Scott Green Head of Audit & Compliance, Weil, Gotshal & Manges LLC
CIO Insight: What will enforcement of Sarbanes-Oxley look like?
Green: The first line of enforcement lies in the role of the outside auditors, the external accountants. The new Public Company Accounting Oversight Board has set out new standards, and they will evaluate those standards and, where appropriate, take action through investigations and enforcement recommendations. That regulatory oversight previously had been performed by self-policing within the auditing profession.
Then we have the SEC, which has the ultimate authority and oversight. They will continue, as they have in the past, to take action against companies they believe are not meeting the spirit of the financial reporting requirements. They have a broad mandate. In the past, the SEC has reviewed financial statements issued by companies. Where they had a problem, they raised issues. I think they will continue to do that.
What whistle-blowers provide is also important. If a whistle-blower does contact the SEC, and the complaint is credible, I suspect the SEC will launch an investigation. Will they continually have people out in these companies, continually evaluating them? It's doubtful.
Do you expect that in the next few years there will be some high-profile enforcement actions to send the message that this act has teeth?
To the extent that there's real criminal activity, yes. Having said that, I do think corporate America is doing everything it can to comply with the letter and the spirit of Sarbanes-Oxley. If we enter a quiet period in the next couple of years after this, I would view that as a good thing, not necessarily lax enforcement or oversight.
Why did the SEC twice push back the deadline for Section 404?
Section 404 compliance has turned out to be a bigger job than most people originally envisioned. Companies are working hard to comply, and it's my opinion that the SEC recognized that companies are trying hard to do the right thing here, and that they need more time to do it. And with the PCAOB just putting out the auditing standards, it gives more people time to react.
What does it mean to be ready for Sarbanes-Oxley?
It means that you're able to prove to your auditors, because they are going to attest to your assertions, that you have a strong system of internal controls that can reasonably ensure the reliability of your financial reporting. People have to be prepared to provide their documentation to support their internal control structure. You have to be able to prove that you regularly test your internal control structure and that you believe it's operational. In the past, many of these controls may have been present but may have been informal. In other words, they weren't thoroughly documented, or the results were just communicated verbally; they weren't necessarily put in report form and sent periodically to management for review and sign-off.
How can information technology help companies comply?
Technology can play a key role in strengthening the internal controls structure. Automated preventive controls tend to be the strongest controls and manual detective controls the least strong. Wherever you can implement a technological solution that will prevent an event that you don't want to occur, that's best. Technology can also help monitor that control structure by automating key-performance-indicator reporting to senior management. If we can automate that reporting to senior management regularly and, more important, flag whenever there's an exception, that can add greatly to the control structure. Finally, you use technology to maintain documents. There are systems out there you can buy to help bring this all together so you know you have some type of documentation that addresses every significant control. That can be helpful, especially for large companies with far-flung operations.
Should companies just try to meet the minimum requirements?
It's certainly good business to take it further, as long as there's a cost benefit. You're trying to manage risk. You need to evaluate the downside and put in cost-effective controls. At the end of the day, if a control risk could severely hamper the corporation, you may want more than one point of control. You may want several points around that risk. Even the simplest businesses will have certain risks that they want to have a belt-and-suspenders approach to.
Do you anticipate any unintended consequences of the act?
I am concerned about how small and medium-size companies will be able to comply. It's not clear to me what is expected of them at this point. Basically, the PCAOB has referred back to the COSO Framework, the Committee of Sponsoring Organizations. They put out a framework in 1992 that recognizes that smaller companies may not have the same level of control as bigger companies, either due to their size or lack of resources.
Rather than have perfect segregation of duties across the organization, you will have the CEO or CFO or a small management team that is able to provide effective oversight that basically eliminates the need for a particular control. By oversight, they know that no fraud is occurring, that the checks that are clearing are properly authorized, those sorts of things. They see it all as it crosses their desks. But as an organization grows, obviously this is no longer effective because the managers can't keep their hands on everything. That's when you need to start implementing formal controls and formal segregation of duty and system-access restrictions and such. It's not clear to me how the auditors will see where the bright line is that says, "now you need to implement formal controls."
Elizabeth Wasserman is a Washington, D.C.-based writer. Formerly, she was Washington Bureau Chief for The Industry Standard.