The requirement under § 404 of the Sarbanes-Oxley Act of 2002 that company management assess the company’s internal controls is now a fact of life for most companies, as § 404 became effective on Nov. 15, 2004, for most companies whose fiscal year ends after that date. See Securities and Exchange Commission Release Nos. 33-8238 and 33-8392. For these companies, their upcoming annual reports on Form 10-K must contain an internal control report that states the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, as well as an assessment, as of the end of the most recent fiscal year, of the effectiveness of the internal control structure and procedures of the company for financial reporting. In addition, the company’s auditors, as part of their annual audit, must attest to, and report on, management’s assessment. These requirements certainly come as no surprise to the myriad internal audit and finance employees and outside auditors engaged in assessing internal controls. In fact, the impact on many companies has been substantial. For small or midsize public companies, the evidence indicates that compliance with § 404 to date has been extremely costly. For example, the average compliance burden has been estimated to be between $1 million and $3 million per company. Even Cynthia Glassman, a commissioner at the Securities and Exchange Commission (SEC), acknowledged that although the costs might not be significant as measured against revenues for larger companies, the costs may be proportionally more burdensome for smaller companies. See Cynthia A. Glassman, Remarks at the XIXth Conference on Financial Markets and Control Systems, Courmayeur-Mont Blanc, Italy, Oct. 1, 2004, at www.sec.gov/news/speech/spch100104cag.htm.
And as the compliance date loomed, the sentiment among many companies was that they still needed more time to comply with § 404, notwithstanding the fact that the SEC had already extended the deadline. In fact, the SEC delayed implementation of § 404’s requirements for a number of smaller issuers in December because of the difficulty these companies had in complying with its requirements. And now the SEC has agreed to hold public meetings in the spring to review the internal-controls requirements and determine if, after all, the costs of compliance are worth the benefits to the public.

But absent from much of the reporting on the recent efforts to comply with § 404, though certainly not from the process, has been the impact on chief information officers (CIOs) and information technology assets. This is not surprising, given the general lack of understanding concerning the potential impact information technology (IT) would have on § 404 compliance in the months immediately following its passage. First, most companies failed to give § 404 much attention at all in 2002 or 2003, let alone how IT might be involved. With an initial focus on complying with the chief executive officer (CEO) and chief financial officer (CFO) certification requirements under § 302, compliance with § 404 was simply set aside, notwithstanding the requirement in § 302 that these same officers certify that they had evaluated the effectiveness of their companies’ internal controls. Second, given the general lack of guidance from the SEC and the Public Company Accounting Oversight Board (PCAOB) concerning how management should go about assessing a company’s internal controls, the effective date for compliance with § 404 was extended, and as recently as Nov. 17, the SEC extended for one year the final phase-in period for acceleration of periodic report filing dates “to allow additional time and opportunity for accelerated filers and their auditors to focus their efforts on complying with our new requirements regarding internal control over financial reporting.” See SEC Release Nos. 33-8507, 34-5068 and 33-8392. These extensions simply allowed companies to procrastinate further on their internal control review. And finally, it was only in March 2004 that the PCAOB released proposed guidance in Auditing Standard No. 2 on how auditors should audit management’s assessment of internal controls; that guidance did not become effective until mid-June. See PCAOB Auditing Standard No. 2, effective pursuant to SEC Release No. 34-49884, www.pcaobus.org/Rules_of_the_Board/Documents/Rules_of_the_Board/Auditing-_Standard-_2.pdf.

