revisiting sarbanes-oxley - Thomson Reuters Risk Management

REVISITING SARBANES-OXLEY – WHY COMPANIES MUST CONSTANTLY REVIEW THEIR INTERNAL CONTROLS
Noah Gottesman
The views and opinions expressed in this paper are those of the author and do not
necessarily reflect the official policy or position of Thomson Reuters.
Senior executives have an attitude problem
when it comes to the concept of internal control
over financial reporting – the system that allows
a company to maintain accurate financial
information, both for external auditors and to
meet its own management goals.
They assume that internal control requires very
little thought. They hold the illusion that as long
as they do what the regulator says, and throw
enough money at the issue, they can forget about
the whole thing from one year to the next.
For this reason, senior executives at many
companies had largely forgotten about internal
control since the Sarbanes-Oxley Act (Sox), which
revolutionized the concept, was enacted by the
US Congress in 2002.
However, many have turned their attention to it
again since May 2013, when the Committee of
the Sponsoring Organizations of the Treadway
Commission (Coso), an association of accounting
trade bodies, published a document named
Internal Control – Integrated Framework, an
updated version of a 1992 document. This
document, commonly known as Coso 2013, set
out a framework for internal controls, covering
both financial reporting and other areas, including
controls over operational and strategic functions.
In concentrating on this, however, they are making
the same error as before. They are assuming that
they can order their staff to implement Coso 2013,
and then forget about internal control for another
decade, until the next major initiative comes.
In reality, however, this is not enough. Coso 2013
sets out principles. When responding to these
principles, executives need to ask some key
questions about their internal controls, including:
• Are we applying our internal controls rigorously
enough?
• Are we applying them broadly enough?
• What changes, either within the company or in
the outside world, should force us to revise our
internal control procedures?
• Is it time to change it all around?
When it is done well, internal control minimizes
the risk of earnings surprises, poor corporate
decisions and reputational damage. It creates a
less accident-prone, more competent and more
confident organization.
WHAT INTERNAL CONTROL REALLY MEANS
Back in 1992, Coso suggested that internal control
comprised five components. These sum up the
essence of what Coso said:
• The control environment – the set of standards,
processes and structures that provide the
framework for carrying out internal control
across the organization. This includes the
organizational structures, the ethical values
of the company and expectations of rigor in
performance measures.
• Risk assessment – identifying and assessing
risks that could impact the achievement of
objectives.
• Control activities – actions to ensure that
management efforts to mitigate risk are carried
out. This includes authorizations, verifications
and business performance reviews.
• Information and communication – the
generation of information and its dissemination
both within and outside of the company.
• Monitoring activities – checks to see if internal
control is working.
This definition of internal control initially took
some time to be accepted, but eventually became
widely adopted by companies in the aftermath of
Sox. It largely makes sense, though some experts
have warned that Coso 2013’s interpretation of
the principles concentrates too much on internal
threats to a company rather than external threats,
such as a change in the competitive environment.
MAY 2015
WHAT SOX SAYS
The early 2000s saw a series of US corporate
scandals, many of them involving accounting
fraud. In 2001 it was revealed that Enron, the
energy company, had hidden billions of dollars of
losses. In 2002 it was discovered that WorldCom,
the telecoms company, had overstated cashflows.
The slew of scandals cost investors billions of
dollars following the collapse of share prices.
This shook public faith in the probity of the US
corporate world – and this loss of faith threatened
the future of the US economy, which relies on the
investment of capital by the public.
Washington’s response was the ambitious
Sarbanes-Oxley Act, which set new or enhanced
standards for all public company Boards,
management and public accounting firms.
The full name of the Act sums up its purpose
succinctly:
“An Act to protect investors by improving the
accuracy and reliability of corporate disclosures
made pursuant to the securities laws, and for
other purposes.”
It is based on the idea that the more accurate a
company’s financial reporting, the fewer nasty
surprises there are for investors, and the greater
the public confidence in the capital markets that
are essential to the efficiency of the US economy.
The Act was wide-ranging. For example, it
outlined the responsibilities of the Board of
Directors, tightened up conflict of interest
rules, and set criminal penalties for executive
misconduct. It ramped up the regulatory regime
for US accounting and internal control, since it
was apparent that Coso’s pre-existing Integrated
(Internal) Control Framework, written in 1992 to
reduce fraudulent financial reporting, had not
been sufficient.
The key part of Sox that relates to directors’
responsibilities for internal controls is Section 404,
which looks specifically at financial rather than
non-financial controls. It requires (with certain
exceptions) all public companies to assess the
effectiveness of internal control and report the
results on an annual basis.
The US was not alone in tightening up
corporate internal controls in the early 2000s.
Many other countries also did so, often in
response to their own accounting scandals.
Japan passed the Financial Instruments and
Exchange Law (usually known as J-Sox) in
2006. Ireland passed the Irish Company Law
Enforcement Act in 2001 and the Companies
(Auditing and Accounting) Act in 2003.
The Securities and Exchange Commission (SEC)
says that internal control over financial reporting
should include procedures that:
• Provide reasonable assurance that transactions
are recorded well enough to permit the
preparation of financial statements in
accordance with Generally Accepted Accounting
Principles (GAAP).
• Ensure the maintenance of records that
accurately reflect the transactions and
dispositions of the assets of the company.
• Provide reasonable assurance regarding the
prevention or timely detection of unauthorized
acquisition or use of the company’s assets that
could have a material effect on the financial
statements.
Despite these clear rules and guidelines from
legislators, regulators and other authorities,
there are many signs that the quality of both the
internal controls and the corporate accounts that
are underpinned by them is often unsatisfactory:
• Accounting misses – in 2015 the International
Forum of Independent Audit Regulators released
a report showing continuing “high levels of
deficiencies” in the audits of public companies
by auditing firms around the world. Many of
these companies were in the US. For 24%
of companies where the audits were judged
unsatisfactory, there were deficiencies in internal
control testing – more than for any other area.
The Public Company Accounting Oversight
Board has regularly found fault with the audits
of public companies by both large and small
accounting firms – with deficiencies in internal
control a particularly common weakness.
• Hotlines – the sense that something is wrong
in companies’ internal control procedures is
heightened by the statistics for whistleblowing.
The SEC’s whistleblower program received
3,620 tips in 2014. Not only is this number high
– it is also a 20% increase on 2012. The fact
that thousands of people felt more confident
about solving a breach of rules through calling
on outside help, rather than through relying
on internal procedures, testifies to a lack of
employee faith in internal control.
• Corporate scandals – the lack of adequate
internal control is reflected in the huge number
of US corporate scandals since Sox was enacted.
Revealing examples include:
— The JPMorgan “whale trade” of 2012 – a $6.2
billion loss in derivatives dealing. George
Canellos, co-director of the SEC’s division
of enforcement, concluded that the bank
“failed to keep watch over its traders as
they overvalued a very complex portfolio to
hide massive losses”. The SEC found fault
with the bank’s internal controls for failing
to ensure that the traders were properly
valuing the portfolio, and with its senior
management for failing to inform the firm’s
audit committee about severe breakdowns in
the chief investment office’s internal controls.
In particular, during a series of internal
reviews, senior management learned that
the valuation control group within the chief
investment office, whose function was to
detect and prevent trader mismarking, was
ineffective and insufficiently independent
from the traders it was supposed to police.
JPMorgan agreed to pay four regulators
$920m, after admitting violating US federal
securities laws.
— Numerous examples where US companies
have been fined for breaches of the Foreign
Corrupt Practices Act (FCPA), which outlaws
bribery. For example, in December 2014
the SEC charged global beauty products
company Avon Products Inc. with violating
the FCPA by failing to put controls in place
to detect and prevent payments and gifts to
Chinese government officials from employees
and consultants at its Chinese subsidiary.
Avon entities agreed to pay $135 million to
settle the SEC’s charges and a parallel case
brought by the US authorities. According
to the SEC’s complaint, Avon management
learned about potential FCPA problems
at the subsidiary through an internal audit
report in late 2005. Avon management
consulted an outside law firm, directed that
reforms be instituted at the subsidiary, and
sent an internal audit team to follow up.
Ultimately, however, no such reforms were
made at the Chinese subsidiary. Avon finally
began a full-blown internal investigation in
2008 after its CEO received a letter from a
whistleblower.
— Numerous examples of accounting
miscalculations. For example, in March 2015
Genworth Financial Inc., a life and mortgage
insurer, said that it had identified “material
weakness” in its control over financial
reporting. Because of this it had failed to spot
a $44 million error in its after-tax earnings.
Genworth said that it failed to implement
changes to one of its methodologies correctly
as part of its long-term care insurance claim
reserves review.
Many other countries have also experienced
their own extremely high-profile accounting
scandals. In 2004 the auditors of Parmalat,
the Italian dairy and food company, found
€14.3 billion in hidden debts. In 2014 Tesco,
the UK’s biggest food retailer, said that it
had misstated its half-year profit guidance
by £263m.
Finally, there is a strong case for suggesting that
the credit crunch of 2008 was largely caused
by poor internal controls – including a failure to
value mortgage assets correctly, and to monitor
and limit counterparty exposure to individual
financial companies at risk of falling into trouble.
WHY COSO 2013 ISN’T THE ANSWER
The Coso 2013 framework was drafted in response
to a continued stream of corporate mishaps, missteps and scandals. Internal control and auditing
experts felt that not enough had changed in the
wake of Sox.
Coso 2013 is a private-sector initiative, jointly
sponsored and funded by five organizations:
• The American Accounting Association
• The American Institute of Certified
Public Accountants
• Financial Executives International
• The Institute of Management Accountants
• The Institute of Internal Auditors
It is not obligatory to follow Coso 2013. However,
the SEC requires companies that are subject to
Sox to follow an internal control framework such
as Coso 2013, and this looks set to be the most
popular. Much of the discussion has centered on
the creation of 17 principles, which aim to improve
internal control. Each of these principles has a
number of “Points of Focus”.
For example, Principle 1 is: “The organization
demonstrates a commitment to integrity and
ethical values.” One of its Points of Focus
is: “Processes are in place to evaluate the
performance of individuals and teams against the
entity’s expected standards of conduct.”
This example illustrates that Coso 2013 has
many virtues, but its precepts are necessarily
generalized and high-level because the document
seeks to cover the full range of companies
operating in the US today. It lays the tracks on
the journey to good internal controls, but it does
not take executives all the way. If executives are
serious about improving their internal control,
they have to regard each principle as a mere
starting point. To take the quoted Point of Focus
as an example, each business must do a lot
of work on its own in deciding what processes
should evaluate people against expected codes
of conduct – and further in ensuring that these
processes are put into practice. In other words,
Coso 2013 is not sufficient without a genuine
desire by senior executives to improve their
internal controls.
HOW TO MAKE INTERNAL CONTROL BETTER
In order to make the most of Coso 2013,
executives should step back and consider — in
the broadest possible way — whether they are
applying internal controls well enough. They
should ask themselves the four key questions
posed earlier:
• Are we applying our internal controls rigorously
enough? The PCAOB Auditors Staff Audit
Practice Alert 11, Considerations for Audits
of Internal Control over Financial Reporting,
published in 2013, found frequent weaknesses
in a number of areas. These included risk
assessment and the audit of internal control,
the selection of controls to test, and information
technology. What was most troubling was that
it found that firms failed to test controls for all
relevant assertions of the significant accounts
and disclosures. In other words, it was hard to
be confident that all of the figures provided to
external auditors were accurate.
• Are we applying them broadly enough? Many
companies focus narrowly on financial controls.
However, internal control is a broader concept.
It is also about controlling systems that might, if
deficient, pose a risk to the financial results. For
example, in its 2003 report on Internal Control
over Financial Reporting, the SEC refers to the
need to prevent unauthorized acquisition or
use of the company’s assets that could have
a material effect on the financial statements.
This includes the control of passwords and
other aspects of cyber security. For example,
in December 2013 hackers were able to slip
their software into the computer systems of
Target, the retailer, by stealing the credentials
of a refrigeration contractor. Once inside, the
software migrated to the company’s checkout
stations and began skimming card data –
with the information on 40 million credit and
debit cards at risk of being stolen. As well as
prompting the resignations of the company’s
CEO and CIO, the breach forced the company to
book a $148 million charge.
• What changes, either within the company or
in the outside world, should force us to revise
our internal control procedures? Since Sox was
enacted in 2003, an enormous amount has
changed in the business world, as well as in
society in general. This should have generated
significant change in the way that internal
control is undertaken – but in many cases it
hasn’t.
Examples of changes include:
— The creation, within business groups, of many
more overseas companies and legal entities
designed to minimize tax liabilities. This
needs to be documented by internal control.
— The increasing sophistication of cyber
criminality – as shown by the case of
Target and many other companies. In
well-run companies, this has provoked
much stronger security controls, including
a greater frequency in the change of
passwords, and the use of passwords that
contain a combination of letters, numbers
and punctuation, since these are harder to
hack. However, standards of security control,
such as requirements for sufficiently strong
passwords, are often left to the discretion of
individual staff.
— Changes in notions of ethical corporate
behavior, including the use of finite resources,
and of resources that may contribute to
climate change. Given these issues, codes of
conduct need to be updated annually.
• Is it time to change it all around? Change for the
sake of change sounds counter-intuitive. But
it is often extremely effective when it comes to
procedures that can become routine and stale.
At this point, staff go through the motions of
control, without thinking about what might be
most effective.
Let’s take a hypothetical example of the need
for change for the sake of change. Every
year, access to the inventory system of a
manufacturer’s factory is tested by checking
the HR list of who has access against the
names of people who are still at the plant
– to work out who should be crossed off or
inserted onto the list. One year, an external
auditor decides to look at it in a different
way. He takes the list of transactions on the
inventory and compares it to the HR list.
Major discrepancies are found.
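The auditor’s approach in the hypothetical, as an added illustration that is not part of the paper: the routine list-to-list check is placed beside a check of actual inventory transactions against HR records, which is what surfaces the discrepancies. The roster, access list and transaction log are constructed sample data and their column layout is an assumption.

```python
"""Access-review reconciliation for a factory inventory system.

Added example (not from the paper). The routine control compares the
access list with the HR roster; the auditor's test instead asks who
actually posted transactions and whether HR says they could.
"""
from datetime import date

# Constructed sample data. In practice these would be exports from HR,
# the inventory application's user table and its transaction log.
HR_ROSTER = {
    # user id -> (name, termination date, or None if still employed)
    "u001": ("A. Smith", None),
    "u002": ("B. Jones", date(2014, 9, 30)),   # left the plant last year
    "u003": ("C. Patel", None),
}

# Accounts currently enabled in the inventory system.
ACCESS_LIST = {"u001", "u002", "u003", "u004"}

TRANSACTIONS = [
    # (transaction id, user id, posting date)
    ("T-1001", "u001", date(2015, 1, 12)),
    ("T-1002", "u002", date(2015, 2, 3)),   # posted after u002 left
    ("T-1003", "u004", date(2015, 2, 14)),  # u004 is unknown to HR
    ("T-1004", "u001", date(2015, 3, 1)),
]


def access_list_review(hr_roster, access_list, as_of):
    """The control as routinely performed: access list vs. current staff."""
    current = {u for u, (_, term) in hr_roster.items()
               if term is None or term > as_of}
    return {
        "should_be_removed": sorted(access_list - current),
        "missing_access": sorted(current - access_list),
    }


def transaction_review(hr_roster, access_list, transactions):
    """The auditor's test: who used the system, and were they entitled to?"""
    findings = []
    for txn_id, user, posted in transactions:
        if user not in hr_roster:
            findings.append((txn_id, user, "user unknown to HR"))
            continue
        _, term = hr_roster[user]
        if term is not None and posted > term:
            findings.append((txn_id, user, f"posted after termination {term}"))
    # Enabled accounts that never post anything are stale and need review too.
    active_users = {user for _, user, _ in transactions}
    stale = sorted(access_list - active_users)
    return {"findings": findings, "stale_accounts": stale}


if __name__ == "__main__":
    print(access_list_review(HR_ROSTER, ACCESS_LIST, date(2015, 5, 1)))
    print(transaction_review(HR_ROSTER, ACCESS_LIST, TRANSACTIONS))
```

The list review only says which accounts should be removed; the transaction review shows that one of them was actually used after the employee left, and that another enabled account is never used at all.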
MONEY ISN’T THE ANSWER
Senior executives will be relieved to hear that
the problem is not really to do with money. They
do not need to increase costs if the systems
to improve internal control are intelligently
designed. They may, however, be dismayed to
hear that the problem does require them to spend
more time on internal control. Their personal
responsibility for internal control is set out in
Section 302 of Sox. It notes that “the principal
executive officer or officers and the principal
financial officer or officers” are responsible for
“establishing and maintaining internal controls”.
They must also evaluate the effectiveness of
internal controls within the 90 days prior to any
annual or quarterly earnings report.
Naturally, senior executives cannot perform the
work of internal control on their own. They need to
maximize the effectiveness of the people who are
helping them. This includes:
• Training staff. Staff need annual training, at the
very least, in risk assessment and methods of
internal control. This training should be broad
and up-to-date, including the latest thinking on
ethics, cyber security and so on.
• Rotating external auditors. This is rarely done at
large public companies – and US government
proposals to mandate this have recently become
bogged down. However, it is essential, because
it provokes fresh thinking about internal control.
Remember the example of the manufacturer’s
inventory system.
• Aligning the pay of staff more closely with the
aims of internal control. This should start at the
top: CEOs should not receive a bonus if there is a
serious failure of internal control at the company,
such as an ethics violation, major cyber security
breach, or accounting error caused by the poor
quality of information submitted by the company
to the external auditors.
What sort of questions should CEOs be asking
to ensure that internal control is effective? A
good technique is to follow the principles used
by auditors themselves: proactively look at a few
random items to see if they meet internal control
principles. It is also a good idea to talk to junior
as well as senior control staff, to get a picture of
how well internal control is working throughout
the firm. A good general principle is to do the
unexpected sometimes, rather than giving senior
members of internal control an easy time by
allowing them to second-guess you.
BENEFITS
This paper has concentrated largely on the
problems caused by poor internal control.
However, we should also emphasize the benefits
of good internal control, while drawing attention
to the perils of bad management of this function.
The benefits include:
• Smoother earnings. Many of the profit warnings
issued by listed US companies arise from a
poor internal control environment. In July 2012
JPMorgan was forced to restate its quarterly
earnings because of the whale trade – reducing
its net income by $459 million. It also admitted
a “material weakness” in internal controls.
Companies with good internal controls tend to
stay out of the headlines because they report
more consistent profits and fewer earnings
surprises. Qualcomm, the semiconductor and
telecoms equipment manufacturer, provides
a textbook example. In a quarterly earnings
release published in January 2015, it revealed
that a large customer was not expected to use
its processor. By revealing this early, before
earnings had actually been hit, it showed a
strong grasp of internal control, including both
good risk assessment and effective information
and communication. Investors were reassured.
• Better corporate decisions. In 2013 Hewlett
Packard acquired Autonomy, the UK software
company, for $11.1bn. A year later HP said that
Autonomy was worth $8.8bn less than this. The
deal, sometimes described as one of the worst
in corporate history, was botched because HP’s
internal control procedures were found to be
wanting. Before acquiring the company, HP
failed to conduct basic financial analysis and due
diligence.
• Well-managed reputational risk. Companies
that suffer a serious failure of internal control
are often tarnished for many years. This reduces
their ability to attract new clients. Customers
demand a high standard of ethics and
competence, and the secure holding of private
information about them. If they do not get this,
they will find other companies that can provide
it.
SUMMARY
Good internal control over financial reporting
is key to the success of corporations, but senior
executives often neglect it.
When internal control is poorly executed it causes
reputational damage, volatility of earnings and
poor corporate decisions, such as ill-thought-out
takeovers.
When it is done well, internal control minimizes
the risk of earnings surprises, poor corporate
decisions and reputational damage.
Internal control does not need millions of extra
dollars thrown at it, but in many cases it needs
clearer thinking and more management time.
Relying on the Coso 2013 framework is not
enough – it is just a starting point, though in
many ways a good one. US corporations have the
money, the capacity and the talent to raise their
internal controls to a level of excellence.
ABOUT THE AUTHOR
Noah Gottesman is a Certified Internal Auditor with over fifteen years of compliance, internal audit,
internal control and risk management experience. At Thomson Reuters Accelus, Noah serves as the
Audit Advisory and Innovation Director within Professional Services, assisting clients with Accelus
implementations. Prior to joining Thomson Reuters, Noah spent thirteen years with a big-four
accounting firm, gaining global experience across a wide range of industries, including banking and
financial services, technology and insurance.
THOMSON REUTERS RISK MANAGEMENT SOLUTIONS
Risk Management Solutions bring together trusted regulatory, customer and
pricing data, intuitive software and expert insight and services – an unrivaled
combination in the industry that empowers professionals and enterprises to
confidently anticipate and act on risks – and make smarter decisions that
accelerate business performance.
For more information, visit accelus.thomsonreuters.com
© 2015 Thomson Reuters GRC02739/5-15