SlideShare a Scribd company logo

Tip of the Compliance Iceberg

Dwayne Jorgensen
Dwayne Jorgensen

The importance of a strong internal control framework in anticipating compliance issues.

Presentations & Public Speaking
1 of 11
Download to read offline
The Tip of the Compliance Iceberg by Dwayne E. Jorgensen www.JobDoctorsInternational.com
Introduction Since its passage in 2002, the Sarbanes-Oxley Act has spotlighted the realm of corporate gov- ernance as it pertains to compliance with legal regulations. Corporations have spent thousands of hours in preparation for their first attempt to earn an ‘unqualified’ attestation from their public accountants. That attestation is required to substantiate management assertions as to the overall effectiveness of their internal control frameworks, as mandated by Section 404 of the act. As the first deadline approaches in December, 2004, many CEOs and CFOs believe they have ad- equately navigated the course laid out for them by the act. But do corporate efforts to comply with Section 404 supply enough information to avoid the unforeseen complications of future noncompli- ance events? Or have they addressed only the tip of the compliance iceberg? Current State As dramatized in regular headlines, corporate investors are still being unpleasantly surprised by allegations of control breakdowns in flagships of the investment world. Given the nebulous and ramified nature of some transactions, executives are increasingly sensitive to the difficulty of as- certaining whether the proper controls are in place to monitor all related activities effectively. Furthermore, the dynamics of a global economy pose an ongoing challenge to an organization’s ability to ‘assert’ to the overall effectiveness of its control environment. These facts lead to a fundamental question: how can you know your control environment is effective without a full un- derstanding of both the depth of compliance required, and the adequacy of your measurement process? Letter or Spirit? Numerous comments by key individuals, including SEC commissioners, have made it clear that the Sarbanes-Oxley Act was not intended as the ‘end of all means’ as it relates to reassuring the investing public and the federal government about an organization’s operations. Rather, the act was intended as a ‘means to an end’: namely, establishment of an integrated control framework as defined in a landmark report issued by the Committee on Sponsoring Organizations of the 2 © Copyright, 2004, Dwayne E. Jorgensen, All rights Reserved.
Treadway Commission (COSO). By design, that framework would address all aspects of the act as a part of the overall defined corporate governance. Despite that fact, many organizations have responded narrowly and tactically to Section 404 compli- ance mandates with ‘cascading certifications’ that require all layers of management to perform the same certification required of the CEO and CFO on SEC quarterly and annual reports. Many have also adopted a wait-and-see attitude relative to the more far-reaching strategic components of the act, such as disclosure guidelines, whistleblower protocols, and the incorporation of a COSO-based uniform control structure across all the organization’s financial and nonfinancial processes. (Corpo- rate Governance and Independence Monitoring Function, 10/1/2003, CFO Project Volume 2) Ascertaining the depth of the compliance iceberg must start with management’s intention to com- ply with the spirit rather than the letter of the Sarbanes-Oxley Act. Management must decide whether to establish an adequate and effective control environment based on the internal control framework defined in the COSO report (spirit), or settle for doing only what’s required to satisfy individual sections (letter). As shown in Figure 1, organizations focused exclusively on compliance with Sections 404 and 302 are addressing merely the tip of the iceberg. True adherence to COSO requires adequate meas- urement of additional layers—other Sarbanes sections, other regulations, lender’s covenants, mission statements, policies, procedures, tasks, and unique control events—as part of COSO’s ongoing “monitoring process.” (See Figure 2 for a description of monitoring in the layers of the ‘COSO Cube’.) That means that once management decides to comply with the spirit rather than the letter of the act, it must first determine how much of what has already been done to prepare for compliance with Section 404 can be used for ongoing control measurements. What You Know What You Might Not Know 404 302 301 409 Cerner Regulations (FDIC 1A, etc.) Public Co. Reg. (NYSE, NASDAQ, etc.) Sarbanes-Oxley Act Compliance Requirements Industry Compliance Standards Company-Specific Standards Lending Convenants Mission Statements Policies Procedures Tasks Unique Control Events Figure 1: The Compliance Iceberg 3 © Copyright, 2004, Dwayne E. Jorgensen, All rights Reserved.
The Current State of Section 404 Compliance Since the start of activities to prepare for compliance with Section 404, an ad hoc preparation methodology has emerged. Refined through trial and error, that process has been adopted to various extents by most organizations. It includes these steps: 1. Assess the current state of the organization’s controls in key processes. 2. Ensure that the current state is adequate in terms of both the strength and documentation of controls; where they are missing or inadequate, develop them from scratch. 3. Have agencies or individuals independent of the work done in step 2 test the effectiveness of the controls, correct deficiencies where necessary, and then retest. 4. Report the results of the first three steps to prepare for a management assertion letter as prescribed by Section 404, and provide these results to the external auditors for their required attestation of the assertion. Unfortunately, these four key phases have not been uniformly implemented across all corpora- tions. Cautionary tales abound that relate how organizations have skipped the assessment phase and started at the documentation step, or have authorized the same agencies or people who per- formed the work required by step 2 to test it at step 3. In both cases, these inconsistencies have resulted in additional costs for the organization, either in rescoping or in completely redoing the 404 work. Finally, and more importantly, the work carried out to date in step 4 as the result of this process has not yet been substantiated as the appropriate output, since the final Standards of Testing have not yet been performed by any auditors (PCAOB Standard #2). How Much Is Enough? Regardless of the amount of effort already expended on preparing for Section 404, the answer to the fundamental question posed above—how can you know your control environment is effective without a full understanding of the depth of compliance necessary and the adequacy of your meas- urement process?—may still be “not enough” as it relates to full Sarbanes-Oxley compliance. Many organizations focused solely on complying with section 404 have contracted with service or software-oriented firms that essentially supplied a ‘one-off’ product for the 404 report. The signifi- cant shortcomings of this approach—which fails to ensure that the outcome will be COSO-compli- ant as stipulated by the Public Company Accounting Oversight Board (PCAOB) guidance issued to date—will shortly appear in the efforts required to recreate that work for both future annual 404 assertions, and for the quarterly 302 certifications. As shown in Figure 1, COSO compliance extends many levels below the individual sections of the act—all the way down to the individual 4 © Copyright, 2004, Dwayne E. Jorgensen, All rights Reserved.
control activities within the organization. To fully achieve the mandated compliance, an organiza- tion must take a more fundamental approach to the elements of the ‘COSO Cube.’ COSO: Internal Control—Integrated Framework The report entitled “Internal Control - Integrated Framework”, was commissioned by the Commit- tee on Sponsoring Organizations of the Treadway Commission (COSO). It established a common definition of internal control that meets the needs of various parties not only for assessing their control systems, but also for determining how to improve them. As originally published, the COSO Report was considered a voluntary approach to implementing best practices as they relate to a sound control environment. However, with the passage of the Sarbanes-Oxley Act and the further clarification provided by both the SEC and the PCAOB, the COSO Report has been established as the benchmark for determining compliance with the act. More importantly, as other aspects of the act are more clearly defined or become applicable, the components of the COSO Report take on more meaning. They cover not only the controls nec- essary for compliance with financial reporting mandates, but also clearly identify the operational controls that will become critical to the accurate assessment and disclosure of all issues subject to disclosure guidelines, whether financial or operational in nature. The most pertinent aspect of the COSO Report is its establishment, for the first time ever, of a universal definition of internal control: Internal control is broadly defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Figure 2: The impact of Sarbanes-Oxley on the COSO Cube IT components Section 404 Section 409 Section 302 Risk Assessment Control Environment Server Logs, Database Logs, Firewall Logs, Intrusion Detection, Incident Response, Awarness Training IT Policies, Standards & Procedures Email, Scorecards, Dashboards, Project Control, Help Desk Firewalls, Security, DRP, Business Continuity, SDLC, Change Control, Operations IT Risk Management, IT Risk Assessments, Business Impact Analysis “Tone at the top”, IT Governance, Regulatory Compliance Monitoring Information & Communication Control Activities 5 © Copyright, 2004, Dwayne E. Jorgensen, All rights Reserved. Based on the COSO illustration (copyright 1994) by the Committee of Sponsoring Organizations (COSO).
