Sarbanes Oxley: the architecture for operations risk management

Date post: 30-Oct-2014
Upload: kishore-jethanandani
Description:
Enterprise Risk Management is increasingly important as Sarbanes Oxley raises the costs of lapses in corporate governance. Companies have to learn to preempt disasters and other causes of shortfalls in performance
Page 1: Sarbanes Oxley: the architecture for operations risk management

EXECUTIVE SUMMARY

The Sarbanes Oxley Act 2002 seeks to lay the ground for a culture of proactive management of risks, going beyond the reactive approach that has been common so far. Typically, companies were often caught off-guard as unexpected events struck. In order to avoid the embarrassment of unmet expectations, companies took recourse to creative accounting to patch up their financial statements. The Chief Executives had a ready excuse that their responsibilities were limited to providing strategic direction to their companies. Similarly, the directors of boards of companies pleaded that their powers were limited in the presence of an omnipotent CEO and the paucity of access to information.

Sarbanes Oxley ensures that senior executives have greater responsibilities as well as the means to meet them. Thus, the directors of boards of companies will have direct access to company information, and their committees will have independent oversight over important matters such as executive compensation, selection of auditors and governance policy. In turn, the directors will have greater exposure to liability for any negligence in the management of companies. Similarly, the chief executives will now be responsible for not only the strategic direction of the company but also its operational effectiveness. Their hands will be strengthened by the additional support they will receive from the board of directors for strategic planning. In addition, they will also receive much more detailed information about their companies than was possible in the past.

Sarbanes Oxley provides for checks and balances that were not available in the past. Whistleblowers will now have greater protection of the law as well as the opportunity to report fraud in their companies. Similarly, the auditors of companies have to report to the independent audit committees.

Above all, Sarbanes Oxley seeks to make companies more transparent and vigilant by requiring the reporting of all their operational risks as well as the internal controls put in place to monitor them. Any material change in the monitoring of risks has to be reported to the shareholders in real time.

Overall, the Sarbanes Oxley Act seeks to focus the attention of companies on fortifying themselves by anticipating risks all across the enterprise, and on taking preemptive action to guard against the damage those risks could wreak. The bedrock of this model of governance would be the business intelligence infrastructure that will help companies to receive information in real time. This information will be more widely shared among the executives, shareholders and the board of directors. All the stakeholders in the company will have both the opportunity and the resources to put their minds together to effectively manage their companies.


SARBANES OXLEY: METRICS BASED CORPORATE GOVERNANCE

The progress that the Sarbanes Oxley Act 2002 seeks to make in corporate governance is best understood by drawing an analogy with the total quality movement. In the days of statistical quality control, companies looked at quality after the fact and measured defect rates in a sample of their final output. This was not helpful since companies could not undo the damage, i.e., they had no way to recover the costs incurred on the rejections. The Japanese brought about a paradigm shift by implementing systems to produce quality products at the outset. They placed built-in checks on the production floor, where errors in manufacturing were corrected before they were compounded as work-in-progress moved from one stage to another.

Similarly, the message of Sarbanes Oxley is that managements should change from a reactive approach to risky events to a proactive method which anticipates adverse situations, takes preemptive action before an unfavorable course of events snowballs into a crisis, or ensures that the systems and processes are strong enough to weather the buffeting should unforeseen events strike.

Sarbanes Oxley has removed the veil that hid many ills inside corporations. It now seeks real-time information that can materially impact the financial performance of a corporation. Senior management cannot hide behind the familiar ruse that their task is to provide a strategic direction to their companies; they are now required to monitor performance metrics, in real time, to ensure that their companies are not overtaken by unexpected events. Sarbanes Oxley has dramatically raised the standards of transparency and accountability in companies to ensure that they can sustain a consistent level of performance. The key instrument to clean corporations of fraud and inefficiency is to provide detailed information, delivered electronically, to executives, shareholders and regulatory bodies. Strategic and tactical metrics to measure the health of corporations will play a critical role in the governance of corporations in the future.

Sarbanes Oxley also frees the Board of Directors and the Auditors from the cult of the Chief Executive and provides them space to play their roles. Increasingly, they will bring their knowledge and creativity to manage the risks of companies.

Compliance would require data warehouses for the storage of financial and non-financial data affecting risks, and the analysis of that data for continually reviewing strategies for risk management. In this framework, company executives and board members will not have any room to point fingers at someone else, since they would have access to all corporate information and the responsibility to monitor it.

In the past, companies had a knee-jerk reaction to unexpected turns of events and usually were not the masters of their situation. Typically, companies could only patch up their balance sheets when their financial performance fell short. Nothing in the extant corporate governance legislation required them to analyze the root causes of lapses in performance and work towards improving the outcomes over time. Sarbanes Oxley requires companies to take a strategic view of risk and learn from their experiences to improve their model for coping with risk.


KEY PROVISIONS OF THE LAW

Chief Executive’s responsibility for financial statements

A cornerstone of the Sarbanes Oxley legislation is the ownership CFOs and CEOs have for the quality of reporting of the financial health of their company. They are seen as more than the leaders of their companies; increasingly they have to act as stewards responsible for ensuring that all processes in the company are working in the interests of shareholders. Under its Sections 302 and 906, they are required to certify quarterly and annual reports filed with the SEC. The certification confirms that the CEO and CFO have reviewed the reports and can vouch that the reports are truthful, do not omit material information and fairly represent the financial situation of the company. The onus is also on the CEOs and CFOs to have reviewed all procedures and internal controls within the preceding 90 days and to have disclosed material weaknesses in them and any significant changes after the most recent evaluation.

Comprehensive Internal Controls

Fortification of companies by strengthening their internal controls is one of the most important instruments that Sarbanes Oxley uses to improve governance. Any material weakness in the internal controls, and consequently a company’s vulnerability to risk, has to be reported to the shareholders. Under its Section 302, Sarbanes Oxley requires that the CEO and the CFO of the company report on and certify the internal controls established over financial reporting, so that external reporting to shareholders and others is reliable. In addition, the financial reports should disclose any changes in internal controls with a material effect on financial reporting. The independent auditors are expected to establish procedures, as required by Public Company Accounting Oversight Board (PCAOB) Auditing Standard 2, that will enable them to attest to the management’s report on internal controls over financial reporting. They are also required to assess any material change in internal controls affecting the quality of financial reporting, as well as report on the implications of any misstatements.

Furthermore, Sarbanes Oxley, under Section 404, requires that management affirm its responsibility for establishing and maintaining adequate internal control over financial reporting. Managements are also required to assess the effectiveness of internal controls over financial reporting each year. The statement of the management also has to be attested by an external public accounting firm. Finally, Section 404 and PCAOB Auditing Standard 2 require the independent auditor of the company to attest to the management’s assessment of the internal controls, and the management is expected to provide all the relevant documents, including the results of the testing procedures.

PCAOB Auditing Standard 2 also stresses the role Information Technology plays in determining the quality of the control environment, since a great deal of reporting is done with information systems which also have controls built into them, and are more likely to do so in the future. Internal auditors are required to attest to the management’s report on the effectiveness of these systems in financial reporting.

For more information

http://fic.wharton.upenn.edu/fic/cmbt/Sibel%20Ulusoy.ppt#266,9,%20%20What%20Sarbanes-Oxley%20Brings

Auditor Independence

In the past, the independence of external auditors was routinely compromised by conflicts of interest caused by related business dealings in consulting. Sarbanes Oxley and associated operative rules from the Securities and Exchange Commission have created a new environment of greater independence of auditors and focused their attention on improving the quality of information that is shared with shareholders. External auditing companies are now banned from offering not only consulting services but also services such as accounting information systems, appraisal and valuation services, bookkeeping services related to record keeping and financial reporting, actuarial services, internal audit outsourcing services, management functions or expert services, recruitment services, investment banking services and legal services.

Both the Sarbanes Oxley Act and the SEC require external auditors to report to the audit committee, and to report on the critical accounting policies that have been used, the alternative accounting treatments with a discussion of the impact of using each of them, and material communications between auditors and managements. The Public Company Accounting Oversight Board, with enhanced authority, is also now responsible for oversight over the profession as a whole.

For more information

http://www.sba.muohio.edu/abas/2003/vancouver/lee_auditor%20independence.pdf

Board of Directors

Increasingly, directors on boards of companies are expected to play much more active roles in the interest of shareholders. The New York Stock Exchange, consistent with the provisions of the Sarbanes Oxley Act, expects that non-management directors should hold regular sessions without the participation of the management or any other person with a material relationship with it. These regular meetings of the boards are intended for brainstorming without being biased by the concerns of the management or its influence.

Disclosures

The rampant misrepresentation of the financial situation of companies, especially in the technology industry, by the use of pro-forma financial statements is not possible now without additional disclosures to compare them with GAAP-consistent accounting. Under Section 401(b) of the Sarbanes Oxley Act, it is not possible for pro-forma statements to omit any material fact in a way that misrepresents the fair or true position of the company. In addition, companies are now required to provide quantitative measures to reconcile the pro-forma statements with the GAAP-consistent financial statements.


The SEC is also rapidly moving towards real-time disclosures, under Section 409, so that each investor has prompt access to information that will have a material impact on the company. The filing deadlines for quarterly and annual reports have been accelerated by a third. The SEC has also identified items that need to be disclosed in real time.

Fraud

The premise for fraud control is that managements frequently exploit weaknesses in internal controls for their dubious purposes. PCAOB’s Auditing Standard 2, therefore, specifically requires that the assessment of internal controls take into account the susceptibility of the company’s processes to fraud. The internal controls should be able to prevent, deter and detect fraud.

Governance policies

The Sarbanes Oxley Act seeks to encourage explicit discussion of the corporate governance policies that will set a direction for the board and the management. The New York Stock Exchange has operative rules which require that the boards of companies set up a Governance committee, which will spell out the governance principles to be used to evaluate the board and the management.

Executive Compensation

In order to check fraud from earnings management by senior executives, Section 304 of the Sarbanes Oxley Act provides that, where a company restates its financial statements due to material noncompliance, as a result of misconduct, with any financial reporting requirement, the CEO and CFO must reimburse the company for bonus or other incentive-based or equity-based compensation received during the 12-month period following issuance of the financial statements, and for profits realized from the sale of equity during the same period.

Protection of Whistleblowers

Sarbanes Oxley has provided added protection to whistleblowers who can establish a prima facie case of retaliation when they report malfeasance in the company. The instrument for achieving this goal is the change in the burden-of-proof rules, which are now in favor of employees. If they submit evidence that their protected activity was a contributing factor in the adverse employment action, a presumption of retaliation is created. In order to defeat this presumption, the employer must establish, by clear and convincing evidence, that it would have taken the same action with respect to the employee regardless of the alleged protected activity.

For more information

www.goodwinprocter.com/publications/LE_SOX_whistleblow_05_04.pdf

Compensation Committees

Sarbanes Oxley does not explicitly spell out rules governing compensation, in order not to restrict the freedom of companies to make their own decisions. However, the New York Stock Exchange governance rules require the Boards to form independent compensation committees which have the authority to decide on compensation policies consistent with the business goals of their companies. They are also required to make decisions on the incentive component of compensation and ensure that it is effective in achieving the performance goals of the company. Compensation committees are also expected to seek advice from compensation consultants about executive pay.

Audit Committees

Sarbanes Oxley has sought to govern auditors at the board level in order to avoid the conflicts that can happen with the management. These audit committees are composed of directors and have the responsibility to ensure that the financial statements of the company and the internal controls are consistent with the regulatory policy. The audit committees are also required to discuss the company’s exposure to risks and the means to manage them.

For more information

www.nyse.com/pdfs/finalcorpgovrules.pdf

http://www.thelenreid.com/articles/article/sec_corp_gov_chart_idx.htm

SARBANES OXLEY: DEPARTURES FROM THE PAST

Executive Compensation

Sarbanes Oxley recognizes that the mode of compensation, an increasing share of equity and equity options in the packages that executives received, was responsible for the frauds that were committed at several large companies. This kind of compensation created incentives for fudging the balance sheet and the income statement to engineer stock price increases. In addition, severance packages are overly generous. A 2003 survey by McKinsey, a management consulting firm, found that 52% of the directors of companies believe that executive compensation is way too high. Academic literature also finds significant correlations between a high component of equity compensation and symptoms of fraud such as accounting restatements, high proportions of accruals, capitalization of expenses, etc. A widely quoted study by a professor from the business school of the University of Chicago reports that in a sample of 50 firms accused of fraud by the SEC, by contrast to another 50 companies which were not, a clear pattern of a higher-than-average component of stock compensation was found in the former sample. Other studies also confirm that companies are more likely to be subject to enforcement action if their boards are dominated by the management and they don’t have a block holder or an audit committee.

Severance pay is another contentious aspect of executive compensation, often patently unrelated to performance. A striking case is the approval of a $140 million severance package for Michael Ovitz by the Disney Board in response to a request from CEO Michael Eisner, in 1996. Ovitz had hardly worked a year as Disney's president when Eisner decided he wasn't the right man for the job.


Increasingly, governance bodies are concerned that executive compensation does not reflect the performance of the chief executive. While equity compensation is a means to address the agency issue by tying together the interests of owners and managers, the executives also undeservedly benefit from the overall increase in market indices unrelated to the financial performance of the company. In addition, severance pay, retirement benefits and a host of other fees paid to former executives are not related to performance. While Sarbanes Oxley has not specifically mandated any rule for the compensation of executives, it does vest authority in compensation committees to decide whether executive pay is consistent with the overall interest of the company.

For more information

http://www.ncnacd.org/Summaries/November%2020%202003%20Summary.pdf

http://www.cfo.com/article.cfm/3011471/1/c_3046605?f=insidecfo

“The Economics of Earnings Manipulation and Managerial Compensation”, by Keith J. Crocker and Joel Slemrod, February 2005

“Is there a link between Executive Compensation and Accounting Fraud”, by Merle Erickson, Michelle Hanlon and Edward Maydew, February 2004.

Beyond GAAP

Traditionally, the accounting profession has followed the principles laid down in Generally Accepted Accounting Principles (GAAP) when preparing the financial statements of a company. GAAP, however, is not necessarily a means to present a representative or fair picture, since it has several vague definitions of important terms like materiality. GAAP also creates room for judgments on the treatment of special items, besides the scope it allows for estimates of a variety of items.

Under U.S. GAAP, an item is considered material if it has the potential to influence the judgment of a financial statement reader. Since the term material has not been rigorously defined, it is often hard to pin down just when creative accounting has a material impact. Typically, auditors look at quantitative measures; for example, an item that does not change net income by more than a tiny percentage is considered immaterial. Similarly, it is hard to tell the threshold for the materiality of changes in the policies towards estimates.

The rising number of incidents of earnings management in the 1990s was indicative of the significance that executives attached to the weaknesses in GAAP. The percentage of Industrial companies reporting special items climbed from 48% in 1989 to 71% in 1998. Reports of special items among Mid-Caps and Small-Caps moved from 31% to 53% and from 32% to 42%, respectively. On average, among companies with positive earnings before special items, 68.4% of special items reported were negative. The corresponding statistic for companies with negative earnings before special items was 82.9%.

SEC’s Accounting Bulletin No. 99, issued to clarify operative aspects of Sarbanes Oxley, requires that accountants take both quantitative and qualitative considerations into account before making a judgment on the materiality of an accounting policy. The facts “surrounding the circumstances” and the “total mix” of information have to be assessed before coming to a decision, just as the Supreme Court mandated in several landmark cases.

For more information

www.findarticles.com/p/articles/mi_qa3972/is_200210/ai_n9119297/pg_3

http://www.sec.gov/interps/account/sab99.htm

Audit Committees

Sarbanes Oxley has significantly raised the stature of the audit committees and requires them to have the competence, the independence and the knowledge to be capable of their fiduciary roles. In the past, directors and audit committees were protected, by the business judgment rule, from liability suits as long as they were taking decisions with due care, after evaluating all the material information, and in good faith and honest belief that they were acting in the best interests of the company and its shareholders. Sarbanes Oxley has raised the standards which are required before directors will be immune to lawsuits.

One recent case of the use of an expanded set of standards for defense under the business judgment rule is the suit filed by shareholders against the CEO of Oracle and some of its Directors for insider trading. A group of Directors, members of a specially set up litigation committee, investigated the matter and came to the conclusion that the accused did not have access to non-public information, so an insider trading charge could not be valid. However, the shareholders countered by pointing out that the Directors of the committee were not independent; some of the committee members were professors at Stanford, and some of the defendants were donors to the University or professors. The courts were willing to use soft criteria to judge whether the relationship could have biased their decisions.

At the same time, the audit committees have the means to act with better judgment. One important requirement of the current corporate governance laws is that they should have a financial expert capable of judging the quality of financial reporting by internal and external auditors. They are also expected to confer with external experts to come to their decisions.

In addition, audit committees now have greater access to information, which flows to them directly without the mediation of the Chief Executive. A KPMG survey in the spring of 2002 found that nearly 19.2% of them were not receiving the critical accounting information, judgments and estimates needed to ensure the quality of reporting. Following the Sarbanes Oxley Act, the audit committee is expected to seek information on the business, legal and financial risks, besides keeping abreast of issues related to the competitive, regulatory and economic environment of the company.

For more information

http://www.cfo.com/article.cfm/3011471/1/c_3046605?f=insidecfo

http://www.thelenreid.com/articles/article/art_204.pdf


Fraud

Fraud in corporate America is not as exceptional as would seem from sound bites focused on Enron. According to surveys by the Association of Certified Fraud Examiners (ACFE), fraudsters and white-collar hackers caused the loss of 6% of the revenue earned by companies, or $600 billion, in 2002 ($2 million for each company). Just how ineffective the current controls are in checking this fraud is indicated by the fact that an average scheme lasted 18 months before it was detected, if at all.

The malfeasance in Enron could not have been exposed without the whistleblowers. A report by the ACFE found that tips accounted for the highest share of fraud detected, i.e., 43% of all cases. Additionally, tips accounted for 51% of the frauds committed by owners and executives. Yet the experience of whistleblowers in the past has been that they are not rewarded for the risks they take; the more likely possibility is that they will be hounded for sticking their necks out. The Sarbanes Oxley Act, together with related proposals from NASDAQ and the NYSE, requires that the audit committee establish procedures for receiving and reviewing complaints submitted without an ulterior motive in mind. Companies are also required to build confidence so that employees don’t fear any retaliation should they decide to report untoward accounting methods.

Fraud is most frequently perpetrated by senior executives in a company. According to the Wall Street Journal (July 8, 2002), 70% of corporate frauds involved the CEO. The losses incurred were much lower, by a factor of nearly fifteen, when an employee was involved instead of a senior executive of a company. In the past, chief executives could override any dissent within a company to escape the consequences of their crimes.

Sarbanes Oxley has strengthened the hands of audit committees within the boards to ensure that they report any management override. Fraud is also often reflected in unusual journal entries, often at the time of the close of accounts. The Sarbanes Oxley Act, under its Section 404, requires reporting on control systems and their internal auditing so that shareholders know whether the company has the processes to detect such fraudulent activities.

For more information

www.deloitte.com/dtt/cda/doc/content/us_assur_Antifraud%20whitepaper.pdf

http://www.oversightsystems.com/whitepapers/Control_tradeoffs.pdf

http://www.cfenet.com/pdfs/2004RttN.pdf

Internal Controls and Risk Management

Sarbanes Oxley implicitly goes beyond traditional financial accounting at a given point in time, or at the end of the financial year, by requiring that auditors examine both the internal controls over financial reporting and the financial reports themselves for any material weaknesses. Since the tests for the material weakness of financial statements can only be done over a period of time, they end up scrutinizing the stability of the finances of companies over an extended period.

The Public Company Accounting Oversight Board spells this out in its Auditing Standard 2, which requires company-wide operating effectiveness of controls. Operating effectiveness can only be tested over a number of periods of time. The reconciliation of cash receipts, for example, would be free from material weakness if the test is successful for a number of days or months. Similarly, controls over debt management would not be complete unless the auditors also study the controls over all the inter-connected departments of the company and the effect each of them separately, and all put together, could have on the solvency or the financial health of the company.

The comprehensive examination of the controls and of the exposure of the company to operating risks has broken new ground, since it takes an integrated view of the exposure of the company to risks. This is only a short step away from enterprise risk management systems.

For more information

http://www.nysscpa.org/cpajournal/2005/505/essentials/p22.htm

http://www.kpmg.ie/seminarslides04/sarbanes.pdf

http://www.pcaobus.org/

SARBANES OXLEY: IS IT PERFORMING?

Costs and Benefits of Compliance

Sarbanes Oxley sweeping provisions greatly add to the costs of compliance without a doubt.

Most companies see compliance as a sunk cost for the long-term benefits of credibility and

efficiency benefits that will extend over many years. In addition, they expect that the costs of

compliance will decline as companies as systems are put in place and companies learn to

automate their processes. Currently, many companies are unsure about the benefits they will

actually reap and the means to automate compliance in a situation where processes are hard to

standardize.

According to widely quoted figures from Foley and Lardner, the costs of compliance for companies with sales turnover of less than one billion dollars were about $2.86 billion in financial year 2003, up from $2.12 billion in financial year 2002; the corresponding figure for companies with revenues in excess of $1 billion is $7.4 billion. The major components of costs were Directors and Officers Insurance, lost productivity and accounting.

Figures have been presented in a variety of ways depending on how they are collected. Other sources such as Parson Consulting indicate that 50 percent or more of overall corporate governance cost revolves around process improvement, controls documentation, testing and adapting controls to changing needs.

In more recent years, however, companies are also increasingly reporting benefits from their investments in compliance with Sarbanes Oxley. In a survey of 200 financial executives by Oversight Systems, 49% of them reported that the risk of fraud and errors has been reduced, 48% of them agreed that their financial operations are now more efficient and 31% reported lower error rates.

Furthermore, companies will be increasingly focused on lowering costs through automation of their compliance processes. As many as 60% of them have plans to implement technology to automate their manual processes.

For more information
http://www.complianceweek.com/_articleFiles/foley-lardner-052504.pdf
http://www.businessfinancemag.com/magazine/archives/article.html?articleID=14276
http://www.oversightsystems.com/whitepapers/2005_Oversight_Report_on_SOX.pdf
http://www.fei.org/advocacy/sarbanesoxley.cfm

Transformation of Board of Directors

A charismatic and omnipotent Chief Executive Officer has long been the hallmark of the American corporate sector, while the Directors on Boards of companies have been content to remain passive. Sarbanes Oxley has significantly raised the profile of Directors and expects them to provide alternative perspectives besides their monitoring role in companies. Eventually, directors of companies are expected to contribute to strategy formulation, refine the culture of their companies as well as manage strategic risks. Accounting problems, in the final analysis, are caused by failures of strategy or the inability to read the early warnings of stress on corporations. Directors have to be willing to analyze relevant information, suggest solutions and supervise the implementation of strategies.

A pre-requisite for a more active role for directors is the separation of the roles of Chairman and Chief Executive, or the vesting of greater authority in the Board of Directors in some other form. In a recent survey conducted by AT Kearney, it was found that 61% of the companies had a lead or presiding director, and 43% of those had appointed one in the year before the survey in 2004. The same survey also shows that the large majority of directors do not favor the separation of the roles of Chairman and Chief Executive Officer. The diminished role of Chief Executives is evident from the fact that the Chairpersons of Committees are selected by the Boards in 50% of the cases, up from 24% in 2002.

Willingness to acquire knowledge of the financials of the company, as well as of its competitive and industrial environment, would prepare the directors to participate in the decision making process. In the past, they had neither direct access to the details of the financials of the company nor the knowledge and interest to ensure the integrity of the reporting. Recent surveys indicate that a significant number of the members of Boards (66%) as well as of their Audit Committees (71%) are gaining an understanding of the finances of their companies and knowledge of their internal controls, which they need in order to understand the many nuances of chicanery in accounting methods. The internal auditors of companies are also reporting directly to the Audit Committees. The intended objective of Sarbanes Oxley, to increase the independence of the Boards of companies together with commensurate access to information and responsibility for the outcomes in companies, is being achieved.

Boards still have to make a great deal of progress before they can contribute to the performance of companies and shareholder value. They are still pre-occupied with ensuring the compliance of their companies with the existing regulations (74% report active involvement), while 32% report active involvement in improving the performance of companies. The Boards of Directors rate their effectiveness in examining problems and monitoring financials as relatively high, at 49% and 43% respectively, while the corresponding figures for guiding strategies and managing risks were 21% and 16%. The achievement of this objective will depend greatly on the availability of relevant information about the company in real time.

For more information
http://www.atkearney.com/shared_res/pdf/Corporate_Boards_S.pdf

Independence of External Auditors

External auditors now need to exercise independent judgment when they review the accounts of their clients and attest to management's assessment, if they are to continue to qualify for registration with the Public Company Accounting Oversight Board. There is also evidence to show that they are beginning to prevail. Instead of browbeating their external auditors or dismissing them in the event of a dispute over material weaknesses or disclosures, managements are learning to be more constructive and to disclose their plans to improve their processes, or else face the prospect of a drastic decline in their share prices.

A recent case of the increasing independence of external auditors was revealed in the case of Molex, the Chicago-area electronics maker. The company's auditor, Deloitte & Touche, quit when its CEO and chief financial officer refused to disclose in the audited results an accounting error worth 1% of net income, and were supported by their board.

The firm followed up by filing a trenchant account of the incident with the SEC. That sent a signal to other auditors, who would not have worked for Molex again as long as the CEO concerned was involved. The directors had to reverse their decision, and they decided to oust the CEO.

For more information
http://www.businessweek.com/magazine/content/05_17/b3930015_mz001.htm
http://www.cfo.com/article.cfm/3126520/1/c_3148382?f=archives
http://www.theiia.org/index.cfm?doc_id=5161

Quality of Financial Reporting

Financial statements, such as the balance sheet and the income statement, have long been amenable to manipulation euphemistically known as creative accounting. These statements report the financial situation of a company for a given year, while the accounting for revenues and expenses extending beyond the year is subject to a variety of special rules. Revenue recognition for earnings from construction contracts, for example, can be by the percentage of completion method or the completed contract method. The percentage of completion method is prone to subjective interpretation, while the completed contract method can present an overly positive picture of a company for the year in which revenues are recognized, at the time a contract is fully completed. Misrepresentation of the financial situation of companies has grown as emerging industries like software and telecom, as well as new business models involving off-balance sheet financing, have appeared in recent times. In addition, pro-forma statements became a regular feature, especially in press releases of companies in the 1990s, and a means of deception. Pro-forma statements exclude one-time expenses, such as goodwill expensing or write-offs of inventories, and help to focus attention on cash flows, which are widely seen as a measure of the health of a company. Over time, companies found them a convenient method to distract attention from their long-term liabilities.

Recent surveys indicate substantial improvement in oversight of the frequently manipulated aspects of accounting (mean response of 46%), such as revenue recognition, closing entries and estimates (62%) as well as accounting estimates (46%).

For more information
http://www.benbest.com/business/newecon.html
www.theiia.org/iia/download.cfm?file=1617

Redesign of Business Processes

Sarbanes Oxley calls for real time reporting of material facts about the financial health of the company, going beyond the quarterly and annual reporting that has been common in corporate America so far. Increasingly, companies are under pressure to accelerate the flow of information and to improve its quality and accessibility to keep pace with the reporting requirements of Sarbanes Oxley. A recent Ventana study found that 80% of executives agreed that fundamental process and financial system design is important or very important for compliance. Executives also identified "harmonizing the company's charts of accounts" and "reducing spreadsheet use" as important goals. A harmonized design of accounts across the company can facilitate consolidation and consistency of data and its reporting, besides simplifying external audit processes. Routine processes, such as accounts payable, are accounted for in a variety of ways, which contributes to inconsistency in data.

Sarbanes Oxley requires the documentation of the audit trail, but this is hard to achieve as financial processes are typically spread over numerous spreadsheets, hosted on a variety of IT systems, which are hard to audit and are replete with flawed formulas. In a survey conducted by IDC, jointly with Revenue Recognition Magazine (a unit of CFO.com), 63 percent of respondents believed that spreadsheets are prone to errors, 58 percent cited the lack of an audit trail and 56 percent said they lacked internal controls. It is also hard to build controls to ensure quality in the preparation of spreadsheets, which can often conceal fraudulent schemes. The separation of duties that controls over these spreadsheets would require demands a disproportionate auditing effort.


The shorter reporting intervals mandated by Sarbanes Oxley require companies to streamline individual processes such as the cycle time for financial closure, procure-to-pay and the order-to-cash cycle.

Business Intelligence systems are expected to achieve the goals of consolidating data, improving its quality and reporting it rapidly.

For more information
http://www.revenuerecognition.com/printarticle.cfm/3468589
http://www.intelligententerprise.com/print_article.jhtml?articleID=56200373

Awareness of Risk

Sarbanes Oxley's focus on instituting controls over the finances and operations of companies has made them transparent to their own managements. The detailed and on-going monitoring of these controls also increases knowledge of the risks that they are expected to mitigate. Since Sarbanes Oxley requires reporting on both financial and operating risks, companies now have the ability to analyze their financial performance based on their knowledge of their operations. For example, theft in retail chains is endemic and can have a deleterious effect on their financial performance. Auditing of controls would reveal how the managements of retail stores try to stem losses from theft and the problems they face in doing so. The information about incidents of theft is made available not only to the store managers but also to the senior management and the boards of directors, who can then consider means to lower the losses from theft by buying insurance, reinforcing security or using video technology as a deterrent.

The greater awareness of risk within the enterprise paves the way for using analytical methods to find its causes and to devise strategies to overcome it. For example, store managers have to make decisions about the inventory they need to stock. If they make mistakes, the company is likely to suffer losses. The sharing of information within the company that Sarbanes Oxley enables helps senior management to bring to bear analytics, such as the impact of economic, demographic and competitive factors on sales, to make better decisions about stocking.

In the past, individual departments in marketing or operations made assessments of their own risks and very rarely shared them with others. Sarbanes Oxley has put in place an institutional process where the risks affecting all departments can be gathered and analyzed in all their interdependence. Companies can now look at their business, financial and operational risks and understand how they interact with each other. Companies have a measure of the risk associated with their strategies and can decide how much risk they are willing to undertake.

For more information
http://www.kpmg.ca/en/services/advisory/err/documents/complianceJourney.pdf

Performance Metrics and Financial Performance

In the aftermath of Sarbanes Oxley, boards and shareholders have been increasingly concerned about transparency in measures of performance and their predictability. According to a survey of the BPM Forum, 82% of Board members felt that performance data was increasingly important in their discussions. Financial earnings have been the much-used and abused measure of performance, which often does not present a consistent picture of the achievements of companies. Non-financial data, when seen together with the financial data, is likely to forewarn investors about latent problems in companies. Trends in customer satisfaction are one such measure that investors could use to predict future financial performance. In the early 1990s, for example, Apple was a famously successful company much admired for the quality of its products. Customer satisfaction data would have revealed that consumers were increasingly dissatisfied with the pricing of the company. As many as 91% of the respondents in the BPM survey indicated that companies do not have the operational data required to predict financial health and performance.

Pemstar, a manufacturer of printed circuit boards, realizes that it will need to monitor both financial and operating parameters to comply with Sarbanes Oxley. It has deployed a data warehouse and analytical software that draws on operational data from its ERP system. The senior executives are now able to read the operating metrics on their desktops, understand the financial implications of an unexpected turn of events and report them.

www.optimizemag.com/article/showArticle.jhtml?articleId=17700918&pgno=2
http://www.bpmforum.org/
http://www.managingautomation.com/maonline/magazine/read/753675?page=1

INFORMATION MANAGEMENT AND THE FUTURE OF SARBANES OXLEY

Managing Risks Across the Enterprise

Corporations are rethinking their strategies towards the management of risk in the future in order to comply effectively with the Sarbanes Oxley Act. Increasingly, companies are implementing Enterprise Risk Management Systems and employing Chief Risk Officers to govern their strategies for risk across the enterprise. Companies no longer want to be taken by surprise and incur losses as they are hit by unexpected events. They now realize that their ability to manage risks depends on anticipating risks, detecting them more effectively by looking at them in all their interdependence, and fortifying their systems to withstand shocks. Some of the more sophisticated corporations, such as Microsoft and Boeing, implemented such systems in the past, independent of regulatory policy, while other companies are following in their steps under pressure from new laws such as Sarbanes Oxley, Basel II, etc. A recent survey indicates that 50% of financial executives believe that they integrate their SOX compliance with Enterprise Risk Management. This best practice has been spelled out, in all its details, in the seminal document of the Committee of Sponsoring Organizations of the Treadway Commission on the subject.

The conceptual breakthrough that undergirds the new approach to risk management is the realization that business risk, financial risk and operational risk feed on each other and compound the impact of any one type of shock to a company. Operational risk, such as fraud in the company, can create a liquidity crisis for the company. Similarly, business risk, such as loss of intellectual property from outsourcing of business processes overseas, could lead to the bankruptcy of a company. The vulnerability of companies has increased with the growing reliance on sophisticated financial instruments, an extended enterprise and information technologies.

Increasingly, companies realize that they need to create a culture in which employees at all levels respond to unnoticed sources of risk in any corner of the enterprise and communicate them to the rest of the organization. This is facilitated by Enterprise Risk Dashboards, which help to communicate potential threats to the company and galvanize organizations to react rapidly before a crisis goes out of control.

An example of enterprise wide management of risks is the case of TriQuint Semiconductor Inc., a Hillsboro, Ore.-based supplier of communications components and modules. As part of its compliance effort, TriQuint is conducting a risk assessment of all the business processes that affect its balance sheet and income statement. That evaluation is helping the company uncover latent risk across all five of its divisions. TriQuint's combined Sarbanes-Oxley and ERM efforts have helped it to gain insight into risks in the businesses it acquires. Typically, mergers fail when the cultures of two different companies clash. TriQuint has made several acquisitions in recent years, and some of those businesses have operations outside the United States. The company has been able to identify and discuss the risks new acquisitions face, including exposures related to specific cultural and regulatory environments.

For more information
http://www.asse.org/jameslam.ppt#256,1,Slide 1
http://www.coso.org/
http://www.oversightsystems.com/whitepapers/2005_Oversight_Report_on_SOX.pdf
http://www.businessfinancemag.com/magazine/archives/article.html?articleID=14193&pg=3
http://www.cio.com/archive/110104/risk.html

Streamlining business processes

Many companies are complaining about the high costs of compliance with Sarbanes Oxley, while others are using the opportunity to raise the efficiency of their business processes. The thorough investigation of processes that is now possible would otherwise have been stymied by turf battles within companies.

One distinctive case of remarkable improvement in business processes is Owens Corning, which used the opportunity to review and reorganize business processes in all its 115 plants spread around the world. The company's managers distilled the company's income statement, balance sheet and disclosures into 16 business cycles (e.g., the order-to-cash cycle) and vested ownership of each of them in a project manager with the responsibility to design internal controls. The company's executives identified the best control system for each of these processes across all their plants and decided to implement it in all the other plants.

For more information
http://www.businessfinancemag.com/magazine/archives/article.html?articleID=14276&pg=5

Business Intelligence Systems

Business Intelligence software is the technology of choice to go beyond the Ken Lay defense: "That wasn't my responsibility -- it was the fault of internal audit, the external auditor or the accounting department." The message from Sarbanes Oxley is "The buck stops here, period." CEOs and CFOs have to find a way to be aware of every beat of the pulse of business activity in their company even as they are absorbed with strategic management. Companies agonize over the potential of compliance to add several layers of bureaucracy and slow down the decision making process. The smarter companies, on the other hand, are integrating their business intelligence systems with their compliance systems to monitor activity in their companies without being intrusive. For example, the monitoring of fraud can happen by keeping track of unusual or suspicious transactional activity. Auditors can then focus their attention on the transactions that are most likely to be fraudulent.

Automation of compliance has also yielded the unintended benefit of uncovering information that was spread out over myriad Excel sheets and other formats. The thoroughgoing review of controls and procedures has enabled companies to unearth this information and to begin to analyze it for their strategic planning. One case of this is Crown Media, which decided to upload its entire Excel data onto new compliance and business intelligence software. In addition, the software has the ability to create processes for monitoring each financial transaction. If a transaction is conducted by an unauthorized person or without the approval of the assigned person, the program triggers a warning.
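As an added illustration (not Crown Media's software or any vendor's code), the following Python shows the kind of transaction-monitoring rule the paragraph describes: each record is checked against a constructed authorization matrix, and a warning is raised when the transaction was conducted by an unauthorized person, lacks approval, or was approved by someone other than the assigned approver. The roles, transaction types and ledger entries are all constructed for the example.

```python
"""Control monitoring over financial transactions: flag any transaction that
was initiated by an unauthorized person, has no recorded approval, or was
approved by someone other than the assigned approver (including the initiator
approving their own work). All roles and records below are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed authorization matrix (hypothetical roles, not from any real
# company): for each transaction type, who may initiate and who must approve.
AUTH_MATRIX = {
    "vendor_payment": {"initiators": {"ap_clerk_1", "ap_clerk_2"},
                       "approvers": {"ap_manager"}},
    "journal_entry": {"initiators": {"gl_accountant"},
                      "approvers": {"controller"}},
}


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    txn_type: str
    amount: float
    initiated_by: str
    approved_by: Optional[str] = None  # None means no approval was recorded


@dataclass(frozen=True)
class Finding:
    txn_id: str
    rule: str
    detail: str


def check_transaction(txn: Transaction, matrix=AUTH_MATRIX) -> list[Finding]:
    """Return the control warnings for one transaction (empty list = clean)."""
    findings: list[Finding] = []
    rules = matrix.get(txn.txn_type)
    if rules is None:
        # A type absent from the matrix has no defined control at all, which
        # is itself a documentation gap worth surfacing to the auditors.
        return [Finding(txn.txn_id, "UNKNOWN_TYPE",
                        f"no control defined for type {txn.txn_type!r}")]
    if txn.initiated_by not in rules["initiators"]:
        findings.append(Finding(txn.txn_id, "UNAUTHORIZED_INITIATOR",
                                f"{txn.initiated_by} may not initiate {txn.txn_type}"))
    if txn.approved_by is None:
        findings.append(Finding(txn.txn_id, "MISSING_APPROVAL",
                                "no approval recorded"))
    else:
        if txn.approved_by not in rules["approvers"]:
            findings.append(Finding(txn.txn_id, "APPROVER_NOT_ASSIGNED",
                                    f"{txn.approved_by} is not the assigned approver"))
        if txn.approved_by == txn.initiated_by:
            # Separation of duties: nobody approves their own transaction.
            findings.append(Finding(txn.txn_id, "SELF_APPROVAL",
                                    f"{txn.initiated_by} approved their own entry"))
    return findings


def monitor(transactions: list[Transaction]) -> list[Finding]:
    """Run every transaction through the control checks."""
    return [f for t in transactions for f in check_transaction(t)]


def rules_by_txn(findings: list[Finding]) -> dict[str, list[str]]:
    """Summarize findings as {txn_id: [rule, ...]} for an auditor's worklist."""
    summary: dict[str, list[str]] = {}
    for f in findings:
        summary.setdefault(f.txn_id, []).append(f.rule)
    return summary


# Constructed sample ledger: one clean entry and four different control failures.
SAMPLE_LEDGER = [
    Transaction("T1", "vendor_payment", 1200.00, "ap_clerk_1", "ap_manager"),
    Transaction("T2", "vendor_payment", 9800.00, "intern_7", "ap_manager"),
    Transaction("T3", "journal_entry", 450.00, "gl_accountant", None),
    Transaction("T4", "vendor_payment", 3100.00, "ap_clerk_2", "ap_clerk_2"),
    Transaction("T5", "petty_cash", 75.00, "ap_clerk_1", "ap_manager"),
]

if __name__ == "__main__":
    for finding in monitor(SAMPLE_LEDGER):
        print(f"WARNING {finding.txn_id} {finding.rule}: {finding.detail}")
```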

Crown Media is realizing a benefit from this investment which it had not expected at the outset. The new software has made the company's data available throughout the company and accessible anywhere in it. The data on advertising contracts is no longer buried in some spreadsheet in an obscure corner of the company. This has enabled Crown Media to conduct marketing campaigns involving sales and other operations, realizing business benefits that are generally achieved only by its larger competitors.

The appetite for new technologies for compliance varies across companies, and most were, until recently, unwilling to take the plunge and preferred to adapt their content management infrastructure for compliance purposes. Lately, however, companies have shown a much greater interest in integrating their internal controls with enterprise management systems as they realize that they can recoup their investments in processes by reaping the benefits of better risk management.

The more significant benefits of information sharing will be realized when company management, including the Boards of Directors, is able to use the information from dashboards to guide the destiny of their companies. According to the AT Kearney survey cited above, the large majority of directors felt that the lack of tools and processes providing early warning signs (41%) was the single most important barrier to their effectiveness, followed by the lack of adequate and relevant information for their needs (22%) and board culture close behind (21%). An overwhelming majority still rely on management presentations (90%), while only 6% use dashboards. Most directors expressed dissatisfaction with their current sources of information and would prefer forward-looking information with details of performance data such as shifts in repeat customers, demographics and customer segments, and sales performance data, all of which is more readily available from dashboards.

For more information
www.cioinsight.com/print_article2/0,2533,a=127248,00.asp
www.oversightsystems.com/whitepapers/2005_Oversight_Report_on_SOX.pdf

Chief Risk Officer

Companies are finding it increasingly burdensome to meet all-pervasive compliance requirements as they are required to monitor operating risks. The Chief Risk Officers (CROs) are symptomatic of the transition towards enterprise risk management systems and increasingly strategic perspectives towards regulatory compliance. According to a survey conducted by the Economist Intelligence Unit, 45 percent of the companies interviewed had already appointed a CRO or equivalent, predominantly in the financial services sector. In other industries, one in four companies is planning to appoint a CRO. The Chief Risk Officer has become the point person who takes on the onus for all compliance with the regulations of Sarbanes Oxley.

The Chief Risk Officers are taking on the all-important role of managing enterprise wide risks. In a survey of the insurance industry, it was found that 39% of the respondents noted that chief risk officers have the primary responsibility for risk management, up from 19% in 2002. And 40% of chief risk officers now report to the CEO, an increase from 26% in 2002.

The growing importance of the Chief Risk Officers reflects the need for a new breed of finance employees with a forte in strategic financial planning. According to a survey reported by CFO magazine, 79 percent of the respondents chose "strategic financial thinking" as one of the top three qualities they would value in a new CFO. This contrasts with the qualities of a traditional finance executive such as "champion of financial transparency" (36 percent), "zero tolerance toward accounting errors and fraud" (34 percent), and "operational experience running parts of the business" (30 percent).

http://www.keepmedia.com/pubs/InsuranceNetworkingNews/2005/04/01/795704?page=2
http://www.cfodirect.com/cfopublic.nsf?opendatabase&content=http://www.cfodirect.com/cfopublic.nsf/vContent/MSRA-659QSM?Open
http://www.gvsi.com/download/editorials/World-Energy-Jul-04.pdf
http://management.silicon.com/government/0,39024677,39130302,00.htm
http://www.cfo.com/article.cfm/3013927/c_3042575?f=TodayInFinance_Inside
