The primary objective of the Sarbanes-Oxley Act is to restore investor confidence. To do so, the act requires CEOs and CFOs of listed companies to certify that the reports they periodically file with the Securities and Exchange Commission correctly portray the company's financial condition. Section 404(a) further requires that the management assess the effectiveness of the company's internal controls over financial reporting, and then state in its annual report to shareholders whether these controls are operating effectively. Basically, it means that the management must look closely and regularly at all the steps taken to ensure the integrity and reliability of the company's financial accounts, and tell the public if there are material weaknesses in the design or operation of these steps, thereby hopefully avoiding Enron-like surprises.
Listed companies are spending substantial sums on Sarbanes-Oxley compliance. However, a large section of companies believe that the process of complying with SOX has not yielded significant internal benefits for their company and that the benefits of compliance do not outweigh the costs. The concern over the costs of complying with Sarbanes-Oxley appears to be growing. It may increase even more as the intersection between Sarbanes-Oxley and outsourcing comes into better focus, particularly around the requirements of Section 404, which are now beginning to be fully appreciated. Though many factors drive outsourcing, cost savings are a major impetus. Key questions from the Indian service provider perspective are whether Sarbanes-Oxley adds to the cost of outsourcing, whether outsourcing will diminish on account of it, and whether it will impact certain types of outsourcing but not others.
Let us deliberate on these points.
In order to ensure increased integrity and reliability of financial statements, SOX requires the management to assess the effectiveness of the company's internal controls over financial reporting, and the external auditor to evaluate this assessment and then render an independent report. The body that oversees the audit of public companies, the Public Company Accounting Oversight Board (PCAOB), has laid down what is expected from this report. The PCAOB instructs the auditors to address two inter-related questions.
First, is the management's assessment fairly stated, in all material respects? Second, does the company in fact maintain, in all material respects, effective internal control over financial reporting? Section 404(b) requires the company's auditor to attest to and report on the assessment made by the company's management. The PCAOB soon recognised that auditors cannot attest to something without conducting their own independent investigation. An attestation engagement to examine a management's assessment of internal controls requires the same level of work as an audit of internal control over financial reporting. The auditor needs to test the effectiveness of internal control to be satisfied that the management's conclusion is correct and, therefore, fairly stated. It is recognised that internal control is not 'one-size-fits-all'. Large companies may require extensive and sophisticated internal control systems; smaller companies, where senior management is more directly involved in daily interactions with both internal and external parties, need less elaborate systems.
In determining whether any particular system is effective, the auditor is instructed to exercise reasonable professional judgement in determining the extent of the audit of internal control, and perform only those tests that are necessary to ascertain the effectiveness of the company's internal control. More precisely, the PCAOB endorsed the use of the same framework that the management is encouraged to use in its own assessment of internal controls. The Internal Control-Integrated Framework is published by the Committee of Sponsoring Organisations.
Auditing Standard No. 2 contains detailed guidance about what is supposed to happen next. The auditor, states the PCAOB, should begin by looking at the assessment of the management. The auditor should then take steps to understand how the company's system of internal control is designed and operates, such as doing walkthroughs of the more significant processes.
Tests should be conducted as to both the design of the controls and their operation. After the conclusion of all relevant tests, the auditor must evaluate the results. In this phase, the auditor has to identify any control deficiencies. A control deficiency is any fault in the design or operation of an internal control that may prevent a company's managers or employees, in the normal course of performing their assigned functions, from detecting misstatements on a timely basis. All significant deficiencies and material weaknesses must be immediately communicated to the company's audit committee. An auditor's report must contain two opinions: one on the management's assessment, the other on the effectiveness of the company's internal control over financial reporting.