It is therefore not surprising that focus on an assessment of internal controls and the role IT will play in that assessment has only recently begun, leaving companies and their CIOs in the embarrassing, and potentially costly, position of having to publicly report exceptions to their information technology controls. For example, among 75 public companies that the Gartner Group surveyed in the fall of 2003, just 63% indicated that their IT departments were involved in the § 404 assessment process. Ben Worthen, “Your Risks and Responsibilities: You May Think the Sarbanes-Oxley Legislation Has Nothing to do With You. You’d be Wrong,” CIO Magazine, May 15, 2003, at www.cio.com/archive/051503/rules.html. And a survey this past summer by research company Hackett Group found that just 12 of 22 companies surveyed had IT representation on their Sarbanes-Oxley steering committees. Id. Predictably, as the deadline approached, this is one of the significant remaining issues in § 404 compliance. But not all the blame for the failure to understand § 404’s requirements can be placed on officers other than CIOs.
As late as last July, media reports indicated that 80% of CIOs did not fully understand their own compliance responsibilities. See John Logan, “The CIO Time Bomb,” News.com, July 29, 2004, at news.com.com/The+CIO+time+bomb/2010-1022_3-5287894.html. And it is now giving CIOs nightmares, as they and their companies struggle late in the game to ensure that existing applications are appropriately tested and that new applications identified as necessary to the internal-control framework are purchased (at high costs to IT department budgets), tested and rolled out. This situation potentially exposes the company, the CEO and CFO, and perhaps even the CIO, to liability under the securities laws.

CIO’s responsibilities

Section 404 has essentially put CIOs on the tip of a double-edged sword. First, their departments are the keepers of their companies’ financial reporting applications. As such, management and auditors are scrutinizing these systems to ensure they meet the standards pronounced by the PCAOB in Auditing Standard No. 2, which contains nearly 160 pages of standards and guidance. Critical to CIOs’ compliance are two statements in that standard. The first relates to management’s assessment of which controls should be tested: “The auditor must obtain an understanding of, and evaluate, management’s process for assessing the effectiveness of the company’s internal control over financial reporting. When obtaining the understanding, the auditor should determine whether management has addressed the following elements: Determining which controls should be tested, including controls over all relevant assertions related to all significant accounts and disclosures in the financial statements. Generally, such controls include . . . information technology general controls, on which other controls are dependent.” As so many internal controls relating to the company’s financial statements and financial reporting are dependent on the controls established through IT controls, this alone implicates a large proportion of IT assets for possible review.

The second PCAOB statement concerns the requirement that the auditor gain an understanding of each component of internal control over financial reporting. The PCAOB identifies five such components: the control environment, risk assessment, control activities, information and communication, and monitoring. According to the PCAOB, IT general controls relate to each component of internal control, and management and auditors must comprehensively assess them to ensure their effectiveness. The result is that the IT department can come under severe scrutiny. To make matters worse, little guidance has been given by the regulators regarding the appropriate methods for assessing IT controls. Notwithstanding the broad statements identifying IT controls as relevant to the overall assessment of internal controls in Auditing Standard No. 2, the PCAOB says little else about how to actually assess those IT controls. And given the historical gap between financial auditing and IT auditing, CIOs find themselves in the difficult position of figuring out exactly who and what should be assessed. See Christopher Koch, “The Sarbox Conspiracy: Sarbanes-Oxley Compliance Efforts Are Eating Up CIO Time and Budgets,” CIO Magazine, July 1, 2004. In addition, to the extent that the auditors have identified the need for additional controls in other departments (which often demand greater automation of business processes as a control against manual error or fraud), implementation of those controls often requires the acquisition or modification of software applications. This adds significantly to the burden of the IT department, to the detriment of other IT initiatives.
At the same time, CIOs must get their own house in order, ensuring that the IT department has established its own governance and internal controls, not only on the accounting and financial reporting systems, but all other systems that might affect the company’s accounting or financial statements. Issues such as security, access to systems and separation of IT functions all need to be reviewed and documented. And documentation, particularly from a control perspective, needs to be clear and complete for both management and auditors to get the comfort needed to assess the controls. Anecdotal evidence indicates that CIOs are struggling to ensure that their own internal controls, and those of the systems they oversee, are adequate. This is particularly true as to the robustness of the audit trail regarding changes to data and processes. Some auditors hold that changes that have been implemented in the production environment, the reasons for the changes, who developed them and whether they were adequately tested and signed off must be included in any review of information technology controls. This means that some IT processes, such as customization of applications (for example, a customization of general ledger software) that might not contain the same audit trail as other parts of the application, could be identified as a control weakness that needs to be documented and corrected. For many IT departments, however, the ability to audit their processes, particularly manual processes and the documentation for those processes, has traditionally been weak. See, e.g., Ed Parry, “SOX Wars: CIOs Share Ideas, Fears on Sarbanes-Oxley Compliance,” CIO.com, July 21, 2004. And as controls tend to break down when discretion is involved, reliance on human processes, even within IT, involves greater risk, and auditors rightly insist that where the risks are greater the controls must be tighter. 
Controls-related exceptions

