TBI Consulting – Proprietary and Confidential
EXECUTIVE SUMMARY
Overview
The Sarbanes-Oxley Act of 2002 (“SOX”) ushers Corporate America into a new era of
financial transparency. The primary purpose of SOX is to protect investors by improving the
accuracy and reliability of corporate disclosures made pursuant to the securities laws. Many of
SOX’s requirements are broad and untested. However, the expectations of both the public and
regulators are high.
One thing is for certain - the requirements of SOX can no longer be put off. SOX contains
key provisions that impact every key player in the capital market. Companies need to be
realistic in getting their SOX projects underway. Many companies are overburdened,
short-staffed, and ill-equipped to handle the requirements of SOX. Since the inception of SOX,
companies have responded in fire-drill fashion to meet the current requirements of SOX as they
are mandated. However, SOX compliance is an ongoing process, and companies need to build the
required processes to ensure that corporate governance is a part of their everyday culture – not
an afterthought.
One of the most significant requirements of SOX is Section 404 – Management’s Assessment of
Internal Controls. Internal controls are no longer the auditor’s problem. Congress deliberately
wrote the law to ensure that companies themselves be held accountable for the fairness,
thoroughness and accuracy of their financial reporting and disclosure. Under the requirements
of SOX, companies are required to assess, implement, monitor and evaluate their internal
controls before their auditors can issue an attestation report.
A sustainable program must be developed. Internal controls are not something that can be
done once and forgotten about. Nor can companies afford to focus on internal controls in the
last quarter of the year to squeak by in meeting their SOX requirements. Companies are now
accountable for continuously enhancing and modifying their internal controls through regular
evaluations and by making internal controls an integral part of their organization.
Each company is unique and cannot be compared to another in assessing its level of
internal control compliance. As companies are bombarded with information, it is important to
understand that there is no single quick-fix answer to meeting the requirements of SOX. Special
software programs and standard pre-printed checklists are being touted as the one-step quick
fix. While they may assist in SOX compliance, in the end these programs and checklists
will not fix the problem.
Section 302
Compliance with Section 302 became effective for reports covering periods that ended after
August 29, 2002. The final rules require companies to file the certifications mandated by Sections
302 and 906 as exhibits to their annual and quarterly filings with the SEC. Section 906 added a
new section to U.S. Code Title 18 to contain a certification requirement subject to specific federal
criminal provisions. It is separate and distinct from the certification requirement mandated by
Section 302.
Sarbanes-Oxley Compliance Services
© TBI Consulting
All rights reserved
KEY CERTIFICATION PROVISIONS
MANDATED BY 302
[Figure: Section 302 Certification. CEO and CFO certify they have reviewed report, and:]
• Financial information is fairly presented
• Report does not contain any misrepresentation
• They have reported any deficiencies to audit committee
• Certify they are responsible for “disclosure controls and procedures”
Section 404
The final rules implementing Section 404 were adopted by the SEC on May 27, 2003.
Accelerated filers (U.S. companies that have equity market capitalization over $75 million) will
be required to comply with these requirements for fiscal years ending on or after November 15, 2004.
All other issuers (including small business issuers and foreign private issuers) will be required
to comply for fiscal years ending on or after July 15, 2005. The first filing that will be required
for calendar year accelerated filers will be the Form 10-K filed in 2005 for the year ended
December 31, 2004.
The final rules also state that companies will be required to perform quarterly evaluations of
changes that have materially affected or are reasonably likely to materially affect the company’s
internal controls.
Sections 302 and 404 Are Interrelated
Section 302
Management’s Certification that financial
information included in Company’s report
fairly presents in all material respects the
financial condition and results of operations
Section 404
Internal Control Report of Management’s
assessment of the effectiveness of the
internal control structure and procedures
MANAGEMENT'S REPORT ON INTERNAL CONTROL
OVER FINANCIAL REPORTING
The final rule defines “Internal control over financial reporting” as
A process designed by, or under the supervision of, the registrant’s principal
executive and principal financial officers, or persons performing similar functions,
and effected by the registrant’s board of directors, management and other
personnel, to provide reasonable assurance regarding the reliability of financial
reporting and the preparation of financial statements for external purposes in
accordance with generally accepted accounting principles and includes those
policies and procedures that:
• Pertain to the maintenance of records that in reasonable detail accurately and
fairly reflect the transactions and dispositions of the assets
• Provide reasonable assurance that transactions are recorded as necessary to
permit preparation of financial statements in accordance with GAAP, and that
receipts and expenditures are being made only in accordance with
authorizations of management and the board of directors.
