Sarbanes-Oxley Act (SOX) 404
In July 2002, the United States Congress passed the Sarbanes-Oxley Act ("the Act") into law. The Act was primarily designed to restore investor confidence following well-publicized bankruptcies and internal control breakdowns that brought chief executives, audit committees, and the independent auditors under heavy scrutiny. The Act is applicable to all publicly registered companies under the jurisdiction of the Securities and Exchange Commission (SEC).
The Act called for the formation of a Public Company Accounting Oversight Board (PCAOB) and specified several requirements ("sections") that include management's quarterly certification of their financial results (Section 302) and management's annual assertion that internal controls over financial reporting are effective (Section 404). In the case of Section 404, the independent auditor of the organization is required to opine on the effectiveness of internal control over financial reporting in addition to the auditor's opinion on the fair presentation of the organization's financial statements (also referred to as the "integrated audit").
Section 404 draws attention to the significant processes that feed and comprise the financial reporting process for an organization. In order for management to make its annual assessment on the effectiveness of its internal control, management is required to document and evaluate all controls that are deemed significant to the financial reporting processes. If the organization uses a service provider to process transactions, host data, or other significant services, management may need to evaluate the design and test the operating effectiveness of the service organization's controls.
Management will either need to conduct an evaluation of the service organization's controls, or management may obtain a Type 2 SAS No. 70 service auditor's report from the service organization, if a service auditor has been engaged, to gain an understanding of the service organization's controls. The relevant audit guidance for SAS No. 70 already requires that a service auditor's report contain information on the five components of internal control as it relates to the service organization.
Service organizations that have customers who are publically registered companies should expect an increase in demand for information on the service organization's controls. Service organizations should consider the following:
- What are the fiscal year-ends of the service organization's customers?
- When will the management of the service organization's customers conduct their evaluations and assessments?
- If the service organization currently receives a SAS 70 audit, is the scope adequate to meet the needs of customer management and the auditors of the customers?
- If the service organization does not currently receive a SAS 70 audit, does the service organization have the bandwidth from a resource standpoint to handle the additional requests that may result from Section 404 of the Act?
The SEC published its final rules related to the adoption of Section 404, which can be viewed at the SEC website. Public companies that meet the definition of an "accelerated" filer were the first issuers who had to comply with the internal control reporting requirements for fiscal years ending after November 15, 2004. Public companies that are not accelerated filers, including foreign private issuers, must begin to comply with the annual internal control report for its first fiscal year ending on or after December 15, 2007. The non-accelerated filer deadline was deferred by the SEC to 2006 in March 2005, and then again to 2007 in September 2005.
On December 20, 2006, the SEC released proposed interpretive guidance for management regarding its evaluation of internal control over financial reporting. The interpretive guidance sets forth an approach by which management can conduct a top-down, risk-based evaluation of internal control over financial reporting. You can download a PDF copy of the proposed rule from the SEC website. The interpretive guidance was approved by the SEC on May 23, 2007.
The PCAOB is responsible for publishing the guidance that practitioners (i.e., auditors) must follow when examining management's assertion on the effectiveness of controls over financial reporting. On March 9, 2004, the PCAOB released Auditing Standard No. 2 ("AS 2") entitled "An Audit of Internal Control over Financial Reporting in Conjunction with an Audit of Financial Statements". Appendix B of the file rule contains information on service organizations and confirms that a SAS 70 service auditor's report is an acceptable format to allow management to assess the operating effectiveness of controls at the service organization. The SEC adopted the PCAOB's Auditing Standard No. 2 on June 17, 2004. You can download a PDF copy of AS 2 from the PCAOB website.
On May 24, 2007, the PCAOB released Auditing Standard No. 5 ("AS 5") entitled "An Audit of Internal Control over Financial Reporting That is Integrated with an Audit of Financial Statements." AS 5 supersedes AS 2 and was designed specifically to improve the implementation of the internal control reporting requirements by focusing the auditors on the "most important matters" and by eliminating procedures that the PCAOB believes are unnecessary to an effective audit of internal control. Under AS 5 (Appendix B17-B27), SAS 70 audit reports continue to play an important role in allowing management and auditor to evaluate the operating effectiveness of controls at a service organization. AS 5 was approved by the SEC on July 25, 2007 and is effective for audits of internal control over financial reporting required under Section 404 for fiscal years ending on or after November 15, 2007. More information can obtained via the news release on the PCAOB's web site.
It is expected that the Type 2 Service Auditor Reports prepared in accordance with the new service organization reporting standards, ISAE 3402 and SSAE 16, will continue to meet the requirements outlined in AS 5.
Section 404 of the Sarbanes-Oxley Act is also referred to "SOX 404" in many discussion forums.
The AICPA maintains a web page dedicated to the latest developments surrounding the Sarbanes-Oxley Act. You can access this web page at: http://www.aicpa.org/sarbanes/index.asp
The IT Governance Institute has published a very handy reference guide entitled "IT Control Objectives for Sarbanes-Oxley". The guide was updated in September 2006. You can download a PDF copy of this powerful research tool which maps many of the CobIT control objectives to the widely-recognized COSO framework for internal control.
If you need further information, contact us.