The Protectors for Big Business
THE SARBANES-OXLEY ACT was promulgated in the USA on July 30, 2002, primarily in response to the major corporate and accounting scandals in the USA such as Enron, Tyco International, Peregrine Systems, and WorldCom. Sarbanes-Oxley (also known as SOX or Sarbox) was promulgated to restore investor confidence in the reliability of the information provided by companies trading their stocks on USA stock exchanges.
SOX 404, which is an acronym for Sarbanes-Oxley Act, 2002 section 404, states,
SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.
(a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall—
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
(b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
As a result of this loaded piece of legislation, companies publicly listed on USA stock markets that have areas of known or suspected weakness must pay attention to the requirement that proper control structures and procedures on financial reporting be put into place. This calls for the implementation of control and evaluation systems and procedures to check and double-check that the financial reporting done by these companies is accurate in every material respect, to ensure that there are no hidden surprises for investors. Any material weaknesses must, in the execution of SOX 404, be reported to the United States Securities and Exchange Commission (SEC).
It goes without saying that if up to 60% of tax risk in a business is usually hidden from the tax manager, material weaknesses in tax issues will result unless a TRM™ process has been entered into to ensure that the internal control structures and procedures on the financial reporting of tax are carefully checked. An online company performing a market intelligence research service in the USA, in a report analyzing material weaknesses in public companies since the inception of SOX 404 until May 15, 2005, reported that nearly 30% of the deficiencies were associated with tax accounting. That is significant. This also accounted for the highest deficiency under SOX 404.
The sting in the tail of SOX 404 comes in SOX 906, which prescribes the penalties corporate officers will face for noncompliance. Penalties are up to a fine of $5m and prison sentences of up to twenty years.
If the “effectiveness of the internal control structure and procedures of the issuer for financial reporting” has not been carefully audited, which includes the proper assessment of the tax risks in a corporation, the corporate officers may face the severe penalties mentioned above. So apart from up to six times more tax exposure by not self-regulating and self-disclosing any tax discrepancies found during a Tax Risk Management process, the injury is further insulted in the USA with the SOX 906 penalties against corporate officers.
Auditing Standard No. 5 of the Public Company Accounting Oversight Board (PCAOB), which superseded Auditing Standard No. 2, has the following key requirements for the external auditor to consider in the process of conducting a SOX 404 review:
– Assess both the design and operating effectiveness of selected internal controls related to significant accounts and relevant assertions, in the context of material misstatement risks.
– Understand the flow of transactions, including IT aspects, sufficiently to identify points at which a misstatement could arise.
– Evaluate company-level (entity-level) controls, which correspond to the components of an accepted framework standard.
– Perform a fraud risk assessment.
– Evaluate controls designed to prevent or detect fraud, including management override of controls.
– Evaluate controls over the period-end financial reporting process.
– Scale the assessment based on the size and complexity of the company.
– Rely on management’s work based on factors such as competency, objectivity, and risk.
– Evaluate controls over the safeguarding of assets.
– Conclude on the adequacy of internal control over financial reporting.
Do the BO/CFO and tax manager need more convincing where their corporation's shares are trading on a USA stock exchange?
Toward this compliance, management will have to design and implement internal controls and procedures that will have to be constantly monitored and audited. They will have to accept responsibility for the effectiveness of these internal controls, using suitable control criteria, supported by sufficient evidence, documentation, and a written assessment of the business's internal controls over financial reporting, in respect of the business's most recent financial year. This will include a significant module on the assessment of the business's tax position.
To comply with SOX 404, there are three basic risk types to assess and monitor:
– Compliance with various regulatory laws
– Financial reporting
These requirements compare to the requirements mentioned in the rest of the special report to cover key tax risk areas in any business. The thing about a SOX 404 process that goes into the effectiveness of a business's internal controls over financial reporting is that material weaknesses must be disclosed to the SEC, and if there is one or more material weakness, management is not permitted to conclude that its internal controls are effective. This will have repercussions in the investment arena; and apart from the SEC reporting requirement, if the material weakness is a tax-related issue, additional consequences will flow under the FIN 48 requirements, which in turn will draw the attention of the IRS.
In a sense, businesses subject to SOX 404 are really forced to conduct a tax risk management (TRM™) strategy, particularly if one considers that in practice many material weaknesses reported to the SEC under SOX 404 are tax related.
Material weakness in the context of SOX 404 means a significant deficiency that, by itself, or in combination with other significant deficiencies, may result in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.
By way of concluding remarks, in a study done by Deloitte, the following threats to compliance have become evident in working with various businesses, giving rise to SOX 404-related concerns:
– lack of a business-wide executive-driven internal control management program
– lack of a formal business risk management program
– inadequate controls associated with the recording of nonroutine, complex, and unusual transactions
– ineffectively controlled postmerger integration
– lack of effective controls over the IT environment
– ineffective financial reporting and disclosure preparation processes
– lack of formal controls over the financial closing process
– lack of current, consistent, complete, and documented accounting policies and procedures
– inability to evaluate and test controls over outsourced processes
– inadequate board and audit committee understanding of control risk