Reviewing Internal Control over Financial Reporting—The Sarbanes-Oxley Approach
Section 404 (Management Assessment of Internal Controls) requires management of US
listed companies to establish and maintain an adequate internal control structure for
financial reporting, to assess its effectiveness annually, and to report on that assessment.
It also requires the company's external auditors to attest to, and report on, management's
assessment.

Section 302 (Corporate responsibility for financial reports) requires the signing officers of a
published periodic report to certify, inter alia, that they have designed and evaluated internal
controls over reporting and that the report is reliable in all respects (Figure 8.2). The
certification is not limited to internal control over financial reporting; it extends to the
company's other disclosure controls as well. Section 302, at (6), also requires the signing
officers to certify in the published report that they have indicated whether or not there have
been any significant changes in internal controls, or in other factors that could significantly
affect internal controls, subsequent to the date of their evaluation, including any corrective
actions taken with regard to significant deficiencies and material weaknesses.

Section 906 (Corporate responsibility for financial reports) is also relevant in that it
introduces severe criminal sanctions for breaches of the certification requirements of
s. 302 and s. 404.

The "Control Environment" Component of Control in SOX Compliance

Section 301 of the Act (Figure 8.5) makes an audit committee a statutory listing requirement
and sets out further statutory requirements for audit committees. These include, but are not
limited to, giving the audit committee direct responsibility for the appointment, compensation
and oversight of the external auditor. Section 301 also establishes a statutory definition of
independence for audit committee members: they must receive no fees from the company
other than for their board service, and they must not be an "affiliated person" of the issuer
or of any subsidiary.
Section 407 requires a company to disclose whether its audit committee includes at least one
financial expert and, if it does not, to explain why. The SEC's Final Rule defines an audit
committee financial expert as a person with all five of the following attributes:
1. An understanding of generally accepted accounting principles and financial statements;
2. The ability to assess the general application of such principles in connection with the
accounting for estimates, accruals and reserves;
3. Experience preparing, auditing, analyzing or evaluating financial statements that present
a breadth and level of complexity of accounting issues that are generally comparable to
the breadth and complexity of issues that can reasonably be expected to be raised by
the registrant's financial statements, or experience actively supervising one or more
persons engaged in such activities;
4. An understanding of internal controls and procedures for financial reporting; and
5. An understanding of audit committee functions.

Under the Final Rules, in order to qualify as an audit committee financial expert a person must
have acquired the attributes listed above through one or more of the following:
• Education and experience as a principal financial officer, principal accounting officer,
controller, public accountant or auditor, or experience in one or more positions that involve
the performance of similar functions;
• Experience actively supervising a principal financial officer, principal accounting officer,
controller, public accountant, auditor or person performing similar functions;
• Experience overseeing or assessing the performance of companies or public accountants with
respect to the preparation, auditing or evaluation of financial statements; or
• Other relevant experience; if other relevant experience is what qualifies the director,
that experience must be described.
Section 406 requires a US issuer to disclose whether it has a Code of Ethics for its senior
financial officers, and to disclose any change to, or waiver of, that Code. The Act requires
that the Code cover honest and ethical conduct, including the ethical handling of actual or
apparent conflicts of interest between personal and professional relationships; full, fair,
accurate, timely and understandable disclosure in the periodic reports the issuer is required
to file; and compliance with applicable governmental rules and regulations. The SEC's rule
expands the requirement so that the Code must cover:
1. Honest and ethical conduct, including the ethical handling of actual or apparent conflicts
of interest between personal and professional relationships;
2. Avoidance of conflicts of interest, including disclosure to an appropriate person or
persons identified in the code of any material transaction or relationship that
reasonably could be expected to give rise to such a conflict;
3. Full, fair, accurate, timely, and understandable disclosure in reports and documents that
a company files with, or submits to, the Commission and in other public
communications made by the company;
4. Compliance with applicable governmental laws, rules and regulations;
5. The prompt internal reporting to an appropriate person or persons identified in the
code of violations of the code; and
6. Accountability for adherence to the code.

The "Risk Assessment" Component of Control in SOX Compliance

The elements of risk assessment stressed in the Sarbanes-Oxley Act relate to conflicts of
interest (s. 206), improper influence on the conduct of audits (s. 303), and the prohibition of
most non-audit services being provided by a company's external auditors (s. 201).
The "Control Activities" Component of Control in SOX Compliance

Most of the effort involved in meeting the requirements of s. 404, by both management and the
external auditors, is focused on the controls built into the business processes that contribute
to the reliability of the financial statements. A SOX methodology of identifying, documenting
and testing these key controls has developed, and it is a sound approach to follow more
generally in audit work.

The "Information and Communication" Component of Control in SOX Compliance

The purpose of s. 302 and s. 404 compliance work is to assess the reliability of the financial
and other information that is published. This chapter has placed most emphasis on control
activities (key control procedures) as the means of ensuring that reliability. Published
information should not only be accurate and complete; it should also be timely, clear, mutually
consistent and useful.

The "Monitoring" Component of Control in SOX Compliance

PCAOB Auditing Standard No. 5 requires the external auditor to evaluate the extent to which
the work of others, such as internal auditors, will be used to reduce the work the auditor
would otherwise have to perform to meet the audit requirements of s. 404. The Standard explains
that the competence and objectivity of the other party must be assessed in order to determine
how far their work may be relied upon. In practice, the company should aim for the maximum
coordination between internal and external auditors with respect to s. 404. The external
auditor is likely to be able to place more reliance on internal audit if internal audit is
auditing the SOX process rather than itself performing the process of designing, documenting
and testing the controls, since an internal audit function that owns the controls is no longer
objective about them.