Cover Page


Effective Enterprise Risk Management


Wiley Logo

To my parents


I would like to express sincere appreciation to Kathleen Hajduk and Robert Grenhart for their valuable contributions.


Through my work with public and private entities of all sizes in developing Sarbanes-Oxley compliance programs, the question I receive most often is “Once you establish compliance with Section 404, what’s next?” This book guides corporate accounting and financial executives through the requirements and value-added activities in the post-initial compliance environment. It demonstrates how to monitor and maintain strong internal control systems within finance and accounting operations. In addition, it outlines how to leverage the knowledge harvested through regulatory compliance to improve financial management and make the organization more efficient. In this book, I also suggest new ideas on how to identify and mitigate threats to the financial control environment. My objective for this book is to show readers how to meet compliance requirements, as well as build on initial compliance activities to improve the financial management processes.



Enron, Arthur Andersen, WorldCom, Tyco, Adelphia. These companies have become household names mostly because of their past display of corporate greed, fraud, and accounting improprieties. The offenses of these few organizations are not representative of the majority of more than 15,000 public companies in the United States, yet the results of their abuses are far reaching. When the details of corruption emerged, and stock prices and retirement savings plummeted, the American public became outraged and demanded reform. On July 30, the U.S. Congress answered this public outcry for change and enacted the Sarbanes-Oxley Act of 2002 (the “Act”).

The Act was signed into law to improve the accuracy and transparency of financial reports and corporate disclosures, as well as to reinforce the importance of corporate ethical standards. As a result, the Securities and Exchange Commission (SEC) issued rules outlining the provisions of the Act. In addition, the New York Stock Exchange (NYSE), the American Stock Exchange (Amex) and the over-the-counter Nasdaq Stock Market (Nasdaq), have all significantly modified the standards for listing stocks on their exchanges. Many view the Act’s provisions for internal controls over financial reporting (Section 404) and executive certifications (Section 302) as painful and costly to implement with little derived benefit. Others see the mandated changes as an opportunity to implement best business practices, drive greater performance, and boost investor confidence.


The Act is the most significant legislation impacting the accounting profession since the Securities Acts of 1933 and 1934, which it amends. It addresses a wide range of matters relevant to publicly held issuers and their auditors, including auditor oversight and independence, corporate responsibility for financial reports, and enhanced financial disclosures. The Act is composed of 11 Titles as outlined below.

Title Summaries

Title 1. Public Company Accounting Oversight Board (PCAOB or “Board”)

The Act establishes the board as a private, nonprofit company funded by annual accounting support fees assessed to issuers1 (as defined in Section 3 of the Securities Exchange Act of 1934 (15 U.S.C.78c)). The board’s duties include the mandatory registering of public accounting firms that prepare audit reports; establishing auditing, quality control, ethics, and independence standards relating to the preparation of audit reports; conducting inspections of registered public accounting firms; and enforcing compliance with the Act.

Title 2. Auditor Independence

Title 2 prohibits registered public accountants conducting an issuers financial statement audit from performing nonauditing services such as bookkeeping, the design and implementation of financial information systems, appraisals, valuations, fairness opinions, internal audit outsourcing, and management functions. All audit and nonaudit services require preapproval by the audit committee of the issuer. Additionally, there are provisions for audit partner rotation, specific reporting requirements by registered public accounting firms to the issuers’ audit committee, and an absolute prohibition of an audit firm providing audit services to clients for one year if the client has hired certain employees of the registered public accounting firm in key financial positions.

Title 3. Corporate Responsibility

This provision of the Act mandates the SEC to direct the national securities exchanges and national securities associations to prohibit the listing of any security of an issuer that is not in compliance with the following Act requirements:

  • Existence of audit committee oversight of registered public accounting firm
  • Board of directors/audit committee independence
  • Procedures for receiving complaints concerning accounting or auditing matters and anonymous employee concerns relating to questionable accounting or auditing matters established by the audit committee
  • Audit committee authority to engage independent counsel and other advisors
  • Provision of appropriate funding, as determined by the audit committee, for payment to the registered public accounting firm and to advisors hired by the audit committee

Title 3 also requires chief executive officer (CEO) and chief financial officer (CFO) certifications of financial statements, outlines penalties for corporate officers and directors for material noncompliance, and prohibits insider trading during pension fund blackout periods.

Title 4. Enhanced Financial Disclosures

Title 4 outlines requirements to help assure the accuracy of financial statements and supporting financial disclosures. It requires reporting of material unconsolidated and off-balance sheet transactions as well as mandates that pro forma financial information is factual and complete, and reconciles with the financial condition and results of operations of the issuer. Personal loans to executives are prohibited; issuers are required to disclose whether or not they have a code of ethics for senior financial officers, and mandates that the audit committee include at least one financial expert as defined by the Act. This provision also outlines requirements regarding management’s assessment of internal controls and the real-time disclosure of material changes to financial conditions or operations.

