Sarbanes Oxley & Internal Controls

I had an opportunity to summarise an excellent training course by two professors of accounting on LinkedIn – it was behind a paywall. Anyway, my notes are as follows –

As a result of the Enron & WorldCom audit debacles, Sarbanes Oxley rules and regulations were drafted in the hope that a strengthened methodology for the development and maintenance of internal controls in large US enterprises would prevent another crisis.

Sarbanes Oxley provides the following valuable set of methodologies and logic –
Identifies the three components of the fraud triangle.
Describes the structure and responsibilities of the audit function.
Distinguishes the four aspects of earnings management.
Provides methodology for internal controls.

Three components of the fraud triangle –

The Fraud Triangle

Structure & responsibility of the audit function

Auditors are tasked with ensuring that an enterprise has implemented effective methods to prevent fraud and deception and ensure financial information is truthful.

Auditor functions –
Auditors interview enterprise employees to understand internal processes.
Make observations about enterprise activities and controls.
Examine enterprise physical things (including Cash, inventory, land, equipment) and representational information about those assets.
Contact 3rd parties including suppliers.
Execute analytical procedures.

Requirements –
In the case of a public company, an oversight board should be established.
Revised rules on auditor client relations to limit consulting. The auditor should not provide any other services to the client whom they audit.
Company CFO & CO to vouch for financial accuracy.
According to Sarbanes Oxley, all publicly traded companies should have internal controls scrutiny.
Balancing benefits & costs of audit can be difficult to quantify. It’s not always possible to observe the benefit i.e. prevented fraud. But assuming emerging open-source audit technologies and techniques are employed, the benefits should outweigh the costs.
Primary purpose is to improve public confidence.
OLP can conduct detailed investigation and can share details with the group.
Additional OLP roles –

  • Certify auditors
  • Set standards
  • Review the auditors

The external auditor must be as independent as possible given that the auditee company does the hiring and the paying. The detailed understanding secured via the audit process does allow potentially lucrative consulting, restructuring, taxation, technology implementation and other services to be delivered. No bookkeeping, advisory, valuations, legal or any other services should be provided. Allowing that would impede the independence of the external auditor. Investments by the external auditor in the audit client are also denied.

External Auditors ensure financial reports are prepared & presented in accordance with the standard, are reliable, free from error and not misstated in any manner.
Confidence in financial reports – banks & lenders and all manner of entities that might have either a direct or indirect reliance.
Generally accepted auditing standards.
Not possible to guarantee – only possible to say if fairly presented.
Materiality – find every error big enough to impact decisions. Not designed to fix immaterial items.
Not commenting on loan risk or if good investment.

Sarbanes Oxley requires that public companies have an audit committee – the CFO must not be on the audit committee. The external audit firm reports its findings to the committee. Committee members should be non-operational directors. Those requirements provide for an independent audit committee. Or at least as independent as is reasonably possible.

Relevant audit requirements & reasoning –
The external auditor provides a report detailing the extent of the audit engagement and the findings of that engagement.
CFO & CO must certify the accounts fairly reflect performance and position of the enterprise.
Code of ethics must be adhered to.
Company loans to officers & directors are prohibited.
Management affirm controls are in place and working.
Good internal control systems should be implemented in order to support a reliable financial system.
Active staff of internal professional auditors might be required for enterprises of a certain scale.
Internal auditors monitor controls and activities around financial systems on a frequent basis.
No-one likes auditors looking over their shoulders.
No-one likes accounting scandals that cost money.
Internal controls mandated by Sarbanes Oxley.
Auditors must report to top management – may be pressured by managers. Accordingly, an independent channel goes directly to the audit committee of the enterprise, going around operational management.
Good internal control practices should be adopted and adhered to.

Earnings Management

Do you think that the amount of reported earnings impacts perception of a company?

Earnings management joke –
Perspectives on the question 2+2 = ?
Answers –
Statistician – 4 with a confidence interval of 99.99%.
Lawyer – 2+2 is defined to be equal to 4.
Accountant – closes door. Whispers, 2+2, what do you need it to be?

