One thing that is rising is something called SOX
The Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or SarbOx; July 30, 2002) is a United States federal law passed in response to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, and WorldCom (now MCI). These scandals resulted in a decline of public trust in accounting and reporting practices. Named after sponsors Senator Paul Sarbanes (D–Md.) and Representative Michael G. Oxley (R–Oh.), the Act was approved by the House by a vote of 423-3 and by the Senate 99-0. The legislation is wide ranging and establishes new or enhanced standards for all U.S. public company Boards, Management, and public accounting firms. The Act contains 11 titles, or sections, ranging from additional Corporate Board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law. Some believe the legislation was necessary and useful, others believe it does more economic damage than it prevents and yet others observe how essentially modest the Act is compared to the heavy rhetoric accompanying it.
The first and most important part of the Act establishes a new quasi-public agency, the Public Company Accounting Oversight Board, which is charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. The Act also covers issues such as auditor independence, corporate governance and enhanced financial disclosure. It is considered by some as one of the most significant changes to United States securities laws since the New Deal in the 1930s.
The House passed Rep. Oxley's bill (H.R. 3763) on April 25, 2002, by a vote of 334 to 90. The House then referred the "Corporate and Auditing Accountability, Responsibility, and Transparency Act" or "CAARTA" to the Senate Banking Committee with the support of President Bush and the SEC. At the time, however, the Chairman of that Committee, Senator Paul Sarbanes (D-MD), was preparing his own proposal, Senate Bill 2673.
Senator Sarbanes’s bill passed the Senate Banking Committee on June 18, 2002, by a vote of seventeen to four. On June 25, 2002, WorldCom revealed that it had overstated its earnings by more than $3.8 billion during the past five quarters, primarily by improperly accounting for its operating costs. Senator Sarbanes introduced Senate Bill 2673 to the full Senate that very same day and it passed 97 to 0 less than three weeks later on July 15, 2002.
The House and the Senate formed a Conference Committee to reconcile the differences between Senator Sarbanes's bill (S. 2673) and Representative Oxley's bill (H.R. 3763). The conference committee relied heavily on Senate Bill 2673 and “most changes made by the conference committee strengthened the prescriptions of S. 2673 or added new prescriptions.” (John T. Bostelman, The Sarbanes-Oxley Deskbook § 2-31.)
The Committee approved the final conference bill on July 24, 2002 and gave it the name "the Sarbanes-Oxley Act of 2002." The next day, both houses of Congress voted on it without change, producing an overwhelming margin of victory: 423 to 3 in the House and 99 to 0 in the Senate. On July 30, 2002, President George W. Bush signed it into law, stating that it included "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt." ("Elisabeth Bumiller, Bush Signs Bill Aimed at Fraud in Corporations", The New York Times, July 31, 2002, page A1).
Under Sarbanes-Oxley, two separate certification sections came into effect – one civil and the other criminal. See 15 U.S.C. § 7241 (Section 302) (civil provision); 18 U.S.C. § 1350 (Section 906) (criminal provision).
Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are “responsible for establishing and maintaining internal controls” and “have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared.” 15 U.S.C. § 7241(a)(4). The officers must “have evaluated the effectiveness of the company’s internal controls as of a date within 90 days prior to the report” and “have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.” Id..
Moreover, under Section 404 of the Act, management is required to produce an “internal control report” as part of each annual Exchange Act report. See 15 U.S.C. § 7262. The report must affirm “the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.” 15 U.S.C. § 7262)a). The report must also “contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.” Id. To do this, managers are generally adopting an internal control framework such as that described in COSO
Under both Section 302 and Section 404, Congress directed the SEC to promulgate regulations enforcing these provisions. (See Final Rule: Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, Release No. 33-8238 (June 5,2003), available at http://www.sec.gov/rules/final/33-8238.htm.)
In addition, outside auditors for companies must, for the first time, attest to managers' internal control assessment, pursuant to SEC rules, which currently require only large public companies comply with this part of SOX. This presents new challenges to businesses, specifically, documentation of control procedures related to information technology ("IT"). Public Company Accounting Oversight Board (PCAOB) has issued guidelines on how auditors should provide their attestations.
The PCAOB suggests considering the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework in management/auditor assessment of controls. Auditors have also looked to the IT Governance Institute's "COBIT: Control Objectives of Information and Related Technology" for more appropriate standards of measure. This framework focuses on information technology (IT) processes while keeping in mind the big picture of COSO's "control activities" and "information and communication". However, certain aspects of COBIT are outside the boundaries of Sarbanes-Oxley regulation.
The financial reporting processes of most organizations are driven by IT systems. Few companies manage their data manually and most companies rely on electronic management of data, documents, and key operational processes. Therefore, it is apparent that IT plays a vital role in internal control. As PCAOB's "Auditing Standard 2" states:
"The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting."
Chief information officers are responsible for the security, accuracy and the reliability of the systems that manage and report the financial data. Systems such as ERP (Enterprise Resource Planning) are deeply integrated in the initiating, authorizing, processing, and reporting of financial data. As such, they are inextricably linked to the overall financial reporting process and need to be assessed, along with other important process for compliance with Sarbanes-Oxley Act. So, although the Act signals a fundamental change in business operations and financial reporting, and places responsibility in corporate financial reporting on the chief executive officer (CEO) and chief financial officer (CFO), the chief information officer (CIO) plays a significant role in the signoff of financial statements.
