Ed Kerry : Copywriter
Miscellaneous: Sarbanes-Oxley White Paper, Representative Pages
Client: PricewaterhouseCoopers

The Sarbanes-Oxley Act of 2002: Strategies for Meeting New Internal Control Reporting Challenges

Preface
Why Sarbanes-Oxley Was Enacted
The Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley) was enacted on July 30, 2002, largely in response to a number of major corporate and accounting scandals involving some of the most prominent companies in the United States. These scandals have resulted in a great loss of public trust in corporate accounting and reporting practices and are viewed by some to have played a major role in significant devaluations of investors' holdings.

CEOs and CFOs of public companies must firmly grasp the degree and significance of distrust that now exists. For example, according to some surveys:

  • 77% of the public believe that CEO greed and corruption have caused the U.S. financial meltdown — CNN/USA Today Poll, July 2002
  • 71% of investors say accounting fraud is rampant — Survey of Main Street Investors, July 2002
  • 82% of investors believe that tough new laws are needed — Harris Poll, July 2002
  • 54% of portfolio managers say it is not just a few bad apples among companies — F.D. Morgan Walke Poll, August 2002
  • 81% of fund managers and analysts think executives place their own interests ahead of shareholders — Broadgate Consultants, March 2002
  • 71% of fund managers say executive pay is too high; 0% say it is too low or just right — Pearl Meyer, June 2002
  • 70% of the corporate frauds studied between 1987 and 1999 involved the CEO — The Wall Street Journal, "Auditors' Methods Make It Hard to Catch Fraud by Executives," July 8, 2002
With public sentiments such as these as a backdrop, Sarbanes-Oxley was enacted in a major effort to prevent accounting scandals and other reporting problems from recurring, and to rebuild public trust in corporate business practices and reporting.

The Legislation of Accountability
Sarbanes-Oxley establishes new or enhanced standards for corporate accountability and penalties for corporate wrongdoing. The legislation contains 11 titles, ranging from additional responsibilities for audit committees to tougher criminal penalties for white-collar crimes such as securities fraud. Many of the legislation's provisions direct the SEC to issue implementing guidance.

A brief summary of each of Sarbanes-Oxley's titles is provided in Appendix A.

Without question, these new requirements are burdensome on some companies' executives and internal resources as well as others involved in corporate reporting. To restore the credibility of corporate accounting and reporting, Sarbanes-Oxley defines a higher level of responsibility, accountability, and financial reporting transparency, and provides for certain changes to personal executive conduct — changes that ultimately are intended to return to investors the confidence they need to once again become active in the nation's financial markets.

PricewaterhouseCoopers recently published Building Public Trust — The Future of Corporate Reporting, in which our CEO, Sam DiPiazza, describes the "corporate reporting supply chain," how it works, and how it can be improved to regain public trust in corporate reporting. The key players in this supply chain are (1) company executives who prepare or approve the information distributed to investors and other stakeholders, (2) boards of directors who represent these stakeholders' interests and are responsible for governance and oversight of management activities on their behalf, (3) independent auditors who provide assurance on financial statements distributed in the capital markets, (4) information distributors that consolidate reported information and provide it to others for use, (5) third-party analysts who use company-provided information and their own analysis to make investor recommendations, and (6) investors and other stakeholders who are the ultimate consumers of corporate reporting information. A primary objective of Building Public Trust was to identify and encourage certain behaviors by all the key players in the corporate reporting supply chain that are intended to result in more reliable, timely, and useful information to assist stakeholders in their decision-making process.