Title 5. Analyst Conflicts of Interest

This section of the Act requires the SEC, or national securities exchanges and national securities associations, to implement rules to improve “public confidence in securities research, and to protect the objectivity and independence of securities analysts ….”2

Title 6. Commission Resources and Authority

Pursuant to Title 6, $98 million in funding is authorized to the SEC to hire an additional 200 professionals to provide enhanced oversight of auditors and audit services required by Federal securities laws.

Title 7. Studies and Reports

Title 7 authorizes the General Accounting Office (GAO) and the SEC to perform studies and issue reports investigating the consolidation of public accounting firms; the role of credit rating agencies in the securities market; the number of professionals found to have aided and abetted a violation of securities laws from the period January 1, 1998, to December 31, 2001; the enforcement actions taken by the Commission involving violations of reporting requirements; and whether investment banks and financial advisers assisted public companies in obfuscating their true financial condition.

Title 8. Corporate and Criminal Fraud Accountability

This provision of the Act, which is also referred to as the Corporate and Criminal Accountability Act of 2002, details the penalties for the destruction of corporate audit records and the willful destruction, alteration, or falsification of records in Federal investigations and bankruptcy proceedings. This section also establishes a five-year record retention period for audit or review workpapers and provides protection for whistleblowers.

Title 9. White-Collar Crime Penalty Enhancements

The Act in Title 9, which is also referred to as the White-Collar Crime Penalty Enhancement Act of 2002, modifies the Federal Sentencing Guidelines to increase the penalties for white-collar crimes. More importantly for issuers, it establishes a requirement for the CEO/CFO certification of periodic financial statements and specifies the penalties for the failure to certify and the willful certification of knowingly false financial reports. Penalties range from $1 million to $5 million and may include imprisonment for up to 20 years depending on the violation.

Title 10. Corporate Tax Returns

Title 10 simply states that “[I]t is the sense of the Senate that the Federal income tax return of a corporation should be signed by the CEO of such corporation.”3

Title 11. Corporate Fraud Accountability

The Corporate Fraud Accountability Act of 2002, or Title 11, provides for additional fines and penalties for individuals who fraudulently alter or destroy documents or impede an official proceeding.

Act Requirements

The requirements of the Act are intricate and complex and affect the entire organization regardless of the operational infrastructure. Exhibit 1.1 displays how the significant provisions of the Act influence specific aspects and individuals of a public company, including the relationship of the registered public auditor.

The provisions of the Act that address independence, officer codes of conduct, auditor oversight and hiring, audit approval, and prohibited services apply directly to the audit committee. Other provisions that deal with the forfeiture of incentive pay, the prohibition of personal loans, and whistleblower protection policies may be the responsibility of the human resources department, while provisions regarding interpretations as a matter of law, codes of ethics, and record retention policies are normally the responsibility of the general counsel. Although public company compliance with all aspects of the Act is required, this book focuses only on those aspects of compliance that directly impact financial managers: Sections 302, 404, and 409. Discussion of these sections is divided into three main parts: initial compliance, ongoing maintenance and monitoring, and beyond compliance.

Initial compliance provides an overview of the Act provisions for Sections 302, 404, and 409 and details suggested action steps necessary to comply with the requirements. This part also defines and contrasts the terms reportable conditions, material weaknesses, and significant deficiencies and provides practical examples of each.

Ongoing maintenance and monitoring details the responsibilities of the financial manager after initial compliance with the Act. Major subjects such as quarterly compliance processes, interfacing with both internal audit and registered public auditors, control testing, software considerations, and SAS 70 Letters are discussed in order to provide the financial manager with practical applications.

Beyond compliance addresses the opportunity to move Sarbanes-Oxley compliance from a routine checklist and one-time internal controls improvement process to a defining cultural change initiative. This Part addresses how the financial services industry may be affected by the ever-expanding local and global regulatory, compliance, and reporting requirements. The section concludes with a discussion on the implications for future European Union-listed companies with International Financial Reporting Standards (IFRS) and the differences that exist between IFRS and U.S. generally accepted accounting principles (GAAP).


Exhibit 1.1 How Sarbanes-Oxley Affects Your Organization


Most companies would profess to have a strong emphasis on internal controls to ensure the reliability of financial reporting, yet in the absence of specific guidelines, determining the necessary level of control has primarily been a subjective decision. Early on, the impetus for effective internal controls was driven by the Securities Exchange Act of 1934, a law designed to restore investor confidence after the stock market crash of 1929, by providing more structure and government oversight. Issuers were later required to maintain adequate systems of internal controls after the Securities Exchange Act was amended in 1977. However, the term adequate was not clearly defined. In response to this requirement, most companies developed their own approach to compliance through the cooperative efforts of management, internal audit, and external auditors.

