By Scott Perry

Reprinted with permission from the University of Washington Business School, E-Business MBA Certificate Program, copyright 2004.
E-business Review page: http://depts.washington.edu/ebiz/public_html2/journal.shtml
	
	
Over the next few months, many large public companies will likely make a 
		startling announcement about material weaknesses in their systems of 
		internal controls. The problems that these weaknesses bring to mind are 
		similar to problems found in well-known, once high-flying companies such 
		as Lucent, Fannie Mae, and Global Crossing. But lesser known companies 
		such as Adecco SA, which suffered a 30 percent decline in its stock 
		price on the announcement day, and Mitcham Industries, which lost 22 
		percent of its equity market value on the announcement day, have had 
		large price declines after publicly disclosing similar “material 
		weaknesses.”
	The genesis of the coming 
		announcements is the Sarbanes-Oxley Act of 2002 (SOX), known primarily 
		as a corporate governance law. It arose from a series of converging 
		events in the 1990s — a combination of inflated projections of the value 
		of dot-com companies, investors' disregard for sound financial 
		principles when deciding whether to invest in overvalued dot-coms, and 
		devious practices by corporate executives seeking to circumvent 
		traditional internal controls. The resulting act of Congress was used to 
		create more corporate responsibility over financial reporting of public 
		companies.
	The purpose of this paper 
		is to explain how the problems created for companies in the wake of 
		Sarbanes-Oxley, and particularly its Section 404 about internal 
		controls, create an opportunity for e-business initiatives. After 
		briefly giving an overview of SOX, the paper will discuss why Section 
		404 has become such a costly and important provision of the act. It will 
		then examine the internal control systems of firms and why they are 
		ill-equipped to comply with SOX. Finally, it will explain how e-business 
		solutions can add value, ensure accurate financial reporting, and help 
		to rescue firms from the costly compliance morass.
	
	What is Sarbanes-Oxley?
	
	If you work for a public 
		company or know someone who works for one, it is likely you are already 
		somewhat familiar with Sarbanes-Oxley. On July 30, 2002, the 
		Sarbanes-Oxley Act was signed into law by President Bush.
	Created to bolster 
		investor confidence in U.S. capital markets and protect the public from 
		fraudulent (or negligent) accounting and reporting practices, SOX 
		mandates many changes in the ways that accounting is done and 
		information is given to the public. Some of its better known provisions 
		are those that prohibit auditors from performing consulting services for 
		the same firm, that require the CEO and CFO to personally certify the 
		accuracy of information in financial reports, and that establish harsh 
		criminal penalties for corporate officers that conceal information from 
		the public.
	But the most far-reaching 
		and onerous provision of the act is found in Section 404, which 
		addresses how public companies record and manage their internal 
		controls. Prior to SOX, the requirement for internal controls within 
		public companies existed only within the banking industry. The Federal 
		Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) required 
		banks, among other tasks, to take ownership of their internal control 
		processes and self-test their effectiveness. When the FDICIA was passed, 
		many bankers denounced it as the epitome of regulatory burden. In 
		initial reviews of the legislation, economic journalists did not look 
		upon the FDICIA favorably, viewing it as an unnecessary overreaction to 
		the industry's troubles. It has been questioned whether the FDICIA does 
		anything to better industry efficiency and competitiveness. It is 
		somewhat puzzling therefore that Section 404 of Sarbanes-Oxley sailed 
		through Congress without much discussion. We can only assume that the 
		reason was the escalated public demand for immediate action in the wake 
		of a barrage of unsettling news of fraud at the executive level of 
		seemingly trustworthy companies.
	
	Section 404: What does it mean for public companies?
	
	Section 404 requires each public company to include in its annual report 
		an “internal control report,” which shall:
	
		- State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
		- Contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
	
	
	Simply 
		put, companies now have to set adequate internal controls, continually 
		monitor them, and give the investing public an accurate and honest 
		assessment of how their internal controls are working.
	
	This 
		involves establishing financial reporting controls, engaging in a risk 
		assessment, implementing control activities, creating an effective 
		communication structure, and establishing ongoing monitoring. The law 
		requires companies to use a structured internal framework when 
		developing their compliance framework.
	
	This is 
		the first time public companies (outside the banking industry) have ever 
		been required to document, assess, and assert the effectiveness of their 
		internal controls over financial reporting. Since detailed guidelines 
		have only been directed at audit firms and not public companies, these 
		companies have wrestled with how to comply with the law. 
	
	Most 
		companies are adopting the Internal Controls-Integrated Framework of the 
		Committee of Sponsoring Organizations (COSO). COSO was originally formed 
		in 1985 to sponsor a national commission (called the Treadway 
		Commission) on fraudulent financial reporting. It received participation 
		and endorsement from industry, and major auditing and financial 
		management associations, while remaining independent.
	
	The 
		Treadway Commission issued the Integrated Framework to provide a common 
		set of internal control principles and structures to assist enterprise 
		management in enhancing control over its business activities. The
framework is vague but its structure is now accepted as the de facto 
		standard for Sarbanes compliance. Adherence to COSO is now built into 
		SOX compliance reports.
	
	The SOX 
		404 deadline has been postponed twice due to the difficulty of 
		compliance and lack of proper infrastructure and guidance. At the 
		present time, the first companies that are required to comply are those 
		accelerated U.S.-based issuers that have over $75 million in 
		capitalization and have fiscal years ending after November 15, 2004. 
		Therefore, except for those relatively few companies with fiscal years 
		ending on November 30, the first wave of compliance efforts will be for 
		companies that have fiscal year ends that correspond with calendar year 
		end dates, which happens to be the majority of companies.
	
	The Cost of Sarbanes-Oxley: The New "Top Priority" Project
	
	The 
		overall cost of SOX to all public companies is expected to exceed $5 
		billion. Another estimate puts the cost of the first year of SOX 404 
		compliance at 1 percent of a public company's assets — an 
		astronomical figure, particularly since many of the Act's initial 
		predictions conjectured that it would merely be a simple reporting 
		exercise, unworthy of significant management attention.
	
	In my 
		experience working for a large external auditor, we were brought into a 
		multi-billion dollar corporation with initial expectations of a $1 
		million SOX budget for one of their larger business units. Over the 
		course of the project, the budget was essentially thrown out and 
		deferred to whatever amount it took to be compliant. It seems that SOX 
		404 has become the top priority and a very expensive project for public 
		companies. Why did this happen?
	
	It's all new. Most companies lack the understanding, knowledge, vision, and 
		project management disciplines to undertake the massive compliance 
		efforts required by SOX. The problems here are reminiscent of the Y2K 
		craze when companies established massive projects to identify and 
		rectify computer system conditions that could not appropriately handle 
		the millennium change.
	
	
	Most companies that I have consulted lacked the basic understanding of 
		control concepts. The CIOs I met with initially were in denial about 
		problems and were mainly concerned about the resource drain the project 
		would tap from their staff.

	Limited skill set and frameworks available. Traditionally, the skill set 
		needed to document and assess internal controls is found in the audit 
		profession. For IT, there is a specialty field dedicated to the audit of 
		information systems led by the professional association, The Information 
		Systems Audit and Control Association (ISACA), which got its start in 1967.
	
	Today, 
		ISACA has certified over 35,000 professionals as Certified Information 
		Systems Auditors in 100 countries worldwide. However, people with this 
		certification often have never actually performed a detailed assessment 
		of internal controls. Typically, big audit firms would complete 
		mini-assessments within their financial audit methodology — just enough 
		to rely on a company's internal controls to deliver a more efficient 
		audit. The requirements of this mini-assessment are dwarfed by the 
		magnitude of a SOX 404 project. Given the number of public companies and 
		the need for the skill set of experienced auditors of internal control 
		systems, demand for workers with these skills grossly exceeds the 
		supply.
	
	Small and medium-sized companies often do not even have any in-house IT audit 
		capability. The $2 billion asset mark (depending on the regulatory 
		requirements of the company and the industry it serves) is typically the 
		threshold below which the company would forgo such capability. Thus, 
		there is an even more significant staff shortage in these smaller 
		companies. These companies have created a strong market for second-tier 
		advisory firms (as opposed to Big Four accounting firms) to fill their 
		void in IT audit expertise.
	
	Lack 
		of understanding of existing business processes.
	
	Personnel 
		in large organizations are typically siloed; they understand their 
		processes, but lack the big picture. This usually happens because of the 
		complexity of systems and the turnover of personnel. In every client I 
		have served, the SOX 404 compliance project represented the first time 
		the company documented its financial reporting processes from a business 
		transaction's inception all the way to its entry in the general ledger.
	
	Financial 
		reporting processes are typically a patchwork of systems from varying 
		platforms, combined with
spreadsheets, queries, and manual reconciliations. When companies 
		actually document their financial reporting processes, there are 
		typically significant inefficiencies and large-scale opportunities for 
		error. For example, in one instance working with a public company, major 
		financial systems used automated processes with tight controls 
		throughout the process only to dump all their financial results in a 
		spreadsheet on a personal work station for ad hoc manipulation prior to 
		final posting. In fact, an Ernst & Young survey taken in December 2003 
		found that only 10 percent of respondents had a comprehensive Enterprise 
		Resource Planning (ERP) system that controlled the entire financial 
		reporting process.
	
	Penalties 
		are severe. There is nothing that gets a project more attention than the 
		threat of jail time for a CEO or
CFO. SOX imposes very real penalties, including potential delisting of 
		stock, as much as $5 million in penalties and prison time (up to 20 
		years) for executives. This creates an interesting dynamic for a SOX 404 
		project, where executives want to carefully monitor and completely 
		understand the project as it progresses through its various stages.
			
	
	Documentation is often unavailable or outdated.
	
	
	Documentation of internal systems is usually spotty. Documentation tends 
		to be better initially; however, companies rarely update it over time. 
		Also, systems documentation is functional in nature — rarely does it 
		describe system controls in the format required by SOX internal control 
		auditors.
	
	The Model of Internal Control for E-Business

	So how can companies implement e-business applications with strong controls 
		that can sustain the rigor of a Sarbanes-Oxley project? It starts with a 
		model for reliability. One organization that has been working towards 
		developing a subset of suggested standards and controls tailored for SOX 
		is the IT Governance Institute (www.itgi.org).
	
	The Institute, which was established in 1998 to advance international 
		thinking and standards in directing and controlling an enterprise's 
		information technology, considered various frameworks for its control 
		model (tailored for SOX):

		- The Control Objectives for Information Technology (CobiT) framework, created by the ISACA,
		- The Information Technology Infrastructure Library (ITIL), a generally accepted set of IT processes, and
		- ISO17799, a set of security standards issued by the International Standards Organization.

	Their findings have been captured in a free document entitled “IT 
		Control Objectives for Sarbanes-Oxley.”
 
	
	
	
	
	Figure 1 above shows a model for SOX-required IT controls, and demonstrates the 
		components of the e-business application and supporting infrastructure 
		controls needed for reliable financial processing. It shows the three 
		major components for reliable e-business processing controls: 
		company-level controls, general controls, and application controls.

	Company-Level Controls: These controls set the organizational structure 
		that should exist for reliable e-business process development. They 
		require proper IT planning, including proper budgeting and strategic 
		architectural direction, resource planning, and reverence for quality 
		control and integrity of systems at all levels of the organization.

	General Controls: These controls are the infrastructure controls that 
		allow computer applications to operate consistently over time. They include:

		- Data center operation controls: Controls that ensure the proper execution of scheduled production technology systems — including proper systems scheduling, problem management, and backup and recovery.
		- Application Software Development and Maintenance: Controls that direct the acquisition or development of systems through the use of a robust and consistently followed systems development life cycle methodology. These ensure, for example, that new systems are introduced into the live business processing environment only through a carefully architected change management process.
		- Access control: Controls that restrict access to systems to only those who require it for their job functions.
		- Systems Infrastructure controls: Controls that drive the proper introduction and operation of system software — including operating systems, database, and network software.

	Application Controls: These controls are embedded within applications to 
		prevent, detect, or correct financial reporting errors. The errors 
		detected might include lack of completeness, accuracy, or validity of 
		financial transactions, and lack of proper authority for the transactions.
	
	
	How Sarbanes-Oxley Changed Internal Controls Management

	Within a Sarbanes-Oxley compliance project, each business process related 
		materially to financial reporting is documented and analyzed to 
		determine the nature of controls that reduce errors on the financial 
		statements. These controls come in three flavors:

		- Manual: Those controls that require human intervention for their performance. These include activities such as manual check authorizations, review of paper-generated documents, key review meetings, etc.
		- Information Technology Dependent: Those controls that are manual but depend on computer-generated data for their performance. These include review of computer-generated reports, budget-to-actual reviews, system exception handling, etc.
		- Automated or Application: Those controls performed within computer system operation, without human intervention.

	Before SOX, reviews of financial controls were rarely performed except for 
		periodic internal audits and through the annual external financial 
		audit. Therefore, there was limited demand for financial system 
		developers (especially in-house) to build robust applications.
 
	
	
	The Case for an E-Business Escalated Solution

	The business case to implement new e-business systems as a replacement for 
		deficient financial reporting processes for SOX 404 compliance is 
		strengthening for 2005. This is largely because the automated or 
		application controls defined in the previous section are the ultimate 
		way to economically achieve Sarbanes-Oxley compliance, owing to 
		several factors:

		- Systems reliability: The inherent nature of e-business transaction systems lends itself to predictable and repeatable processes in comparison to manual processes and controls. Note, however, that this premise can only be followed if the underlying technology infrastructure (i.e. IT general controls) has reliable processes and controls, as described above.
		- Testing efficiency: The nature of computer systems allows automated controls to be tested more efficiently than manual controls. External audit plans allow for “tests of one” whereby an auditor only needs to examine one test case of an automated control since the system will predictably perform the same operation the same way every time (as opposed to 25 occurrences of a manual control).
 
	
	
	Over the scope of testing controls for a complex global enterprise, these 
		efficiencies add up. An E&Y survey indicated that the number of 
		companies in the $1 billion to $20 billion revenue range that are 
		planning to spend more than 100,000 hours on SOX this year has 
		increased dramatically.
	
	
	Nearly 
		half the companies polled with revenue greater than $5 billion plan to 
		spend more than 50,000 hours on SOX compliance.
	
	Focus on 
		more preventative than detective controls: Controls come in three types: 
		preventative, detective, and corrective. Preventative controls (e.g. 
		access restrictions) restrict errors from ever occurring. Detective 
		controls (e.g. manual review of exception reports) will allow errors to 
		occur, but will identify them in a timely enough manner to reduce their 
		impact to a minimum. Corrective controls (e.g. disaster recovery plans) 
		are controls that allow errors, but will fix the damage in a structured 
		way, limiting the impact to an acceptable level. (Corrective controls 
		are typically not in a SOX project.)
	
	The environment of e-business systems tends to allow more preventative 
		controls since the point at which a control error originates can be more 
		clearly identified, and the error therefore prevented at that point.
	
	Automated workflow: The advancement of Microsoft SharePoint and other document 
		management systems blends well into e-business systems for 
		financial reporting. Vendors such as Captaris and K2 are employing .NET 
		to streamline any non-automated business processes at a reasonable cost. 
		Their workflow solutions bring new levels of productivity to any 
		business flow, from simple departmental-level processes on up to 
		enterprise processes that cross software, department, and even company 
		boundaries.
	
	These 
		systems will produce huge future dividends in SOX compliance projects.
	
	More reliable than spreadsheets: The May 24, 2004, issue of Computerworld 
		indicated that, “Anecdotal evidence suggests that 20-40 percent of 
		spreadsheets have errors, but recent audits of 54 spreadsheets found 
		that 49 (or 91 percent) had errors, according to research by Raymond R. 
		Panko, a professor at the University of Hawaii.” [1]

	At the 2003 EuSpRIG (European Spreadsheet Risk Interest Group) Conference, a 
		reference was made to the failure to control a spreadsheet in the 
		TransAlta energy company of Calgary, Canada. They lost $24 million in 
		June, 2003, through a “cut-and-paste” error that mismatched prices. [2]
	
	Overall Lower Cost: 
		If you factor in the amount of effort it takes to operate disparate 
		business processes throughout an enterprise, including full-time 
		equivalent personnel performing manual review controls, the total cost 
		of automating e-business processes is well justified.
	
	Continuous Monitoring: The Desired End State for an E-Business Control System

	All of the previously mentioned controls can result in a model for 
		automated and continuous monitoring of controls.
	
	The 
		desired end state for a true e-business solution is a system in which 
		control is automatically applied in a consistent manner and exceptions 
		are flagged and immediately reported.
	
	The convergence of many factors will make this end a realistic short-run 
		possibility. Due to sheer market interest, software vendors are more 
		focused on developing tools allowing greater control. The technology 
		allowing for enterprise collaboration tools that interact with financial 
		systems is now more than just brochureware. The Meta Group asserts that 
		it is an emerging market that will continue to grow through 2008, as 
		this type of software becomes more critical to managing the global 
		business processes typically deployed across disparate systems. [3]

	There are five components that are used in a continuous monitoring solution:
	
	Controls Rules: This component establishes the population of control tests 
		that will be part of the continuous monitoring system. It would include 
		what control exceptions management would want reported. These rules 
		would establish a variety of automated checks such as check digit 
		verification, pre-defined data field selections, reasonable values, and 
		threshold limits.

	Testing: This component actually interrogates the data to identify trends 
		and threshold exceptions. Within a SOX engagement, thresholds are 
		established for reasonable controls.

	Risk Assessment: In a continuous monitoring system, thresholds can 
		automatically be set using the risk assessment component. The goal of 
		continuous monitoring is to be as near real-time as possible.

	Scheduling: The scheduling component allows for the flexibility to define 
		“near real-time” in the context of a specific ERP system.

	Alert Management: One of the benefits of e-business systems is that they are 
		better able than manual processes to capture the point at which control 
		errors occur.
	
	A case 
		study on continuous monitoring within a manufacturing company was 
		presented by the Institute of Internal Auditors in August, 2003. This 
		company had installed an SAP system and had 2500 employees using it. 
		However, with that many employees and given hires and terminations, 
		control of access rights became difficult.
	
	To 
		address this problem, the company deployed a continuous monitoring 
		solution for access control. Using this tool, the company was able to 
		detect and correct several types of segregation of duties violations 
		that had the potential to harm the company. These included accounts 
		payable fraud (manager making “payments” of $500,000 to a dummy vendor 
		he created), sales order fraud (a sales rep had been changing sales 
		orders after they were approved), accounts receivables fraud (an 
		accounts receivables clerk had been handing out unauthorized discounts 
		for a “fee”), and user access violations (access rights were not deleted 
		when employees left the company, leaving active backdoors to the 
		system). This continuous monitoring saved the company an estimated 
		$250,000 each year.
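
The control rules, testing, scheduling and alerting components described above, together with the kinds of violations found in the case study, can be sketched as a small monitor that runs over extracts of ERP data. This is an added example, not code from the article or from any vendor tool it names; the rule values, role names, alert codes and all user, vendor and payment records are constructed, and the use of the Luhn algorithm for check digit verification is an assumption.

```python
from datetime import date

# Control rules component (constructed, hypothetical values).
RULES = {
    "allowed_currencies": {"USD", "CAD", "EUR"},       # pre-defined field selections
    "payment_limit": 100_000,                           # threshold limit
    "conflicting_roles": [("vendor_maint", "ap_payment")],
}

# Constructed extracts standing in for ERP tables; none of this is real data.
USERS = {
    "mgr01":   {"terminated": None, "roles": {"vendor_maint", "ap_payment"}},
    "clerk02": {"terminated": None, "roles": {"ap_payment"}},
    "clerk03": {"terminated": None, "roles": {"vendor_maint"}},
    "rep04":   {"terminated": date(2004, 3, 31), "roles": {"ap_payment"}},
}
VENDORS = {"10002343": "clerk03", "20005179": "mgr01"}  # vendor id -> created_by

_FIELDS = ("id", "vendor", "amount", "currency", "approver", "date")
PAYMENTS = [dict(zip(_FIELDS, row)) for row in [
    ("P1", "10002343", 12_500, "USD", "clerk02", date(2004, 6, 1)),
    ("P2", "20005179", 500_000, "USD", "mgr01", date(2004, 6, 2)),
    ("P3", "30007711", 900, "USD", "clerk02", date(2004, 6, 2)),
    ("P4", "10002343", 4_200, "XXX", "clerk02", date(2004, 6, 3)),
    ("P5", "10002343", -50, "USD", "rep04", date(2004, 6, 4)),
]]


def luhn_ok(number: str) -> bool:
    """Check digit verification; Luhn is assumed here as the ID scheme."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def check_payment(p, rules=RULES, users=USERS, vendors=VENDORS):
    """Testing component: apply every transaction-level rule to one payment."""
    found = []
    if not luhn_ok(p["vendor"]):
        found.append("CHECK_DIGIT")
    elif p["vendor"] not in vendors:
        found.append("UNKNOWN_VENDOR")
    if p["currency"] not in rules["allowed_currencies"]:
        found.append("FIELD_VALUE")
    if p["amount"] <= 0:
        found.append("UNREASONABLE_VALUE")
    elif p["amount"] > rules["payment_limit"]:
        found.append("OVER_THRESHOLD")
    # Segregation of duties: the vendor's creator must not approve its payments.
    if vendors.get(p["vendor"]) == p["approver"]:
        found.append("SOD_CREATOR_APPROVED")
    # Activity by an account whose owner has already left the company.
    left = users.get(p["approver"], {}).get("terminated")
    if left is not None and p["date"] > left:
        found.append("TERMINATED_USER_ACTIVITY")
    return found


def check_access(users=USERS, rules=RULES):
    """Access-rights tests: orphaned accounts and conflicting role pairs."""
    found = []
    for name, u in sorted(users.items()):
        if u["terminated"] is not None and u["roles"]:
            found.append((name, "ORPHANED_ACCESS"))
        for a, b in rules["conflicting_roles"]:
            if {a, b} <= u["roles"]:
                found.append((name, "SOD_ROLE_CONFLICT"))
    return found


def run_monitor(payments=PAYMENTS, since=None):
    """Scheduling and alerting: test payments dated after `since`, then access."""
    alerts = [(p["id"], code)
              for p in payments
              if since is None or p["date"] > since
              for code in check_payment(p)]
    return alerts + check_access()


if __name__ == "__main__":
    for source, code in run_monitor():
        print(f"ALERT {code:<26} {source}")
```

Calling `run_monitor(since=...)` with the date of the previous run is what makes the schedule incremental; how short that interval can be is the "near real-time" setting the scheduling component defines.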
	
	What Your Firm Should Do - The Business Case is Stronger Than Ever

	In today's business environment, it is not enough to identify problems 
		during events such as a quarterly audit, or even worse, during an annual 
		audit. These audits often miss key problems and are too late for 
		effective correction.
	
	E-business control systems can monitor transactions independently and 
		continuously, close to the time of origin. Data analysis technologies 
		that run alongside operational application systems can add an additional 
		control layer. This layer can improve the process of checking compliance 
		with controls, and can produce exception reporting.
	
	The infrastructure needed to enable an effective continuous monitoring 
		strategy should include several key components:

		- Independence from the system that processes the transaction.
		- The ability to compare data and transactions across multiple platforms.
		- The ability to process large volumes of data.
		- Prompt notification of transactions that represent control exceptions.
 
	
	
	Ideally, 
		ERP systems and other transaction processing systems should be 
		implemented so that controls are embedded in the core applications.
			
	
	As for concerns about the cost, organizations that have implemented 
		continuous monitoring systems frequently find that cost recovery, and 
		indeed cost savings, is achieved in a short period of time due to the 
		timely identification of errors and fraudulent activity. Jerome Klajbor, 
		CFO of IntelliCorp, claims that a large U.S. organization will typically 
		spend $4.7 million each year to implement requirements associated with 
		SOX, and automating the process can reduce costs of compliance by 30 
		percent. Firms must find a balance between effectively testing controls 
		in higher risk areas and not creating an over-controlled environment, 
		which slows down operational efficiency. If an effective balance is 
		found, continuous monitoring will be a solution that improves 
		profitability and corporate governance.
	
	A Cause for Action
	
	The 
		initial SOX reviews will show many internal control deficiencies. 
		Furthermore, the unexpected difficulty of the reviews is likely to cause 
		the first round of reviews to leave many problems undetected. The 
		investing public will be bombarded with so many announcements of 
		problems that it will be difficult to separate true issues from issues 
		of lesser importance.
	
	Look 
		for some market instability in the months ahead.
	
	Shareholder value will be driven by how the market perceives the 
		company to be operating. Any mention of noncompliance or the need to 
		restate financial results will have a negative impact on shareholder 
		value. In addition, noncompliance can result in fines, possible 
		delisting for public companies, and civil/criminal penalties. A confused 
		investor public will demand greater controls embedded within financial 
		processes, but will not be educated enough to understand the complete 
		circumstances underlying control deficiencies. The capital market will 
		be left with a gap between the perception of a company's report on its 
		financial condition and its actual financial results.
	
	Is Sarbanes-Oxley good for e-business?
	
	
	Some look 
		at the unexpectedly high costs of compliance with SOX and see this as a 
		new cost of e-business. But the opportunities for e-business are greater 
		than ever if companies can recognize the link between e-business control 
		initiatives and the creation of shareholder value. This is a unique time 
		in the history of corporate America; many executives will be signing 
		their financial reports with a shaky pen and some companies will not 
		survive complying with Sarbanes-Oxley.
	
	With the 
		fever over internal controls at an all-time high, new e-business systems 
		deploying continuous monitoring just may be the new “top priority” 
		project over the next several years.
	
	
	END NOTES

	1 “The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act.” PriceWaterhouseCoopers, July 2004, p. 1.

	2 David Chadwick, “Stop That Subversive Spreadsheet” (October 2004), http://www.eusprig.org/eusprig.pdf

	3 ACL Services Inc, IntelliCorp, and Approva Corporation have tools available that can be deployed to achieve continuous monitoring. All three work within the infrastructure of ERP systems to provide real-time notification of control exceptions. ACL calls their suite Continuous Controls Monitoring (CCM), IntelliCorp uses the NetProcess Tool suite, and Approva calls their solution BizRights.

	4 Prashanth Boccasam and Nitin Kapoor, “Managing Separation of Duties Using Continuous Monitoring.” The Institute of Internal Auditors' IT Audit, http://www.theiia.org/itaudit/index.cfm?fuseaction+forum&fid=5433

	5 Jerome F. Klajbor, “The Key to Unlocking Year Two Compliance: Automated Continuous Monitoring.” Sarbanes-Oxley Compliance Journal, http://www.s-ox.com/features/2004_7/f_monitoring_klajbor.html
	
	REFERENCES

	ACL Services Inc. “Continuous Control Monitoring.” http://www.acl.com/products/ccm.aspx

	Approva Corporation. “BizRights and Sarbanes-Oxley Compliance.” http://www.approva.net/solutions/sox-compliance.htm

	AuditNet. “Application System Internal Control Questionnaire.” http://www.auditnet.org/appl_icq.htm

	Birr, Lisa. “Before and After the FDICIA: A look into Commercial Banking Risk Behavior.” The Park Place Economist. April 2001, Volume IX, pp. 83-90.

	Boccasam, Prashanth, and Nitin Kapoor. “Managing Separation of Duties Using Continuous Monitoring.” The Institute of Internal Auditors' IT Audit Web site. http://www.theiia.org/itaudit/index.cfm?fuseaction+forum&fid=5433

	Chadwick, David. “Stop That Subversive Spreadsheet.” http://www.eusprig.org/eusprig.pdf

	Ecora Software Corporation. “The Practical Guide to Sarbanes-Oxley Compliance.” 2004.

	Ernst & Young. “Emerging Trends in Internal Control: Second Survey.” May 2004, p. 5.

	Hoskins, W. Lee. “FDICIA's Regulatory Changes and the Future of the Banking Industry.” Assessing Bank Reform. 1993, pp. 148-154.

	Information and Controls Association. “About ISACA: Overview and History.” http://www.isaca.org/template.cfm?section=Overview_and_History

	IntelliCorp. “IntelliCorp: Corporate Overview.” http://www.intellicorp.com/docs/IntelliCorp_CorporateOverview.pdf

	IT Governance Institute. “IT Control Objectives for Sarbanes-Oxley.” http://www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=9757&TEMPLATE=/ContentManagement/ContentDisplay.cfm

	Klajbor, Jerome F. “The Key to Unlocking Year Two Compliance: Automated Continuous Monitoring.” Sarbanes-Oxley Compliance Journal Web site. http://www.s-ox.com/features/2004_7/f_monitoring_klajbor.html

	Nigrini, Mark J. “An Assessment of the Change in the Incidence of Earnings Management Around the Enron-Andersen Episode.” Forthcoming in The Review of Accounting and Finance, Volume 4 Number 1 (2005). Abstract from Mark J. Nigrini Web site. http://nigrini.com/images/Enron_Earnings_Management.htm

	Nigrini, Mark J. “Forensic Accounting: Findings and Observations.” Mark J. Nigrini Web site. http://nigrini.com/images/ForensicAccountantReport.htm

	PriceWaterhouseCoopers. “The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act.” July 2004.

	University of Notre Dame. “Accountancy 477 - Controls for Computerized Systems - II.” http://www.nd.edu/~ehums/acct477/ac47736.htm

	Van Decker, John. “The Need for Continuous Monitoring.” Meta Group Web site. Delta 2951 June 9, 2004. http://www.metagroup.com/webhost/ONLINE/739743/d2951.htm

	Verver, John. “Risk Management and Continuous Monitoring.” AuditNet Web site. www.auditnet.org/articles/Risk%20Management%20&%20Continuous%20Monitoring%20Verver.pdf

	Weintraub, Jay M. “FDICIA From the Bankers' Perspective: Too Much Medicine Applied Indiscriminately.” Assessing Bank Reform. 1993, pp. 107-112.

	Weisstein, Eric W. “Benford's Law.” MathWorld Web site. http://mathworld.wolfram.com/BenfordsLaw.html

	Will, Harald. “What is the single most challenging Sarbanes-Oxley issue today?” Sarbanes-Oxley Compliance Journal Web site. http://www.sox.com/resources/roundtable/2004.1/HaraldWill.html