Sarbanes-Oxley requires that company executives, boards of directors, and independent auditors take specific actions to achieve a similar goal for corporate reporting. A central theme of Sarbanes-Oxley is how these key players in the supply chain must work together, with critical cross-checks, to achieve that goal. To carry out this theme, Sarbanes-Oxley reinforces and expands on the responsibilities of these players in the corporate reporting supply chain:

  1. Company Executives
    • Sarbanes-Oxley reaffirms that the CEO and CFO carry the primary responsibility for a company's reports to various stakeholders, and institutes a requirement for them to report on the completeness and accuracy of the information contained in reports as well as the effectiveness of underlying controls.
    • Sarbanes-Oxley establishes a reporting requirement that is broader than GAAP, indicating that the CEO and CFO must report financial statements and other financial information that is transparent in the way it fairly presents the company's financial condition, results of operations, and cash flows.
  2. Board of Directors
    • As the representative of a company's shareholders, the board of directors, through its audit committee, is responsible for overseeing the company's accounting and financial reporting processes and audits of its financial statements. Sarbanes-Oxley also imposes a new requirement to disclose whether or not at least one member of the audit committee is a "financial expert" and, if not, the reasons why. Finally, the audit committee is required to pre-approve any services provided by its external audit firm.
  3. External Auditor
    • An independent public accounting firm must report on the fairness of the presentation of a company's financial statements in accordance with accounting standards. Sarbanes-Oxley reaffirms the necessity for the auditor to be independent of management, in fact and appearance, and expands the auditor's reporting responsibility to the newly required management assertions on internal controls and procedures for financial reporting.

How This White Paper Can Help
This white paper focuses primarily on the reporting obligations of company executives as to the completeness and accuracy of information contained in company reports and the effectiveness of underlying internal controls. These new reporting obligations are covered by Titles III and IV of Sarbanes-Oxley and related SEC rules.

The purpose of this paper is twofold:

  1. To help company executives, boards of directors, and audit committees of public companies better understand the implications of these reporting obligations; and
  2. To suggest strategies and actions developed by PricewaterhouseCoopers to help company management develop tailored plans and processes to manage their reporting obligations.
This paper is also intended to help other interested parties better understand the implications of the reporting obligations imposed by Sarbanes-Oxley.

While this paper focuses on the first player in the corporate reporting supply chain — company executives — our intention is to continue to pursue actions that will strengthen the entire chain and provide additional guidance in the future.

Beyond the guidance included herein, the following key elements, as discussed in Building Public Trust, are paramount for all players in the corporate reporting supply chain:

  • Spirit of Transparency — Companies have an obligation to provide willingly to shareholders and other stakeholders the information needed to make decisions. This information should be transparent in the way it presents a company's financial condition, results of operations, cash flows, and other aspects of its business.
  • Culture of Accountability — Transparent information must be accompanied by a firm commitment to accountability among all players in the corporate reporting supply chain and those who define how it should work. Each player must take responsibility, in collaboration with all others, for carrying out its role in this chain.
  • People of Integrity — Transparency and accountability depend on people of integrity trying to "do the right thing," not just what is expedient or even permissible. Without personal integrity as the foundation for reported information, there can be no public trust.

Sarbanes-Oxley Reporting Challenges
Sarbanes-Oxley has established a new requirement that CEOs and CFOs explicitly evaluate and report to the public on the effectiveness of specified internal controls over corporate reporting. This reporting requirement is contained primarily in Title III of the legislation, "Corporate Responsibility," and in Title IV, "Enhanced Financial Disclosures." This paper examines these provisions and their implications.

Appendix B provides a recap of the effective dates of the principal provisions directly affecting public companies in Titles III and IV of Sarbanes-Oxley and related SEC rules.

