Sarbanes Oxley


Ernst & Young is advising US companies and their overseas operations in implementing the Sarbanes Oxley Act.

Read more on Ernst & Young insights on Sarbanes Oxley 404 implementation:

  • Evaluating internal controls - Evaluating overall effectiveness, identifying matters for improvement, and ongoing assessment of controls
  • While companies have long recognized the importance of strong internal control, the Sarbanes-Oxley Act of 2002 (the Act) now makes executive management responsible not just for establishing, evaluating, and assessing over time the effectiveness of internal control over financial reporting and disclosure, but also for periodically asserting its effectiveness. The Act changes the regulatory landscape for public companies and presents serious consequences for those companies that fail to comply with the new requirement. However, this new challenge presents opportunities for companies that not only recognize and accept the new regulatory landscape, but also view the evaluation of internal control over financial reporting as more than a compliance process and recognize it as an opportunity to reach a higher level of financial reporting integrity and corporate performance.


  • Evaluating internal controls - Considerations for evaluating internal control at the entity level
  • The Sarbanes-Oxley Act of 2002 (the Act) makes reporting on internal controls mandatory for SEC registrants and their independent auditors. Section 404 of the Act directs the SEC to adopt rules requiring annual reports of public companies to include an assessment, as of the end of the fiscal year, of the effectiveness of internal controls and procedures for financial reporting. Section 404 also requires the company's independent auditors to attest to and report on management's assessment. The SEC issued its proposed rules in October 2002 and, if adopted as proposed, they will be effective for companies with fiscal years ending on or after September 15, 2003.

    Therefore, companies should be getting ready now for the comprehensive documentation and evaluation of internal control that will be needed to support management's assessment and the auditors' attestation report. Our publication, Preparing for Internal Control Reporting – A Guide for Management's Assessment under Section 404 of the Sarbanes-Oxley Act (the Guide) (Ernst & Young SCORE Retrieval File No. EE0677), provides a methodology and framework for completing the evaluation.

    The methodology outlined in the Guide includes five phases:

    • Understand the Definition of Internal Control
    • Organize a Project Team to Conduct the Evaluation
    • Evaluate Internal Control at the Entity Level
    • Understand and Evaluate Internal Control at the Process, Transaction, or Application Level
    • Evaluate Overall Effectiveness, Identify Matters for Improvement, and Establish Monitoring System

    Additional guidance on the first two phases of the methodology is provided in the Guide. We will be providing more information about the detailed documentation and evaluation – the last two phases – in future publications. This document is a tool to assist management in performing the third phase: evaluating internal control at the entity level.

    A logical place to begin any comprehensive evaluation of internal controls is at the top – entity-level controls that might have a pervasive effect on the organization. This includes a consideration of factors in each of the five components of internal control that can have a pervasive effect on the risk of errors or fraud. These five interrelated components are:

    • Control Environment
    • Risk Assessment
    • Information and Communication
    • Control Activities
    • Monitoring


  • Evaluating internal controls - Considerations for documenting controls at the process, transaction, or application level


  • The Sarbanes-Oxley Act of 2002 (the Act) makes reporting on internal controls mandatory for SEC registrants and their independent auditors. Section 404 of the Act directs the SEC to adopt rules requiring annual reports of public companies to include an assessment, as of the end of the fiscal year, of the effectiveness of internal controls and procedures for financial reporting. Section 404 also requires the company's independent auditors to attest to and report on management's assessment. The SEC issued its proposed rules in October 2002 and, if adopted as proposed, they will be effective for companies with fiscal years ending on or after September 15, 2003.

    Companies should be getting ready now for the comprehensive documentation and evaluation of internal control that will be needed to support management's assessment and the auditors' attestation report. Our publication, Preparing for Internal Control Reporting – A Guide for Management's Assessment under Section 404 of the Sarbanes-Oxley Act (the Guide) (Ernst & Young SCORE Retrieval File No. EE0677), provides a methodology and framework for completing the evaluation.

    The methodology outlined in the Guide includes five phases:

    • Understand the Definition of Internal Control
    • Organize a Project Team to Conduct the Evaluation
    • Evaluate Internal Control at the Entity Level
    • Understand and Evaluate Internal Control at the Process, Transaction, or Application Level
    • Evaluate Overall Effectiveness, Identify Matters for Improvement, and Establish Monitoring System

    Guidance on the first two phases of the methodology is provided in the Guide. Detailed guidance on the third phase is provided in the Ernst & Young publication, Evaluating Internal Controls – Considerations for Evaluating Internal Control at the Entity Level (Ernst & Young SCORE Retrieval File No. EE0687). We will be providing more information about the overall evaluation – the last phase – in a future publication. This document is a tool to assist management in performing the fourth phase: understanding and evaluating internal control at the process, transaction, or application level.

    Internal control at the entity level can have a pervasive influence on internal control at the process, transaction, or application level. However, unlike the evaluation of entity-level controls, documenting and evaluating controls at this detailed level will be far more specific and likely will require significantly more time to complete.

    Evaluating process, transaction, or application-level controls provides a good deal of the evidence management will need to support its overall assessment of the effectiveness of internal control over financial reporting. Management will need to consider controls, including information technology (IT) controls, which serve to prevent or detect errors of importance relating to each significant account.