• Effectiveness and efficiency of operations. • Reliability of financial reporting. • Compliance with applicable laws and regulations. Internal control consists of five interrelated components. These are derived from the way management runs a business, and are integrated with the management process. The components are: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring. The following sections provide a brief overview of the nature, significance, and primary drivers of each internal control component named in the report. Control Environment The control environment sets the organization’s tone, influences the control consciousness of its people, and serves as the disciplinary and structural foundation for all other components of inter- nal control. Key factors in that environment include the integrity, ethical values, and competence of the entity’s people; management’s philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors. What does this means to an organization? The control environment is the starting point for exec- utive management’s decision as to whether compliance with the Sarbanes-Oxley Act will be per- ceived as a ‘spirit’ or ‘letter of the law’ exercise. Organizations that decide to settle for compliance with the letter of the law can reasonably expect to fall short of the expectations of the SEC and PCAOB at some future point, and to reap all the potentially negative consequences of that short- fall. Given that probability, a more prudent approach would be to recognize that while control is management’s responsibility, it must be actively embraced by everyone associated with the organ- ization. This tone should be reflected in corporate mission statements; ethics policies; disclosure guidelines; and board, audit committee, and internal audit charters. Primary drivers of this component include the board of directors, CEO, and CFO. Risk Assessment Every entity faces external and internal risks that must be carefully investigated. A precondition to effective risk assessment is establishing objectives that are linked at different levels and internal- ly consistent. Risk assessment identifies and analyzes risks that may affect the achievement of those objectives. It also provides a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions are all subject to ongoing change, mechanisms are needed to identify and deal with the special risks associated with change. 6 © Copyright, 2004, Dwayne E. Jorgensen, All rights Reserved.
What this means to an organization is that risk management, formerly the exclusive realm of inter- nal auditors and insurance brokers, is assuming a key management role. In fact, more and more corporations are acknowledging its strategic importance by appointing a chief risk officer (CRO) to give this COSO component the attention it deserves. Ironically, most operational managers confronted by risk assessment policies for the first time are quick to realize how little of their prior responsibilities involved consideration of a ‘what-if’ component. And yet, as most immediately rec- ognize, only a realistic evaluation of the potential for and impact of a negative outcome can lead to a clear understanding of the steps needed to mitigate that risk. The ever-changing conditions of the business world make risk assessment a dynamic and ongo- ing activity. It requires implementing a defined process to guide the organization through the defi- nition of key risk areas, pinpoint specific risks in these areas, evaluate the likelihood and severity of each risk, and identify the resources required to mitigate them to acceptable levels. Now more than ever, the realities of a global business community make the ability to control all significant risks essential to an organization’s success. Primary drivers of this component include the CEO, CFO, CRO, COO; operating management; and the internal auditor. Control Activities Control activities are the policies and procedures that embody management directives. They en- sure that necessary actions are taken to address risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They are as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating perfor- mance, security of assets, and segregation of duties. The organizational significance of control activities relates to the fact that most of the effort (and expense) corporations have dedicated to achieving 404 compliance to date has been expended on identifying and documenting these COSO components. Yet, most—if not all—of that effort has been limited to the financial controls as they pertain to the production of the financial statements. As demonstrated in Figure 1, it will be readily apparent to most managers that the next monumen- tal task required by the act will be the inclusion of the other two control areas: business operations and regulatory compliance. The effort required to achieve adequate documentation in these addi- tional areas will depend on the prior state of overall control maturity in the organization. Primary drivers of this component include the CFO, CRO, COO, and operating management. 7 © Copyright, 2004, Dwayne E. Jorgensen, All rights Reserved.
8 Information and Communication Pertinent information must be identified, captured, and communicated in a form and within a time- frame that enables people to carry out their responsibilities. Information systems produce reports on operational, financial, and compliance-related information that make it possible to run and control the business. They supply not only internally generated data, but also information about external events, activities, and conditions necessary to informed business decision-making and external reporting. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top manage- ment that control responsibilities are to be taken seriously. Workers must understand not only their own role in the internal control system, but how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties such as customers, suppliers, regulators, and shareholders. What this means to an organization is that it’s not enough merely to document the control activities identified in the 404 compliance exercise. They must be effectively communicated to the rank and file, along with a ‘tone at the top’ that reinforces the fact that control is everyone’s job. In addition, as Section 409 (timeliness of reporting) takes effect, most organizations will be forced to assess yet again the effectiveness of their internal communication systems, with an emphasis on how those systems ensure that information is communicated, processed, and passed along in a timely and efficient manner. Primary drivers of this component include the CFO and CIO, as well as operating management. Monitoring Internal control systems need to be monitored through a process that assesses the quality of each system’s performance over time. The process must incorporate ongoing monitoring activi- ties, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, along with other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring proce- dures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board. What this means to an organization is that the most significant success factor in achieving a CO- SO-compliant control framework is the ability to measure the depth and consistency of compliance with the organization’s individual controls. As any internal auditor can testify, three ‘steady states’ define a typical organization’s activities: • The vision of the executive management team • The way that vision is translated into corporate policies and procedures • What is actually done day-to-day by the organization’s workers © Copyright, 2004, Dwayne E. Jorgensen, All rights Reserved.
Generally, these three states—which should be identical—reflect varying degrees of consistency throughout the organization. This inconsistency can typically be tied to the most overlooked and underutilized component of the COSO framework: the monitoring function. More importantly, in an environment still reeling from disclosures of the Enron and WorldCom nature, the separate evaluation mentioned earlier has assumed an increasingly important role in supporting the organ- ization’s ability to assure the investing public that it takes the concept of governance seriously. Therefore, as opposed to the static or sporadic monitoring management performed in the past, systems are needed that give management the confidence that real-time monitoring is occurring on all key controls in every process—financial, operational, or regulatory. Ancient mariners had to rely on manual systems to measure the depth of an iceberg. With the ad- vent of sound navigation ranging, or SONAR, technology was harnessed to provide accurate and real-time measurements. As with the maritime equivalent, technology can significantly improve an organization’s ability to measure both the depth and consistency of control compliance. In evaluating the return on investment of technology upgrades, management must compare the costs of the technology against both the costs of the labor required to perform the measurements manually, and the risks associated with inadequate controls that are not continuously assessed on a real-time basis. Primary drivers of this component include the CEO, CFO, CRO, CIO, and COO; operating man- agement; and internal and external auditors. 9 © Copyright, 2004, Dwayne E. Jorgensen, All rights Reserved.
10 Tidal Influences Some key takeaways already emerging from the various compliance war stories heard to date apply to the areas of planning and the overall control maturity of the organization. Either of these ‘tidal influences’ can significantly affect the effectiveness—and the cost-effective- ness—of the organization’s measurements of the depth of its compliance efforts. As an example, the effort logged by many organizations to prepare solely for Section 404 compliance has been estimat- ed to exceed 5,000 hours of internal work, with expense estimates ranging from $500,000 to several million. These figures underline the vital importance of ensuring that a methodical approach is taken to determine the depth of compliance necessary for the organization and to realistically assess both the organization’s current control maturity and the desired target level once the process is complete. Conclusion Although many organizations are confident they will meet the Section 404 compliance deadline, that confidence diminishes exponentially when they’re asked whether they consider themselves ‘COSO-compliant’ in relation to all aspects of the organization’s compliance iceberg. Most would acknowledge an even lesser degree of confidence that—given the ever-changing nature of the corporate (and regulatory) environment—the work carried out for the first 404 event will equally satisfy future 404 requirements or 302 certifications. That fact poses a second fundamental ques- tion: one that all corporate executives should be asking themselves today. “Since 404 compliance is merely the tip of the compliance iceberg, how can I improve my confidence level as regards fully satisfying the need for overall compliance with the spirit (or complete COSO compliance) of the Sarbanes-Oxley Act?” Initial Repeatable Defined Managed Optimizing Initial Repeatable Defined Managed Optimizing Control structure is not defined. Control occurs incidentally. Control structure is not defined, but control processes may occur based on past success and management oversight. Control structure is documented, standardized and integrated into control processes for the organization. The control process is regularly assessed and tested. detailed measures of the control process are collected and reported. Continuous process improvement is enabled by quantitative feedback from the control process. Figure 3: Internal Control Maturity Model © Copyright, 2004, Dwayne E. Jorgensen, All rights Reserved.
T: 888-420-6861  |  E: Jim@JobDoctorsIntl.com www.JobDoctorsInternational.com About the Author Dwayne E. Jorgensen, CIA, CFE, is an expert in Corporate Governance and Internal Audit Services. Mr. Jorgensen created the Sarbanes-Oxley Services & IT Governance global practice for Computer Task Group (CTG), and was North American Practice Director of Internal Audit Services for Jefferson Wells International. He oversaw the growth and development of both firm’s internal audit service lines in the United States, Europe and Canada.