In the early 1990s, companies began adopting the Internal Controls–Integrated Framework of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission’s study of internal controls.4 The COSO internal controls approach (Exhibit 1.2) is a framework designed to establish an internal control system for an entire company not limited to financial or financial reporting controls. This framework balances control objectives with the required control components necessary to maintain effective internal control within a company, process, or function. The three COSO control objectives are as follows: accurate and reliable financial reporting, effective and efficient operations, and compliance with laws and regulations. The COSO framework breaks effective internal control into five interrelated components:

  1. 1. Control environment
  2. 2. Risk assessment
  3. 3. Control activities
  4. 4. Information and communication
  5. 5. Monitoring

Exhibit 1.2 COSO Internal Controls Approach

The Act has placed significant responsibility on issuers for designing, implementing, and maintaining effective systems of internal controls to assure adequate financial reporting to the SEC and investors. Paragraph 13 of PCAOB Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, sets forth the standards for registered public auditor attestation of issuers’ internal controls as required in Section 404(b) of the Act. Standard No. 2 requires issuers to “base its assessment of the effectiveness of the company’s internal control over financial reporting on a suitable, recognized control framework established by a body of experts that followed due-process procedures, including the broad distribution of the framework for public comment.”5 Paragraph 13 concludes by mandating that an internal control assessment framework is suitable only when it:

Additionally, Paragraph 13 states that the COSO integrated framework to internal controls “provides a suitable and available framework for purposes of management assessment” and “[f]or that reason, the performance and reporting directions in this standard are based on the COSO framework”7 even though other suitable standards may exist or may be developed in the future. The internal control delivery framework presented in Chapter 3 is based on the COSO Internal Control-Integrated Framework.

In addition to SEC- and COSO-driven internal control initiatives, many companies in specific industries such as pharmaceuticals and defense have historically placed a greater emphasis on internal controls because of specific regulatory requirements or other industry-specific environmental factors. These issuers may be in a better position than most issuers to more rapidly implement the requirements of the Act. They have already lived through a crisis similar to the one that prompted the Sarbanes-Oxley Act of 2002.

In the early and mid-1980s, the defense industry reeked of fraud, overcharges, and the perception of impropriety. In response to adverse headlines publicizing corruption, multiple congressional hearings, and the release of the Congressional report, A Quest for Excellence, the CEOs of 32 defense contractors met and established the Defense Industry Initiative on Business Ethics and Conduct (DII).8 The DII established six principles for doing business.

These principles, which establish a code of conduct or ethics, encourage internal reporting of violations of the code with the promise of no retaliation for such reporting. The principles also require the establishment of internal controls, a process for monitoring such controls, and a procedure for reporting violations. Defense contractors aggressively implement internal controls in part to protect themselves from the significant fines and penalties established for violating government contracting rules as well as fraud statutes and the Anti-Kickback Act of 1986. Most defense contractors incorporated the COSO framework into their internal control structures and as a result may have a good basis from which to implement the additional provisions of the Act.

Like the crisis in the defense industry, the scandals leading to the passing of the Act resulted in a loss of confidence and faith in corporate leadership and the integrity of financial reporting. The perception is that boards of directors had simply become that of a “rubber stamp” approver of management decisions. In the minds of many investors, boards had forgotten their most important role: corporate oversight and governance.

The Act and the resultant changes—including SEC requirement and regulations, the formation of the PCAOB, and changes to listing requirements of the NYSE, Nasdaq, and Amex—have all forced businesses to reevaluate their organizational structure and systems of internal control. These changes have created new roles as well as modified existing roles for the individuals involved in the financial reporting process.


Simply reading the Act provides enough information to know that corporate America must change the way it conducts business. The Act affects all of the participants in the financial reporting process from the users of the financial reports and information released by issuers to the individual employee who enters data to record a transaction. The following briefly outlines the effect the Act will likely have on each participant.

Investors and Other Users of Financial Data

Why did anyone care about the financial scandals and fraudulent activities involving companies such as Enron, WorldCom, and Adelphia? Simply stated, it is because the market values of those companies declined significantly when the magnitude of the fraud was realized. This resulted in investments and retirement savings losses of billions of dollars.

