You Still Need to Organize Your SOX in the Dodd-Frank Environment

August 4, 2011

By Sunil Sajnani

Remember the fall of Enron? What about Tyco International, Adelphia and WorldCom?

There was one thing common in the collapse of these giants: massive failure in internal controls. In response to these catastrophic events, Congress passed the Sarbanes-Oxley Act of 2002, commonly referred to as SOX.

SOX imposed new standards on all U.S. public companies, their boards and management, as well as public accounting firms, but did not apply to privately held companies.

One of the key provisions is Section 404, the assessment of internal control. This provision is important to public companies as it requires an “internal control report” to be issued for each annual report.

The report must affirm “the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.” The report must also “contain an assessment, as of the end of the most recent fiscal year of the company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.”

Management is responsible for performing their assessment in the context of a top-down risk-based assessment, which requires management to base both the scope of its assessment and evidence gathered on risk. From this, management in most companies, with the assistance of the internal audit function, works on the assessment of the design and operating effectiveness of selected internal controls, understanding the flow of transactions, evaluating company-level (or entity-level) controls, performing a fraud risk assessment, evaluating the controls designed to prevent or detect fraud, and determining the adequacy of internal control over financial reporting, among other matters.

In addition, management and the internal audit function have to enhance their processes, as well as the documentation support and test results over those processes, to comply with the Public Company Accounting Oversight Board’s Auditing Standard No. 5, also known as AS5. External auditing firms must also comply with AS5. By conforming to AS5, management and internal audit are maximizing the reliance that can be placed on management’s assessment of internal controls.

SOX and AS5 streamline communication and assessments between internal audit, management, and external audit. For internal audit functions across organizations, SOX should be an integral part of the annual audit procedures. The more internal audit personnel familiarize themselves with the processes, the better they can develop effective audit procedures over internal controls to address the risks that can have an impact on financial statements.

The tone that is set at the top and a risk-based approach are seen as increasingly important in the aftermath of the credit crisis. Organizations such as Lehman Brothers and Washington Mutual have disappeared or been acquired due to aggressive risk practices.

Economic events teach us that a constant re-evaluation of financial statement risks, and the design and operating effectiveness of internal controls that mitigate such risks, is critical to a valuable SOX assessment.

SOX in the Dodd-Frank Era
This year marks the 11-year anniversary of the SOX legislation, but will the law continue to remain relevant in the Dodd-Frank environment of today?

The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 has a lot in common with Sarbanes-Oxley in that it provides sweeping regulatory reform. By no means, however, does it wipe out SOX or replace it.

Organizations have done a pretty good job in the last 11 years or so streamlining their SOX initiatives. Corporate budgets dedicated to SOX initiatives have been further optimized year over year, and management has continued to leverage SOX initiatives to add value to accounting functions.

That said, SOX is here to stay for now. Dodd-Frank will only add to it. In fact, because SOX has been streamlined over the years, Dodd-Frank will dominate the investment of corporate time and resources in the near future.

The Dodd-Frank legislation is similar to Sarbanes-Oxley in that it’s a reaction to the most recent financial crisis in the banking and financial industry. Dodd-Frank affects a very broad area of financial regulation, including banks, specialty finance institutions, consumer regulations and rules for the governance of public companies in general.

Though it is broad, companies are not yet feeling its weight because most of the provisions of the law are still being finalized and therefore have yet to be implemented. Portions of the act are scheduled to take effect in the spring, however.

How will it affect public companies? I can’t say for certain, but the effects are definitely going to be felt as the Dodd-Frank Act develops over the next few years. History suggests there will be some aspects that will need further “tweaking,” to say the least.

I suspect the implementation will be more challenging compared to SOX because several aspects of Dodd-Frank attempt to deter human behavior that is subjective and unpredictable to begin with. How does one effectively legislate so that people become more risk averse and think long term instead of the instinctive desire for short-term financial rewards?

How do you shape the stock markets, which are highly driven by sentiment, into a sound financial system focused on long-term healthy gains? Can that be done to begin with? How do you deny the fact that some investors who held stock throughout the crisis in companies that were not affected came out better than those who bailed out?

The fundamental issues that Dodd-Frank attempts to address are far too complicated to resolve by enacting such legislation. Though it might be a good start, it will take years before the law’s benefits are fully realized. The legislation is intended to supplement the benefits to shareholders and the public markets from the Sarbanes-Oxley Act. It is not meant by any means to do away with SOX.

Sunil Sajnani, CPA, LIFA, is a Senior Enterprise Risk Management professional with over nine years of experience in corporate risk functions within the retail, private equity, financial services and banking sectors. He specializes in financial, operational and business process improvement, cost containment, risk management, and was part of the internal audit and advisory start-up initiatives of a Fortune 50 financial institution. Prior to that, he was a Senior Associate in PricewaterhouseCoopers’ Mergers and Acquisitions practice. Sunil has a Master in Accounting, a Bachelor in Financial Economics and graduated from the University of Michigan in Ann Arbor. He can be contacted at ssajnani@umich.edu.

1 Comment

You ask, "How does one effectively legislate so that people become more risk averse and think long term instead of the instinctive desire for short-term financial rewards?" But risk aversion is not what SOX and Dodd-Frank are about. Rather, the bills are designed to keep public companies honest in the way they conduct business and accountable to their shareholders.

Some people like big risks and will invest in companies that make risky decisions. Other people are more risk averse and want to invest in companies that are conservative in their business dealings. The reason we have SOX and now Dodd-Frank is to keep public companies honest about their levels of risk to ensure that investors have the information they need to make decisions based on their personal or institutional risk comfort zones.

For more information about efficient SOX implementations, check out www.vibato.com.

Under SOX in particular, public company executives and board members face stiff fines as well as shareholder lawsuits if their companies' financial reports are found to contain misleading or incorrect information, whether because of fraud or mistakes that might have occurred anywhere in the organization.

It took a while for public companies and their auditors to figure out which types of internal control infrastructures were "good enough" for SOX. I imagine the same thing will happen with the Dodd-Frank legislation. Public company execs and board members need to see SOX and Dodd-Frank as opportunities to clarify their companies' risk tolerance levels -- whether high, low, or mixed -- and create the infrastructure to ensure that their financial transactions -- and reporting efforts -- accurately reflect the companies' approach to financial risk.

Posted by: nancy.johnson@vibato.com | August 8, 2011 2:38 PM
