designed
to provide reasonable assurance regarding the reliability of
financial reporting and the preparation of financial statements for
external purposes in accordance with generally accepted accounting
principles.
Because of its inherent limitations, internal control over financial
reporting may not prevent or detect misstatements (A). Also,
projections of any evaluation of effectiveness to future periods are
subject to the risk that controls may become inadequate (B) because
of changes in conditions or the deterioration of compliance with
procedures or policies.
The management of (our company's name) performed an evaluation as of
December 31, 2007 of the effectiveness of the company's internal
control over financial reporting based on the Committee of
Sponsoring Organizations of the Treadway Commission's (COSO's)
Internal Control – Integrated Framework (C).
Based on the review performed, management believes that as of
December 31, 2007 (our company's name) internal control over
financial reporting was effective.
The independent registered public accounting firm (one of the big
four), as auditor of the consolidated financial statements of (our
company's name), has issued an attestation report on management's
assessment of (our company's name) internal control over financial
reporting.
Ohh!
(A) Because of its inherent limitations, internal control over
financial reporting may not prevent or detect misstatements: it is
quite funny; we promise very few things.
On the one hand, the CEO accepts responsibility for establishing and
maintaining adequate internal control over financial reporting.
On the other hand, the CEO explains that these internal controls
have inherent limitations, so they may not prevent or detect
misstatements.
It means that the financial statements may be accurate, but perhaps
not.
How can he sign something like that? Since March 2004 we can read in
Auditing Standard No. 2:
"Internal control over financial reporting cannot provide absolute
assurance of achieving financial reporting objectives because of its
inherent limitations.
Internal control over financial reporting is a process that involves
human diligence and compliance and is subject to lapses in judgment
and breakdowns resulting from human failures.
Internal control over financial reporting also can be circumvented
by collusion or improper management override.
Because of such limitations, there is a risk that material
misstatements may not be prevented or detected on a timely basis by
internal control over financial reporting."
We can find exactly the same paragraph in Auditing Standard No. 5,
which replaced Auditing Standard No. 2 in 2007.
This standard also agrees with its predecessor about the limits on
the auditors' ability to find what is wrong:
"Just as there are inherent limitations on the assurance that
effective internal control over financial reporting can provide,
there are limitations on the amount of assurance the auditor can
obtain as a result of performing his or her audit of internal
control over financial reporting. Limitations arise because an audit
is conducted on a test basis and requires the exercise of
professional judgment."
(B) Projections of any evaluation of effectiveness to future periods
are subject to the risk that controls may become inadequate: the CEO
signs that the controls are adequate today.
Tomorrow is another day; he cannot promise that the controls will
continue to be effective. So, if there is a material misstatement,
perhaps it happened after the day he signed that the controls were
adequate.
Did you know that future plans are not controls, and so are outside
the scope of Sarbanes-Oxley?
According to Auditing Standard No. 2:
"Management's plans that could potentially affect financial
reporting in future periods are not controls. For example, a
company's business continuity or contingency planning has no effect
on the company's current abilities to initiate, authorize, record,
process, or report financial data. Therefore, a company's business
continuity or contingency planning is not part of internal control
over financial reporting."
Be careful: future plans, business continuity plans and disaster
recovery plans are outside the scope of Sarbanes-Oxley, but other
elements of business continuity are in scope. Backups and the
off-site storage of backup tapes are operating controls that exist
today, not plans for tomorrow, so they are internal controls that
must be tested and documented.
(C) The management performed an evaluation of the effectiveness of
the company's internal control over financial reporting based on the
Committee of Sponsoring Organizations of the Treadway Commission's
(COSO's) Internal Control – Integrated Framework:
COSO stands for the "Committee Of Sponsoring Organizations" of the
Treadway Commission. Its sponsoring organizations are the American
Accounting Association, the American Institute of Certified Public
Accountants, Financial Executives International, the Institute of
Internal Auditors, and the National Association of Accountants (now
the Institute of Management Accountants). In 1992 they published
Internal Control – Integrated Framework, which became the leading
framework for evaluating the effectiveness of internal controls and
is the framework the certification above refers to.