practical Approach to the Sarbanes-Oxley Act
Joel C. Quall
Act requires that all public companies do something that they
probably should have been doing anyway: assign the CEO and
the CFO authority over the company’s internal controls
and the opportunity to demonstrate competent and transparent
governance, not just to the SEC but to shareholders and the
financial community in general. While some public companies
may previously have managed with less-than-stellar internal
controls, those days are over.
order to achieve increased effectiveness and efficiency
from implementing the act’s requirements, companies
should begin with a clear understanding of the objectives
and requirements and develop an executable plan. Compliance
deadlines will be met, work processes will flow more smoothly,
and along the way, any hidden value may likely be revealed.
In short, the silver lining of Sarbanes-Oxley may be that
it gives companies the motivation and means to improve themselves.
A company’s implementation of Sarbanes-Oxley section
404 should have a dual focus: compliance and internal controls
enhancement. The company will need defined objectives, clear
requirements, proper resources, and an achievable schedule.
404 reads as follows:
Commission shall prescribe rules requiring each annual report
required by Section 13 (a) or 15 (d) of the Securities Exchange
Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal
control report, which shall—
State the responsibility of management for establishing
and maintaining an adequate internal control structure
and procedures for financial reporting; and
2. Contain an assessment, as of the end of the most recent
fiscal year of the issuer, of the effectiveness of the
internal control structure and procedures of the issuer
for financial reporting.
February 2004, the SEC extended the deadline for compliance
with section 404. Accelerated filers (defined as U.S. companies
with a market capitalization exceeding $75 million) must
be in compliance for their first fiscal year ending on or
after November 15, 2004. For nonaccelerated filers, compliance
is required beginning with the company’s first fiscal
year ending on or after July 15, 2005.
of Implementing Section 404
section 404 clearly defines requirements for disclosure
of internal controls, the larger issue is how well a company
understands internal controls. Implementing section 404
presents a great opportunity to enhance the efficiency and
value of the company. Potential immediate benefits include
educating, and development of personnel. Many
employees perform their duties and responsibilities by rote.
Evaluation encourages employees to take a closer look and
discover new ways to improve their efficiency and ultimately
become a more capable workforce. Another benefit from the
evaluation process is the opportunity for cross-training
employees for more than their present duties and responsibilities.
A thoroughly cross-trained workforce that is knowledgeable
about their job functions and how they affect the company
means employees that work smarter, not harder.
the efficiency of the company. Companies that
ask their financial employees why they do certain things
are often surprised to find that a particular procedure
or task has no affect on the financial statements.
documenting procedures, companies will expand awareness,
allowing them to become more efficient in reducing operating
costs, eliminating pointless or redundant processes, and
maintaining correct staffing levels. Human capital makes
the critical difference; assigning the right personnel to
the right task and department enables companies to be most
example, efficiencies allow a company to reduce the number
of days needed to close its books. Documenting and testing
the financial transaction cycles enables a company to develop
or update its policy and procedure manual, and leads to
more-effective accounting and governance practices. A company
with foreign operations or multiple subsidiaries can become
streamlined, with one unified financial accounting reporting
system and one policy and procedure manual.
board of directors and audit committee members.
Many recent corporate accounting failures are traceable
to members of the board of directors or audit committee,
who have been criticized for poor supervision of company
senior executives. Sarbanes-Oxley mandates that audit committees
designate a board member as a “financial expert”
as a way to improve the quality of members of the board
of directors and audit committee.
benefits. Implementation of section 404 may
lead to some surprises, discovery of weaknesses in the internal
control system, or even revelation of past or present fraud.
Companies should prepare by deciding in advance how to manage
such a finding, bearing in mind that for a company to find
its own flaws is preferable to others finding them.
that are considering an initial public offering (IPO) should
have a good grasp of what reporting requirements public
companies face. By complying with Sarbanes-Oxley, companies
take steps toward compliance so they can meet SEC and stock
exchange listing requirements as soon as possible. Building
these requirements into the structure of a company that
is considering an IPO costs less than making changes later.
held companies, although not legally obligated to comply
with Sarbanes-Oxley, may also choose to voluntarily implement
section 404 as part of an overall plan to improve business
practices and to be prepared in case similar legislation
is passed on the state or local level.