For a detailed discussion on the impact of SOX on IT audit and controls.
There is considerable debate over the specific requirements of the Sarbanes-Oxley act, as written. Some people in the business community have acknowledged that, as John Thain, CEO of the New York Stock Exchange states, "There is no question that, broadly speaking, Sarbanes-Oxley was necessary" [1]. However, the cost of implementing the new requirements has led some to widespread questioning of how effective or necessary the specific provisions of the law truly are.
For companies, a key concern is cost of updating information systems to comply with the control and reporting requirements. Systems which provide document management, access to financial data, or long-term storage of information must now provide auditing capabilities. In most cases this requires significant changes, or even complete replacement, of existing systems which were designed without the needed level of auditing details.
Costs associated with SOX 404 compliance have proven to be significant. According to the Financial Executives International (FEI), in a survey of 217 companies with average revenue above $5 billion, the cost of compliance was an average of $4.36 million. The high cost of compliance throughout the first year can be attributed to the sharp increase in hours charged per audit engagement. This has been a boon for the auditing profession, more than offsetting the reduced revenues arising from the Act's restriction against those firms conducting various non-audit services for audit clients.
As more companies and auditors gain experience with SOX 404, audit costs have been falling. Audit firm revenues are still higher than they were prior to the Act, although audit fees were rising prior to the Act, partly as a result of the accounting scandals that prompted the Act.
In a recent article by the accounting and consulting firm of Deloitte Touche Tohmatsu entitled "Under Control", the need for "sustainable compliance" is encouraged. The article suggests leveraging lessons learned to shift to a long-term strategy. The following areas are described as impediments to the process:
"Project mindset: … many companies understandably treated section 404 compliance as a discrete project with a clearly defined ending point."
"Overextension of internal audit: If management continues to utilize internal audit for intensive 404 and 302 compliance-related work, then a significant infusion of resources (i.e., budget and headcount) to accommodate the additional workload will be needed."
"Poorly defined roles: Internal control-related roles and responsibilities, often poorly defined and segregated from the day-to-day routine of employees during the first year, will require greater clarity and integration going forward"
"Improvisational approach: Another symptom of deadline pressure showed up in the jerrybuilt practices that carried many companies through the first year."
"Underestimation of technology impacts and implications: …IT is recognized as critical for achieving the goals of the Act, and the impact and implications of technology are widely regarded as significant and pervasive. In many year-one projects, organizations focused heavily on business processes and did not consider the broader role that IT plays in managing financial information and enabling controls… IT will make a huge impact on compliance going forward. At a minimum, technology investments will be necessary to support sustainable compliance in several areas, including repository, work flow, and audit trail functionality. Technology will also be used to enable the integration of financial and internal control monitoring and reporting — a critical requirement at most large and complex enterprises."
"Ignored risks: Effective internal control is predicated on risk… the controls themselves — exist expressly for the purpose of minimizing the risk of financial reporting errors… In year one, risk assessment was treated as an afterthought — if addressed at all."
The future of SOX 404 will depend on the ability of businesses to respond to the areas noted above by making it a part of every-day business. Deloitte has developed the "Sustained Compliance Solution Framework". Key areas of the framework are also taken from "Under Control":
Effective and efficient processes for evaluating testing, remediating, monitoring, and reporting on controls
Integrated financial and internal control processes
Technology to enable compliance
Clearly articulated roles and responsibilities and assigned accountability
Education and training to reinforce the "control environment"
Adaptability and flexibility to respond to organizational and regulatory change.
Deloitte and the other auditing industry firms will generate significant revenue from these elaborate exercises.
Carl Oxholm III, Sarbanes-Oxley in Higher Education: Bringing Corporate America’s “Best Practices” to Academia, 31 J.C. & U.L. 351 (2005).
"Sarbanes-Oxley §§ 302 & 906: Corporate reform or legislative redundancy? A critical look at the 'new' corporate responsibility for financial reports" by Luke Alverson, 33 Sec. Reg. L.J. 15 (2005)
"Company Liability After the Act Sarbanes-Oxley," by Peri Nielsen & Claudia Main, 18 No. 10 Insights 2 (Oct. 2004)
"Enron--The bankruptcy heard around the world and the international ricochet of Sarbanes-Oxley," by John Paul Lucci, 67 Alb. L. Rev. 211 (2003)
"A Pox on Both Your Houses: Enron, Sarbanes-Oxley and the Debate Concerning the Relative Efficacy of Mandatory Versus Enabling Rules," by Jonathan R. Macey, 81 Wash. U. L.Q. 329, 333 (2003)
"United States v. Simon and the new certification provisions," by Christian J. Mixter, 76 St.John's L.Rev. 699 (2002)
Roberta Romano, The Sarbanes-Oxley Act and the Making of Quack Corporate Governance, 114 Yale L.J. 1521 (2005)
Lawrence A. Cunningham, The Sarbanes-Oxley Yawn: Heavy Rhetoric, Light Reform (And It Might Just Work), 45 Conn. L. Rev. 915 (2003)