The Sarbanes-Oxley Act of 2002 commonly known as SOX is a policy that was passed by the parliament of the US to become law. This policy was meant to create transparency for investors which entails financial statements and also internal controls over financial reporting (I.C.F.R); disclosures were also included in this policy.
The policy was established to address the frequent frauds that had taken place in most large organizations such as Enron, WorldCom and Tyco among many others. Sections 404 (a) and (b) of the policy states that public organizations must use their own expertise to evaluate their Internal Control over Financial Reporting and thereafter seek additional evaluation of controls conducted by independent auditors who are usually in private practice.
Small public organizations that have a public float of a monetary value which is less than $75 million have been exempted from this procedure until the end of July 2006 and July 2007.
They consist of the Securities and Exchange Commission. Section 404 (b) commands that the attestation of the auditor who evaluates the controls of the small public organization be presented in a form known as 10-K but again the adoption of this policy has been postponed to the end of the year 2009 or later as may be found appropriate.
The postponements were introduced to give more time to small public organizations so that they can realize their present faults in internal controls and make the necessary adjustments within a timeline of four years. If the small public organizations were rushed they would not bring the desired results like the big organizations because they don’t have enough funds to cater to the cost of adoption.
Introduction
Small public organizations were made to present their findings on section 404 (a) about the assertion and usefulness of their internal controls over financial reporting (I.C.F.R). This report focuses on the Sarbanes Oxley law, especially SOX 404 and its effects on internal auditing functions.
Sarbanes Oxley Act is a federal policy that was passed by policymakers in the U.S. in July 2002. The policy brought new regulations that were to be observed by all publicly owned organizations in the U.S. The policy was named after the people who were the pioneers of its implementation that is Paul Sarbanes and Michael G. Oxley. The policy aims at protecting investors by making employees be cautious about their activities in a bid to prevent white-collar crimes in public organizations. SOX 404 aims at improving an organization’s internal controls, ensuring shareholders and other parties are in line with the financial reports of the company (Internal Control Practitioners 25).
Lord and Benoit relied on information obtained from an online research model in order to find out exactly what information could be obtained from the four years that the SOX 404 was postponed. The information obtained indicates that most organizations used the postponements to buy more time to get ready, evaluate and make the necessary adjustments that were appropriate in conforming to the terms of the policy. However, it is important to note that the evaluation of controls was hardly carried out by external auditors as stated in section 404 (a) and (b) respectively.
History of Financial Reporting Functions
Due to the increased financial scandals towards the end of the 20th century, SOX was enacted by Congress in 2002. Several small public organizations did not pay attention to the terms of this policy and those that did so were very partial hence the organizations did not adhere to the terms of this particular policy 404.This argument is based on various observations that suggest that for every eight small public entities only one of them presented unreliable unveiled 302 evaluations before they realized their controls were misleading based on what was stated in section 404 (Internal Control Practitioners 4).
The conditions for the above-stated policy go hand in hand because they work together hence the few organizations that were ignorant undermined the postponements that were earlier introduced to give them more time to gauge their own controls because most of them waited until the last days towards the deadlines. This means that they carried out their evaluations in a rush and that’s why their evaluations were faulty.
According to Ramos the presentation that was provided by these few organizations causes one to doubt the correctness of their completed task because the government realized that the self-evaluations needed more time (22). That is why the postponement was allocated a longer duration and thus one wonders how these few organizations were able to carry out these tasks within a very short time because they did their evaluations at the end of the year. Considering that most public organizations are extremely occupied at that time, how they managed to beat the deadline is remains to be a misery.
The postponements encouraged some public organizations to ignore their role in the implementation of the policy and some did not even bother to read the terms of the policy in order to be aware of what the policy stated and what they were to do to adhere to the terms. Keen observation revealed that about 97 organizations did not hand in their report. Some of them had to be literally followed up by Security Exchange Commission (SEC) through frequent phone calls but a good number of them were willing to hand in their report hence they handed in their report right on time.
The total number of organizations that were supposed to present their reports was 3,204, but 455 of these organizations did not adhere to the terms of the policy because 3.3 percent did not hand in their report while 3.9 percent handed in reports that were inaccurate. This is because they did not enclose their arguments about their own internal controls over financial reporting. Additionally, 8.2 percent of these organizations handed in reports that were confusing because they did not indicate in their reports whether they were adhering or not abiding by the terms of policy number 404 (Graham 7).
The proceeds of the 455 small organizations were added and the final value was $ 5.8 billion. This fact answers the question as to why most investors were not interested in these public organizations. Sonnelitter argues that the postponements for implementing policy 404 (a) failed their intended purposes because there are organizations that did not work on their self-evaluation (6). This is because even after the postponement period the rate of weaknesses within the concerned organizations did not decline but continued to hike.
Among the small public organizations that forwarded their reports late, a group comprising of 242 organizations was closely observed and the outcome suggested that by 1st September 2008 only 50 organizations had forwarded their forms which were satisfactory to the terms of policy 404 (a). Nineteen organizations reckoned they had wrong internal controls over financial reporting while the rest who turned out to be the majority argued that their internal controls over financial reporting were correct.
Literature Review
The argument that was presented by the majority of organizations that forwarded their reports late sounds too good to be true because for a judgment to be arrived at concerning internal controls over financial reporting the task force must have taken more time in monitoring the said system. This means that their conclusions were based on assumptions because they knew they had wasted the time that could have provided the real facts about their internal controls over financial reporting, but since the reports were mandatory for all small public organizations they felt they should just make up a report for the sake of adhering to the orders that were stated in the policy (Graham 4).
