The Delegation of Authority and Accountability, and Detective vs. Preventive Controls

The Delegation of Authority/Accountability

I discussed the delegation of authority as the core concept behind SOX. Note here that the flip side of management’s authority, delegated by the company shareholders (through the board of directors), must be management’s accountability to the BoD/shareholders.

SOX 302 requires a company’s CEO and CFO to certify the effectiveness of its internal controls.

This naturally requires them to delegate accountability for process-level controls (PLCs) to process/control owners at the department management level. Accordingly, a public company needs to design its PLCs so as to hold adequately competent management accountable for the relevant underlying (financial) data, which ultimately affects the journal entries posted to the accounting ledgers.

At the same time, strong leadership is necessary to hold the financial control team accountable for SOX compliance, and for the team to:

1. adopt the “top-down, risk-based” approach properly per Auditing Standard No. 5;

2. be able to define logical key risks (with relevant financial assertions) in each of the five phases from Initiation through Reporting, including the critical paths at which journal entries are recorded/posted to the sub-ledger/GL;

3. be able to support business departments in identifying proper control owners for each effective key control that mitigates one of the logically defined key risks;

4. design Preventive controls, rather than Detective controls, to the extent possible;

5. provide stakeholders, including external auditors, with a legitimate rationale for the company’s assessment of its PLCs under SOX; and

6. sustain the CFO’s (and CEO’s) certification of the financial statements.

The Detective vs. Preventive Controls

Item 4 above is particularly important to keep in mind when designing controls:

even if a Detective control is effective (and a misstatement is corrected thanks to that control), the misstatement will recur because its root cause has not been rectified.

That is why designing effective Preventive controls (e.g., application/access controls, management review of data input, etc.), rather than Detective controls (e.g., management review of reconciliations, etc.), is essential to designing and operating controls that are “effective” under SOX 404.

For a more detailed discussion about designing Preventive controls, see this post.

What Is SOX About? – Power and Corruption, as Dealt With by COSO

What SOX is all about is “Power” (or authority) and the delegation thereof.

The concept is inherited from COSO (Committee of Sponsoring Organizations of the Treadway Commission).

As is widely known, what they call the “COSO Framework” is the conceptual framework for sustaining the integrity of a public organization that is trusted, funded, and empowered by (oftentimes) numerous benefactors, fund providers, investors, and other stakeholders, including citizens/taxpayers in the case of a governmental body. Because the management/administration of such an organization is typically composed of elected/appointed/entrusted (boards of) directors (as is usually the case with a public company), one of the primary concerns of the fund providers and/or taxpayers is corruption: i.e., the abuse of power.

Take the Watergate scandal, for example. President Nixon abused his presidential power, or authority, by spending taxpayers’ money for his personal gain; i.e., the burglary of the Democratic Party headquarters.

The scandal led to many other illegal and corrupt corporate activities coming to light, which were essentially a similar abuse of corporate management’s power, or authority, delegated by the corporate board of directors, the representative body of the corporate shareholders.

The series of events prompted the U.S. Congress to enact the FCPA (Foreign Corrupt Practices Act) of 1977 and led to the creation of COSO.

The COSO Framework consequently provides corporate governance with a conceptual framework of internal controls to mitigate the risk of corporate management abusing the authority delegated to it by the board of directors.

The SOX Act of 2002, in conjunction with the correspondingly updated COSO Framework 2013, specifically deals with the financial information of public companies that are regulated by the PCAOB (Public Company Accounting Oversight Board), part of the SEC (Securities and Exchange Commission).

That is, the SOX Act (302) requires the corporate governance of SEC-listed companies, specifically the CEO and CFO, to hold themselves accountable for reporting financial statements (and the footnote information thereof) that are fairly stated and disclosed (without a material misstatement, in accordance with US GAAP). They do so by establishing an effective system of internal controls over financial reporting (ICFR), based on the criteria established in the COSO Framework 2013 (as stated in management’s ICFR effectiveness report in the 10-K), to adequately mitigate the risk of misstatement due to fraud (as a result of abusing authority/power: e.g., management override, collusion, etc.) and/or due to unintentional error (as a result of a lack of adequate accountability/competence).

Therefore, the objective of ICFR under SOX and the COSO Framework (2013) is for public company management to “hold themselves accountable to their shareholders” (to the extent of the authority delegated by the shareholders, i.e., the corporate owners) in reporting/disclosing fairly stated financial statements (under US GAAP and SEC regulations), by controlling (to mitigate) the risk of (material) misstatements due to fraud and error.

Why SOX? – The Background

Prior to SOX (the Sarbanes-Oxley Act), if there were any material misstatements (which could lead to restatements, lawsuits by shareholders, etc.), companies sued their (external) auditors.

The Trigger (for the SOX Act)

The high-tech bubble burst in 2000.

• SEC named names.

Accounting Malpractice (by Enron, WorldCom, etc.) and Misstatements/Restatements (by Amazon, etc.)

• The U.S. stock market needed to regain credibility.

The Purpose of SOX is:

To hold Company Management Accountable – NOT the (external) Auditor

NOTE: What this means, for example, is that the burden of proof, should the company be sued at all, rests on the CFO/CEO, who would need to substantiate their certification (under SOX 302; i.e., the logic behind their statement that “our internal controls are effective”).

(An example of an ill-conceived statement would be, “we did what our auditors told us to do.”)

• The CEO and CFO must certify (SOX 302).

Consequence

Regardless of whether it is fraudulent or not, if they certify that their internal controls over financial reporting (ICFR) are free from material misstatements when in actuality they are not:

• The CEO and CFO could go to jail (SOX 906).

In short, the objective of the SOX Act of 2002 appears to be to protect the auditors (of an SEC-listed company) from being held accountable, or even convicted, for their SEC-listed client’s misinforming the public shareholders.