Recommended

Tip Of The Compliance Iceberg
Tip Of The Compliance IcebergTip Of The Compliance Iceberg
Tip Of The Compliance IcebergDwayne Jorgensen
 
FASB’s Proposal for Going Concern Uncertainties: A New Layer of Accounting Gu...
FASB’s Proposal for Going Concern Uncertainties: A New Layer of Accounting Gu...FASB’s Proposal for Going Concern Uncertainties: A New Layer of Accounting Gu...
FASB’s Proposal for Going Concern Uncertainties: A New Layer of Accounting Gu...MHM (Mayer Hoffman McCann P.C.)
 
SOX 2016 - PART I - COSO 2013
SOX 2016 - PART I - COSO 2013SOX 2016 - PART I - COSO 2013
SOX 2016 - PART I - COSO 2013Lorri Jongeneel, CPA
 
Sox Ima
Sox ImaSox Ima
Sox Imasteinkamps6
 
Coso internal control frameword executive summary_2013
Coso internal control frameword executive summary_2013Coso internal control frameword executive summary_2013
Coso internal control frameword executive summary_2013SARVJEET KAUSHAL
 
Coso 2013 icfr executive summary
Coso 2013 icfr executive summaryCoso 2013 icfr executive summary
Coso 2013 icfr executive summaryKatherine Reyes V.
 
Team1 so xpresentation
Team1 so xpresentationTeam1 so xpresentation
Team1 so xpresentationbobbyreeder
 
COSO Implementation: Getting Real, Getting It Right
COSO Implementation: Getting Real, Getting It RightCOSO Implementation: Getting Real, Getting It Right
COSO Implementation: Getting Real, Getting It RightBlackLine
 

Recommended

Tip Of The Compliance Iceberg
Tip Of The Compliance IcebergTip Of The Compliance Iceberg
Tip Of The Compliance IcebergDwayne Jorgensen
 
FASB’s Proposal for Going Concern Uncertainties: A New Layer of Accounting Gu...
FASB’s Proposal for Going Concern Uncertainties: A New Layer of Accounting Gu...FASB’s Proposal for Going Concern Uncertainties: A New Layer of Accounting Gu...
FASB’s Proposal for Going Concern Uncertainties: A New Layer of Accounting Gu...MHM (Mayer Hoffman McCann P.C.)
 
SOX 2016 - PART I - COSO 2013
SOX 2016 - PART I - COSO 2013SOX 2016 - PART I - COSO 2013
SOX 2016 - PART I - COSO 2013Lorri Jongeneel, CPA
 
Sox Ima
Sox ImaSox Ima
Sox Imasteinkamps6
 
Coso internal control frameword executive summary_2013
Coso internal control frameword executive summary_2013Coso internal control frameword executive summary_2013
Coso internal control frameword executive summary_2013SARVJEET KAUSHAL
 
Coso 2013 icfr executive summary
Coso 2013 icfr executive summaryCoso 2013 icfr executive summary
Coso 2013 icfr executive summaryKatherine Reyes V.
 