• Provide reasonable assurance regarding prevention or timely detection of
unauthorized acquisition, use or disposition of assets that could have a material
effect on the financial statements.
404 FINAL RULES REQUIREMENTS
• A statement that management is responsible for establishing and
maintaining adequate internal control over its financial reporting for the
company.
• A statement identifying the framework used by management to conduct the
required evaluation of the effectiveness of the Company’s internal control over
its financial reporting.
• Management's assessment of the effectiveness of this internal control as of
the end of the company's most recent fiscal year, including a statement as to
whether or not the company’s internal control over its financial reporting is
effective. The assessment must include disclosures of any “material
weaknesses” in the report identified by management.
  Management is not permitted to conclude that the company’s internal control
over financial reporting is effective if there are one or more material
weaknesses in the company’s internal control over financial reporting.
• A statement that a registered public accounting firm that audited the financial
statements included in the annual report has issued an attestation report on
management's assessment of the company’s internal control over its
financial reporting.
COSO as Evaluation Framework Standard
The final rules state that management must base its evaluation of the effectiveness of the
company’s internal control over financial reporting on a suitable, recognized control framework
that is established by a body or group that has followed due process procedures, including
broad distribution of that framework for public comment.
• The SEC states that the framework of the Committee of Sponsoring Organizations of
the Treadway Commission (COSO) satisfies the criteria and may be used as an
evaluation framework for purposes of management’s annual internal control
evaluation and disclosure requirements.
• However, the final rules stop short of mandating the use of any particular
framework, such as COSO. This is in recognition of the fact that other evaluation
standards exist outside of the United States, and other frameworks may be
developed within the U.S. in the future. The final rules require management’s report
to identify the evaluation framework used by management to assess the
effectiveness of the company’s internal control over financial reporting.
• Specifically, a suitable framework must:
  ◦ Be free from bias;
  ◦ Permit reasonably consistent qualitative and quantitative measurements of a
company’s internal control;
  ◦ Be sufficiently complete so that those relevant factors that would alter a
conclusion about the effectiveness of a company’s internal controls are not
omitted; and
  ◦ Be relevant to an evaluation of internal control over financial reporting.
COSO is widely adopted and considered the best choice for the vast majority of U.S.-based
public companies. COSO has been accepted by the U.S. Government and its agencies,
incorporated in U.S. auditing standards (AU 319), and is a generally accepted integrated
framework for control infrastructure.
Integrated Framework [1]
Internal control is defined as a process, effected by an entity’s board of directors, management and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives in the
following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
The Fundamental concepts:
• Internal control is a process. It’s a means to an end, not an end in itself.
• Internal control is effected by people. It’s not merely policy manuals and forms, but
people at every level of an organization.
• Internal control can be expected to provide only reasonable assurance, not absolute
assurance, to an entity’s management and board.
• Internal control is geared to the achievement of objectives in one or more separate but
overlapping categories.
The Internal Control Components:
[Figure: the internal control components]
• MONITORING
• INFORMATION & COMMUNICATION
• RISK ASSESSMENT
• CONTROL ACTIVITIES
• CONTROL ENVIRONMENT
The control environment provides an atmosphere in which people conduct their activities
and carry out their control responsibilities. It serves as the foundation for the other
components. Within this environment, management assesses risks to achievement of specified
objectives. Control activities are implemented to help ensure that management directives to
address the risks are carried out. Meanwhile, relevant information is captured and
communicated throughout the organization. The entire process is monitored and modified as
conditions warrant.
[1] Committee of Sponsoring Organizations of the Treadway Commission, Internal Control – Integrated Framework (New York:
AICPA, 1994)