Thank you for sharing!

Your article was successfully shared with the contacts you provided.
I handle the Sarbanes-Oxley 404 initiative for a midsized public oil and gas company. In other words, my job fosters immense anger and utter confusion. To the organization, I’m the SOX guy. When people see me approaching, I see the look on their faces, which seems to say: “Oh, no, more paperwork.” This is not to say that these employees have anything to hide. It is solely that they do not understand what I’m supposed to do, and people fear what they don’t understand. I could try to give a straightforward answer and discuss the elements of the Sarbanes-Oxley Act and its implications and layers of requirements. But SOX requirements are so lengthy and confusing that it’s not surprising that many companies (including the audit industry) have had to form their own interpretation of this law. So how does one who manages the Sarbanes-Oxley initiative discuss interpretation with the personnel of a company, and expect any understanding, when auditors � as well as compliance officers who test compliance � are not yet entirely sure what is expected? At this stage, “interpretation” is simply another word for “confusion.” Before companies can start to implement the requirements of Sarbanes-Oxley, the audit industry itself must understand the act. When an act is passed in an expedited manner, it is only natural for history to show its ugly head during the implementation phase. In the case of Sarbanes-Oxley, I have observed three implementation issues that all stemmed from past errors in the field of internal control compliance. First, when the Sarbanes-Oxley Act was passed, auditors quickly adopted two previously established control frameworks � structured rule systems � mainly because this was the only place where substantial internal control assessment procedures existed and also because these frameworks were the most widely accepted in the audit business. Unfortunately, though, these “frameworks” may not have been the right way to interpret SOX and should not have been the ultimate focus. The first framework, a document produced by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), provides a common definition of internal controls, standards, and criteria against which companies can assess themselves. COSO contains established objectives that allow for timely, accurate, and complete processing and review of financial data. A second system, COBIT, designed by the Information Systems Audit and Control Association, is COSO’s technological counterpart, providing IT governance to mitigate various types of systematic risk (such as problems with information security). For example, a company must establish a system to manage access to sensitive areas such as financial data. When general ledger data is being processed, only authorized individuals should be able to change a company’s books. As another example, when a company is changing its computer systems by moving a piece of critical software to a different server, it should have established policies to ensure that none of the software data are lost or corrupted. Handling the documentation for COSO and COBIT control processes takes an enormous amount of time. In fact, I, as well as the auditors, no longer have the focus nor the time to address the most important aspect of the Sarbanes-Oxley Act: the documentation and testing of a company’s “entity-level environment,” otherwise known as its management style. For instance, one kind of “style” is when power is centralized in a top-heavy organization. Control in this kind of company is so private that there are many opportunities for fraud. WHAT’S YOUR STYLE? To define a company’s style, one must ask all sorts of questions: Does management behave in an ethical manner? Do all employees understand management’s ethical values? Is appropriate remedial action taken when rules have been breached? Does the organization have an active and effective board of directors and audit committee? What is senior management’s risk-assessment process? If we were to take a step back for a minute and assess why Sarbanes-Oxley 404 was implemented in the first place, we could see that all the Enron and WorldCom disasters in the last two years came from a break in the “entity-level environment.” It was not a COSO- or COBIT-related control that broke. Even before Sarbanes-Oxley appeared on the scene, the COSO and COBIT compliance requirements were enormous. To better understand them, let’s look more closely at the testing of one accounts payable control. One function in accounts payable is the payment of bills. To ensure that all money is authorized to move, COSO requires formalized approvers within the organization who can sign off on various dollar payments. This, then, is the “control.” Although this element of the “control” is important, while the auditor and I are testing hundreds of invoices for appropriate sign-off, the “style” analysis is losing focus. How could an auditor document a company’s style or internal structure? One idea would be for him to create more elaborate tests to see if there are certain risk assessments, monitoring, or communication procedures already in place. BUSINESS MODEL Some might argue that it’s as if an auditor is testing the psychology of top-level management, and attempting to create a business world with consistent business practices. But isn’t that what Sarbanes-Oxley is trying to create: a standard business model where fraud cannot occur? Yes, the COSO and COBIT frameworks should be used to ensure that certain reviews are being performed, but why not increase our time spent on the organization’s style? Sarbanes-Oxley already is part of an organization’s audit, but that