Team1 so xpresentation
Team1 so xpresentationTeam1 so xpresentation
Team1 so xpresentationbobbyreeder
 
COSO Implementation: Getting Real, Getting It Right
COSO Implementation: Getting Real, Getting It RightCOSO Implementation: Getting Real, Getting It Right
COSO Implementation: Getting Real, Getting It RightBlackLine
 
Cost benefits of sox compliance
Cost benefits of sox complianceCost benefits of sox compliance
Cost benefits of sox complianceAlok Singh
 
SOX Compliance Checklist Steps for Implementation
SOX Compliance Checklist Steps for ImplementationSOX Compliance Checklist Steps for Implementation
SOX Compliance Checklist Steps for ImplementationCIMCON Software
 
1Emerging Auditing IssuesByWeek .docx
1Emerging Auditing IssuesByWeek .docx1Emerging Auditing IssuesByWeek .docx
1Emerging Auditing IssuesByWeek .docxdrennanmicah
 
S O X In Telecom Industry
S O X In Telecom IndustryS O X In Telecom Industry
S O X In Telecom Industryravindra sharma
 
CIMCON Software - SOX Compliance Solutions
CIMCON Software - SOX Compliance SolutionsCIMCON Software - SOX Compliance Solutions
CIMCON Software - SOX Compliance SolutionsCIMCON Software
 
Sox In Telecom Industry
Sox In Telecom IndustrySox In Telecom Industry
Sox In Telecom IndustryMahesh Panchal
 
Chicago essay format
Chicago essay formatChicago essay format
Chicago essay formatWriters Per Hour
 
Streamlining Compliance for Community Banks
Streamlining Compliance for Community BanksStreamlining Compliance for Community Banks
Streamlining Compliance for Community BanksScott White
 
Arnold ITP M
Arnold ITP MArnold ITP M
Arnold ITP MPaul Arnold
 
Audit paper----Lu Han
Audit paper----Lu HanAudit paper----Lu Han
Audit paper----Lu HanLu Han
 
13 internal controls
13 internal controls13 internal controls
13 internal controlsCA. (Dr.) Rajkumar Adukia
 
Embedding compliance: how to integrate sarbanes-oxley in your projects
Embedding compliance: how to integrate sarbanes-oxley in your projectsEmbedding compliance: how to integrate sarbanes-oxley in your projects
Embedding compliance: how to integrate sarbanes-oxley in your projects3gamma
 
Assignment 2
Assignment 2Assignment 2
Assignment 2Lee Ann James
 
Need For Corporate Governance
Need For Corporate GovernanceNeed For Corporate Governance
Need For Corporate GovernanceDwayne Jorgensen
 
SOX ICMS Implmenetation - 2007
SOX ICMS Implmenetation - 2007SOX ICMS Implmenetation - 2007
SOX ICMS Implmenetation - 2007Slava Gorbunov
 
CAN SOMEONE PLEASE EXPLAIN CARBON ACCOUNTING AND DEFINE WHAT A CARBON LEDGER ...
CAN SOMEONE PLEASE EXPLAIN CARBON ACCOUNTING AND DEFINE WHAT A CARBON LEDGER ...CAN SOMEONE PLEASE EXPLAIN CARBON ACCOUNTING AND DEFINE WHAT A CARBON LEDGER ...
CAN SOMEONE PLEASE EXPLAIN CARBON ACCOUNTING AND DEFINE WHAT A CARBON LEDGER ...Workiva
 
The Sarbanes-Oxlet act (SOX) was primarily enacted following the Enr.pdf
The Sarbanes-Oxlet act (SOX) was primarily enacted following the Enr.pdfThe Sarbanes-Oxlet act (SOX) was primarily enacted following the Enr.pdf
The Sarbanes-Oxlet act (SOX) was primarily enacted following the Enr.pdfnipuns1983
 
Financial Engineering
Financial EngineeringFinancial Engineering
Financial EngineeringDeependra Singh
 
JO3403Sarbanes-Oxley ActHR’s Role in Ensuring Complianc.docx
JO3403Sarbanes-Oxley ActHR’s Role in Ensuring Complianc.docxJO3403Sarbanes-Oxley ActHR’s Role in Ensuring Complianc.docx
JO3403Sarbanes-Oxley ActHR’s Role in Ensuring Complianc.docxvrickens
 
65© 2011 Wiley Periodicals, Inc.Published online in Wile.docx
65© 2011 Wiley Periodicals, Inc.Published online in Wile.docx65© 2011 Wiley Periodicals, Inc.Published online in Wile.docx
65© 2011 Wiley Periodicals, Inc.Published online in Wile.docxevonnehoggarth79783
 
Combining Corporate Governance with Internal Leadership
Combining Corporate Governance with Internal LeadershipCombining Corporate Governance with Internal Leadership
Combining Corporate Governance with Internal LeadershipDwayne Jorgensen
 
After Sarbanes Oxley
After Sarbanes OxleyAfter Sarbanes Oxley
After Sarbanes OxleyDwayne Jorgensen
 

More Related Content

Similar to Tip of the Compliance Iceberg

Cost benefits of sox compliance
Cost benefits of sox complianceCost benefits of sox compliance
Cost benefits of sox complianceAlok Singh
 
SOX Compliance Checklist Steps for Implementation
SOX Compliance Checklist Steps for ImplementationSOX Compliance Checklist Steps for Implementation
SOX Compliance Checklist Steps for ImplementationCIMCON Software
 
1Emerging Auditing IssuesByWeek .docx
1Emerging Auditing IssuesByWeek .docx1Emerging Auditing IssuesByWeek .docx
1Emerging Auditing IssuesByWeek .docxdrennanmicah
 
S O X In Telecom Industry
S O X In Telecom IndustryS O X In Telecom Industry
S O X In Telecom Industryravindra sharma
 
CIMCON Software - SOX Compliance Solutions
CIMCON Software - SOX Compliance SolutionsCIMCON Software - SOX Compliance Solutions
CIMCON Software - SOX Compliance SolutionsCIMCON Software
 
Sox In Telecom Industry
Sox In Telecom IndustrySox In Telecom Industry
Sox In Telecom IndustryMahesh Panchal
 
Streamlining Compliance for Community Banks
Streamlining Compliance for Community BanksStreamlining Compliance for Community Banks
Streamlining Compliance for Community BanksScott White
 
Audit paper----Lu Han
Audit paper----Lu HanAudit paper----Lu Han
Audit paper----Lu HanLu Han
 
Embedding compliance: how to integrate sarbanes-oxley in your projects
Embedding compliance: how to integrate sarbanes-oxley in your projectsEmbedding compliance: how to integrate sarbanes-oxley in your projects
Embedding compliance: how to integrate sarbanes-oxley in your projects3gamma
 