of Internal Controls
1992, the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) created a model of internal control. COSO
broke down internal control into five interrelated components
in order to simplify a company’s organizational plan
of all activities that go into an efficient internal control
defined internal control as “a process, effected by
an entity’s board of directors, management, and other
personnel, designed to provide reasonable assurance regarding
the achievement of the objectives” in the following
Effectiveness and efficiencies of operations;
Reliability of financial reporting; and
Compliance with applicable laws and regulations.
environment. This component of internal control
sets the tone of a company and is the foundation for all
other components of internal control: discipline, structure,
integrity, ethical values, employee competence, management’s
philosophy and operating style, and the leadership provided
by senior management and the board of directors.
assessment. Risk assessment is the establishment
of objectives, and the identification and analysis of risks
to achievement, forming a basis for determining how the
risks should be managed.
activities. These are the policies and procedures
that ensure how management directives are executed. They
include activities such as approvals, authorizations, verifications,
reconciliations, reviews of operating performance, the safeguarding
of assets, and the segregation of duties.
and communication. Information must be identified,
captured, and communicated in a form and timeframe that
enables people to carry out their responsibilities. Personnel
must understand their own role in internal control, as well
as how individual activities relate to others. Employees
must have the means to communicate information upstream,
with customers, suppliers, regulators, and shareholders.
The internal control process must be monitored. This is
accomplished through management’s ongoing assessment
of the performance of internal control. Ongoing monitoring
allows the internal control process to react to changing
conditions of the company.
SEC issued a final rule titled “Management’s
Reports on Internal Control Over Financial Reporting and
Certification of Disclosure in Exchange Act Periodic Reports”
(Release No. 33-8238), which became effective August 14,
2003. The final rule defines “internal control over
financial reporting” as:
process designed by, or under the supervision of, the
registrant’s principal executive and principal financial
officers, or persons performing similar functions, and
effected by the registrant’s board of directors,
management and other personnel, to provide reasonable
assurance regarding the reliability of financial reporting
and the preparation of financial statements for external
purposes in accordance with generally accepted accounting
principles and includes those policies and procedures
Pertain to the maintenance of records that in reasonable
detail accurately and fairly reflect the transactions
and dispositions of the assets of the registrant;
(2) Provide reasonable assurance that transactions are
recorded as necessary to permit preparation of financial
statements in accordance with generally accepted accounting
principles, and that receipts and expenditures of the
registrant are being made only in accordance with authorizations
of management and directors of the registrant; and
(3) Provide reasonable assurance regarding prevention
or timely detection of unauthorized acquisition, use or
disposition of the registrant's assets that could have
a material effect on the financial statements.
final rule attempts to link governance controls with control
activities of COSO. Time and again since Sarbanes-Oxley
was passed, COSO has been identified as the preferred internal
control framework. The objectives of the COSO framework
include improving efficiency and profitability, preventing
fraud, and developing accurate financial reporting. Companies
that follow the COSO framework will build an efficient internal
control structure and be in compliance with the final rule
of the SEC.
and Executing the Implementation Plan
a company understands the above internal control model,
it can implement section 404 using a five-step methodology.
1: Form the sponsoring committee, the implementation team,
and the formal written plan. The success of
an internal controls project depends upon the endorsement
and ongoing support of senior management and the board of
directors. Senior management should believe that implementing
section 404 is more than a legal obligation; in the long
run, doing so will increase the value of the company.
ultimate success of all projects derives from a company’s
values—its culture of integrity, honesty, and high
ethical standards. This tone is set at the top. In addition
to senior management setting the tone, resources must be
available to the project. The implementation team, as defined
below, must hold the authority to make critical decisions
and allocate resources when and where needed. Two major
resources that senior management must contribute are time
and personnel. Once senior management decides on the requirements
and commits to the project, speed is essential. A small,
focused, motivated team, staffed by the best experts that
the company can afford, is the best means to success.
conceived plan is key. A clear statement of requirements
must be followed by a timeline with obtainable milestones
and a realistic estimate of required resources. This becomes
a proper workplan when the form of deliverables is developed
and included. Communication with outside professionals,
such as the audit firm and legal counsel, is important.