For investors and other users of financial data, the Act and other resultant regulatory changes strengthen the controls over financial reporting by requiring issuers to ensure timely, accurate, and complete financial reporting and real-time disclosure of financial information. To encourage issuers to comply with the new requirements, the Act specifically imposes significant criminal penalties and fines for corporate executives. Will these rules prevent all future corporate scandals? Probably not, but they will likely be enough incentive to improve the quality, accuracy, and timeliness of financial data to allow investors to make informed decisions regarding their investments.

Regulatory Bodies

The Act resulted in several important changes to regulatory bodies. First, the Act mandated the creation of the PCAOB to oversee the public accounting industry and to set standards for conducting the review of issuer’s internal control over financial reporting. Second, the Act effected several changes to SEC reporting requirements, including provisions for mandatory real-time disclosures of certain changes to issuers’ financial conditions and new accelerated due dates for quarterly and year-end reports. Finally, the Act required the national securities exchanges to change their listing requirements for issuers subject to the Act.

The Board of Directors

The two primary responsibilities given to boards of directors are (1) strategic direction and leadership of the business, and (2) corporate oversight. The Act and changes made by the national listing exchanges reinforce those responsibilities and ensure they are taken seriously. These changes require boards to be composed of a majority of independent members, hold meetings with only independent directors, and implement corporate governance and codes of ethics.

Audit Committee

The role of the audit committee has also changed. First, the audit committee must consist of only independent directors, and the board must disclose if the audit committee does not contain at least one “financial expert” as defined by the SEC. Second, the audit committee is solely responsible for the engagement and compensation of the external auditor and oversight of the auditors work relating to the audit of financial statements. Finally, the external auditor now reports directly to the audit committee and no additional services can be provided without the committee’s preapproval.

External Auditors

In addition to now reporting directly to the audit committee, external auditors must register with the PCAOB, refrain from performing certain nonauditing services, and must comply with audit partner rotation requirements. The external auditor is also responsible for an attestation review of the issuer’s internal control over financial reporting and report on management’s assessment of the same.

Executive Management

Executive management is now explicitly responsible for establishing and maintaining a system of internal control over financial reporting and creating an annual assessment of the same. The CEO and CFO are responsible for the financial reports filed with the SEC and must certify the accuracy of such reports under the risk of criminal penalties and fines. Other members of the executive management team are responsible for the new requirements relating to codes of ethics, record retention, insider trading, attorney conduct rules, whistleblower policies, as well as other legal and human resource issues.

Management and Staff

While the Act does not specifically mention any requirements of managers and supporting staff, these individuals will likely be directly responsible for the majority of the additional work that will be required to comply. Since executive management is held accountable for compliance, it is in their best interest to ensure their financial managers are knowledgeable about the Act and its impact on their company.

Based on the work effort outlined, it is clear that companies will experience significant increases in costs and time necessary to comply with the provisions of the Act and the related regulatory changes. These increased costs will be related to:

  • More frequent board and audit committee meetings
  • Increased oversight activities
  • Continual communication with external auditors
  • Increased legal and human resource work resulting from new policies and procedures

By far, the most significant cost increases will result from the external auditor attestation of internal control over financial reporting and the internal cost of complying with the provisions of Section 302, Section 404, and Section 409 of the Act.

The cost of compliance will vary based on the size of the company, the number of operations, and the complexity of the business. Nonetheless the total is still significant for most organizations. A January 2004 Financial Executives International (FEI) survey suggests that Section 404 compliance will cost companies, on average, 12,265 internal people hours, 3,059 external resource hours to supplement internal hours, $732,100 for external consulting, and $590,100 for the external auditors attestation review.9 To determine a reasonable estimate of the cost of compliance, companies will first need to understand the requirements of the Act and what efforts will be needed to comply. The next three chapters discuss the specific requirements of Section 302, Section 404, and Section 409, respectively.


This book is intended to help financial managers go beyond mere compliance and seize the opportunity to improve business practices and/or processes, drive greater performance, and transform the perception of the finance organization into that of a value-added key contributor to the company. For discussion purposes, financial manager refers to anyone who is a CFO, controller, vice president of finance, divisional CFO, or a manager who directly works for someone in such a position.

This book focuses on the aspects of Sarbanes-Oxley that impact those employees working directly or indirectly for the CFO. It is designed to lead the reader from initial compliance with the Act, through ongoing maintenance and monitoring, and ultimately to beyond compliance; however, each section can be read and applied individually.

The PCAOB’s web site ( is a perfect complement to the information contained in this book. The web site lists the board’s current and pending regulatory actions regarding rules and the adoption of auditing standards. The site also maintains briefing papers and other documents that can serve as valuable information for financial managers who are responsible for implementing various sections of the Act, as well as Q&A documents clarifying opinions on issues related to the implementation of the standards of the PCAOB.10