Need For Corporate Governance
Need For Corporate GovernanceNeed For Corporate Governance
Need For Corporate GovernanceDwayne Jorgensen
 
SOX ICMS Implmenetation - 2007
SOX ICMS Implmenetation - 2007SOX ICMS Implmenetation - 2007
SOX ICMS Implmenetation - 2007Slava Gorbunov
 
CAN SOMEONE PLEASE EXPLAIN CARBON ACCOUNTING AND DEFINE WHAT A CARBON LEDGER ...
CAN SOMEONE PLEASE EXPLAIN CARBON ACCOUNTING AND DEFINE WHAT A CARBON LEDGER ...CAN SOMEONE PLEASE EXPLAIN CARBON ACCOUNTING AND DEFINE WHAT A CARBON LEDGER ...
CAN SOMEONE PLEASE EXPLAIN CARBON ACCOUNTING AND DEFINE WHAT A CARBON LEDGER ...Workiva
 
The Sarbanes-Oxlet act (SOX) was primarily enacted following the Enr.pdf
The Sarbanes-Oxlet act (SOX) was primarily enacted following the Enr.pdfThe Sarbanes-Oxlet act (SOX) was primarily enacted following the Enr.pdf
The Sarbanes-Oxlet act (SOX) was primarily enacted following the Enr.pdfnipuns1983
 
JO3403Sarbanes-Oxley ActHR’s Role in Ensuring Complianc.docx
JO3403Sarbanes-Oxley ActHR’s Role in Ensuring Complianc.docxJO3403Sarbanes-Oxley ActHR’s Role in Ensuring Complianc.docx
JO3403Sarbanes-Oxley ActHR’s Role in Ensuring Complianc.docxvrickens
 
65© 2011 Wiley Periodicals, Inc.Published online in Wile.docx
65© 2011 Wiley Periodicals, Inc.Published online in Wile.docx65© 2011 Wiley Periodicals, Inc.Published online in Wile.docx
65© 2011 Wiley Periodicals, Inc.Published online in Wile.docxevonnehoggarth79783
 

Similar to Tip of the Compliance Iceberg (20)

Cost benefits of sox compliance
Cost benefits of sox complianceCost benefits of sox compliance
Cost benefits of sox compliance
 
SOX Compliance Checklist Steps for Implementation
SOX Compliance Checklist Steps for ImplementationSOX Compliance Checklist Steps for Implementation
SOX Compliance Checklist Steps for Implementation
 
1Emerging Auditing IssuesByWeek .docx
1Emerging Auditing IssuesByWeek .docx1Emerging Auditing IssuesByWeek .docx
1Emerging Auditing IssuesByWeek .docx
 
S O X In Telecom Industry
S O X In Telecom IndustryS O X In Telecom Industry
S O X In Telecom Industry
 
CIMCON Software - SOX Compliance Solutions
CIMCON Software - SOX Compliance SolutionsCIMCON Software - SOX Compliance Solutions
CIMCON Software - SOX Compliance Solutions
 
Sox In Telecom Industry
Sox In Telecom IndustrySox In Telecom Industry
Sox In Telecom Industry
 
Chicago essay format
Chicago essay formatChicago essay format
Chicago essay format
 
Streamlining Compliance for Community Banks
Streamlining Compliance for Community BanksStreamlining Compliance for Community Banks
Streamlining Compliance for Community Banks
 
Arnold ITP M
Arnold ITP MArnold ITP M
Arnold ITP M
 
Audit paper----Lu Han
Audit paper----Lu HanAudit paper----Lu Han
Audit paper----Lu Han
 
13 internal controls
13 internal controls13 internal controls
13 internal controls
 
Embedding compliance: how to integrate sarbanes-oxley in your projects
Embedding compliance: how to integrate sarbanes-oxley in your projectsEmbedding compliance: how to integrate sarbanes-oxley in your projects
Embedding compliance: how to integrate sarbanes-oxley in your projects
 
Assignment 2
Assignment 2Assignment 2
Assignment 2
 
Need For Corporate Governance
Need For Corporate GovernanceNeed For Corporate Governance
Need For Corporate Governance
 
SOX ICMS Implmenetation - 2007
SOX ICMS Implmenetation - 2007SOX ICMS Implmenetation - 2007
SOX ICMS Implmenetation - 2007
 
CAN SOMEONE PLEASE EXPLAIN CARBON ACCOUNTING AND DEFINE WHAT A CARBON LEDGER ...
CAN SOMEONE PLEASE EXPLAIN CARBON ACCOUNTING AND DEFINE WHAT A CARBON LEDGER ...CAN SOMEONE PLEASE EXPLAIN CARBON ACCOUNTING AND DEFINE WHAT A CARBON LEDGER ...
CAN SOMEONE PLEASE EXPLAIN CARBON ACCOUNTING AND DEFINE WHAT A CARBON LEDGER ...
 
The Sarbanes-Oxlet act (SOX) was primarily enacted following the Enr.pdf
The Sarbanes-Oxlet act (SOX) was primarily enacted following the Enr.pdfThe Sarbanes-Oxlet act (SOX) was primarily enacted following the Enr.pdf
The Sarbanes-Oxlet act (SOX) was primarily enacted following the Enr.pdf
 
Financial Engineering
Financial EngineeringFinancial Engineering
Financial Engineering
 
JO3403Sarbanes-Oxley ActHR’s Role in Ensuring Complianc.docx
JO3403Sarbanes-Oxley ActHR’s Role in Ensuring Complianc.docxJO3403Sarbanes-Oxley ActHR’s Role in Ensuring Complianc.docx
JO3403Sarbanes-Oxley ActHR’s Role in Ensuring Complianc.docx
 
65© 2011 Wiley Periodicals, Inc.Published online in Wile.docx
65© 2011 Wiley Periodicals, Inc.Published online in Wile.docx65© 2011 Wiley Periodicals, Inc.Published online in Wile.docx
65© 2011 Wiley Periodicals, Inc.Published online in Wile.docx
 

More from Dwayne Jorgensen

Combining Corporate Governance with Internal Leadership
Combining Corporate Governance with Internal LeadershipCombining Corporate Governance with Internal Leadership
Combining Corporate Governance with Internal LeadershipDwayne Jorgensen
 
Sarbanes Oxleys Impact On The Coso Cube
Sarbanes Oxleys Impact On The Coso CubeSarbanes Oxleys Impact On The Coso Cube
Sarbanes Oxleys Impact On The Coso CubeDwayne Jorgensen
 