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) outlines that the task of monitoring the internal controls of any given organization is assigned to the Board of Directors and the audit committee. Because the majority of organizations that forwarded their reports late did not have a proper internal control most likely because the audit committees and Boards of directors were busy attending to other matters that they considered more important (Internal Control Practitioners 15).
According to Moeller, this ignorance can be avoided if only the members of board of directors participate actively in manning the procedures followed in self evaluations and also consider the possible risks which can be experienced while preparing financial statements (8). The audit committee should evaluate the performance of internal controls to establish whether they are reliable when presenting financial statements.
Some organizations presented reports that were thought to be inaccurate because their administrative units are not concerned about the accuracy of financial statements as long as they are presented by the responsible department. It is therefore important for administrators to seek accurate financial reports from the appropriate experts because this will make them handle financial issues with utmost seriousness.
Moeller argues that the above-mentioned excuses are not good enough because if an organization does not have the necessary experts to perform a given task it should consider giving contracts to the professionals who are knowledgeable in this field. This outsourcing of personnel can only happen if the organization is committed to performing the task in question (46).
Others were unable to bring satisfactory reports because they experienced disagreements among themselves when it came to the application of generally accepted accounting principles. This could have been caused due to a lack of evaluating the opinions that were issued when the reports were being drafted. It is certain that some people don’t buy the objections brought by others because they feel they know everything. Criticism can be beneficial because it helps to identify mistakes that could not be realized if the evaluating party does not allow suggestions to be presented (Graham 6).
Impact on the Internal Auditing Function
SOX regulations has enabled companies to focus on rightful financial information by presenting their annual reports including the organization’s internal controls. This has also strengthened the performance of internal auditors because every aspect regarding an organization’s performance in the marketplace must be documented and supported with tangible evidence.
In this light, the information that was collected by Audit Analytics was used by Lord and Benoit to carry out an analysis on small public organizations that had responded to the Sarbanes-Oxley section 404 (a) for the first time. The organizations were sorted to retain those whose financial year ended between 12/15/07 and 1/31/08. The study revolved around 3,946 organizations that fulfilled the necessary conditions. However foreign organizations were excluded from the study because they had not forwarded their report concerning the policy due to the fact that they are given an extra period that does not exceed six months after the end of the financial year (Ramos 19).
SEC can be excluded from a SOX 404 analysis of internal controls over financial reporting possibly due to unavoidable circumstances. Graham explains that for an exclusion to be valid it has to be in writing to command authority. This means that an organization can not be excluded from this review unless it has a written document to justify itself (4).
Having in mind the close ties that exist between section 302 disclosure regulations and section 404 on internal controls over financial reporting, Lord and Benoit identified the differences between Q3 section 302 of disclosure regulatory reports and section 404 of annual reports. The outcome indicated that only one organization was found to have steady reporting between section 302 and section 404. Research has proved that internal controls over financial reporting in small public organizations work properly as time moves by (Internal Control Practitioner 4). These findings were obtained from an observation that revealed that the improvement of internal controls was a gradual process that requires a lot of patience.
Ittonen argues that the outcomes of improper internal controls mean that the government had tried as much as possible to minimize errors because organizations had adequate durations which allowed them to cross-check their internal controls but most of them did not take that initiative they failed the government (44). Moreover, the number of small public organizations with undesirable internal controls would have swelled if the organizations had carried self-evaluation without including the attestation of the auditor.
Furthermore, SOX 404 has reduced the work of internal auditors because when rules governing SOX compliance are followed, an organization is deemed to provide correct financial reports. Previously, most public organizations failed to deliver satisfactory reports even when they had four years to carry out self-evaluation of their organizations’ internal controls over financial reporting. Most organizations argued that they lacked relevant expertise to carry out this exercise and also due to a lack of cooperation within the organization. However, that has changed since SOX provides guidelines for providing genuine reports regarding any internal auditing function.
Situation Before and After SOX Regulations
The following is a table showing the history of events before and after the enactment of the SOX 404 Act
Conclusion
Small public organizations should take issues seriously by attending to them early enough because when they present reports that are based on assumptions they make investors lose confidence in them. SOX 404 helps organizations analyze their financial reports with regard to compliance with internal controls. Administrators of public organizations should analyze reports before they are handed over to other bodies to make sure the findings of those reports are true. When an organization is faced with a task that requires specialized expertise it should consider hiring the appropriate personnel for that task.
References
Graham, Lynford. Complying with Sarbanes-Oxley Section 404: A Guide for small publicly held companies. New Jersey: John Wiley & Sons, Inc., 2010. Print.
Internal Controls Practitioners. Sarbanes-Oxley Section 404: A Guide for Management. 2nd Ed. The Institute of Internal Auditors. 2008. Web.
Ittonen, Kim. Audit reports and Stock Markets. Vaasa: University of Vaasa, 2009. Print.
Moeller, Robert. Sarbanes-Oxley Internal Controls: effective auditing with AS5. New Jersey: John Wiley & Sons, Inc., 2008.
Ramos, Michael. The Sarbanes-Oxley section 404 implementation toolkit practice. New Jersey: John Wiley & Sons Inc., 2008.
Sonnelitter, Robert. SOX 404 for Small, Publicly Held Companies 2009. Chicago: CCH, 2008. Print.