The Sarbanes-Oxley Act of 2002 (SOX) was enacted into law in 2002 in the wake of corporate financial reporting scandals involving large publicly held companies. SOX instituted strict new financial regulations with the intent of improving accounting practices and protecting investors from corporate misconduct. SOX requires corporate executives to vouch for the accuracy of financial statements and to institute and monitor effective internal controls over financial reporting. The cost of implementing an effective internal control structure is onerous, and SOX inflicts opportunity costs on an enterprise because executives have become more risk averse out of fear of incrimination.
The Public Company Accounting Oversight Board (PCAOB) was created by SOX to oversee the accounting process and dictate independence requirements for auditors and audit committees. Regulations proposed by the PCAOB must be approved by the SEC before they take effect. Since the passage of SOX, the IT department has become critical in designing and implementing the internal controls in company accounting information systems. The Information Technology Governance Institute (ITGI) created a framework called Control Objectives for Information and Related Technology (COBIT) to provide guidance for companies implementing and monitoring IT governance.
Accounting Information Systems Research Paper
The Sarbanes-Oxley Act of 2002 changed the landscape of corporate financial reporting and auditing. In the wake of corporate reporting scandals, Congress decided the accounting profession was unable to self-regulate, and the Sarbanes-Oxley Act of 2002 was signed into law. The law addresses corporate greed and dishonesty by requiring companies to implement extensive internal control procedures to deter fraud and hold corporate executives accountable. The Public Company Accounting Oversight Board is the enforcement arm of the legislation and operates under the authority of the SEC to oversee accounting and auditing processes. Public companies are required to integrate internal controls into their accounting information systems to ensure data validity and security.
The Sarbanes-Oxley Act of 2002
In the aftermath of several corporate financial reporting scandals involving large publicly held companies such as Enron, WorldCom, and Tyco, the United States Congress passed the Sarbanes-Oxley Act of 2002 and enacted it into law on July 30, 2002. The Sarbanes-Oxley Act (SOX) takes its name from its two primary congressional sponsors, Representative Michael Oxley (R-OH) and Senator Paul Sarbanes (D-MD) (Hoffman, 2005, p. 3). SOX instituted new strict financial regulations with the intent of improving accounting practices and protecting investors from corporate misconduct. The law is intended to protect stakeholders from corporate greed, fraud, and misleading financial reporting. SOX legislation tackles several important concerns including corporate responsibility, internal controls, auditor independence, financial disclosures, criminal and fraud liability, conflicts of interest, and corporate tax returns (Moffett and Grant, 2011, p. 3).
Under the law, independent auditors and corporate officers of publicly traded companies must affirm both the accuracy of the financial statements and their supporting processes and data (Hoffman, 2005, p. 3). The law requires corporate officers to vouch for the effectiveness of the company’s internal controls and to be honest and transparent in financial reporting. SOX is organized under eleven titles, with the majority of the compliance principles written under sections 302, 401, 404, and 409 (A Guide to the Sarbanes-Oxley Act, 2006). Section 302 requires company officers to certify the truthfulness and completeness of quarterly and annual reports. Additionally, the signing officers are responsible for establishing and maintaining the internal controls, and must have evaluated the effectiveness of the controls within 90 days prior to certifying the financial statements (Hoffman, 2005, p. 4). Section 401 of SOX requires corporations to issue financial statements that are complete and accurate and include all material off-balance sheet obligations or liabilities (A Guide to the Sarbanes-Oxley Act, 2006).
This regulation was instituted to prevent public corporations from hiding liabilities from investors and thus artificially inflating stock prices. Section 404 requires public companies to establish internal controls and report annually on their effectiveness over financial reporting. The CFO and CEO are held personally responsible for the internal controls via the requirement to sign a statement certifying the adequacy of the internal control system (Moffett and Grant, 2011, p. 3). Additionally, the company’s independent auditor must issue an attestation regarding management’s assessment of the internal control structure as part of the company’s annual report (Bloch, 2003, p. 68). Material changes to a company’s financial condition or operations must be disclosed to the public in a timely manner under the provisions of Section 409. Rapid disclosure applies to all types of company information, for example product recalls, personnel changes, or the loss of a major customer (Hoffman, 2005, p. 4).
Internal Controls
Effective internal controls protect a company’s assets, maintain compliance, improve operations, prevent fraud, and promote accuracy in financial reporting. In 1992 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) designed an internal control framework of five components: the control environment, risk assessment, control activities, information and communication, and monitoring (Moffett and Grant, 2011, p. 3). Companies use this framework to implement internal control systems tailored to their own needs. No internal control system is infallible; however, effective controls provide reasonable assurance that company assets are protected and financial reporting is accurate.