Reported numbers have great power to frame opinions about an enterprise.

Managers may have a temptation to manipulate information. i.e.
Internal targets – motivate managers to meet targets, allocate resources.
Attract new investors by stretching the truth.
Cover up performance issues.
Meeting external stakeholders’ requirements – employees, customers, investors, lenders, suppliers – reliable partners.
Income smoothing – no one likes volatility – timing recognition of income & expenses – easier to get a loan or investment. Smoothing moves revenues or expenses forward or backward in time in order to create the appearance of financial stability.
Window dressing – accounting assumptions stretched, just before taking a large loan.

Earnings management continuum is a reality. Deals get slowed down or sped up, delayed or cancelled. Management has to react and report accordingly.
Transaction dating is an important requirement of the system design. Methodology for dating transactions must take into account relevant accounting standards.
Change in accounting methods or forecast estimates with full disclosure is a requirement.
Impact of any changes should be fully disclosed.
Deceptive accounting is illegal and should not be practiced.

In saying that, earnings can be managed without violating rules. Managers are expected to manage earnings within the constraints of the rules. A manager has an ethical obligation to optimise shareholder earnings but should do so within constraints of generally accepted accounting principles.

Human judgement is sometimes required when it comes time to make predictions about the future, e.g. when should revenues be booked given the status of a complex project.

Risk areas for managing earnings –
Non-GAAP/IFRS accounting practices adopted.
Hide something, fictitious transactions – fake transactions or fake cosmetic changes – accounting changes that are fabricated.
Aggressive manipulation, attempting to deceive is illegal and can result in prison time.

Internal controls

Benefits of Internal Controls –
Accounting errors are minimised and/or prevented.
Accounting disagreements are resolved.
Desperate financial managers are prevented from behaving in a manner which might be detrimental to the enterprise.
Chances of theft of enterprise resources are minimised.
Chances of accounting statement fraud are minimised.
Misappropriation of funds – Stealing.
Financial report fraud – Lying.

Managers are inclined to take advantage of opportunities.
Financial pressure – cannot tell by looking. Feeling financial pressure can produce behaviour in a manager that may not be evident without that pressure.
Rationalisation for theft can be fabricated in the mind of a normally rational, law-abiding citizen.
Opportunity controlled via a rule – 2 persons. The person who collects the stock should never be responsible for paying for the stock. The person who handles the cash should never be responsible for booking cash transactions.

Internal controls are all about removing the third leg in the fraud triangle.
Worst impulses are tempered.
Unexpected independent checks are implemented.
Mandatory vacations with an in-fill person are put in place so no one person is in a sensitive role for an extended timeframe.
Establishing & maintaining good internal controls.
Policies and procedures must be supported at the top of the enterprise.
Accurate records and efficiently run operations are important.

Control structures –
Actions.
Policy.
Procedures.

Internal control objective must be established.
Clear lines of authority & responsibility must be established.
An organization structure for checks & balances to create transparency should be implemented.

Controls –
Hands that touch the asset do not touch the records – Control activities, procedures, policies.
Separation of duties.
Adequate docs & records.

Preventative controls.
Detective controls.

Keep separate inventory handling vs. inventory recording.
Cash – easy to steal & use.

A model to strive toward.

Hiring through proper procedures.

Who is authorised to request certain business functions? Organisational resources are not used for any purpose unless assigned by an authorised employee.

Owner or manager should conduct the checks – or better yet, external auditor.

Worst impulses are tempered by unexpected independent checks.
Mandatory vacations with an in-fill person allow fresh visibility over the activities and may uncover unauthorised or erroneous activities.

Internal controls are designed in a manner that increases the probability that financial reports are accurate and properly represent the position and performance of the financial entity.

Internal controls are designed to increase the responsibility of the managers of an enterprise with respect to financial system controls and financial statements.

Investor relations, financial reporting and other forms of corporate communication are best served by the provision of accurate and truthful information.

Andrew Noble

Accountant, Technologist & Futurist