Sarbanes Oxley Act - Section 404
Sarbanes Oxley Act, Section 404: The real challenge.
What your CEO and CFO have signed - 404 Certification
The Sarbanes-Oxley 404 certification and the HTTP 404 error message
have one thing in common: neither explains what we should do.
The HTTP 404 status code indicates that the client was able to
communicate with the server, but either the server cannot find what
was requested, or it has been configured to refuse the request
without revealing the reason why (a server may return 404 instead of
403 precisely so that it does not disclose whether the resource
exists at all).
After reading Section 404 of the Sarbanes-Oxley Act, we feel the same
way: either we cannot find what was requested, or the section has
been configured to give us opportunities not to fulfill the request
and not to reveal the reason why.
Section 404 is small, just 173 words.
Companies spent $6.1 billion on complying with it during 2005, just
to explain to their shareholders that they take the Sarbanes-Oxley
Act seriously. These 173 words put U.S. capital markets at a
competitive disadvantage, driving initial public offerings away from
the New York Stock Exchange to the London exchange, which advertises
itself as "SOX free".
Let’s read a 404 certification:
CERTIFICATION OF CHIEF EXECUTIVE OFFICER PURSUANT TO SECTION 404
MANAGEMENT’S
ANNUAL REPORT ON INTERNAL CONTROLS OVER FINANCIAL REPORTING
The management of (company’s name) is responsible for establishing
and maintaining adequate internal control over financial reporting
(as defined in Rules 13a-15(f) and 15d-15(f) under the Securities
Exchange Act of 1934) for the company. The company’s internal
control over financial reporting is designed to provide reasonable
assurance regarding the reliability of financial reporting and the
preparation of financial statements for external purposes in
accordance with generally accepted accounting principles.
Because of its inherent limitations, internal control over financial
reporting may not prevent or detect misstatements (A). Also,
projections of any evaluation of effectiveness to future periods are
subject to the risk that controls may become inadequate (B) because
of changes in condition or the deterioration of compliance with
procedures or policies.
The management of (our company’s name) performed an evaluation as of
December 31, 2007 of the effectiveness of the company’s internal
control over financial reporting based on the Committee of
Sponsoring Organizations of the Treadway Commission’s (COSO’s)
Internal Control – Integrated Framework (C). Based on the review
performed, management believes that as of December 31, 2007 (our
company’s name) internal control over financial reporting was
effective.
The independent registered public accounting firm (one of the big
four) as auditors of the consolidated financial statements of (our
company’s name) has issued an attestation report on management’s
assessment of (our company’s name) internal control over financial
reporting.
Ohh!
(A) Because of its inherent limitations, internal control over
financial reporting may not prevent or detect misstatements: it is
quite funny; we promise very few things.
On one hand, the CEO accepts responsibility for establishing and
maintaining adequate internal control over financial reporting.
On the other hand, the CEO explains that these internal controls
have inherent limitations, so they may not prevent or detect
misstatements. In other words, the financial statements may be
accurate, but perhaps not.
How can he do something like that? Since March 2004 we have been able
to read in Auditing Standard No. 2: "Internal control over financial
reporting cannot provide absolute assurance of achieving financial
reporting objectives because of its inherent limitations. Internal
control over financial reporting is a process that involves human
diligence and compliance and is subject to lapses in judgment and
breakdowns resulting from human failures. Internal control over
financial reporting also can be circumvented by collusion or
improper management override. Because of such limitations, there is
a risk that material misstatements may not be prevented or detected
on a timely basis by internal control over financial reporting."
We can find exactly the same paragraph in Auditing Standard No. 5.
That standard also agrees with its predecessor about the limits on
the auditor's ability to find what is wrong: "Just as there are
inherent limitations on the assurance that effective internal
control over financial reporting can provide, there are limitations
on the amount of assurance the auditor can obtain as a result of
performing his or her audit of internal control over financial
reporting. Limitations arise because an audit is conducted on a test
basis and requires the exercise of professional judgment."
(B) Projections of any evaluation of effectiveness to future periods
are subject to the risk that controls may become inadequate: the CEO
signs that the controls are adequate today. Tomorrow is another day;
he cannot promise that the controls will continue to be effective.
So, if there is a material misstatement, perhaps it happened after
the day on which he signed that the controls were adequate.
Did you know that future plans are not controls, so plans are outside
the scope of Sarbanes-Oxley?
According to Auditing Standard No. 2: "Management's plans that
could potentially affect financial reporting in future periods are
not controls. For example, a company's business continuity or
contingency planning has no effect on the company's current
abilities to initiate, authorize, record, process, or report
financial data. Therefore, a company's business continuity or
contingency planning is not part of internal control over financial
reporting."
Be careful: future plans, business continuity plans and disaster
recovery plans are outside the scope of Sarbanes-Oxley, but other
elements of business continuity are in scope. Backups and off-site
storage of tapes are internal controls that support the company's
current ability to record, process and report financial data, so
they must be tested and documented.
(C) Management performed an evaluation of the effectiveness of the
company’s internal control over financial reporting based on the
Committee of Sponsoring Organizations of the Treadway Commission’s
(COSO’s) Internal Control – Integrated Framework: COSO stands for the
"Committee of Sponsoring Organizations" (the American Accounting
Association, the American Institute of Certified Public Accountants,
Financial Executives International, the Institute of Internal
Auditors, and the National Association of Accountants, now the
Institute of Management Accountants). In 1992 they published the
Internal Control – Integrated Framework, which became the leading
framework for evaluating the effectiveness of internal controls.