Section 404 compliance. Section 404 mandates that Securities and Exchange Commission (SEC) registered companies implement and maintain adequate internal control procedures for financial reporting, and also appropriately assess and report on the internal controls’ effectiveness (Conway, 2003, p. 19). Company executives and audit committees are expected to take an active role in defining and evaluating the internal control structure and procedures. The COSO internal control framework is widely accepted as the best criteria for evaluation of a company’s internal control structure. Documentation of internal control procedures is essential to the evaluation process. Documentation provides evidence that controls have been identified and can be monitored. All relevant financial statement assertions and each of the five COSO internal control components should be documented. When documentation is lacking or nonexistent, independent auditors will report either a significant deficiency or a material weakness in internal control (Conway, 2003, p. 19).
Furthermore, documentation provides evidence that management applies wisdom to protecting company assets and instills integrity in financial reporting in a way that is pleasing to the Lord, as affirmed in Proverbs 24:3, “By wisdom a house is built, and through understanding it is established” (New International Version). Internal controls should be evaluated to determine whether they are operating effectively and to substantiate management’s assertion on the adequacy of the controls. Internal control testing and results should be documented, with deficiencies noted and remediation plans identified (Conway, 2003, p. 19). Upon completion of the evaluation process, management prepares its assertion on the effectiveness of internal control over the financial reporting process. As part of the independent audit, the external auditor will test and evaluate the internal control system, and subsequently attest to management’s assertion regarding internal controls.
Section 404 impact on small business. One of the biggest concerns to small firms is the onerous cost of implementing Section 404 on internal controls. Companies have seen audit fees increase by as much as 30% due to tougher accounting and auditing standards required by SOX (Solomon & Bryan-Low, 2004). In addition to external auditing expenses, the cost of hiring employees to create, implement and monitor Section 404 compliant internal controls can be burdensome to small businesses.
In addition to the financial burden created by SOX compliance, SOX imposes a significant opportunity cost on corporations by making executives more risk-averse, instilling in managers a fear of incrimination (Vakkur, McAfee, & Kipperman, 2010, p. 19). SOX inflicts extremely punitive measures on corporate executives, including penalties, incrimination, private litigation, and potential labor market penalties (Ahmed, McAnally, Rasmussen & Weaver, 2010, p. 354). When managers’ time is consumed by regulatory compliance, they are not focused on new-product development or growing the business, resulting in lower profits and reduced marketplace competitiveness.
The PCAOB
The Public Company Accounting Oversight Board (PCAOB) was created by the Sarbanes-Oxley Act to oversee the accounting process and dictate independence requirements for auditors and audit committees (Kim, 2003, p. 236). In order to curb the system of accountants’ self-regulation, only two of the five members of the PCAOB may be current or former certified public accountants. The PCAOB conducts annual quality inspections of accounting firms that audit more than one hundred companies and triennial inspections of all other accounting firms (Kim, 2003, p. 241). The PCAOB has the authority to conduct special inspections of accounting firms at any time, and can impose sanctions on an accountant or accounting firm if the Board finds an unreasonable failure to supervise any person associated with auditing or quality control standards (Kim, 2003, p. 241). The SEC maintains authority over the PCAOB, and must approve PCAOB proposed regulations in order for them to become effective.
PCAOB Pronouncements
Pronouncements related to accounting information systems. Auditing Standard No. 12, “Identifying and Assessing Risks of Material Misstatement,” addresses the auditor’s requirement to understand the company’s information system, including related business processes, relevant to financial reporting. This includes understanding transactions that are significant to the financial statements, and the procedures by which these transactions are initiated, authorized, processed, recorded, and reported. The auditor is to obtain an understanding of related accounting records, supporting information, and specific accounts that are used to initiate, authorize, process, and record transactions. The auditor should understand how the information system captures events and conditions that are important to the financial statements and how information technology affects the company’s flow of transactions. Additionally, the auditor should become knowledgeable about the company’s period-end financial reporting process, including general ledger procedures, application of accounting principles, procedures used to process and record journal entries and adjustments, and procedures for preparing financial statements and related disclosures (Auditing Standard No. 12, 2010).
Pronouncements related to internal controls. Auditing Standard No. 5, “An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of Financial Statements,” establishes requirements and provides direction for audit engagements of management’s assessment of the effectiveness of internal control over financial reporting that is part of a financial statement audit. Effective internal control over financial reporting provides reasonable assurance regarding the reliability of financial reporting and related financial statements. The auditor is required to plan and perform the audit to obtain appropriate evidence about whether material weaknesses exist in the internal control over financial reporting. General standards apply in the audit, including technical proficiency as an auditor, independence, due professional care, and professional skepticism.