The Sane Solution To Sox Costs
The Sane Solution To Sox CostsThe Sane Solution To Sox Costs
The Sane Solution To Sox CostsDwayne Jorgensen
 
SCS Presentation - Corporate Governance
SCS Presentation - Corporate GovernanceSCS Presentation - Corporate Governance
SCS Presentation - Corporate GovernanceDwayne Jorgensen
 
Cf O Magazine blog comment
Cf O Magazine blog commentCf O Magazine blog comment
Cf O Magazine blog commentDwayne Jorgensen
 

More from Dwayne Jorgensen (9)

Combining Corporate Governance with Internal Leadership
Combining Corporate Governance with Internal LeadershipCombining Corporate Governance with Internal Leadership
Combining Corporate Governance with Internal Leadership
 
After Sarbanes Oxley
After Sarbanes OxleyAfter Sarbanes Oxley
After Sarbanes Oxley
 
Risk Factor 9 05 Issue
Risk Factor 9 05 IssueRisk Factor 9 05 Issue
Risk Factor 9 05 Issue
 
CEO Magazine 09 05
CEO Magazine 09 05CEO Magazine 09 05
CEO Magazine 09 05
 
Sarbanes Oxleys Impact On The Coso Cube
Sarbanes Oxleys Impact On The Coso CubeSarbanes Oxleys Impact On The Coso Cube
Sarbanes Oxleys Impact On The Coso Cube
 
The Sane Solution To Sox Costs
The Sane Solution To Sox CostsThe Sane Solution To Sox Costs
The Sane Solution To Sox Costs
 
SCS Presentation - Corporate Governance
SCS Presentation - Corporate GovernanceSCS Presentation - Corporate Governance
SCS Presentation - Corporate Governance
 
Cf O Magazine blog comment
Cf O Magazine blog commentCf O Magazine blog comment
Cf O Magazine blog comment
 
Corporate Governance
Corporate GovernanceCorporate Governance
Corporate Governance
 

Recently uploaded

Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfhenrik385807
 
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )Pooja Nehwal
 
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfhenrik385807
 
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Krijn Poppe
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...NETWAYS
 
Work Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxWork Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxmavinoikein
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AITatiana Gurgel
 
call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@vikas rana
 
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...NETWAYS
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Salam Al-Karadaghi
 
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...NETWAYS
 
The 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringThe 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringSebastiano Panichella
 
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxGenesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxFamilyWorshipCenterD
 
SBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSebastiano Panichella
 
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...henrik385807
 
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...NETWAYS
 
Philippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.pptPhilippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.pptssuser319dad
 
LANDMARKS AND MONUMENTS IN NIGERIA.pptx
LANDMARKS AND MONUMENTS IN NIGERIA.pptxLANDMARKS AND MONUMENTS IN NIGERIA.pptx
LANDMARKS AND MONUMENTS IN NIGERIA.pptxBasil Achie
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Pooja Nehwal
 

Recently uploaded (20)

Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
 
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
 
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
 
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
 
Work Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxWork Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptx
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AI
 
call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@
 
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
 
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
 
The 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringThe 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software Engineering
 
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxGenesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
 
SBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation Track
 
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
 
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
 
Philippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.pptPhilippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.ppt
 
LANDMARKS AND MONUMENTS IN NIGERIA.pptx
LANDMARKS AND MONUMENTS IN NIGERIA.pptxLANDMARKS AND MONUMENTS IN NIGERIA.pptx
LANDMARKS AND MONUMENTS IN NIGERIA.pptx
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
 