They should be in agreement with the process, especially
because the audit firm will ultimately be called upon to
certify the process.
committee. The company should organize a sponsoring
committee that is charged with defining the requirements
for the implementation team. The sponsoring committee will
also supervise the implementation team and be responsible
for seeing that the team’s duties and responsibilities
approach is geared toward a large company and may be impractical
for a small or medium-sized company. Such companies may
wish to combine the sponsoring committee and the implementation
sponsoring committee will define the requirements for the
project, which are then signed off on by the CEO, the CFO,
the in-house legal counsel, the board of directors, and
the members of the audit committee. This committee must
take responsibility for ensuring that the right questions
are asked at the right time; for seeing that the implementation
team has the proper resources and ongoing executive support;
for signing off on the implementation plan; and for monitoring
progress and reporting back to the board of directors, audit
committee, and outside professionals (i.e., outside legal
counsel and auditors). The implementation team may issue
a weekly or monthly report to all internal parties as well
as to outside legal counsel and auditors. Before any report
is released to outside parties, however, in-house counsel
should review it for potential legal issues.
team. This team is responsible for developing the implementation
plan, submitting it to the sponsoring committee for approval,
and executing it. The team must generate all supporting
documentation, including a new policy-and-procedure manual.
The team must represent the company’s disciplines
and should include the following individuals:
Chief accounting officer
Accounting department representatives
Members of the internal audit department
Chief information officer
Members of the information technology department
of foreign subsidiaries
Representatives of key business units
Members of the treasurer’s department.
implementation team should formally present the plan in
writing to the sponsoring committee. Once approved, the
plan will serve as a roadmap for the implementation team.
internal control weaknesses are noted during the implementation,
the team should address plans to remedy them as soon as
possible. After the initial process, the implementation
team should meet on a monthly basis to monitor the internal
2: Document the financial cycles. Virtually
all public companies already have some semblance of an internal
control structure in place, however informally it may be
documented. Documenting financial cycles allows the company
to assess the effectiveness of internal controls at an acceptable
level of errors or omissions. The documentation process
should reflect the internal control objectives and identify
any internal control deficiencies that may exist.
can take different forms. Three common methods of documenting
the understanding of internal control are narratives, flowcharts,
and internal control questionnaires. These can be used separately
or in combination.
preferred documentation methods are narrative workflow and
a flowchart of the financial cycles. The documentation should
be traced back to the policy-and-procedure manual, if one
exists, which should be updated if any deviations are noted.
If the company has systems descriptions, these are a good
is a written description of a company’s internal controls
and financial cycles and should include the following:
Descriptions of every document and record used in the
Descriptions of every process that occurs, whether manual
or computer-generated, drilled down to the lowest level
possible (e.g., preparation of purchase orders with the
Descriptions of the disposition of every document and
record in the system.
Indications of the identified control related to the document
or procedure. For example: authorizations and approvals,
preparer and reviewer sign-offs, verification, and separation
is a symbolic representation of a company’s flow of
documents and processes. The flowchart can be a better representation
of document workflow and separation of duties as the documents
and processes go through the financial cycle. Flowcharts
have the advantage of being easily updated on a periodic
or as-needed basis.
internal control questionnaire can be obtained from outside
audit firms. These questionnaires are very generic and can
be difficult to customize if the questionnaire is not received
in an electronic format.
companies, such as SAP, PeopleSoft, Oracle, and others,
have developed software evaluation tools that help users
automate the documentation of their internal control structure.
Although technology has made the documentation process easy,
a well-trained user of the software must be able to correctly
understand the computer-generated documentation and evaluate
its findings and conclusions.
3: Test transactions. The test of transactions
is a method to verify that identified internal controls
are performing as they were designed to do. The test of
transactions should be performed in two directions, each
tracing transactions through the computer and manual processes
The first direction is a sample made of certain source documents
(e.g., vendor invoice, sales transaction, subsidiary ledger
balance) and is traced through to the financial statement
balance. The test of transactions in this direction addresses
Do the internal controls handle the transactions in the
Do all the transactions reach the financial statements?
The test in this direction traces a sampling of transactions
from the financial statement balance back to the source
document. The test of transactions in this direction addresses
the issue of whether all data contained in a financial account
balance is supported by source documentation.
both directions, the sample of transactions tested should
be selected using a sampling technique. Sampling techniques
can employ either a judgmental or statistical approach.
An example of a judgmental approach is a systematic selection
of days of the fiscal year or every 100th transaction in
a numerical sequence. A statistical approach would take
random samples from among all transactions.
tests of transactions should be designed to test management
assertions as defined in SAS 31, Evidential Matter,
which classifies management assertions into five categories:
Existence or occurrence. This assertion deals
with whether assets, liabilities, and equity included
in the balance sheet actually existed on the balance sheet
date. Additionally, the assertion of occurrence is concerned
whether recorded transactions included in the financial
statements actually occurred during the period. This assertion
is concerned with the inclusion of amounts that should
have been included (e.g., inventory that exists and is
available for sale at the balance sheet date).