The auditor prepares and signs a report expressing whether the company maintained effective internal control over financial reporting; the report is dated and issued in conjunction with the report on the audited financial statements (Auditing Standard No. 5, 2007).
Auditing pronouncements. SOX authorized the PCAOB to establish auditing and professional practice standards to be employed by registered public accounting firms. Auditor compliance is mandatory. On an interim basis, the PCAOB has adopted the generally accepted auditing standards as described in the American Institute of Certified Public Accountants’ Auditing Standards Board’s Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards, in existence on April 16, 2003 (Auditing, 2003).
Ethics and independence pronouncements. In accordance with Rule 3520, the registered accounting firm and its auditors must be independent of the firm’s audit client throughout the audit and the engagement period. In accordance with Rule 3500T, the registered accounting firm and its auditors shall comply with the ethics standards written in the AICPA’s Code of Professional Conduct Rule 102, and the interpretations and rulings in existence on April 16, 2003 (Ethics & Independence, 2003).
Quality control pronouncements. In April 2003 the PCAOB adopted as interim quality control standards the AICPA’s Auditing Standards Board’s Statements on Quality Control Standards, as in existence on April 16, 2003. The section requires that certified public accounting firms have a system of quality control for their accounting and auditing practice that ensures services are competently delivered and adequately supervised. Firm personnel are to comply with applicable professional standards and the firm’s standards of quality (Quality Control, 2003).
Attestation pronouncements. In April 2003 the PCAOB adopted as interim attestation standards the AICPA’s Auditing Standards Board’s Statements on Standards for Attestation Engagements, related interpretations, and statements of position as in existence on April 16, 2003. The practitioner shall have adequate training and proficiency in the attest function and the subject matter. The practitioner shall maintain independence in mental attitude and exercise due professional care in the engagement. Work shall be adequately planned and supervised, and sufficient evidence shall be obtained to support a reasonable basis for the conclusion expressed in the report (Attestation, 2003).
Future PCAOB pronouncements. The PCAOB is considering including an Auditor’s Discussion and Analysis (AD&A) with the auditor’s report. The AD&A could include information related to the audit, including audit risks, audit procedures, and results. It could also include discussion of the auditor’s views on management’s judgments and estimates, accounting policies and practices, and difficult issues (Current Activities, 2013).
SOX and PCAOB Impact on Accounting Information Systems
SOX requires that companies evaluate the effectiveness of both the design and operation of internal controls (Holmes & Neubecker, 2006, p. 25). Because of the reliance on accounting information systems for financial transactions and reporting, internal controls must be built into the accounting system infrastructure in order to provide reasonable assurance that financial reporting is valid, complete, and free of fraud. Damianides (2005) stresses, “IT will be crucial to achieving this objective and establishing the foundation for a sound internal control environment.” Prior to SOX, there were no definitive requirements on the extent of accounting system information technology controls a company was expected to implement. Prior to SOX, wise managers and companies that placed high importance on integrity had already instituted internal control procedures. The Bible speaks to this concept of being good stewards of the property entrusted to us. As noted in Proverbs 27:23, “Be sure you know the condition of your flocks; give special attention to your herds” (New International Version).
Once SOX became law, more attention was given to the internal controls that should be inherent in accounting information systems. Accounting transactions from inception to disposition are automated, resulting in a direct relationship between IT effectiveness and operational effectiveness in companies (Holmes & Neubecker, 2006, p. 25). The chief information officer plays a critical role in SOX internal control compliance. IT professionals are tasked with providing accurate, visible, and timely information while ensuring the protection and security of information systems (Damianides, 2005, p. 77).
IT governance is a process whereby a company’s IT system sustains and supports company goals and objectives (Gelinas, Dull, & Wheeler, 2012, p. 264). The Information Technology Governance Institute (ITGI) created a framework called Control Objectives for Information and Related Technology (COBIT) to provide guidance for companies to implement and monitor IT governance. The five key elements of the COBIT framework are: strategic alignment, service delivery, resource management, risk management, and performance measurement (Kepczyk, 2012, p. 5).
Strategic alignment is the integration of the IT infrastructure into an enterprise’s strategic plans. Service delivery refers to the IT system’s ability to securely provide information system access on any company-approved device from any location, on-site or remote. Resource management is the proactive monitoring and control of IT hardware and software costs, applying cost-benefit analysis. Risk management encompasses the identification of threats and vulnerabilities to the IT infrastructure, with proactive actions taken to mitigate potential impacts. Lastly, performance measurement is the process of determining acceptable levels of network performance and monitoring adherence through such tools as balanced scorecards and benchmarks (Kepczyk, 2012, p. 5).
