
   Corporate Governance (Sarbanes-Oxley – SOx – Controls)


  • The Sarbanes-Oxley Act of 2002 (SOx) (a/k/a the Public Company Accounting Reform and Investor Protection Act, and the Corporate and Auditing Accountability, Responsibility, and Transparency Act) promotes the use of internal controls – meaning mini-protocols controlling processes within the enterprise, designed to document (whether in written verbiage, graphically – through standardized corporate flow charts – or even physically – such as a lock on the door to a secure server room) every step of a particular enterprise process, in order to prove to an independent external auditor at some future time that the enterprise process in question can be successfully completed repeatedly by following the steps enumerated in the internal control.

  • An internal control is just a form of checklist, or series of checklists, in which every line item is an instruction in a sequence of instructions that will lead the person performing them from the beginning of the sequence to its successful conclusion (assuming the person does not skip an instruction or jump around in the sequence); the instructions may be just a system of activities, policies, procedures, reviews, rules and segregation of duties, all strung together in that particular sequence, with the sole purpose of accomplishing a particular task. In order to design a control, the designer must first determine what outcome the control is intended to accomplish, and then work backwards from that outcome to the very first step necessary to commence the control sequence, so that the instructions in the sequence (however many may be required to proceed from commencement to the desired outcome) flow logically from one to another and thus result in the outcome the designer intended.

  • The intent of an internal control checklist is to assist an independent external auditor (who might not necessarily be familiar with the process governed by such control) to identify any design deficiencies in the steps of the control, so that such design deficiencies might be remediated; in the event the auditor identifies any such design deficiency, the auditor must then check all the succeeding steps after the deficiently-designed step, to determine whether any succeeding step would act to negate the deficiently-designed step, thus preserving the final outcome intended for the control by the original designer; if the auditor does find a succeeding step that negates the deficiently-designed step, the auditor may flag the deficiently-designed step for remediation; however, if the auditor is unable to find any such succeeding step, the auditor must flag the deficiently-designed step for redesign or replacement. It is important to remember, however, that an internal control is only as good as the people who adhere to it, and it cannot protect the enterprise from employee collusion, embezzlement, fraud, theft and all the other bad behavior to which humans are prone.

  • Since SOx was enacted mainly to regulate the financial industry, it is not uncommon to encounter references to financial-related internal controls in external independent audits, since every enterprise deals in finance in some form or another; such financial-related internal controls are adapted from the financial industry, and may be categorized into several types, the most common of which are listed below (in order of general implementation):

    • preventive internal controls – the most cost-effective internal controls, because their primary purpose is to help prevent the loss of assets and they are generally not very expensive to implement; some examples of preventive internal controls are – access controls, which limit access to any area, facility, item or virtual environment to only those the enterprise feels have a need for access (such as key cards, passwords, physical locks, security guards and the like); delegation of authority (from a person of higher title to a lower-titled person or group of people); double-entry accounting; drug testing; dual-signature requirements on all checks over a pre-defined amount; fidelity bonds or insurance covering the activities of all employees who handle cash; firewalls on computer systems; employee background checks; employee certifications; employee training; password-protected access to asset storage areas; physical locks on inventory warehouses; pre-employment screening; safeguarding assets with physical barriers; security camera systems; segregation of duties (asset custodianship, authorizations, reconciliations and recording should each be handled by separate individuals);

    • detective internal controls – seek to identify when preventive internal controls were not effective in preventing errors and irregularities, particularly in relation to the safeguarding of assets; some examples of detective internal controls are: bank reconciliations (bank cash balance sheets are compared – reconciled – to the enterprise cash balance sheets); control totals (the cash register tape is reconciled to the final cash in the cash register drawer); financial reporting; financial statements; physical inventory counts (inventory is physically counted and then reconciled to the inventory ledger); reconciliation of the detailed subsidiary ledgers to the general ledgers; surprise spot counts of cash on hand (petty cash is counted on both a random and a surprise basis, and then reconciled to requested disbursements);

    • corrective internal controls – implemented after detective internal controls have identified an issue but have not corrected it; some examples of corrective internal controls are – data backups (to restore lost data in case of a computer disruption, fire or other disaster); data validity tests (such as blockchain and checksums, which require users to confirm data inputs if, for example, the checksum of the data sent does not match the checksum of the data received); employee disciplinary actions (such as loss of pay or suspension); insurance (to replace damaged or stolen assets); management variance reports (highlighting variances from the budgeted amounts to the actual amounts); new corporate policies; software patch management; training and operations manuals (which can always be revised as necessary to prevent future errors).
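The data validity test listed among the corrective controls above (comparing a checksum of the data received with the checksum of the data sent) is the same mechanism that lets a restore from backup be trusted. The following is an added example, not code from this page: it builds a SHA-256 manifest of a constructed backup directory and then verifies the tree after a simulated restore in which one file was corrupted, one is missing and one extra file appeared. The file names and contents are constructed for the example.

```python
"""Backup integrity check with a checksum manifest (added example; files are constructed)."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path with '/' separators) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare the tree now present under root with the manifest taken at backup time.

    Returns a dict of sorted lists: files that still match, files whose contents
    changed, files that are gone, and files that were not in the backup at all.
    """
    current = build_manifest(root)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = list(set(current) - set(manifest))
    for key in result:
        result[key].sort()
    return result


def demo():
    """Constructed scenario: take a manifest, damage the tree, verify it again."""
    files = {  # constructed backup contents
        "ledger/gl.csv": b"acct,amt\n1000,250\n",
        "ledger/ap.csv": b"inv,amt\nINV-1,99\n",
        "readme.txt": b"backup 2024-03-31\n",
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "ledger"))
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(root)

        # Simulate what a restore might produce: one file altered, one lost, one planted.
        with open(os.path.join(root, "ledger/gl.csv"), "ab") as f:
            f.write(b"1000,-250\n")
        os.remove(os.path.join(root, "readme.txt"))
        with open(os.path.join(root, "ledger/extra.csv"), "wb") as f:
            f.write(b"x\n")

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:10s} {names}")
```

The manifest itself must be stored separately from the backup it describes (or signed), otherwise whatever corrupts the data can rewrite the checksums to match.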

  • SOx was originally intended to apply primarily to the financial processes within an enterprise; thus, one of the simplest and most effective financial-related internal controls in an enterprise is the reconciliation (a comparison of the enterprise financial records to financial records about the enterprise generated by some third party, such as a bank statement listing the enterprise bank accounts); when internal controls are used to maintain the integrity of financial data and transactions, the term of art applied is internal controls over financial reporting (ICFR); the SOx-created Public Company Accounting Oversight Board (PCAOB) has promulgated Auditing Standard No. 5, which is an excellent resource for understanding the application of ICFR to financial reporting; some examples of financial-related internal controls are:

    • customer billing controls (with a checklist including instructions such as – all discounts and special prices must be confirmed in writing by the department manager; all invoices and unverified bills of lading must be checked for errors and signed by at least the senior clerk; the running sales order total must match the running invoice total; the department manager shall issue statements of any unpaid amounts by each debtor on the last business day of each month);

    • payables controls (with a checklist including instructions such as – all invoices over a certain dollar amount must be approved by the department manager; all blank checks must be stored in a locked safe box (for which only the assistant department manager has the key) in a locked store room (for which only the department manager has the key), and the sequence number of every check issued is tracked in a log book stored in the store room, adjacent to the safe box; each check up to $1,000 must be signed manually by either the department manager or the assistant department manager, but any check over $1,000 may only be signed manually by the department manager; every purchase order, receipt form and supplier invoice must be verified through a 3-way comparison of their numbers; no invoice may be stamped as paid until the bank receipt for such invoice is received and signed manually by either the department manager or the assistant department manager);

    • payroll controls (with a checklist including instructions such as – each supervisor of each employee must review the hours noted on each timesheet and sign each employee's timesheet before sending such timesheet to the junior clerk for processing; each timesheet must be matched to the corresponding employee and signed by at least the junior clerk before being processed for payment; the senior clerk must reconcile the total hours claimed by employees to the hourly rates paid to such employees prior to issuing any checks to the employees; the preliminary payroll register must be approved and signed by the payroll manager prior to issuing any checks directly to employees).
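Reconciliation, the comparison of the enterprise's own records to a third party's records described above (and the bank reconciliation listed among the detective controls), can be implemented as a matching routine whose leftovers are the exceptions an auditor reviews. The following is an added example, not code from this page: the ledger and bank-statement entries are constructed, and the three matching passes (exact reference and amount; same reference with a different amount, which points to a recording error such as a transposed figure; same amount within a date window when the two sides label the item differently) are the example's own design, not a procedure prescribed by SOx or the PCAOB.

```python
"""Bank reconciliation as a detective control (added example; entries are constructed)."""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Entry:
    ref: str            # check number or transaction id as that side recorded it
    amount_cents: int   # signed integer cents: deposits positive, payments negative
    posted: date


@dataclass
class Report:
    matched: list = field(default_factory=list)          # (ledger, statement) pairs
    amount_mismatch: list = field(default_factory=list)  # same ref, different amount
    outstanding: list = field(default_factory=list)      # ledger only: timing differences
    unrecorded: list = field(default_factory=list)       # statement only: must be investigated


def reconcile(ledger, statement, date_tolerance_days=5):
    """Match the enterprise ledger against the bank statement and return the exceptions."""
    ledg, stmt, rep = list(ledger), list(statement), Report()

    def take(pred):
        # Remove and return the first still-unmatched statement entry satisfying pred.
        for s in stmt:
            if pred(s):
                stmt.remove(s)
                return s
        return None

    # Pass 1: exact agreement on reference and amount.
    for entry in list(ledg):
        s = take(lambda s: s.ref == entry.ref and s.amount_cents == entry.amount_cents)
        if s is not None:
            rep.matched.append((entry, s))
            ledg.remove(entry)

    # Pass 2: same reference but a different amount is a recording error
    # (a transposed figure, for example), not a timing difference.
    for entry in list(ledg):
        s = take(lambda s: s.ref == entry.ref)
        if s is not None:
            rep.amount_mismatch.append((entry, s))
            ledg.remove(entry)

    # Pass 3: same amount within the date window; the two sides label the item differently.
    for entry in list(ledg):
        s = take(lambda s: s.amount_cents == entry.amount_cents
                 and abs((s.posted - entry.posted).days) <= date_tolerance_days)
        if s is not None:
            rep.matched.append((entry, s))
            ledg.remove(entry)

    # Whatever is left on either side is the exception report an auditor reviews.
    rep.outstanding, rep.unrecorded = ledg, stmt
    return rep


# Constructed sample data for one month.
LEDGER = [
    Entry("CHK1001", -50_000, date(2024, 3, 2)),
    Entry("CHK1002", -12_500, date(2024, 3, 5)),
    Entry("DEP-77", 200_000, date(2024, 3, 3)),
    Entry("CHK1003", -30_000, date(2024, 3, 28)),   # not yet cleared by the bank
]
STATEMENT = [
    Entry("CHK1001", -50_000, date(2024, 3, 4)),
    Entry("CHK1002", -15_200, date(2024, 3, 6)),    # bank cleared 152.00; the books say 125.00
    Entry("DEP", 200_000, date(2024, 3, 3)),        # bank's own label for the deposit
    Entry("FEE", -1_500, date(2024, 3, 31)),        # bank fee never recorded in the ledger
]


def sample_report():
    return reconcile(LEDGER, STATEMENT)


if __name__ == "__main__":
    r = sample_report()
    for name in ("matched", "amount_mismatch", "outstanding", "unrecorded"):
        print(name, getattr(r, name))
```

Amounts are integer cents so that matching is exact; a float comparison would itself be a source of false exceptions.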

  • Since it is imperative that financial reporting integrity be maintained in an external independent SOx audit, external independent auditors may employ an extended protocol to examine financial-related internal controls, as follows (in no particular order of precedence):

    • create a detailed matrix listing all internal controls;

    • decide which of all such internal controls are key internal controls, and then decide which of those key controls may be ICFR financial-related key controls relevant to the external independent audit (including but not limited to – any login credentials used to access enterprise computers; corporate policies enumerating protocols to determine the competency of the chief financial officer – CFO – as well as the competency of each level of employee in the accounting department; and the like); the American Institute of Certified Public Accountants (AICPA) AU-C Section 315 recommends that, when attempting to identify which key internal controls may be ICFR financial-related key controls, an independent external auditor should always concentrate on – internal controls that remediate general significant risks to the enterprise (such as fraud); internal controls that remediate risks in situations not addressed by existing enterprise corporate policies; internal controls related to journal entries (listing transactions in an accounting journal that show the enterprise debit and credit balances); and any internal controls the independent external auditor may wish to test for efficacy;

    • continue to assess all identified controls by personally witnessing how the personnel of the enterprise client operate such controls;

    • flag suspected errors in data generated by the controls, for further investigation to determine whether such data is actually incorrect or whether there is some design deficiency in the internal control, or whether the possibly-incorrect data was the result of an operating error;

    • if an actual deficiency is identified, determine the materiality of such deficiency; internal control deficiencies are generally of two (2) types, design and operational. A design deficiency occurs when an internal control fails to perform the function it was designed to accomplish – perhaps by negating the efficacy of some related internal control – or was mistakenly omitted altogether from the original internal control design; an operational deficiency occurs when the control fails because it was used improperly or not at all, such as an unlocked supposedly self-locking door to a secure server room (an operational deficiency in a physical internal control), or a software firewall that suddenly vanishes because someone clicked on the wrong icon and did not notice the alert that popped up (an operational deficiency in a virtual internal control). Once an external independent auditor identifies a design or operational deficiency in either a physical or virtual internal control, that auditor is obligated first to record the deficiency, and then to make a determination about its materiality, meaning whether the deficiency constitutes a clear and present threat to the functioning of the enterprise: if so, the auditor must classify the deficiency as material (also called a material weakness, which requires immediate redesign, remediation or complete replacement); if there is no clear and present threat and the deficiency merely results in less-efficient functioning of the internal control, the auditor classifies it as non-material (also called a significant deficiency, which is anything not classified as material, and which only requires attention as soon as practicable). The auditor must then record these findings in the final SOx audit report, which will be presented to the enterprise client at the completion of the independent external SOx audit;

    • perform a risk assessment for all internal controls where an actual deficiency has been identified, using the industry-standard determination categories – acceptance; avoidance; reduction; transference;

    • once each of the deficient internal controls has been categorized for risk, then determine the level of effort (remediation, complete redesign, replacement or additional new internal controls) that must be expended to bring any such deficient internal control up to an acceptable level of performance to pass the external independent audit, and then complete any necessary work to accomplish that goal;

    • document all the details of such work in the final external independent SOx audit report;

    • provide any necessary training to enterprise employees to familiarize them with the operation of all new or remediated internal controls.

  • The SOx concept of a financial-related internal control as a verification tool was eventually so widely accepted in enterprises subject to SOx regulation that internal controls for all types of processes within such enterprises became prevalent, particularly for processes related to information technology (IT) functions.

  • Generally speaking, an internal control is a process, consisting of a chain of sequential actions, that has the objectives of: encouraging adherence to enterprise corporate policies; ensuring accurate reporting of data; promoting efficiency; protecting enterprise assets.

  • SOx requires regular testing of all internal controls; an enterprise must engage an independent external auditor (which should be a PCAOB-approved auditor) annually to perform comprehensive testing of all internal controls and then produce a SOx report with its conclusions and findings, which will eventually be disseminated to the public; however, SOx sets no limit on how many times per year the enterprise may test its internal controls, so large enterprises often have their own full-time team of internal auditors who test the internal controls several times per year. Generally, enterprises test their internal controls a minimum of three (3) times per year – an initial internal control test at the beginning of the year, performed by the enterprise internal audit team; a mid-year internal control test, also performed by the enterprise internal audit team; and the end-of-year internal control test, which is the required annual SOx audit by the independent external auditors. If the enterprise chooses to do quarterly internal control audits, the first three (3) quarterly audits are performed by the enterprise internal audit team and the final quarterly audit by the independent external auditor. It is important to note that the external independent auditor and the enterprise internal audit team are not allowed to work simultaneously; the external independent auditor must always work without interference, which is why enterprise internal control testing always occurs on a different schedule from the testing by the independent external auditor.

  • SOx requires that the enterprise reveal to the independent external auditor all security breaches (if any) that may have occurred in the past year, and how the enterprise remediated such breaches; the independent external auditor is allowed to interview internal enterprise personnel to gather any opinions or suggestions such personnel may care to share; the independent external auditor must also collect from the enterprise the Statement on Standards for Attestation Engagements (SSAE) 16 or 18 reports – forms based upon sets of auditing standards, and guidance on using those standards, published by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) – which contain information relating to the testing of internal controls in any service organization engaged by the enterprise, to verify that the internal controls of such service organizations were tested as well.

  • SOx philosophy is that management has the ultimate responsibility for designing the internal controls, but the users of the internal controls make such controls work, since (like an airplane, car, computer or any other such complex human-made object) no matter how well-designed the object may be, it is reliant for its efficacy on the skill of the person using it.

  • SOx best practices for implementing internal controls may include (in no particular order of precedence):

    • author a comprehensive playbook cataloguing each and every internal control (both key and non-key internal controls), including – a description of what each control is intended to accomplish; all the dependencies of each (meaning any other internal controls above or below in the sequence chain upon which this internal control may be dependent, or which may be dependent upon this internal control); the sequence of steps for each; the location of each; the designer of each; the implementation date of each; the maintenance history of each; the key performance indicators (KPIs) for each; whether each control is implemented automatically or manually; and the like;

    • automate the monitoring of internal controls whenever possible, through the implementation of specialized software platforms, and monitor them all continuously, always checking for any degradation of performance;

    • determine materiality (meaning which processes are most critical to the functioning of the enterprise, and which internal controls are associated with such most-critical processes); concentrate on: the enterprise profit and loss (P&L) sheet; prioritization of the various enterprise business units; prioritization of repetitive key transactions; risk analysis of all known or potential internal and external risks to the enterprise;

    • identify all enterprise processes that might require segregation of duties (SOD) to some extent, perhaps due to overlaps of approvals, functions, sign-offs or the like between personnel of different departments, divisions, locations, titles or the like, and assign only one duty to one person, to avoid conflicts;

    • limit the number of key (critical) internal controls as much as possible, prioritizing their status for purposes of maintenance, monitoring, remediation and the like, so as not to increase the number of personnel who must care for such key controls, or to overburden any implemented software platform with excessive resource demands; all non-key controls are then assigned to a class of lesser risk to the enterprise in the event of failure, to conserve human and IT resources;

    • SOx – particularly Sections 302, 404, 906 and 1001 – assigns certain personal duties to certain executives in certain situations, as well as assigning general responsibilities to such executives (such as – authoring and maintaining relevant enterprise policies and procedures; communicating such policies and procedures to the board of directors, enterprise personnel and all interested external third parties; monitoring the compliance of all relevant personnel with such policies and procedures; organizing; strategic planning);

    • control activities are the internal controls that help ensure that the directives of such executives are implemented and enforced as the executives intended, based on their written directions, such as (in no particular order of precedence):

      • access (one of the most cost-effective and simple solutions to dramatically increase data privacy and data security is to limit access to critical records and systems to the fewest employees possible, and to the fewest senior managers and executives possible; this can be accomplished physically by installing locks on doors and sophisticated biometric devices, and virtually by adjusting the access permissions in the software);

      • authorizations (a series of corporate policies defining the minimum level of manager or executive authorized to make particular decisions);

      • reconciliations (one of the oldest and most useful generally-accepted accounting practices – checking information generated internally by the enterprise against an independently-verifiable source);

      • record keeping (document everything accurately and in real time, and then retain such documentation for the period of time specified in the applicable document retention laws);

      • review (critical information should be reviewed by at least one other person, independent of the person who entered the information into an information ecosystem, before it is represented to be the accepted and final version of the information; both the original person who entered the information and the reviewer who checked it should have forms to sign attesting to the dates they performed their respective tasks and what they did);

      • safeguarding of assets and resources (this relates to ensuring increased physical security barriers to guard the facilities and physical assets of the enterprise, and increased virtual security for intangible enterprise assets, such as data and intellectual property);

      • segregation of duties (preventing both a single employee from having to perform multiple tasks in multiple business disciplines simultaneously, and multiple employees from having to perform overlapping tasks in the same business discipline simultaneously);

      • sign-offs (requiring actual forms to be completed and signed by the manager or executive who authorized the control action which the sign-off form was intended to document);

    • integration – internal controls must be carefully designed and located, to avoid situations in which one internal control might negate another;

    • provide SOx framework administrators with real-time access to the SOx framework, so that the framework system itself, or such administrators manually, can react quickly to any external threats (such as cracking attempts) or to any SOx system failure;

    • use a top-down risk assessment approach to risk strategy (meaning working backwards from the anticipated results of a hypothetical catastrophe to determine and enumerate all the control activities in an internal control sequence that could have been employed to avoid or mitigate such catastrophe), and then develop new protocols to remediate any defective controls or to design and implement any missing controls.
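Segregation of duties, listed above both as a preventive control (custody, authorization, recording and reconciliation each handled by separate individuals) and as a best practice (assign only one duty to one person), can be enforced in an identity system by checking role assignments against a conflict rule. The following is an added example, not code from this page or from any named product: the role catalogue, user list and process names are constructed; the four conflicting duties come from the preventive-controls bullet. sod_violations is the detective check over existing assignments, and would_violate is the preventive check run before a new role is granted.

```python
"""Segregation-of-duties conflict detection over role assignments (added example)."""
from itertools import combinations

# The four duties the page says should never sit with one person for the same process.
CONFLICTING_DUTIES = {"custody", "authorization", "recording", "reconciliation"}

# Constructed role catalogue: role -> set of (process, duty) entitlements.
ROLES = {
    "ap_clerk":      {("payables", "recording")},
    "ap_manager":    {("payables", "authorization")},
    "treasury":      {("payables", "custody"), ("payroll", "custody")},
    "gl_accountant": {("payables", "reconciliation"), ("payroll", "reconciliation")},
    "payroll_clerk": {("payroll", "recording")},
}

# Constructed user-to-role assignments.
USERS = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_manager", "treasury"},        # authorizes payments and holds the checks
    "carol": {"gl_accountant", "payroll_clerk"}, # records payroll and reconciles it
    "dave":  {"ap_manager"},
}


def effective_entitlements(user, users=USERS, roles=ROLES):
    """Union of (process, duty) pairs granted through all of a user's roles."""
    ents = set()
    for role in users.get(user, ()):
        ents |= roles.get(role, set())
    return ents


def sod_violations(users=USERS, roles=ROLES, conflicting=CONFLICTING_DUTIES):
    """Detective check: every pair of conflicting duties one user holds in the same process.

    Returns a sorted list of (user, process, duty_a, duty_b) with duty_a < duty_b.
    """
    found = []
    for user in users:
        by_process = {}
        for process, duty in effective_entitlements(user, users, roles):
            if duty in conflicting:
                by_process.setdefault(process, set()).add(duty)
        for process, duties in by_process.items():
            for a, b in combinations(sorted(duties), 2):
                found.append((user, process, a, b))
    return sorted(found)


def would_violate(user, new_role, users=USERS, roles=ROLES):
    """Preventive check: violations a proposed role grant would add for this user."""
    current = users.get(user, set())
    before = set(sod_violations({user: current}, roles))
    after = set(sod_violations({user: current | {new_role}}, roles))
    return sorted(after - before)


if __name__ == "__main__":
    for v in sod_violations():
        print("existing conflict:", v)
    print("grant ap_manager to alice ->", would_violate("alice", "ap_manager"))
    print("grant payroll_clerk to dave ->", would_violate("dave", "payroll_clerk"))
```

Running the detective check on a schedule and the preventive check inside the access-request workflow are two different controls; the first finds conflicts that accumulated through role creep, the second stops new ones from being created.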

  • The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has developed a framework (meaning a structured guide that organizes and categorizes data) for evaluating internal control deficiencies, which focuses on five (5) key areas of internal control assessment, as follows (in no particular order of precedence):

    • communication of information – the control system must allow for the access to (on a need-to-know basis), capture, identification (such as an ability to identify data patterns and origins) and exchange of information within both the external and internal environments;

    • control activities – help ensure that risk responses to threats are implemented effectively; examples of control activities include: approvals, authorizations, corporate policies, reconciliations, verifications, segregation of duties, security checks;

    • control environment – this intangible factor influences the effectiveness of any internal controls within it, and is the foundation for all other elements of ethical behavior, internal control and technical achievement; examples of control environment considerations may include (in no particular order of precedence) – competence of personnel; corporate policies; corporate culture; delegations of authority; enterprise organizational structure; ethics; integrity; management philosophy;

    • monitoring – continuously evaluating the effectiveness of internal controls, to ensure that they continue to operate effectively; monitoring is most effective when it identifies design deficiencies in internal controls prior to the material failure of any such defectively-designed control; it should always be under management supervision, to avoid indecision by lower-level personnel that would increase the enterprise response time to counter threats;

    • risk assessment – identifying all external and internal risks through the analysis of potential events, the likelihood of their occurrence, their impact on the enterprise if they were to occur, and the ability of internal controls to ameliorate or completely eliminate any such impact; there should be an equal emphasis on change management (both external – in terms of regulatory changes – and internal – in terms of changes required for operating efficiency or because of external factors, such as a supply chain disruption or war), enterprise objectives, risk identification and risk prioritization.

  • Drafting and negotiating all SOx-related documents and legal support for all SOx-related tasks.

   Progress page last updated 221105_0040