CEO/CFO Certification: The First Challenge
As directed by Title III, §302 of Sarbanes-Oxley, the SEC has issued a certification rule, "Final Rule: Certification of Disclosure in Companies' Quarterly and Annual Reports," effective August 29, 2002. This rule requires that, as part of each quarterly and annual report filed by a public company under the Exchange Act of 1934, the CEO and CFO must provide certifications containing several representations as summarized below:

  1. They have reviewed the report.
  2. Based on their knowledge, the report contains no untrue statement of a material fact and does not omit any material fact that would cause any statements to be misleading.
  3. Based on their knowledge, the financial statements and other financial information in the report fairly present, in all material respects, the company's financial position, results of operations, and cash flows.
  4. They are responsible for and have designed, established, and maintained disclosure controls and procedures, and the report presents conclusions about the effectiveness of disclosure controls and procedures based on their evaluation within 90 days prior to the report's filing date (see "Disclosure Controls and Procedures" below).
  5. They have disclosed to the audit committee and external auditor (a) any significant deficiencies and material weaknesses in internal controls for financial reporting and (b) any fraud (material or not) involving anyone having a significant role in those internal controls.
  6. They have disclosed in the report whether, after their most recent evaluation, significant changes occurred that affected internal controls for financial reporting, and whether any actions were taken with regard to significant deficiencies and material weaknesses.

Internal Control Report and External Auditor Attestation: The Second Challenge
As directed by Sarbanes-Oxley Title IV, §404, the SEC has proposed a rule that, if adopted, would require each annual report issued by a company under the Exchange Act to contain an internal control report stating:
  • Management's responsibility for establishing and maintaining adequate internal controls and procedures for financial reporting
  • Management's conclusions about the effectiveness of internal controls and procedures for financial reporting as of year-end, based on management's evaluation
  • That the external auditor has attested to, and reported on, management's evaluation
This proposed rule does not specify the exact content of management's internal control report, indicating only that "management should tailor the report to the company's circumstances." What is obvious, however, is that the company's internal controls and procedures for financial reporting and management's evaluation of them must be documented in a manner to permit review by others.

The proposed SEC rule also requires a company's external auditor to attest to management's assertions about internal controls and procedures for financial reporting. It does not establish standards for the contents of an attestation report, but requires that the attestation be performed in accordance with standards issued or adopted by the Public Company Accounting Oversight Board, once the new board becomes operational. Until those standards are adopted, existing and widely accepted standards for performing attestations can be found in AICPA attestation standards.

The SEC has proposed making its implementation rules for §404 effective beginning with annual reports for fiscal years ending on or after September 15, 2003.

The obligation to issue this internal control report, which must be attested to by the external auditor, raises a number of implementation issues, several of which are addressed in section III of this paper under the sub-heading "Internal Controls and Procedures for Financial Reporting."

Strategies and Actions for Achieving Reporting Compliance
CEOs and CFOs carry a heavy burden of responsibility for their companies' internal controls. Provisions in Sarbanes-Oxley and recent SEC rulemaking make it clear that they are responsible for 1) establishing and maintaining disclosure controls and procedures, 2) designing disclosure controls and procedures to ensure that specified information is made known to them, and 3) undertaking regular evaluations of disclosure controls and procedures in connection with quarterly certifications and other reporting obligations.

Sarbanes-Oxley also imposes a new requirement upon company management to assert to and report on the effectiveness of a company's internal controls and procedures for financial reporting on an annual basis. In addition, a recent SEC proposal would amend the existing quarterly CEO/CFO certification requirements to explicitly require a quarterly evaluation. Congress put noticeable teeth in these responsibilities by instituting tough civil and criminal penalties for knowingly certifying to the SEC a report that contains material misstatements or omissions.

Stated simply, companies have no choice as to whether to put effective controls in place and report on them as required by the SEC. The only real decision to be made is how to achieve compliance and a culture of accountability that supports it.

The remainder of this paper suggests strategies and actions developed by PricewaterhouseCoopers to help CEOs, CFOs, and others involved in internal control develop plans and processes to manage their reporting obligations in a manner that will enhance public trust.

Starting with a Framework for Internal Control
Companies that are just beginning to formalize their risk management process and controls will find that a framework for internal control provides a helpful starting point and a solid foundation for building an effective internal control system.

