By Scott Perry
Published with permission from the University of Washington Business School, E-Business MBA Certificate Program. Copyright 2004.
E-business Review
Over the next few months, many large public companies will likely make a
startling announcement about material weaknesses in their systems of
internal controls. The problems that these weaknesses bring to mind are
similar to problems found in well known, once high-flying companies such
as Lucent, Fannie Mae, and Global Crossing. But lesser known companies
such as Adecco SA, which suffered a 30 percent decline in their stock
price on the announcement day, and Mitcham Industries, which lost 22
percent of its equity market value on the announcement day, have had
large price declines after publicly disclosing similar “material
The genesis of the coming
announcements is the Sarbanes-Oxley Act of 2002 (SOX), known primarily
as a corporate governance law. It arose from a series of converging
events in the 1990s — a combination of inflated projections of the value
of dot-com companies, investors’ disregard for sound financial
principles when deciding whether to invest in overvalued dot-coms, and
devious practices by corporate executives seeking to circumvent
traditional internal controls. The resulting act of Congress was used to
create more corporate responsibility over financial reporting of public
The purpose of this paper
is to explain how the problems created for companies in the wake of
Sarbanes-Oxley, and particularly its Section 404 on internal
controls, create an opportunity for e-business initiatives. After
briefly giving an overview of SOX, the paper will discuss why Section
404 has become such a costly and important provision of the act. It will
then examine the internal control systems of firms and why they are
ill-equipped to comply with SOX. Finally, it will explain how e-business
solutions can add value, ensure accurate financial reporting, and help
to rescue firms from the costly compliance morass.
What is Sarbanes-Oxley?
If you work for a public
company or know someone who works for one, it is likely you are already
somewhat familiar with Sarbanes-Oxley. On July 30, 2002, the
Sarbanes-Oxley Act was signed into law by President Bush.
Created to bolster
investor confidence in U.S. capital markets and protect the public from
fraudulent (or negligent) accounting and reporting practices, SOX
mandates many changes in the ways that accounting is done and
information is given to the public. Some of its better known provisions
are those that prohibit auditors from performing consulting services for
the same firm, that require the CEO and CFO to personally certify the
accuracy of information in financial reports, and that establish harsh
criminal penalties for corporate officers that conceal information from
But the most far-reaching
and onerous provision of the act is found in Section 404, which
addresses how public companies record and manage their internal
controls. Prior to SOX, the requirement for internal controls within
public companies existed only within the banking industry. The Federal
Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) required
banks, among other tasks, to take ownership of their internal control
processes and self-test their effectiveness. When the FDICIA was passed,
many bankers denounced it as the epitome of regulatory burden. In
initial reviews of the legislation, economic journalists did not look
upon the FDICIA favorably, viewing it as unnecessarily overreactive to
the industry’s troubles. It has been questioned whether the FDICIA does
anything to better industry efficiency and competitiveness. It is
somewhat puzzling therefore that Section 404 of Sarbanes-Oxley sailed
through Congress without much discussion. We can only assume that the
reason was the escalated public demand for immediate action in the wake
of a barrage of unsettling news of fraud at the executive level of
seemingly trustworthy companies.
Section 404: What does it mean for public companies?
Section 404 requires each public company to include in its annual report
an “internal control report,” which shall:
  (1) State the responsibility of management for establishing and
      maintaining an adequate internal control structure and procedures
      for financial
  (2) Contain an assessment, as of the end of the issuer’s fiscal year,
      of the effectiveness of the internal control structure and
      procedures of the issuer for financial reporting.
Simply put, companies now have to set adequate internal controls, continually
monitor them, and give the investing public an accurate and honest
assessment of how their internal controls are working.
Compliance involves establishing financial reporting controls, engaging in a risk
assessment, implementing control activities, creating an effective
communication structure, and establishing ongoing monitoring. When
developing the compliance framework, the law requires using a structured
This is the first time public companies (outside the banking industry) have ever
been required to document, assess, and assert the effectiveness of their
internal controls over financial reporting. Since detailed guidelines
have only been directed at audit firms and not public companies, these
companies have wrestled with how to comply with the law.
Companies are adopting the Internal Control-Integrated Framework of the
Committee of Sponsoring Organizations (COSO). COSO was originally formed
in 1985 to sponsor a national commission (the Treadway
Commission) on fraudulent financial reporting. It received participation
and endorsement from industry and from major auditing and financial
management associations, while remaining independent.
The Treadway Commission issued the Integrated Framework to provide a common
set of internal control principles and structures to assist enterprise
management in enhancing control over its business activities. The
framework is vague, but its structure is now accepted as the de facto
standard for Sarbanes-Oxley compliance. Adherence to COSO is now built into
SOX compliance reports.
The Section 404 deadline has been postponed twice due to the difficulty of
compliance and the lack of proper infrastructure and guidance. At the
present time, the first companies that are required to comply are
accelerated U.S.-based issuers that have over $75 million in
capitalization and fiscal years ending after November 15, 2004.
Therefore, except for those relatively few companies with fiscal years
ending on November 30, the first wave of compliance efforts will be for
companies whose fiscal year ends correspond with the calendar year
end, which happens to be the majority of companies.
Cost of Sarbanes-Oxley: The New "Top Priority" Project
The overall cost of SOX to all public companies is expected to exceed $5
billion. Another estimate puts the cost of the first year of SOX 404
compliance at 1 percent of a public company’s assets — an
astronomical figure, particularly since many initial predictions
about the Act conjectured that it would merely be a simple reporting
exercise, unworthy of significant management attention.
In my experience working for a large external auditor, we were brought into a
multi-billion dollar corporation with initial expectations of a $1
million SOX budget for one of their larger business units. Over the
course of the project, the budget was essentially thrown out and
deferred to whatever amount it took to be compliant. It seems that SOX
404 has become the top priority and a very expensive project for public
companies. Why did this happen?
SOX is new. Most companies lack the understanding, knowledge, vision, and
project management disciplines to undertake the massive compliance
efforts required by SOX. The problems here are reminiscent of the Y2K
craze, when companies established massive projects to identify and
rectify computer system conditions that could not appropriately handle
the millennium change.
The companies that I have consulted lacked a basic understanding of
control concepts. The CIOs I met with
initially were in denial about problems and were mainly concerned about
the resource drain the project would tap from their staff.
Limited skill set and frameworks available. Traditionally, the skill set needed to
document and assess internal controls is found in the audit profession.
For IT, there is a specialty field dedicated to the audit of information
systems, led by the professional association The Information Systems
Audit and Control Association (ISACA), which got its start in 1967.
ISACA has certified over 35,000 professionals as Certified Information
Systems Auditors in 100 countries worldwide. However, people with this
certification often have never actually performed a detailed assessment
of internal controls. Typically, big audit firms would complete
mini-assessments within their financial audit methodology — just enough
to rely on a company’s internal controls to deliver a more efficient
audit. The requirements of this mini-assessment are dwarfed by the
magnitude of a SOX 404 project. Given the number of public companies and
the need for the skill set of experienced auditors of internal control
systems, demand for workers with these skills grossly exceeds the
Medium-sized companies often do not even have any in-house IT audit
capability. The $2 billion asset mark (depending on the regulatory
requirements of the company and the industry it serves) is typically the
threshold below which a company forgoes such capability. Thus,
there is an even more significant staff shortage in these smaller
companies. These companies have created a strong market for second-tier
advisory firms (as opposed to Big Four accounting firms) to fill their
void in IT audit expertise.
Lack of understanding of existing business processes. Staff
in large organizations are typically siloed; they understand their own
processes but lack the big picture. This usually happens because of the
complexity of systems and the turnover of personnel. In every client I
have served, the SOX 404 compliance project represented the first time
the company documented its financial reporting processes from a business
transaction’s inception all the way to its entry in the general ledger.
Financial reporting processes are typically a patchwork of systems from varying
platforms, combined with spreadsheets, queries, and manual reconciliations. When companies
actually document their financial reporting processes, there are
typically significant inefficiencies and large-scale opportunities for
error. For example, in one instance working with a public company, major
financial systems used automated processes with tight controls
throughout the process, only to dump all their financial results into a
spreadsheet on a personal workstation for ad hoc manipulation prior to
final posting. In fact, an Ernst & Young survey taken in December 2003
found that only 10 percent of respondents had a comprehensive Enterprise
Resource Planning (ERP) system that controlled the entire financial
Penalties are severe. There is nothing that gets a project more attention than the
threat of jail time for a CEO or CFO. SOX imposes very real penalties,
including potential delisting of stock, as much as $5 million in fines,
and prison time (up to 20 years) for executives. This creates an
interesting dynamic for a SOX 404 project, where executives want to
carefully monitor and completely understand the project as it progresses
through its various stages.
Documentation is often unavailable or outdated.
Documentation of internal systems is usually spotty. Documentation tends
to be better initially; however, companies rarely update it over time.
Also, systems documentation is functional in nature — rarely does it
describe system controls in the format required by SOX internal control
Model of Internal Control for E-Business
How can companies implement e-business applications with strong controls
that can sustain the rigor of a
Sarbanes-Oxley project? It starts with a model for reliability. One
organization that has been working towards developing a subset of
suggested standards and controls tailored for SOX is the IT
Governance Institute (www.itgi.org). The
Institute, which was established in 1998 to advance international
thinking and standards in directing and controlling an enterprise’s
information technology, considered various frameworks for its control
model (tailored for SOX):
  - the Control Objectives for Information Technology (CobiT) framework,
    created by ISACA,
  - the Information Technology Infrastructure Library (ITIL), a generally
    accepted set of IT processes, and
  - ISO 17799, a set of security standards issued by the International
Their findings have been captured in a free document entitled “IT
Control Objectives for Sarbanes-Oxley:
The figure above shows a model for SOX-required IT controls and demonstrates the
components of the e-business application and supporting infrastructure
controls needed for reliable financial processing. It shows the three
major components for reliable e-business processing controls:
company-level controls, general controls, and application controls.
Company-Level Controls: These controls set the organizational structure
that should exist for reliable e-business process development. They
require proper IT planning, including proper budgeting and strategic
architectural direction, resource planning, and reverence for quality
control and integrity of systems at all levels of the organization.
General Controls: These controls are the infrastructure controls that
allow computer applications to operate consistently over time.
  Data center operation controls:
  Controls that ensure the proper execution of scheduled production
  technology systems — including proper systems scheduling, problem
  management, and backup and recovery.
  Application Software Development and Maintenance:
  Controls that direct the acquisition or development of systems
  through the use of a robust and consistently followed systems
  development life cycle methodology. These ensure, for example, that
  new systems are introduced into the live business processing
  environment only through a carefully architected change management
  Access controls:
  Controls that restrict access to systems to only those who require
  it for their job functions.
  Systems Infrastructure controls:
  Controls that drive the proper introduction and operation of system
  software — including operating systems, database, and network
Application Controls: These controls are embedded within applications and prevent, detect,
or correct financial reporting errors. The errors detected might
include lack of completeness, accuracy, or validity of financial
transactions, and lack of proper authority for the transactions.
Sarbanes-Oxley Changed Internal Controls Management
In a Sarbanes-Oxley compliance project, each business process related
materially to financial reporting is documented and analyzed to
determine the nature of controls that reduce errors on the financial
statements. These controls come in three flavors:
Manual:
Those controls that require human intervention for their performance. These
include activities such as manual check authorizations, review of
paper-generated documents, key review meetings, etc.
Information Technology Dependent:
Those controls that are manual but depend on computer-generated data
for their performance. These include review of computer-generated
reports, budget-to-actual reviews, system exception handling, etc.
Automated or Application:
Those controls performed within computer system operation, without
human intervention. Before SOX, reviews of financial controls were
rarely performed except for periodic internal audits and through the
annual external financial audit. Therefore, there was limited demand
for financial system developers (especially in-house) to build
Case for an E-Business Escalated Solution
The business case to implement new e-business systems as a replacement for
deficient financial reporting processes for SOX 404 compliance is
strengthening for 2005. This is largely because the automated or
application controls defined in the previous section are the ultimate
way to economically achieve Sarbanes-Oxley compliance, for
several reasons:
The inherent nature of e-business transaction systems lends itself
to predictable and repeatable processes in comparison to manual
processes and controls. Note, however, that this premise can only be
followed if the underlying technology infrastructure (i.e. IT
general controls) has reliable processes and controls, as described
The nature of computer systems allows automated controls to be
tested more efficiently than manual controls. External audit plans
allow for “tests of one” whereby an auditor only needs to examine
one test case of an automated control since the system will
predictably perform the same operation the same way every time (as
opposed to 25 occurrences of a manual control).
Given the scope of testing controls for a complex global enterprise, these
efficiencies add up. An E&Y survey indicated that the number of companies in the $1
billion to $20 billion revenue range that are planning to spend more
than 100,000 hours on SOX this year has increased dramatically.
half the companies polled with revenue greater than $5 billion plan to
spend more than 50,000 hours on SOX compliance.
More preventative than detective controls: Controls come in three types:
preventative, detective, and corrective. Preventative controls (e.g.
access restrictions) keep errors from ever occurring. Detective
controls (e.g. manual review of exception reports) allow errors to
occur but identify them in a timely enough manner to reduce their
impact to a minimum. Corrective controls (e.g. disaster recovery plans)
are controls that allow errors but fix the damage in a structured
way, limiting the impact to an acceptable level. (Corrective controls
are typically not in the scope of a SOX project.)
The environment of e-business systems tends to allow more preventative
controls, since the point at which a control error originates can be more clearly
identified, and the error therefore prevented, at that point.
Workflow: The advancement of Microsoft SharePoint and other document
management systems lends itself well to e-business systems for
financial reporting. Vendors such as Captaris and K2 are employing .NET
to streamline any non-automated business processes at a reasonable cost.
Their workflow solutions bring new levels of productivity to any
business flow, from simple departmental-level processes on up to
enterprise processes that cross software, department, and even company
systems will produce huge future dividends in SOX compliance projects.
More reliable than spreadsheets: The May 24, 2004, issue of Computerworld
indicated that, “Anecdotal evidence suggests that 20-40 percent of
spreadsheets have errors, but recent audits of 54 spreadsheets found
that 49 (or 91 percent) had errors, according to research by Raymond R.
Panko, a professor at the University of Hawaii.” [1] At the
2003 EuSpRIG (European Spreadsheet Risk Interest Group) Conference, a
reference was made to the failure to control a spreadsheet at the
TransAlta energy company of Calgary, Canada. They lost $24 million in
June 2003 through a “cut-and-paste” error that mismatched prices.
Overall Lower Cost:
If you factor in the amount of effort it takes to operate disparate
business processes throughout an enterprise, including full-time
equivalent personnel performing manual review controls, the total cost
of automating e-business processes is well justified.
The Desired End State for an E-Business Control System
All of the previously mentioned controls can result in a model for automated and
continuous monitoring of controls.
The desired end state for a true e-business solution is a system in which
control is automatically applied in a consistent manner and exceptions
are flagged and immediately reported.
The convergence of many factors will make this end a realistic short-run
possibility. Due to sheer market interest, software vendors are more
focused on developing tools allowing greater control. The technology
allowing for enterprise collaboration tools that interact with financial
systems is now more than just brochureware. The Meta Group asserts that
it is an emerging market that will continue to grow through 2008, as
this type of software becomes more critical to managing the global
business processes typically deployed across disparate systems.
There are five components that are used in a continuous monitoring solution:
Rules: This component establishes the population of control tests that will be
part of the continuous monitoring system. It would include what control
exceptions management would want reported. These rules would establish a
variety of automated checks such as check digit verification,
pre-defined data field selections, reasonable values, and threshold
Analysis: This component actually interrogates the data to identify trends and
threshold exceptions. Within a SOX engagement, thresholds are
established for reasonable controls.
Risk Assessment: In a
continuous monitoring system, thresholds can automatically be set using
the risk assessment component. The goal of continuous monitoring is to
be as near real-time as possible.
Scheduling: The scheduling component allows for the flexibility to define “near
real-time” in the context of a specific ERP system.
One of the benefits of e-business systems is that they are better able than
manual processes to capture the point at which control errors occur.
A case study on continuous monitoring within a manufacturing company was
presented by the Institute of Internal Auditors in August 2003. This
company had installed an SAP system and had 2,500 employees using it.
However, with that many employees and given hires and terminations,
control of access rights became difficult.
To address this problem, the company deployed a continuous monitoring
solution for access control. Using this tool, the company was able to
detect and correct several types of segregation of duties violations
that had the potential to harm the company. These included accounts
payable fraud (a manager making “payments” of $500,000 to a dummy vendor
he created), sales order fraud (a sales rep had been changing sales
orders after they were approved), accounts receivable fraud (an
accounts receivable clerk had been handing out unauthorized discounts
for a “fee”), and user access violations (access rights were not deleted
when employees left the company, leaving active backdoors into the
system). This continuous monitoring saved the company an estimated
$250,000 each year.
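The case study above and the five monitoring components described earlier, as an added example that is not from the paper or from any vendor's product: a small Python continuous-monitoring engine with rules (including a check-digit rule), analysis, management-set thresholds and a scheduling window, run over constructed ERP-style records. Every user, vendor, document and amount in it is made up.

```python
"""Added example, not from the paper or any vendor product: a miniature
continuous-monitoring engine with the components the paper names (rules,
analysis, risk-assessment thresholds, scheduling) run over constructed
ERP-style records. Every user, vendor, document and amount is made up."""
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class ControlException:
    rule: str     # which control rule fired
    subject: str  # user, vendor or account the exception concerns
    detail: str   # document reference and what was observed

# Constructed sample data in the shape of ERP tables (not real records).
DATA = {
    "active_users": {"mgr01", "clerk7", "rep22", "exemp"},
    "terminations": {"exemp": date(2004, 10, 1)},  # HR leaving date
    # vendor_id, created_by, bank account (last digit is a Luhn check digit)
    "vendors": [("V100", "mgr01", "79927398713"),
                ("V200", "clerk7", "79927398710")],
    # doc, vendor_id, posted_by, amount, posting date
    "payments": [("P1", "V100", "mgr01", 500_000.0, date(2004, 11, 2)),
                 ("P2", "V200", "mgr01", 1_200.0, date(2004, 11, 2))],
    # order, approved_on, last_changed_on, changed_by
    "orders": [("SO7", date(2004, 11, 1), date(2004, 11, 3), "rep22"),
               ("SO8", date(2004, 11, 1), date(2004, 10, 30), "rep22")],
    # invoice, granted_by, discount fraction, date
    "discounts": [("I1", "clerk7", 0.25, date(2004, 11, 4)),
                  ("I2", "clerk7", 0.02, date(2004, 11, 4))],
}
# Risk-assessment component: thresholds management sets and can retune.
THRESHOLDS = {"discount_pct": 0.10}

def luhn_ok(number: str) -> bool:
    """Mod-10 check-digit verification, one of the automated checks listed."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

# Rules component: each rule yields the exceptions management wants reported.
def sod_vendor_payment(data, th):
    """Vendor creator also posts payments to it (the AP case in the paper)."""
    creator = {vid: by for vid, by, _ in data["vendors"]}
    for doc, vid, by, amount, _ in data["payments"]:
        if creator.get(vid) == by:
            yield ControlException("sod_vendor_payment", by, f"{doc} {vid} {amount:,.2f}")

def order_changed_after_approval(data, th):
    for order, approved, changed, by in data["orders"]:
        if changed > approved:
            yield ControlException("order_changed_after_approval", by, order)

def discount_over_threshold(data, th):
    for inv, by, pct, _ in data["discounts"]:
        if pct > th["discount_pct"]:
            yield ControlException("discount_over_threshold", by, f"{inv} {pct:.0%}")

def terminated_user_still_active(data, th):
    for user, left in data["terminations"].items():
        if user in data["active_users"]:
            yield ControlException("terminated_user_active", user, f"left {left}")

def vendor_bank_check_digit(data, th):
    for vid, _, acct in data["vendors"]:
        if not luhn_ok(acct):
            yield ControlException("bad_check_digit", vid, acct)

RULES = [sod_vendor_payment, order_changed_after_approval, discount_over_threshold,
         terminated_user_still_active, vendor_bank_check_digit]

def in_window(data, as_of, window):
    """Scheduling component: keep only dated records from this run's window."""
    keep = lambda d: as_of - window < d <= as_of
    out = dict(data)
    out["payments"] = [p for p in data["payments"] if keep(p[4])]
    out["orders"] = [o for o in data["orders"] if keep(o[2])]
    out["discounts"] = [x for x in data["discounts"] if keep(x[3])]
    return out

def analyse(data, thresholds=THRESHOLDS, rules=RULES):
    """Analysis component: run every rule and collect the exceptions."""
    return [exc for rule in rules for exc in rule(data, thresholds)]

def run_cycle(as_of, window_days=7, data=DATA):
    """One scheduled monitoring run over the last window_days of activity."""
    return analyse(in_window(data, as_of, timedelta(days=window_days)))
```

Calling `run_cycle(date(2004, 11, 5))` on the constructed data reports the four fraud patterns from the case study plus the vendor whose bank account fails the check digit; the undated checks (check digit, terminated users) fire on every run regardless of the window.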
What Your Firm Should Do: The Business Case Is Stronger Than Ever
In today’s business environment, it is not enough to identify problems
during events such as a quarterly audit, or even worse, during an annual
audit. These audits often miss key problems and are too late for
E-business control systems can monitor transactions independently and
continuously, close to the time of origin. Data analysis technologies
that run alongside operational application systems can add an additional
control layer. This layer can improve the process of checking compliance
with controls, and can produce exception reporting.
The infrastructure needed to enable an effective continuous monitoring
strategy should include several key
  - Independence from the system that processes the transaction.
  - The ability to compare data and transactions across multiple platforms.
  - The ability to process large volumes of data.
  - Prompt notification of transactions that represent control
ERP systems and other transaction processing systems should be
implemented so that controls are embedded in the core applications.
Despite concerns about the cost, organizations that have implemented
continuous monitoring systems frequently find that cost recovery, and
indeed cost savings, is achieved in a short period of time due to the
timely identification of errors and fraudulent activity. Jerome Klajbor,
CFO of IntelliCorp, claims that a large U.S. organization will typically
spend $4.7 million each year to implement requirements associated with
SOX, and that automating the process can reduce the costs of compliance by 30
percent. Firms must find a balance between effectively testing controls
in higher-risk areas and not creating an over-controlled environment,
which slows down operational efficiency. If an effective balance is
found, continuous monitoring will be a solution that improves
profitability and corporate governance.
Cause for Action
The initial SOX reviews will show many internal control deficiencies.
Furthermore, the unexpected difficulty of the reviews is likely to cause
the first round of reviews to leave many problems undetected. The
investing public will be bombarded with so many announcements of
problems that it will be difficult to separate true issues from issues
of lesser importance.
for some market instability in the months ahead.
Shareholder value will be driven by how the market perceives how the
company is operating. Any mention of noncompliance or the need to
restate financial results will have a negative impact on shareholder
value. In addition, noncompliance can result in fines, possible
delisting for public companies, and civil/criminal penalties. A confused
investor public will demand greater controls embedded within financial
processes, but will not be educated enough to understand the complete
circumstances underlying control deficiencies. The capital market will
be left with a gap between the perception of a company’s report on its
financial condition and its actual financial results.
Is Sarbanes-Oxley good for e-business?
Many look at the unexpectedly high costs of compliance with SOX and see this as a
new cost of e-business. But the opportunities for e-business are greater
than ever if companies can recognize the link between e-business control
initiatives and the creation of shareholder value. This is a unique time
in the history of corporate America; many executives will be signing
their financial reports with a shaky pen, and some companies will not
survive complying with Sarbanes-Oxley.
With fever over internal controls at an all-time high, new e-business systems
deploying continuous monitoring just may be the new “top priority”
project over the next several years.
Notes
[1] “The Use of Spreadsheets: Considerations for Section 404 of the
Sarbanes-Oxley Act.” PriceWaterhouseCoopers, July 2004, p. 1.
David Chadwick, “Stop That Subversive Spreadsheet” (October 2004).
ACL Services Inc, IntelliCorp, and Approva Corporation have tools available
that can be deployed to achieve continuous monitoring. All three work
within the infrastructure of ERP systems to provide real-time
notification of control exceptions. ACL calls its suite Continuous
Controls Monitoring (CCM), IntelliCorp uses the NetProcess tool suite,
and Approva calls its solution BizRights.
Prashanth Boccasam and Nitin Kapoor, “Managing Separation of Duties
Using Continuous Monitoring.” The Institute of Internal Auditors’ IT Audit Web site.
Jerome F. Klajbor, “The Key to Unlocking Year Two Compliance: Automated
Continuous Monitoring.” Sarbanes-Oxley Compliance Journal.
ACL Services Inc. “Continuous Control Monitoring.”
Approva Corporation. “BizRights and Sarbanes-Oxley Compliance.”

Bibliography
“Application System Internal Control Questionnaire.”
Lisa. “Before and After the FDICIA: A Look into Commercial Banking Risk
Behavior.” The Park Place Economist, April 2001, Volume IX, pp. 83-90.
Boccasam, Prashanth, and Nitin Kapoor. “Managing Separation of Duties Using
Continuous Monitoring.” The Institute of Internal Auditors’ IT Audit Web site.
Chadwick, David. “Stop That Subversive Spreadsheet.”
Software Corporation. “The Practical Guide to Sarbanes-Oxley
Ernst & Young. “Emerging Trends in Internal Control: Second Survey.” May 2004.
W. Lee. “FDICIA’s Regulatory Changes and the Future of the Banking
Industry.” Assessing Bank Reform, 1993, pp. 148-154.
Information Systems Audit and Control Association. “About ISACA: Overview and
IntelliCorp. “IntelliCorp: Corporate Overview.”
IT Governance Institute. “IT Control Objectives for Sarbanes-Oxley.”
Klajbor, Jerome F. “The Key to Unlocking Year Two Compliance: Automated
Continuous Monitoring.” Sarbanes-Oxley Compliance Journal Web site.
Nigrini, Mark J. “An Assessment of the Change in the Incidence of Earnings
Management Around the Enron-Andersen Episode.” Forthcoming in The Review
of Accounting and Finance, Volume 4, Number 1 (2005). Abstract from Mark J.
Nigrini Web site.
Nigrini, Mark J. “Forensic Accounting: Findings and Observations.” Mark J.
Nigrini Web site.
PriceWaterhouseCoopers. “The Use of Spreadsheets: Considerations for
Section 404 of the Sarbanes-Oxley Act.” July 2004.
University of Notre Dame. “Accountancy 477 - Controls for Computerized
Systems - II.”
Decker, John. “The Need for Continuous Monitoring.” Meta Group Web site,
Delta 2951, June 9, 2004.
John. “Risk Management and Continuous Monitoring.”
Jay M. “FDICIA From the Bankers’ Perspective: Too Much Medicine Applied
Indiscriminately.” Assessing Bank Reform, 1993, pp. 107-112.
Eric W. “Benford’s Law.” MathWorld Web site.
Harald. “What is the single most challenging Sarbanes-Oxley issue
today?” Sarbanes-Oxley Compliance Journal Web site.