does not mean that it should be viewed solely from a numbers perspective. For example, during my Sarbanes-Oxley “entity-level” testing, I required a sample of individuals to fill out various surveys with probing questions about the organization. This is critical data and should have been analyzed extensively. When the auditors began to test, it looked as if many in the audit industry had already decided that they would test a company’s style only on the surface, and undertake any deeper analysis of an organization’s answers only as a secondary thought. But at least on one level, that decision makes sense, since there is too much COSO and COBIT testing required to allow for detailed entity-level analysis. The decision to avoid looking at an organization from the top does make sense, since most COSO and COBIT testing involves a careful selection of transactions to review, which is a fundamental element of auditing. Ultimately, what needs to occur is the reassessment of the entire COSO/COBIT framework’s importance as well as a universal agreement that incorporating qualitative elements of SOX is ultimately the most important test. If steps are not taken to focus more on the higher levels of a company, the act will fail. The second problem with implementing Sarbanes-Oxley is the way control reviews were established in the first place. After all, the audit industry has previously established testing. In this system, if a company’s risk level is determined to be low, an audit firm can use its internal control employees to test a company’s operational controls. In turn, the firm’s audit area can perform less financial testing. Before my involvement with internal Sarbanes-Oxley compliance, I worked at a Big Four firm and was able to get a pretty clear understanding of the relationship between the firm’s financial audit and internal control groups. Although both areas try to work collaboratively, it was easy to see that there was a communication issue. Both groups’ job responsibilities had been completely independent of each other. After passage of SOX, it was finally time for both groups to interact. Throughout the year, I have spoken to many auditors and SOX compliance officers. I found that while public organizations were hiring control specialists for their compliance positions, it was the auditors who would ultimately test the internal controls. If I did not work in both the audit department and in the control group in a Big Four audit firm, it would have been extremely difficult for my company to obtain a clear sense of what it was doing right and wrong. The third problem is the question of audits that are picking up financial problems that they missed in the past. Of course, many audit firms perform their audit in immense detail. Since it appears that nearly everyone in business is fearful, it is easy to see that audits have been delving a little more deeply into a company’s financial areas to ensure that no legal issues arise in the future. Due to a more detailed year-end audit, audit firms are finding financial problems that they have not seen in previous audits. It is my opinion that these financial issues should have been found by the auditors in the past. And since they were not, the issue becomes one of internal control. Sarbanes-Oxley has allowed for the creation of many improvements in the process, as well as increased communication and self-assessment. But at the same time, there are still many important issues that must be addressed before I can effectively explain the requirements of Sarbanes-Oxley to employees. Although there have been problems with the first implementation phase of Sarbanes-Oxley, I hope that auditors and compliance officers will continue to question the requirements of Sarbanes-Oxley in a logical manner, most importantly the role that COSO and COBIT frameworks will play in SOX reviews from now on. Ultimately, for SOX compliance to be effective, auditors must realize that all aspects of Sarbanes-Oxley are governed by senior management. If the auditor is not comfortable that top management is taking this law seriously by providing extensive review policies and risk-assessment procedures, then all of the costs being accumulated by the company and, in turn, the public, are doing no good. We cannot create a strong, secure, communicative environment if senior management doesn’t want to and if the auditors don’t retrieve enough information to be able to figure out whether a company is compliant.
Josh Platt handles Sarbanes-Oxley compliance for Delta Petroleum, an oil and exploration company in Denver. Previously, he worked at Deloitte & Touche in its enterprise risk services practice.

This content has been archived. It is available exclusively through our partner LexisNexis®.

To view this content, please continue to Lexis Advance®.

Not a Lexis Advance® Subscriber? Subscribe Now

Why am I seeing this?

LexisNexis® is now the exclusive third party online distributor of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® customers will be able to access and use ALM's content by subscribing to the LexisNexis® services via Lexis Advance®. This includes content from the National Law Journal®, The American Lawyer®, Law Technology News®, The New York Law Journal® and Corporate Counsel®, as well as ALM's other newspapers, directories, legal treatises, published and unpublished court opinions, and other sources of legal information.

ALM's content plays a significant role in your work and research, and now through this alliance LexisNexis® will bring you access to an even more comprehensive collection of legal content.

For questions call 1-877-256-2472 or contact us at [email protected]


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.