Sarbanes-Oxley Act, Section 404: The real challenge.

What the CEOs and CFOs have signed
The Sarbanes-Oxley Section 404 certification and the HTTP 404 error message are very similar in one respect: neither explains what to do.

The HTTP 404 standard response code indicates that the client was able to communicate with the server, but either the server cannot find what was requested, or it is configured not to fulfil the request and not to reveal the reason why.

With Section 404 of the Sarbanes-Oxley Act, we feel the same: either we do not find what was requested, or it is configured to give us opportunities not to fulfill the request and not to reveal the reason why.
Section 404 is small, just 173 words. The CEOs spent $6.1 billion on complying with it during 2005, just to explain to the shareholders that they take the Sarbanes-Oxley Act seriously. These 173 words put U.S. capital markets at a competitive disadvantage, driving initial public offerings away from the New York Stock Exchange to the London exchange, which advertises that it is "SOX free".

Let's read a 404 certification:
CERTIFICATION OF CHIEF EXECUTIVE OFFICER PURSUANT TO SECTION 404
MANAGEMENT'S ANNUAL REPORT ON INTERNAL CONTROLS OVER FINANCIAL REPORTING

The management of (company's name) is responsible for establishing and maintaining adequate internal control over financial reporting (as defined in Rules 13a-15(f) and 15d-15(f) under the Securities Exchange Act of 1934) for the company. The company's internal control over financial reporting is designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted
Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements (A). Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate (B) because of changes in condition or the deterioration of compliance with procedures or policies.
The management of (our company's name) performed an evaluation as of December 31, 2007 of the effectiveness of the company's internal control over financial reporting based on the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control – Integrated Framework (C). Based on the review performed, management believes that as of December 31, 2007 (our company's name) internal control over financial reporting was effective.

The independent registered public accounting firm (one of the big four) as auditors of the consolidated financial statements of (our company's name) has issued an attestation report on management's assessment of (our company's name) internal control over financial reporting. Ohh!
(A) Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements: It is quite funny; we promise very few things. On one hand, the CEO accepts responsibility for establishing and maintaining adequate internal control over financial reporting. On the other hand, the CEO explains that these internal controls have inherent limitations, so they may not prevent or detect misstatements. It means that the financial statements may be accurate, but perhaps not.
How can he do something like that? After March 2004, we can read in Auditing Standard No. 2: "Internal control over financial reporting cannot provide absolute assurance of achieving financial reporting objectives because of its inherent limitations. Internal control over financial reporting is a process that involves human diligence and compliance and is subject to lapses in judgment and breakdowns resulting from human failures. Internal control over financial reporting also can be circumvented by collusion or improper management override. Because of such limitations, there is a risk that material misstatements may not be prevented or detected on a timely basis by internal control over financial reporting." We can find exactly the same paragraph in Auditing Standard No. 5.

This standard also agrees with the previous ones about the ability of the auditors to find what is wrong: "Just as there are inherent limitations on the assurance that effective internal control over financial reporting can provide, there are limitations on the amount of assurance the auditor can obtain as a result of performing his or her audit of internal control over financial reporting. Limitations arise because an audit is conducted on a test basis and requires the exercise of
(B) Projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate: The CEO signs that the controls are adequate today. Tomorrow is another day; he cannot promise that the controls will continue to be effective. So, if there is a material misstatement, perhaps it happened after the day he signed that the controls were adequate.

Do you know that future plans are not controls, so plans are out of the scope of Sarbanes-Oxley?
According to Auditing Standard No. 2: "Management's plans that could potentially affect financial reporting in future periods are not controls. For example, a company's business continuity or contingency planning has no effect on the company's current abilities to initiate, authorize, record, process, or report. Therefore, a company's business continuity or contingency planning is not part of internal control over financial reporting."

Be careful: future plans, business continuity plans and disaster recovery plans are out of the scope of Sarbanes-Oxley, but other elements of business continuity are in scope. Backups and off-site storage of tapes are very important internal controls that must be tested and documented.
(C) The management performed an evaluation of the effectiveness of the company's internal control over financial reporting based on the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control – Integrated Framework: COSO stands for the "Committee Of Sponsoring Organizations" (the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Internal Auditors, and the National Association of Accountants, now the Institute of Management Accountants). In 1992 they developed the leading framework for evaluating the effectiveness of internal controls.