This section briefly describes the dynamics and components of a framework for internal control and how it can be used to establish and evaluate controls across an organisation. Next, several implementation issues are addressed that involve internal controls and procedures for financial reporting and disclosure controls and procedures, respectively. Finally, thoughts are provided about the risks of an informal control process, especially with respect to controls for which Sarbanes-Oxley requires evaluation and public reporting on their effectiveness.

COSO Internal Control Framework
"Internal control" means different things to different people, a problem that is compounded when the term is written into laws, rules, and regulations.

In the U.S., the most broadly accepted framework for internal control is provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). In the spirit of transparency, we acknowledge that PricewaterhouseCoopers authored the COSO framework for the Committee of Sponsoring Organizations in 1992. Since that time, this framework has also been incorporated into U.S. auditing standards. One of the benefits of COSO is that it establishes a common definition serving the needs of different people while providing a standard and criteria against which companies and organisations can assess or design their control systems.

Many companies already have an internal control system based on the COSO framework. We recommend adopting the COSO framework as the standard for establishing an internal control system that is tailored to a company's business environment. It can be especially helpful in the design, maintenance, and evaluation of internal controls and procedures for financial reporting and disclosure controls and procedures.

The COSO framework and U.S. auditing standards define "internal control" as a process — effected by an organisation's board of directors, management, and other personnel — that provides reasonable assurance regarding achievement of objectives in the following categories.

  • Effective and efficient operations. Addresses a company's basic business objectives, including performance and profitability goals and the safeguarding of resources.
  • Reliable financial reporting. Covers the preparation of reliable financial statements and other financial information.
  • Compliance with applicable laws and regulations. Covers laws and regulations to which a company is subject, such as Sarbanes-Oxley and related rules, to avoid damage to a company's reputation or other negative consequences.
COSO identifies five components of internal control that need to be in place and integrated to achieve these objectives:
  • Control environment. Establishes the foundation for an internal control system by providing discipline and structure.
  • Risk assessment. Involves the identification and analysis by management of relevant risks to achieving predetermined objectives, forming a basis for determining how those risks should be managed.
  • Control activities. Refers to the policies and procedures to ensure that management objectives are achieved and risk mitigation strategies are carried out.
  • Information and communication. Supports all other control components by communicating control responsibilities to employees and providing information that allows people to carry out their duties.
  • Monitoring. Covers the oversight of internal controls by management or other parties outside the process; or the application of independent methodologies, such as customized procedures or standard checklists, by employees within a process.
[Paper continues with additional strategies]

Conclusion: A New Beginning
Sarbanes-Oxley marks the beginning of a new reporting era for public companies. Many of its requirements are broad and untested, but expectations by both the public and regulators are high. In the early reporting stages, some companies will of necessity respond with "fire-drill" or add-on reviews of controls in order to fulfill their reporting responsibilities. Over the long term, however, companies will need to build in the required processes to ensure that their corporate reporting on internal controls is part of the way they do business, not just an afterthought.

No company can afford to ignore new reporting requirements, even though SEC rules impacting a number of key areas have yet to be issued. CEOs and CFOs must be committed and prepared to comply with all rules as they become effective to avoid the risk of the tough civil and criminal penalties that are built into Sarbanes-Oxley. In particular, they must understand Sarbanes-Oxley and SEC reporting obligations and guide their companies in managing compliance efforts. By having effective control structures in place to meet these obligations, including the required review and evaluation procedures, companies can provide complete, accurate, and trustworthy information to their stakeholders.

The strategies and actions suggested in this paper are intended to assist company leaders in developing and executing effective, pragmatic, and tailored plans that will enable their companies to meet the Sarbanes-Oxley challenge.

Companies that succeed in these efforts will be able to satisfy reporting requirements to shareholders, the public, directors, and other stakeholders with greater confidence. They will also benefit from the enhanced credibility that comes from quality corporate reporting — a key advantage that can have a positive impact on both their cost of capital and their ability to operate at peak effectiveness.