Tip of the Compliance Iceberg

  • 1. The Tip of the Compliance Iceberg by Dwayne E. Jorgensen www.JobDoctorsInternational.com
  • 2. Introduction Since its passage in 2002, the Sarbanes-Oxley Act has spotlighted the realm of corporate gov- ernance as it pertains to compliance with legal regulations. Corporations have spent thousands of hours in preparation for their first attempt to earn an ‘unqualified’ attestation from their public accountants. That attestation is required to substantiate management assertions as to the overall effectiveness of their internal control frameworks, as mandated by Section 404 of the act. As the first deadline approaches in December, 2004, many CEOs and CFOs believe they have ad- equately navigated the course laid out for them by the act. But do corporate efforts to comply with Section 404 supply enough information to avoid the unforeseen complications of future noncompli- ance events? Or have they addressed only the tip of the compliance iceberg? Current State As dramatized in regular headlines, corporate investors are still being unpleasantly surprised by allegations of control breakdowns in flagships of the investment world. Given the nebulous and ramified nature of some transactions, executives are increasingly sensitive to the difficulty of as- certaining whether the proper controls are in place to monitor all related activities effectively. Furthermore, the dynamics of a global economy pose an ongoing challenge to an organization’s ability to ‘assert’ to the overall effectiveness of its control environment. These facts lead to a fundamental question: how can you know your control environment is effective without a full un- derstanding of both the depth of compliance required, and the adequacy of your measurement process? Letter or Spirit? Numerous comments by key individuals, including SEC commissioners, have made it clear that the Sarbanes-Oxley Act was not intended as the ‘end of all means’ as it relates to reassuring the investing public and the federal government about an organization’s operations. Rather, the act was intended as a ‘means to an end’: namely, establishment of an integrated control framework as defined in a landmark report issued by the Committee on Sponsoring Organizations of the 2 © Copyright, 2004, Dwayne E. Jorgensen, All rights Reserved.
  • 3. Treadway Commission (COSO). By design, that framework would address all aspects of the act as a part of the overall defined corporate governance. Despite that fact, many organizations have responded narrowly and tactically to Section 404 compli- ance mandates with ‘cascading certifications’ that require all layers of management to perform the same certification required of the CEO and CFO on SEC quarterly and annual reports. Many have also adopted a wait-and-see attitude relative to the more far-reaching strategic components of the act, such as disclosure guidelines, whistleblower protocols, and the incorporation of a COSO-based uniform control structure across all the organization’s financial and nonfinancial processes. (Corpo- rate Governance and Independence Monitoring Function, 10/1/2003, CFO Project Volume 2) Ascertaining the depth of the compliance iceberg must start with management’s intention to com- ply with the spirit rather than the letter of the Sarbanes-Oxley Act. Management must decide whether to establish an adequate and effective control environment based on the internal control framework defined in the COSO report (spirit), or settle for doing only what’s required to satisfy individual sections (letter). As shown in Figure 1, organizations focused exclusively on compliance with Sections 404 and 302 are addressing merely the tip of the iceberg. True adherence to COSO requires adequate meas- urement of additional layers—other Sarbanes sections, other regulations, lender’s covenants, mission statements, policies, procedures, tasks, and unique control events—as part of COSO’s ongoing “monitoring process.” (See Figure 2 for a description of monitoring in the layers of the ‘COSO Cube’.) That means that once management decides to comply with the spirit rather than the letter of the act, it must first determine how much of what has already been done to prepare for compliance with Section 404 can be used for ongoing control measurements. What You Know What You Might Not Know 404 302 301 409 Cerner Regulations (FDIC 1A, etc.) Public Co. Reg. (NYSE, NASDAQ, etc.) Sarbanes-Oxley Act Compliance Requirements Industry Compliance Standards Company-Specific Standards Lending Convenants Mission Statements Policies Procedures Tasks Unique Control Events Figure 1: The Compliance Iceberg 3 © Copyright, 2004, Dwayne E. Jorgensen, All rights Reserved.
  • 4. The Current State of Section 404 Compliance Since the start of activities to prepare for compliance with Section 404, an ad hoc preparation methodology has emerged. Refined through trial and error, that process has been adopted to various extents by most organizations. It includes these steps: 1. Assess the current state of the organization’s controls in key processes. 2. Ensure that the current state is adequate in terms of both the strength and documentation of controls; where they are missing or inadequate, develop them from scratch. 3. Have agencies or individuals independent of the work done in step 2 test the effectiveness of the controls, correct deficiencies where necessary, and then retest. 4. Report the results of the first three steps to prepare for a management assertion letter as prescribed by Section 404, and provide these results to the external auditors for their required attestation of the assertion. Unfortunately, these four key phases have not been uniformly implemented across all corpora- tions. Cautionary tales abound that relate how organizations have skipped the assessment phase and started at the documentation step, or have authorized the same agencies or people who per- formed the work required by step 2 to test it at step 3. In both cases, these inconsistencies have resulted in additional costs for the organization, either in rescoping or in completely redoing the 404 work. Finally, and more importantly, the work carried out to date in step 4 as the result of this process has not yet been substantiated as the appropriate output, since the final Standards of Testing have not yet been performed by any auditors (PCAOB Standard #2). How Much Is Enough? Regardless of the amount of effort already expended on preparing for Section 404, the answer to the fundamental question posed above—how can you know your control environment is effective without a full understanding of the depth of compliance necessary and the adequacy of your meas- urement process?—may still be “not enough” as it relates to full Sarbanes-Oxley compliance. Many organizations focused solely on complying with section 404 have contracted with service or software-oriented firms that essentially supplied a ‘one-off’ product for the 404 report. The signifi- cant shortcomings of this approach—which fails to ensure that the outcome will be COSO-compli- ant as stipulated by the Public Company Accounting Oversight Board (PCAOB) guidance issued to date—will shortly appear in the efforts required to recreate that work for both future annual 404 assertions, and for the quarterly 302 certifications. As shown in Figure 1, COSO compliance extends many levels below the individual sections of the act—all the way down to the individual 4 © Copyright, 2004, Dwayne E. Jorgensen, All rights Reserved.
  • 5. control activities within the organization. To fully achieve the mandated compliance, an organiza- tion must take a more fundamental approach to the elements of the ‘COSO Cube.’ COSO: Internal Control—Integrated Framework The report entitled “Internal Control - Integrated Framework”, was commissioned by the Commit- tee on Sponsoring Organizations of the Treadway Commission (COSO). It established a common definition of internal control that meets the needs of various parties not only for assessing their control systems, but also for determining how to improve them. As originally published, the COSO Report was considered a voluntary approach to implementing best practices as they relate to a sound control environment. However, with the passage of the Sarbanes-Oxley Act and the further clarification provided by both the SEC and the PCAOB, the COSO Report has been established as the benchmark for determining compliance with the act. More importantly, as other aspects of the act are more clearly defined or become applicable, the components of the COSO Report take on more meaning. They cover not only the controls nec- essary for compliance with financial reporting mandates, but also clearly identify the operational controls that will become critical to the accurate assessment and disclosure of all issues subject to disclosure guidelines, whether financial or operational in nature. The most pertinent aspect of the COSO Report is its establishment, for the first time ever, of a universal definition of internal control: Internal control is broadly defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Figure 2: The impact of Sarbanes-Oxley on the COSO Cube IT components Section 404 Section 409 Section 302 Risk Assessment Control Environment Server Logs, Database Logs, Firewall Logs, Intrusion Detection, Incident Response, Awarness Training IT Policies, Standards & Procedures Email, Scorecards, Dashboards, Project Control, Help Desk Firewalls, Security, DRP, Business Continuity, SDLC, Change Control, Operations IT Risk Management, IT Risk Assessments, Business Impact Analysis “Tone at the top”, IT Governance, Regulatory Compliance Monitoring Information & Communication Control Activities 5 © Copyright, 2004, Dwayne E. Jorgensen, All rights Reserved. Based on the COSO illustration (copyright 1994) by the Committee of Sponsoring Organizations (COSO).