Businesses that apply biblical wisdom to learning and understanding legal requirements and how to implement them will succeed in overcoming the tactical challenges of complying with the law. We are reminded in Proverbs 1:5, “let the wise listen and add to their learning, and let the discerning get guidance.”
Conclusion
The Sarbanes-Oxley Act of 2002 is the most significant legislation concerning market regulation since the Exchange Acts of 1933 and 1934 (Holmes & Neubecker, 2006, p. 27). Public corporations are the most affected by the stringent internal control requirements. The PCAOB oversees accounting processes and auditing requirements. Companies that succeed in establishing and maintaining effective internal controls automate them within their accounting information systems. As automation of business processes continues to grow, managers are challenged to ensure that transactions are valid, security is strong, and reports are accurate.
References
A Guide to the Sarbanes-Oxley Act. (2006). Addison-Hewitt Associates. Retrieved April 30, 2014, from http://soxlaw.com
Ahmed, A., McAnally, M., Rasmussen, S., & Weaver, C. (2010). How costly is the Sarbanes-Oxley Act? Evidence on the effects of the act on corporate profitability. Journal of Corporate Finance, 16, 352-369.
Attestation. (2003). Retrieved April 30, 2014, from www.pcaobus.org
Auditing. (2003). Retrieved April 30, 2014, from www.pcaobus.org
Auditing Standard No. 5. (2007). Retrieved April 30, 2014, from www.pcaobus.org
Auditing Standard No. 12. (2010). Retrieved April 30, 2014, from www.pcaobus.org
Bloch, G. (2003). Sarbanes-Oxley’s effects on internal controls for revenue. The CPA Journal, 73(4), 68-70. Retrieved from http://search.proquest.com/docview/212294542?accountid=12085
Conway, R. (2003). Sarbanes-Oxley, Section 404: Achieving compliance. Orange County Business Journal, 26(15), 19. Retrieved from http://search.proquest.com/docview/211081168?accountid=12085
Current Activities. (2013). Retrieved April 30, 2014, from www.pcaobus.org
Damianides, M. (2005). Sarbanes-Oxley and IT governance: New guidance on IT control and compliance. Information Systems Management, 22(1), 77-85. Retrieved from http://search.proquest.com/docview/214122540?accountid=12085
Ethics & Independence. (2003). Retrieved April 30, 2014, from www.pcaobus.org
Gelinas, U., Dull, R., & Wheeler, P. (2012). Accounting information systems (9th ed.). Mason, OH: Cengage/South-Western.
Hofman, S. (2005). Beyond Sarbanes-Oxley requirements. ISeries News, 1-6. Retrieved from http://search.proquest.com/docview/219592654?accountid=12085
Holmes, M., & Neubecker, D. (2006). The impact of the Sarbanes-Oxley Act of 2002 on the information systems of public companies. Issues in Information Systems, 7(2), 24-28. Retrieved from http://iacis.org/iis/2006/Holmes_Neubecker.pdf
Holy Bible, New International Version®, NIV®. (1973, 1978, 1984, 2011). Retrieved from http://www.biblica.com
Kepczyk, R. (2012). Raising your IT governance awareness. The Practicing CPA (Online), 40(8), 4-5. Retrieved from http://search.proquest.com/docview/1115475024?accountid=12085
Kim, B. (2003). Sarbanes-Oxley Act. Harvard Journal on Legislation, 40, 235-252. Retrieved from http://heinonline.org.ezproxy.liberty.edu:2048/HOL/Page?collection=journals&handle=hein.journals/hjl40&type=Image&id=241
Moffett, R., & Grant, G. (2011). Internal controls and fraud prevention. Internal Auditing, 26(2), 3-12. Retrieved from http://search.proquest.com/docview/863454394?accountid=12085
Quality Control. (2003). Retrieved April 30, 2014, from www.pcaobus.org
Roman, H. K. (2012). Raising your IT governance awareness. The Practicing CPA (Online), 40(8), 4-5. Retrieved from http://search.proquest.com/docview/1115475024?accountid=12085
Solomon, D., & Bryan-Low, C. (2004). Companies complain about cost of corporate-governance rules. Wall Street Journal, February 10. Retrieved from http://search.proquest.com/docview/398856653?accountid=12085
Vakkur, N., McAfee, R., & Kipperman, F. (2010). The unintended effects of the Sarbanes-Oxley Act of 2002. Research in Accounting Regulation, 22(1), 18-28. Retrieved from http://dx.doi.org/10.1016/j.racreg.2010.02.001