First a strict rule: this blog will cover finance matters in a general sense. None of it is to be considered financial advice given to anyone's specific situation. Everything you use from this blog is at your own risk, as it may or may not be sufficient for your particular needs or situation.
********************
I got into consulting in January 2004 when the Sarbanes-Oxley Act (SOX) was being implemented by many publicly held corporations. Since SOX was new, there was no accumulated experience to draw from -- we had to create it on the fly. Four years later, we know a lot more. I have worked on 14 or 15 projects in every capacity from team leader to tester. Accordingly, I have accumulated a lot of templates, forms and practical know-how on how to do a SOX project.
I am going to give you a brief introduction to SOX.
The Purposes of SOX
The Sarbanes-Oxley Act was created for two major reasons: (1) to help prevent gross misstatements in financial statements filed with the Securities Exchange Administration (SEC), whether through error or deliberate acts, and (2) to help prevent fraud, both asset fraud and financial statement fraud.
Misstated financial statements are those with significant errors. If filed with the SEC, they will be relied on by investors in making decisions to buy or sell the company's stock on a stock exchange. The SEC is very unhappy when investors lose money by relying on false information. Sometimes financial managers who misstate financial statements go to jail.
Financial statement fraud is when management issues false financial statements in order to get or keep a line of credit, or to support the market price of the company's stock, among other reasons.
Internal Control: the Way to SOX Compliance
The way companies prevent financial statements from material misstatement is through internal control. Internal control is the system of checks and balances companies use to verify information, prevent fraud, prevent accounting errors and comply with rules and regulations. Internal control can also include procedures to maximize efficiency, enhance profitability and prevent waste. These kinds of controls are called operational controls, and though of great importance to a company, they are not the focus of SOX compliance efforts.
Internal controls are such activities as reconciliations, authorizations, and verifications. We'll get into more details in later posts.
The major thrust of SOX 404 compliance is to understand, document and test a company's internal controls. Before we can do that, we must know which internal controls exist, which are missing, and which of the existing ones are effective or ineffective. So the first aspect of a SOX compliance project is gathering information.
Taking Inventory of Major Business Processes
Every company has major business processes such as sales, payroll and purchasing. If you are starting out on your SOX project, the first thing to do is inventory the processes. Here are some that you may have (not comprehensive):
1. The Sales Cycle: Order entry, order acceptance, order approval, shipment of goods, billing and collections.
2. The Purchasing Cycle: Requisitioning, issuance of Purchase Orders, receipt of goods, accounts payable, cash disbursements.
I'll try to post a more comprehensive list in a later post. The above is just an example.
Benchmarking - The Concept of "Best Practices"
To figure out if your internal controls and procedures are adequate, you should first compare them to "best practices," i.e. the usual practices in place in well-run companies. In payroll, for example, a best practice is to use direct deposit into employee accounts to avoid the use of checks which may be lost, stolen or converted.
Go through all of your business processes and determine which controls should be in place; which actually are in place; and which are missing. It's a complex process that is beyond the scope of this brief overview. We'll get into details in later posts.
Testing Internal Controls
Once you have identified those "key" controls that should be in place and have determined that they actually are in place, you need to test them. Testing the controls allows you to determine that they are working as they were designed to do. For example, if every check over $25,000 requires dual signatures, you would sample the population of checks over $25,000 and verify that they bear a second signature. You would determine an error rate, if any, and use the information to evaluate whether or not the control is effective. If it isn't, you "remediate" the control, i.e. change the procedures to ensure that it will work in the future.
Documenting SOX 404 Compliance
Documenting SOX compliance is very important. Your auditors can't determine the effectiveness of the program without something to look at (duh). So how do you create this documentation? What does it look like? What does it do?
Okay, this is just a quick overview, but here are some of the things you should document and how you should do it.
1. Materiality - Determine a dollar volume that will represent a "material" error. This is often assumed to be 5% of net income before taxes, though there are more sophisticated ways to determine materiality. Once you determine the volume of error that will be considered a material deficiency, divide it by 5 and you have the amount that will represent a "significant deficiency."
2. Test Plan - This is a write-up of how you are going to test controls, e.g. with statistical sampling, judgmental sampling, using a minimum sample number based on frequency of the control's occurrence, etc.
3. Business Process Narratives - Each major business process (Sales, Purchasing, Payroll, Inventory, etc) should be documented in sufficient detail to follow transactions through it from beginning to end. The usual method is to interview the business process owners and write up their procedures in a narrative. The internal control points are indicated in the narrative (as well as any deficiencies).
4. Business Process Flowcharts - Business processes can also be documented in Visio flowcharts as an added aid to understanding. These are usually a supplement to the narratives, though some have (unwisely, in my opinion) attempted to use them in place of a narrative.
5. Risk Control Matrix - This is generally an Excel spreadsheet that is organized by business cycle and subcycle; it ties back to the narratives and lists each internal control; describes the objective of the control; the risk if the control fails; the type of control; and the financial statement assertion it affects. The risk control matrix is the workhorse of SOX documentation.
6. Testing and Results - All tests have to be documented, and this can be done in various ways. I generally use Excel spreadsheets that describe the control, how the test sample was selected, and the attributes being tested.
Okayyy - that's my first technical post. Where do we go from here?
Monday, June 2, 2008
A Financial Consultant in Silicon Valley
Greetings! I'm a CPA who lives and works in Silicon Valley. I have for years maintained my own website. However, keeping up a traditional website is difficult and time consuming. Blogs, on the other hand are extremely easy to update, AND they have the added benefit of being widely available to search engines.
Getting yourself noticed on the web isn't easy with a traditional website, but blog entries are regularly webcrawled by search engines and available to web browsers very quickly.
So here I am! If you aren't a financial professional yourself, this blog will cure your insomnia and bore you to tears. However, if you are interested in Sarbanes Oxley compliance, accounting management, ERPs, external and internal auditing, GAAP research and compliance and special projects for pre-IPOs and publicly held corporations, then this site should be of interest.
Okay, let's begin.