Sarbanes Oxley
SOx now requires business managers to take personal responsibility for the
documentation, review, and testing of their enterprise’s internal controls. Both SOx and
COSO ERM have some important dependencies on one another, and today’s enterprise
manager must have a general understanding of both.
SARBANES-OXLEY BACKGROUND
Starting with the terrible case of Enron, the press, the SEC, and members of the U.S.
Congress all declared that auditing and corporate governance practices needed to be fixed.
The major outcome here was the passage of SOx in 2002. SOx established major new
regulatory rules for public accounting firms, financial auditing standards, and corporate
governance. Through SOx, the public accounting profession was transformed, the American
Institute of Certified Public Accountants’ (AICPA’s) Auditing Standards Board lost its
responsibility for setting public corporation auditing standards, and the rules soon changed
for corporate senior executives, boards of directors, and their audit committees. A new entity,
the Public Company Accounting Oversight Board (PCAOB), was established under the SEC
to set financial reporting and auditing standards as well as to oversee individual public
accounting firms. Although enterprise risk management is not directly addressed in that
legislation, SOx has also had a substantial impact on it.
Launching the Section 404 Review: Organizing the Internal Control Review
Compliance with SOx Section 404 places a major challenge on SEC-registered
enterprises. An effective internal audit function can play a major role in helping an
enterprise get ready for SOx Section 404 compliance. External auditors will review and attest
to management’s internal financial control assessment report but cannot do the work
themselves. An internal audit function, another management team, or outside consultants
should begin their Section 404 compliance review process by launching a formal, special
project along the lines of project management processes. While details may vary, the project
could be launched following these steps:
1. Organize the Section 404 compliance project approach.
2. Develop a project plan.
3. Select key processes for review.
4. Document selected process transaction flows.
5. Identify, document, and test key internal controls.
6. Assess selected process risks.
7. Assess control effectiveness through appropriate test procedures.
8. Identify any control gaps.
9. Review compliance results with key stakeholders.
10. Complete a report on the effectiveness of the internal control structure.
In these still early years of SOx, there remain smaller, private, or non-U.S. enterprises
that have not fully adopted the COSO internal control framework. There are also many
SEC-registered corporations today whose internal audit functions have performed some
internal control reviews but have not otherwise embraced a COSO-like internal control
framework throughout the enterprise.