Sarbanes-Oxley - Corporate Responsibilities for Financial Reports
The requirements listed in Title III, Section 302, of the Sarbanes-Oxley Act - Corporate Responsibilities for Financial Reports - lists the responsibilities of signing officers:
- The signing officers have reviewed the report
- The report does not contain any material untrue statements or material omission or be considered misleading
- The financial statements and related information fairly present the financial condition and the results in all material respects
- The signing officers are responsible for internal controls and have evaluated these internal controls within the previous ninety days and have reported on their findings
- A list of all deficiencies in the internal controls and information on any fraud that involves employees who are involved with internal activities
- Any significant changes in internal controls or related factors that could have a negative impact on the internal controls
Items 1, 2 and 3 do not present major difficulties. However, items 4, 5 and 6 require in-depth analysis of your reporting environment, and the support of your IT department and the BI platform management and administration team.
Sarbanes -Oxley - Management Assessment of Internal Controls
Title IV, Section 404, of the Sarbanes-Oxley Act - Management Assessment of Internal Controls - may be summarized as follows:
Issuers are required to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting. This statement shall also assess the effectiveness of such internal controls and procedures.
The registered accounting firm shall, in the same report, attest to and report on the assessment on the effectiveness of the internal control structure and procedures for financial reporting.
The "scope and adequacy of the internal control structure and procedures for financial reporting" is critical to establishing confidence in your financial statements.
Public Company Accounting Oversight Board (PCAOB)
The Public Company Accounting Oversight Board (PCAOB) was established by the US Congress in compliance with the Sarbanes-Oxley Act of 2002. It is a nonprofit corporation that "oversees the audits of public companies in order to protect the interests of investors and further public interest in the preparation of informative, accurate and independent audit reports."
PCAOB's Auditing Standard No. 5 provides guidance for the performance of "an audit of internal control over financial reporting that is integrated with an audit of financial statements." According to the standard, Risk Assessment underlies the entire audit process, and your control objectives should be an extension of your risk assessment (PCAOB St. No. 5, 10). Risk Assessment by an auditor is meant to uncover material weakness (that is, any control deficiency) that may potentially lead to material misstatement of financial data.
Section 56 of the standard, which pertains to the testing of internal controls, speaks to the necessity of change management and baselining:
56. The additional evidence that is necessary to update the results of testing from an interim date to the company's year-end depends on the following factors -
- The specific control tested prior to the as-of date, including the risks associated with the control and the nature of the control, and the results of those tests;
- The sufficiency of the evidence of effectiveness obtained at an interim date;
- The length of the remaining period; and
The possibility that there have been any significant changes in internal control over financial reporting subsequent to the interim date.
[emphasis added]
Slow, manual, labor-intensive baselining processes are the enemy of timely, accurate, low-risk financial reporting.
One of the indicators of material weaknesses that auditors look for is "Ineffective oversight of the company's external financial reporting and internal control over financial reporting by the company's audit committee" (PCAOB St. No. 5, 69).
To an auditor, lack of detail and transparency may be indicators of material weakness in the internal control structure:
When evaluating the severity of a deficiency, or combination of deficiencies, the auditor also should determine the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles. If the auditor determines that a deficiency, or combination of deficiencies, might prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles, then the auditor should treat the deficiency, or combination of deficiencies, as an indicator of a material weakness. (PCAOB St. No. 5, 70)
An auditor is expected to obtain from management, in writing, representations concerning any changes that might affect internal control over financial reporting.
75. In an audit of internal control over financial reporting, the auditor should obtain written representations from management -
…
h. Stating whether there were, subsequent to the date being reported on, any changes in internal control over financial reporting or other factors that might significantly affect internal control over financial reporting, including any corrective actions taken by management with regard to significant deficiencies and material weaknesses. (PCAOB St. No. 5, 75)
How easily will you be able to produce such representations? How will you return responsibilities into opportunities?
Read More About SOX Responsibilities & Opportunities...