SARBANES-OXLEY AND COSO ERM

SOx now requires business managers to take personal responsibility for the
documentation, review, and testing of their enterprise’s internal controls. Both SOx and
COSO ERM have some important dependencies on one another, and today’s enterprise
manager must have a general understanding of both.

SARBANES-OXLEY BACKGROUND
Starting with the terrible case of Enron, the press, the SEC, and members of the U.S.
Congress all declared that auditing and corporate governance practices needed to be fixed.
The major outcome here was the passage of SOx in 2002. SOx established major new
regulatory rules for public accounting firms, financial auditing standards, and corporate
governance. Through SOx, the public accounting profession was transformed, the American
Institute of Certified Public Accountants’ (AICPA’s) Auditing Standards Board lost its
responsibility for setting public corporation auditing standards, and the rules soon changed
for corporate senior executives, boards of directors, and their audit committees. A new entity,
the Public Company Accounting Oversight Board (PCAOB), was established under the SEC
to set financial reporting and auditing standards as well as to oversee individual public
accounting firms. Although enterprise risk management is not directly covered in that legislation, SOx has
also had a considerable impact on it.

SOX LEGISLATION OVERVIEW

This section discusses this very significant public accounting standards-setting and
corporate governance legislation, SOx, with an emphasis on its aspects that are most
important for enterprise risk management. SOx and the PCAOB represent the major changes
to public accounting, financial reporting, and corporate governance rules since the SEC was
launched in the 1930s. SOx is the most important financial legislation passed in the United
States since the early 1930s, and it has caused changes for financial managers, internal
auditors, external auditors, and corporate governance administrators in all corporations. The
overall SOx rules are very important to all parties involved with implementing an effective
ERM program in their enterprise.

Setting the Rules: The Public Company Accounting Oversight Board

For many years, the AICPA had review responsibility for public accounting firms
through its administration of the certified public accountant (CPA) test and its restriction
of AICPA membership to CPAs only. Auditing standards were based on what was called
generally accepted auditing standards (GAAS) along with a series of specific numbered
auditing standards called Statements of Auditing Standards (SAS). GAAS rules govern
auditing, while generally accepted accounting principles (GAAP) define the accounting rules.
The post-Enron-era financial failures introduced some major changes to what had
been well-established financial auditing standards and practices. SOx
has brought many changes to the auditing standards-setting process. The AICPA’s Auditing
Standards Board has lost its responsibility for setting auditing standards, and the rules have
changed for corporate senior executives, boards of directors, and their audit committees. A
new entity, the Public Company Accounting Oversight Board (PCAOB, but sometimes called
“Peek-a-Boo”), has been established as part of SOx and under the SEC to set public
accounting auditing standards and to oversee individual public accounting firms. SOx
represents the most important set of new rules for auditing and internal auditing today. The
effective internal auditor and risk manager should have a good understanding of these new
rules and how they apply to today’s practice of auditing and financial reporting. The PCAOB
is now the independent entity that governs and regulates the public accounting industry and
establishes financial auditing standards.

Section 404: Management’s Assessment of Internal Controls

SOx Section 404 requires that each SEC annual report filing must contain an internal
control report that states management’s responsibility for establishing and maintaining an
adequate system of internal controls as well as management’s assessment, as of that fiscal
year ending date, of the effectiveness of those installed internal control procedures. The
external auditors are to attest to and report on the internal control assessments made by
management. SOx Section 404 requires that all impacted enterprises must document and
describe their key internal controls and then must test those controls to determine if they are
operating effectively as defined and also must identify any material weaknesses in those
internal controls. Simply put, management is now required to report on the quality of their
internal controls, and the public accounting firm responsible for the financial statement audit
must attest to the adequacy and accuracy of that management-prepared internal accounting
controls report.

Launching the Section 404 Compliance Review: Identifying Key Processes.

Every enterprise uses multiple processes to conduct its normal business activities. The
monthly financial accounting close is one example. A very early step is for an
enterprise to define and describe its major processes, including making certain all parties
have a clear understanding of what is meant by each such process, such as this closing process. A process is a series of
actions that have clearly defined starting points, consistent operational steps, and defined
output points. Internal audit or the risk management function can be a major help here in
assisting an enterprise in defining its key processes.

Launching the Section 404 Review: Organizing the Internal Control Review.

Compliance with SOx Section 404 places a major challenge on SEC-registered
enterprises. An effective internal audit function can play a very major role in helping an
enterprise get ready for SOx Section 404 compliance. External auditors will review and attest
to management’s internal financial control assessment report but cannot do the work
themselves. An internal audit function, another management team, or outside consultants
should begin their Section 404 compliance review process by launching a formal, special
project along the lines of project management processes. While details may vary, the project
could be launched following these steps:
1. Organize the Section 404 compliance project approach.
2. Develop a project plan.
3. Select key processes for review.
4. Document selected process transaction flows.
5. Identify, document, and test key internal controls.
6. Assess selected process risks.
7. Assess control effectiveness through appropriate test procedures.
8. Identify any control gaps.
9. Review compliance results with key stakeholders.
10. Complete a report on the effectiveness of the internal control structure.

At the present time in these still early years of SOx, there are still smaller, private, or non-
U.S. enterprises that have not fully adopted the COSO internal control framework. There are
many SEC-registered corporations today whose internal audit functions have performed some
internal control reviews but have not otherwise embraced a COSO-like internal control
framework throughout the enterprise.