University of Maryland University College
The Sarbanes-Oxley Act (SOX) is legislation enacted in 2002 under the sponsorship of U.S. Senator Paul Sarbanes (D-MD) and U.S. Representative Michael G. Oxley (R-OH). The law introduced increased government oversight for publicly held companies. It also imposes additional management responsibilities and corporate operating costs on companies trading under SEC regulations. Sarbanes-Oxley was enacted in direct response to a number of corporate accounting scandals, including those of Enron, Tyco International, and WorldCom.
As a result of the SOX Act, corporate managers (CEOs, CFOs) are required to: 1) issue an Internal Control Report beginning with the 2004 company annual report; 2) certify quarterly to the effectiveness of internal controls over financial reporting; 3) issue two opinions on internal controls in the annual report: a) management’s assessment process and b) effectiveness of controls. Moreover, Section 404 mandated company reporting on internal control by management and independent auditors.
What is the reasoning behind the decision? In fact, according to the authors, the SEC believes that
First, internal control was not conceptually designed to be a panacea for corporate ills. Traditionally, in the audit literature, the concept of internal control is narrow in scope and procedural in application. It is narrow because the scope of internal control is largely confined to accounting systems that support the accounting process. It is procedural because auditors tend to follow a set of prescribed mechanical procedures to determine whether internal controls surrounding and embedded in accounting systems are reliable. In general, auditors will not concern themselves with controls beyond the accounting process. This is where the problem of the traditional internal control concept lies.
Second, the Foreign Corrupt Practices Act of 1976 (FCPA) defines the responsibilities of corporate management regarding the establishment of an effective system of internal control. Accordingly, the mechanism of corporate governance through internal control has been mandatory since then. Section 404, in essence, renews the enforcement of the Foreign Corrupt Practices Act. However, the failure of the FCPA should have conveyed the potential difficulties in the implementation of SOX Section 404.
Third, requiring independent auditors to attest to and render an opinion on the effectiveness of internal control is nothing new. The evaluation of internal control is an integral part of a financial audit. The scope of the audit is based on the assessment of the strengths and weaknesses of internal control over a company’s accounting systems. At the end of an audit engagement, independent auditors generally provide a management report that includes recommendations to strengthen internal control if it is found to be significantly weak. If management uses the auditor’s report to improve internal control, and the auditor is then required by Section 404 to attest to management’s assertions about the effectiveness of that internal control, conflict-of-interest issues would be raised.
In 1992, the Committee of Sponsoring Organizations (COSO) issued the Internal Control–Integrated Framework. According to it, internal controls encompass a set of policies, rules, and procedures enacted by management to provide reasonable assurance that 1) financial reporting is reliable, 2) its operations are effective and efficient, and 3) its activities comply with applicable laws and regulations.
Clearly, COSO indicates that internal control has purposes other than reliable financial reporting. Internal control deals with potential risks existing in three areas of business: information processes (capturing data, maintaining databases, and providing information to achieve reliable financial reporting); operation processes (activities in the...