
Sarbanes Oxley Act, Section 404: The real challenge.
What the CEOs and CFOs have signed 

The Sarbanes-Oxley 404 certification and the 404 HTTP error message are similar in one respect: neither explains what to do.

The 404 HTTP standard response code indicates that the client was able to communicate with the server, but either the server cannot find what was requested, or it is configured not to fulfil the request and not to reveal the reason why.


After reading section 404 of the Sarbanes-Oxley Act, we feel that either we do not find what was requested, or it is configured to give us opportunities not to fulfill the request and not to reveal the reason why.

Section 404 is small, just 173 words.

The CEOs spent $6.1 billion on complying with it during 2005, just to explain to the shareholders that they take the Sarbanes-Oxley Act seriously.

These 173 words put U.S. capital markets at a competitive disadvantage, driving initial public offerings away from the New York Stock Exchange to the London exchange, which advertises that it is "SOX free".

Let’s read a 404 certification:

CERTIFICATION OF CHIEF EXECUTIVE OFFICER PURSUANT TO SECTION 404
MANAGEMENT’S ANNUAL REPORT ON INTERNAL CONTROLS OVER FINANCIAL REPORTING

The management of (company’s name) is responsible for establishing and maintaining adequate internal control over financial reporting (as defined in Rules 13a-15(f) and 15d-15(f) under the Securities Exchange Act of 1934) for the company.

The company’s internal control over financial reporting is designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.

Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements (A). Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate (B) because of changes in condition or the deterioration of compliance with procedures or policies.

The management of (our company’s name) performed an evaluation as of December 31, 2007 of the effectiveness of the company’s internal control over financial reporting based on the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control – Integrated Framework.

Based on the review performed, management believes that as of December 31, 2007 (our company’s name) internal control over financial reporting was effective.

The independent registered public accounting firm (one of the big four) as auditors of the consolidated financial statements of (our company’s name) has issued an attestation report on management’s assessment of (our company’s name) internal control over financial reporting. Ohh!

(A) Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements: It is quite funny; we promise very few things.

On one hand, the CEO accepts responsibility for establishing and maintaining adequate internal control over financial reporting.

On the other hand, the CEO explains that these internal controls have inherent limitations, so they may not prevent or detect misstatements.

It means that the financial statements may be accurate, but perhaps not.

How can he do something like that? After March 2004, we can read in Auditing Standard No. 2: "Internal control over financial reporting cannot provide absolute assurance of achieving financial reporting objectives because of its inherent limitations.

Internal control over financial reporting is a process that involves human diligence and compliance and is subject to lapses in judgment and breakdowns resulting from human failures.

Internal control over financial reporting also can be circumvented by collusion or improper management override. Because of such limitations, there is a risk that material misstatements may not be prevented or detected on a timely basis by internal control over financial reporting." We can find exactly the same paragraph in Auditing Standard No. 5.

This standard also agrees with the previous ones about the ability of the auditors to find what is wrong: "Just as there are inherent limitations on the assurance that effective internal control over financial reporting can provide, there are limitations on the amount of assurance the auditor can obtain as a result of performing his or her audit of internal control over financial reporting.

Limitations arise because an audit is conducted on a test basis and requires the exercise of professional judgment."

(B) Projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate: The CEO signs that the controls are adequate today.

Tomorrow is another day; he cannot promise that the controls will continue to be effective. So, if there is a material misstatement, perhaps it happened after the day he signed that the controls were adequate.

Do you know that future plans are not controls, so plans are outside the scope of Sarbanes-Oxley?

According to Auditing Standard No. 2: "Management's plans that could potentially affect financial reporting in future periods are not controls.

For example, a company's business continuity or contingency planning has no effect on the company's current abilities to initiate, authorize, record, process, or report financial data.

Therefore, a company's business continuity or contingency planning is not part of internal control over financial reporting."

Be careful: Future plans, business continuity plans and disaster recovery plans are outside the scope of Sarbanes-Oxley, but other elements of business continuity are in scope. Backups and off-site storage of tapes are very important internal controls that must be tested and documented.

(C) The management performed an evaluation of the effectiveness of the company’s internal control over financial reporting based on the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control – Integrated Framework: COSO stands for the "Committee Of Sponsoring Organizations" (the American Accounting Association, the American Institute of Certified Public Accountants, the Financial Executives International, the Institute of Internal Auditors, and the National Association of Accountants, now the Institute of Management Accountants).

In 1992 they developed the leading framework for evaluating the effectiveness of internal controls.


 