Completeness. This assertion states that the
financial statements include all transactions and accounts
that should be presented. It is concerned with the possibility
of omitting items from the financial statements that should
have been included (e.g., a sales-cutoff test to determine
that sales are recorded in the proper accounting period).
or allocation. This assertion is related to whether
the asset, liability, equity, revenue, and expense accounts
have been included in the financial statements at appropriate
values (e.g., fixed assets stated at the net book value).
and obligations. This assertion is related to whether
the assets are the rights of the company and the liabilities
are the obligations of the company at the balance sheet
Presentation and disclosure. This assertion is
related to whether components of the financial statements
are properly classified, grouped, or reported separately
and disclosed in the financial statements (e.g., liabilities
properly recorded as a current or long-term liability).
4: Evaluate. After the tests of transactions
are performed, the results must be evaluated. The documentation
should describe the procedures used and the results obtained
about operating effectiveness to provide a basis for their
conclusion. If, during the evaluation, internal control
deficiencies are identified, plans to remedy these internal
controls should be documented and implemented as soon as
control deficiencies are classified into two categories:
Reportable conditions are significant deficiencies in
the design or operation of the internal control structure
that could adversely affect the company’s ability
to record, process, summarize, and report financial data
consistent with the assertions of management in the financial
A material weakness is a reportable condition that is
so serious that the design or operation of one or more
of the specific internal control elements does not reduce
to a relatively low level the risk that errors or irregularities
in amounts that would be material to the accuracy of the
financial statements may occur and not be detected within
a timely period by employees in the normal course of performing
their assigned tasks. The presence of a material weakness
may indicate that the internal control structure is not
must take corrective action to remedy an internal control
deficiency as soon it is noted. The corrected internal control
procedure must be in place and in operation for a period
of time prior to the reporting date for management to be
able to evaluate the corrected control and conclude that
the control is operating effectively as of the reporting
of prior years’ audit management letters should be
made to determine that all past identified weaknesses are
addressed. A company may decide to upgrade existing computer
systems, purchase a new accounting software system, or improve
the integration of computer processes with the manual processes.
evaluation does not end here. Pursuant to SEC rules, a company
must report on internal control for every reporting period.
The evaluation of internal control is an ongoing process
and must become part of the culture of every company. The
evaluation of internal control should always be extensive,
but the collection of information does not have to be as
extensive as the initial implementation. Companies should
update the internal control process on a quarterly basis,
and fully evaluate it annually. Additionally, when a company
acquires another company, the acquirer must evaluate whether
the acquisition will have a material affect on its internal
1 and Exhibit
2 illustrate documentation forms for assessment of internal
5: Report. When the SEC final rule (Release
No. 33-8238) became effective on August 14, 2003, it stated
that the company’s annual Form 10-K must report management’s
responsibilities to establish and maintain adequate internal
controls over financial reporting.
report of management should contain the following:
A statement of management’s responsibility for establishing
and maintaining adequate internal controls over financial
reporting for the company;
A statement identifying the framework used by management
to conduct the required evaluation of the effectiveness
of the company’s internal controls over financial
Management’s assessment of the effectiveness of
the company’s internal controls over financial reporting
as of the end of the company’s most recent fiscal
year, including a statement as to whether the company’s
internal control over financial reporting is effective.
The assessment must disclose any material weaknesses in
the company’s internal controls over financial reporting
identified by management. Management is not permitted
to conclude that the company’s internal controls
over financial reporting are effective if there are one
or more material weaknesses in the company’s internal
controls over financial reporting; and
A statement that the auditor has issued an attestation
report on management’s assessment of the registrant’s
internal controls over financial reporting.
sometimes need to reinvent themselves to succeed. Companies
that focus merely on legal compliance with the Sarbanes-Oxley
Act will miss the potential benefits of using the act’s
provisions as a catalyst for company-wide change. Companies
can leverage the Sarbanes-Oxley provisions to improve employee
efficiency and productivity, streamline operations, and
make better financial decisions through timelier financial
information. The Sarbanes-Oxley Act represents an opportunity
to elevate corporate integrity, restore investor confidence,
and move the economy forward.
C. Quall, CPA, is manager of technical accounting
and internal control at MarketAxess Holdings Inc., and a member
of the NYSSCPA’s Chief Financial Officers Committee.
He can be reached