    Management also will need to consider controls that address each of the five components of internal control:

    • Control Environment
    • Risk Assessment
    • Information and Communication
    • Control Activities
    • Monitoring

    Controls relating to several of these components – control environment, risk assessment, and monitoring – often are at a higher level and must be evaluated carefully to determine whether the controls are sensitive enough to prevent or detect errors of importance or fraud relating to each significant account. Many of the more detailed controls that management will identify to support its assessment will be from the information and communication and/or control activities components and primarily relate to specific processes and applications.

    Companies with multiple locations, business segments, or reporting units likely will need to sponsor multiple, concurrent documentation efforts to adequately address all significant aspects of the system(s) of internal control in a timely manner. The broader documentation and evaluation efforts required in these situations make it incumbent on management to invest appropriate time in building a project team, developing an approach for identifying and documenting controls, determining the types and amount of required documentation, training all team members, developing appropriate timelines for completing all phases of the work, and developing appropriate two-way communication plans so all project team members are adequately informed about project requirements and issue management and resolution procedures.

    Like our previous publications, this document is designed to assist management in transforming COSO's conceptual framework into a detailed evaluation of internal control over financial reporting. Ernst & Young developed this document based on our extensive knowledge and expertise in evaluating internal controls. While no methodology can consider all possible issues related to an assessment of a company's internal control, we believe this document provides a useful methodology and framework to assist management in its evaluation.


  • Preparing for internal control reporting - A guide for Management's Assessment under section 404 of the Sarbanes-Oxley Act
  • The Sarbanes-Oxley Act of 2002 (the Act) requires reporting on internal control for SEC registrants and their independent auditors. Specifically, Section 404 of the Act:

    • directs the SEC to adopt rules requiring annual reports to contain an assessment of the effectiveness of internal control over financial reporting; and
    • requires the new Public Company Accounting Oversight Board to adopt standards for independent auditors to attest to management's report on internal control.

    The most commonly used and understood framework for evaluating internal controls over financial reporting is that contained in the report of The Committee of Sponsoring Organizations of the Treadway Commission (COSO). The COSO report, Internal Control-Integrated Framework, established a broad definition of internal control extending to all objectives of an organization. The COSO report established three categories of controls:

    • effectiveness and efficiency of operations;
    • reliability of financial reporting; and
    • compliance with laws and regulations.

    It also identified five interrelated components that must be present and functioning to have an effective internal control system, and it described the criteria for effective internal control. Although the rules for reporting under Section 404 of the Act have not yet been finalized, the recent SEC rule proposal indicates that management's assessment of internal controls and procedures for financial reporting would be based on current auditing standards relating to internal control, which are consistent with the definition contained in the COSO report.

    If adopted, the SEC's rules under Section 404 would apply to companies whose fiscal years end on or after September 15, 2003. However, management should not wait for the final rules to begin the process of developing appropriate documentation and establishing procedures for evaluating internal controls. This guide, Preparing for Internal Control Reporting, is designed to assist management, by providing a methodology for applying the COSO conceptual framework, when conducting their evaluation of internal controls over financial reporting.


  • Emerging trends in internal control - fourth survey

    “Emerging Trends in Internal Controls, Fourth Survey and Industry Insights,” the latest in Ernst & Young’s accelerated filer series, contains results from May 2005 and an August 2005 follow-up designed to detect shifts in responses attributable to the 16 May 2005 regulatory guidance. The survey provides a detailed look at responses from 255 companies and spans the first, second, and subsequent years of experience with Section 404. A key finding: even with additional time, learning, and guidance, non-accelerated filers and FPIs will find that Section 404 compliance requires substantial time and resources.



  • Section 404 Post-Implementation -- What You Should Be Thinking About Now addresses Section 404 post-implementation issues, including the level of effort required for implementation, how to embed control consciousness in business units, and how to avoid being locked into "implementation only" strategies. A framework for the future containing elements we are developing and piloting with a select group of companies also is included. (See the A&A Developments Database.)
  • Companies are in the midst of implementing Section 404 of the Sarbanes-Oxley Act of 2002 (Section 404), one of the most involved and costly processes they may have faced. Many companies are starting to think past implementing Section 404 to post-implementation – "404+1" and beyond. We work with companies to help them address post-implementation issues: level of effort, how to embed control consciousness in business units, and how to avoid being locked into "implementation-only" strategies that may prove to be cost-ineffective in the long run.

    While we recognize the significant time and effort your company is putting toward Section 404 implementation, we feel strongly that post-implementation is something you should be thinking about now. The requirements of Section 404 are no less onerous in year two and beyond, although the sheer amount of documentation may be less.

    Based upon surveys we have conducted, as well as observations from Section 404 Roundtables and seminars, we have noted some preliminary observations on 404+1:

    • Ongoing compliance efforts will be significant – as much as 50% to 75% of first-year implementation.
    • Over 70% of companies are planning some form of control self-assessment as part of their future compliance strategy, yet many such programs have failed to deliver in the past.
    • The role of internal audit in the ongoing process is still evolving, and views seem to be polarizing.
    • Technology enablers and other techniques can reduce the cost of compliance and bring additional value.


Ernst & Young refers to one or more of the member firms of Ernst & Young Global Limited (EYG), a UK private company limited by guarantee. EYG is the principal governance entity of the global Ernst & Young organization and does not provide any service to clients. Services are provided by EYG member firms. Each of EYG and its member firms is a separate legal entity and has no liability for another such entity's acts or omissions. Certain content on this site may have been prepared by one or more EYG member firms.