Many companies have only in the last few months begun to focus on information technology controls. CIOs and their departments are thus finding themselves identifying, creating or documenting numerous controls, while rushing to do so before the annual reporting deadline. Although recent reports indicate that most companies will have their IT controls in place and tested, some predict that in the first round of 10-K reports filed in the coming weeks for the first group of accelerated filers, as many as 25% will have to report controls-related exceptions that require additional remediation. Companies that report controls-related exceptions, even those concerning IT controls, should be aware that the existence and disclosure of exceptions, particularly those that may rise to the level of material weaknesses, could pose a significant risk. At a minimum, it will be embarrassing to the company and its officers that these weaknesses are now disclosed to the marketplace, customers and competitors. Investors have shown little patience for companies with anything other than pristine financial reports since the passage of the Sarbanes-Oxley Act, and competitors are always looking for a way to distinguish themselves in the market. And remaining shareholders, as well as boards of directors, will demand explanations and remediation and will hold responsible those officers and others who failed to ensure the controls were adequate. Additionally, the SEC has already extended the § 404 compliance deadline to give companies adequate time to assess their internal controls and have their auditors review management’s assessment. It is likely that the SEC’s Enforcement Division will not be sympathetic to companies that now identify material control weaknesses after these extensions.
Thus, the CEO and CFO, who must certify as to the adequacy of the internal controls and who therefore face serious civil and criminal penalties should the certifications be false, will demand that a mandatory element of the CIO position is that no IT controls-related exceptions exist. Disclosure of significant controls-related exceptions will also be a red flag to the SEC staff that the financial statements may not fairly reflect the accounts and transactions of the company, notwithstanding the certifications. The SEC staff may therefore seek additional information on, and possibly even investigate, the disclosure as an enforcement matter. And even if the SEC does not immediately examine identified control weaknesses, should the company later discover fraud or other material financial misstatements as a result of those weaknesses, it is likely that the SEC would seek fraud charges against the senior officers of the company who certified as to those controls, as well as the company, for causing the company’s misstatements. In a speech last year, SEC Enforcement Director Stephen Cutler indicated the staff’s intent to continue the use of monetary penalties against individual executives as well as corporations in order to both deter and punish, noting that the enforcement division starts from the presumption that any serious violation of the federal securities laws should be penalized with a monetary sanction. See Stephen Cutler, Speech at 24th Annual Ray Garret Jr. Corporate & Securities Law Institute, April 29, 2004, www.sec.gov/news/speech/spch042904smc.htm. And the SEC’s current practice is that if an officer or director is involved in the alleged fraud, the SEC will seek to bar that individual from acting as an officer or director of any public company in the future. This may even include barring individuals from acting as CIOs. See SEC Litigation Release No. 18070, SEC v. Livesay, No. CV-03-S-0758-S (N.D. Ala. April 4, 2003), at www.sec.gov/litigation/litreleases/lr18070.htm.

Finally, as part of their inspections of public accounting firms, the PCAOB inspections staff reviews a sample of audits performed by the accounting firm. To the extent control weaknesses have been identified by an issuer, it is likely that the PCAOB inspections staff will be aware of that disclosure and seek to review that portion of the audit accordingly. And even if no control weaknesses were identified, the PCAOB staff will certainly examine audits for compliance with § 404. As a result, CIOs could find their departments under even greater scrutiny by these outside parties, leaving their heads spinning as they go through the vicious cycle of review, audit, remediation, regulatory scrutiny and more review. It is therefore in the CIOs’ best interest, and their companies’, that CIOs not only take seriously their responsibilities under § 404, but also ensure that senior management takes the CIOs’ responsibilities for, and contributions to, the process just as seriously. In the long run, more effort now is worth the investment, given that the potential regulatory actions that could otherwise result are almost always more costly.

Donald E. Griffith is senior counsel to the Washington office of Foley & Lardner. His practice includes the representation of companies, broker-dealers, officers and directors, and other individuals and institutions in securities enforcement, compliance and litigation matters.
