Mallari, Ashley Mae D.

Relevance of Sarbanes Oxley Act

The Sarbanes Oxley Act, passed by the U.S. House of Representatives in 2002, attempts to
bring in improved principles and accountability in the operations of companies in the U.S. It has
been considered as a major comprehensive legislation in recent years in US business security
affairs. Non-compliance of the law attracts major penalties on company boards.

The purpose of Sarbanes Oxley (also called SOX or SarbOx) is to keep away large businesses
from financial deception and misleading their investors and shareholders. Basically this act is for
protecting the investors from public companies. It acts as a shield for investors from losing their
asset unfairly. The investors are also prevented from being misguided into investing in business.

The Sarbanes Oxley Act contains eleven major sections, ranging from extra corporate board
duties to punishment. SEC (Securities and Exchange Commission) looks after the
implementation of the Sarbanes Oxley Act. It always checks that the issuers report and file
records properly and timely. This activity again prevents companies from misleading or
inaccurate financial standing.

Three important points of the SOX influence the management of company records. The first
point restricts the destruction, alteration, and falsification of records or documents. If a person
attempts these activities, he will face severe penalties and imprisonment. Second point is that
the businesses must follow a set of guidelines concerning communications recording, audits,
records etc. Though SarbOx Act keeps large corporations from fraudulent behavior, it has made
certain accidental burdens on smaller businesses, making it difficult for them to grow and
flourish. Compliance with this act is not a heavy task.

Sarbanes Oxley Act & Internal Audit

The continuous stream of company collapses, highly publicized corporate scandals and the
resulting Sarbanes-Oxley Act have dramatically changed the landscape of corporate America. A
sound internal control environment and effective corporate governance process, which were
once deemed to be best practices have now become mandated into laws and are a necessity to
restore investors' confidence. However, many organizations are struggling with the most
effective manner to set and to start the process that will meet regulatory and investors'
expectations.

Enter the Internal Auditor. Internal audit has often been underutilized as a significant resource
for sound corporate governance advice and invoking positive change in an organization's
control environment. A value-added internal audit function offers a centralized and objective
source of comprehensive information to management regarding whether an organization's
control environment and governance process is operating effectively. This article suggests that
internal audit can play an important role in facilitating the implementation of Sarbanes-Oxley
provided that four key steps are taken.
The Four Step Approach

The following four key steps should be considered to ensure that internal audit plays an
effective role.

Internal audit often walks a tightrope between balancing its objectivity and providing value-
added advisory guidance to management. Due to uncertainty and lack of solid internal controls
savvy, management might be inclined to delegate certain internal control responsibilities to
internal audit inappropriately.

Sarbanes-Oxley has further reiterated the importance of ensuring that senior management does
not shy away from their responsibility for establishing and operating an effective internal control
environment. Internal audit can review, document and recommend changes in the control
environment as well as evaluate whether the changes made were effective. However,
management remains accountable for performing and ensuring the effectiveness of control
activities and deciding when it is essential for the control environment to be enhanced.

Under the COSO model, the role of internal audit falls in the "monitoring" dimension. That is,
internal audit is a monitoring control and it is inappropriate for internal audit to act at any time to
"become" the control. Thus, it is imperative that internal audit continues to guard its objectivity
by drawing a clear line between auditing control processes and conducting and implementing
them as a primary facet of the control environment. If internal audit does not tread carefully in
this area, the accountability objective, as intended by Sarbanes-Oxley, will be defeated.

Internal audit should ensure that its scope of work and communication and reporting
mechanisms are clarified with management and other relevant parties and approved by the
Audit Committee. The internal audit charter can be a useful vehicle for documenting internal
audit's responsibilities as it relates to Sarbanes-Oxley.

Under Sarbanes-Oxley Section 404, the external auditor must attest to management's
assertions regarding the effectiveness of internal controls surrounding financial reporting.
Internal audit can add value by participating in management's meetings with the external auditor
to assist in identifying and meeting the internal control documentation and testing expectations.
In this area particularly, internal audit should clarify and document their role thoroughly.

Internal audit's role also will be most effective when there is widespread organizational support.
Senior management and the Audit Committee must elevate internal audit to a high level of
importance and promote organizational awareness accordingly. This can be facilitated by
including internal audit in all key management committees, requiring and enforcing timely
management responses and action plans for all significant internal audit findings and creating a
reporting hierarchy and culture whereby internal audit can present potential contentious issues
without hesitation.

Internal audit typically has encountered challenges in developing and retaining solid auditing
capabilities, industry knowledge, information technology skill sets, and other related expertise.
Management buy-in on increasing head count has also proven difficult.

With Sarbanes-Oxley, internal audit will require even more resources, including those
specifically attuned to financial reporting disclosures. Fortunately, this time internal audit is likely
to encounter strong commitment by management in ensuring appropriate resources are
allocated to evaluating the internal controls process. Thus, internal audit will need to determine
the additional effort required by Sarbanes-Oxley responsibility and agree on these resource
needs with management and the Audit Committee. However, coverage of the non-financial
reporting related reviews should not be sacrificed. Furthermore, internal audit should consider
accessing specialized skill sets in Sarbanes-Oxley externally. Although most organizations are
just beginning to get a handle on Sarbanes-Oxley, others might be more ahead of the curve and
can offer tremendous insight.

1. DISSEMINATE INTERNAL CONTROLS KNOWLEDGE.Internal audit's mission has

always involved identifying risks and ensuring that related controls exist and are
operating effectively. Thus, senior management can significantly leverage internal audit's
knowledge and documentation of an organization's risks, control weaknesses and
outstanding recommendations for improvement. Furthermore, internal audit can educate
management about the COSO (Committee of Sponsoring Organizations of the Treadway
Commission) framework, which is the most accepted framework for internal control and
has been incorporated intoU.S. auditing standards. Internal audit can provide internal
controls and COSO training to management and serve as a subject matter expert for the
organization.
2. ENSURE THAT OBJECTIVITY IS MAINTAINED.
3. CLARIFY EXPECTATIONS AND SECURE SUPPORT ACCORDINGLY.
4. SECURE APPROPRIATE SKILL SETS AND RESOURCES TO ADAPT TO
ACCOUNTING AND DISCLOSURE REQUIREMENTS AND TO MAINTAIN THE LEVEL
OF INTERNAL AUDITING FOR NON-FINANCIAL REPORTING REVIEWS.
Conclusion

The corporate world has certainly changed. Organizations will need to adjust quickly and
proactively to the new world of corporate reform or surely face grave consequences if
appropriate actions are not taken.

Internal audit has a great opportunity to demonstrate its fullest potential. Management should
tap into this resource extensively but still maintain appropriate accountability and responsibility.

Sarbanes Oxley Act & External Audit

External Auditors Sox 404 Responsibilities

The Accounting Firm (External Auditor) must render two opinions:

Managements Assessment Process

Effectiveness of the companys internal controls over financial reporting

The Accounting Firm must comply with Public Company Accounting Oversight Board (PCAOB)
Audit Standards

In order to render opinions, The Accounting Firm may:

Review our process documentation

Perform walk thrus to validate controls are designed effectively
Review and re-perform a sample of test of controls
Perform additional independent tests
Evaluate controls to ascertain if errors of importance could occur in the financial
statements or if fraud could occur