  • 6. • Effectiveness and efficiency of operations. • Reliability of financial reporting. • Compliance with applicable laws and regulations. Internal control consists of five interrelated components. These are derived from the way management runs a business, and are integrated with the management process. The components are: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring. The following sections provide a brief overview of the nature, significance, and primary drivers of each internal control component named in the report. Control Environment The control environment sets the organization’s tone, influences the control consciousness of its people, and serves as the disciplinary and structural foundation for all other components of inter- nal control. Key factors in that environment include the integrity, ethical values, and competence of the entity’s people; management’s philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors. What does this means to an organization? The control environment is the starting point for exec- utive management’s decision as to whether compliance with the Sarbanes-Oxley Act will be per- ceived as a ‘spirit’ or ‘letter of the law’ exercise. Organizations that decide to settle for compliance with the letter of the law can reasonably expect to fall short of the expectations of the SEC and PCAOB at some future point, and to reap all the potentially negative consequences of that short- fall. Given that probability, a more prudent approach would be to recognize that while control is management’s responsibility, it must be actively embraced by everyone associated with the organ- ization. This tone should be reflected in corporate mission statements; ethics policies; disclosure guidelines; and board, audit committee, and internal audit charters. Primary drivers of this component include the board of directors, CEO, and CFO. Risk Assessment Every entity faces external and internal risks that must be carefully investigated. A precondition to effective risk assessment is establishing objectives that are linked at different levels and internal- ly consistent. Risk assessment identifies and analyzes risks that may affect the achievement of those objectives. It also provides a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions are all subject to ongoing change, mechanisms are needed to identify and deal with the special risks associated with change. 6 © Copyright, 2004, Dwayne E. Jorgensen, All rights Reserved.
  • 7. What this means to an organization is that risk management, formerly the exclusive realm of inter- nal auditors and insurance brokers, is assuming a key management role. In fact, more and more corporations are acknowledging its strategic importance by appointing a chief risk officer (CRO) to give this COSO component the attention it deserves. Ironically, most operational managers confronted by risk assessment policies for the first time are quick to realize how little of their prior responsibilities involved consideration of a ‘what-if’ component. And yet, as most immediately rec- ognize, only a realistic evaluation of the potential for and impact of a negative outcome can lead to a clear understanding of the steps needed to mitigate that risk. The ever-changing conditions of the business world make risk assessment a dynamic and ongo- ing activity. It requires implementing a defined process to guide the organization through the defi- nition of key risk areas, pinpoint specific risks in these areas, evaluate the likelihood and severity of each risk, and identify the resources required to mitigate them to acceptable levels. Now more than ever, the realities of a global business community make the ability to control all significant risks essential to an organization’s success. Primary drivers of this component include the CEO, CFO, CRO, COO; operating management; and the internal auditor. Control Activities Control activities are the policies and procedures that embody management directives. They en- sure that necessary actions are taken to address risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They are as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating perfor- mance, security of assets, and segregation of duties. The organizational significance of control activities relates to the fact that most of the effort (and expense) corporations have dedicated to achieving 404 compliance to date has been expended on identifying and documenting these COSO components. Yet, most—if not all—of that effort has been limited to the financial controls as they pertain to the production of the financial statements. As demonstrated in Figure 1, it will be readily apparent to most managers that the next monumen- tal task required by the act will be the inclusion of the other two control areas: business operations and regulatory compliance. The effort required to achieve adequate documentation in these addi- tional areas will depend on the prior state of overall control maturity in the organization. Primary drivers of this component include the CFO, CRO, COO, and operating management. 7 © Copyright, 2004, Dwayne E. Jorgensen, All rights Reserved.
  • 8. 8 Information and Communication Pertinent information must be identified, captured, and communicated in a form and within a time- frame that enables people to carry out their responsibilities. Information systems produce reports on operational, financial, and compliance-related information that make it possible to run and control the business. They supply not only internally generated data, but also information about external events, activities, and conditions necessary to informed business decision-making and external reporting. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top manage- ment that control responsibilities are to be taken seriously. Workers must understand not only their own role in the internal control system, but how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties such as customers, suppliers, regulators, and shareholders. What this means to an organization is that it’s not enough merely to document the control activities identified in the 404 compliance exercise. They must be effectively communicated to the rank and file, along with a ‘tone at the top’ that reinforces the fact that control is everyone’s job. In addition, as Section 409 (timeliness of reporting) takes effect, most organizations will be forced to assess yet again the effectiveness of their internal communication systems, with an emphasis on how those systems ensure that information is communicated, processed, and passed along in a timely and efficient manner. Primary drivers of this component include the CFO and CIO, as well as operating management. Monitoring Internal control systems need to be monitored through a process that assesses the quality of each system’s performance over time. The process must incorporate ongoing monitoring activi- ties, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, along with other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring proce- dures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board. What this means to an organization is that the most significant success factor in achieving a CO- SO-compliant control framework is the ability to measure the depth and consistency of compliance with the organization’s individual controls. As any internal auditor can testify, three ‘steady states’ define a typical organization’s activities: • The vision of the executive management team • The way that vision is translated into corporate policies and procedures • What is actually done day-to-day by the organization’s workers © Copyright, 2004, Dwayne E. Jorgensen, All rights Reserved.
  • 9. Generally, these three states—which should be identical—reflect varying degrees of consistency throughout the organization. This inconsistency can typically be tied to the most overlooked and underutilized component of the COSO framework: the monitoring function. More importantly, in an environment still reeling from disclosures of the Enron and WorldCom nature, the separate evaluation mentioned earlier has assumed an increasingly important role in supporting the organ- ization’s ability to assure the investing public that it takes the concept of governance seriously. Therefore, as opposed to the static or sporadic monitoring management performed in the past, systems are needed that give management the confidence that real-time monitoring is occurring on all key controls in every process—financial, operational, or regulatory. Ancient mariners had to rely on manual systems to measure the depth of an iceberg. With the ad- vent of sound navigation ranging, or SONAR, technology was harnessed to provide accurate and real-time measurements. As with the maritime equivalent, technology can significantly improve an organization’s ability to measure both the depth and consistency of control compliance. In evaluating the return on investment of technology upgrades, management must compare the costs of the technology against both the costs of the labor required to perform the measurements manually, and the risks associated with inadequate controls that are not continuously assessed on a real-time basis. Primary drivers of this component include the CEO, CFO, CRO, CIO, and COO; operating man- agement; and internal and external auditors. 9 © Copyright, 2004, Dwayne E. Jorgensen, All rights Reserved.
  • 10. 10 Tidal Influences Some key takeaways already emerging from the various compliance war stories heard to date apply to the areas of planning and the overall control maturity of the organization. Either of these ‘tidal influences’ can significantly affect the effectiveness—and the cost-effective- ness—of the organization’s measurements of the depth of its compliance efforts. As an example, the effort logged by many organizations to prepare solely for Section 404 compliance has been estimat- ed to exceed 5,000 hours of internal work, with expense estimates ranging from $500,000 to several million. These figures underline the vital importance of ensuring that a methodical approach is taken to determine the depth of compliance necessary for the organization and to realistically assess both the organization’s current control maturity and the desired target level once the process is complete. Conclusion Although many organizations are confident they will meet the Section 404 compliance deadline, that confidence diminishes exponentially when they’re asked whether they consider themselves ‘COSO-compliant’ in relation to all aspects of the organization’s compliance iceberg. Most would acknowledge an even lesser degree of confidence that—given the ever-changing nature of the corporate (and regulatory) environment—the work carried out for the first 404 event will equally satisfy future 404 requirements or 302 certifications. That fact poses a second fundamental ques- tion: one that all corporate executives should be asking themselves today. “Since 404 compliance is merely the tip of the compliance iceberg, how can I improve my confidence level as regards fully satisfying the need for overall compliance with the spirit (or complete COSO compliance) of the Sarbanes-Oxley Act?” Initial Repeatable Defined Managed Optimizing Initial Repeatable Defined Managed Optimizing Control structure is not defined. Control occurs incidentally. Control structure is not defined, but control processes may occur based on past success and management oversight. Control structure is documented, standardized and integrated into control processes for the organization. The control process is regularly assessed and tested. detailed measures of the control process are collected and reported. Continuous process improvement is enabled by quantitative feedback from the control process. Figure 3: Internal Control Maturity Model © Copyright, 2004, Dwayne E. Jorgensen, All rights Reserved.
  • 11. T: 888-420-6861  |  E: Jim@JobDoctorsIntl.com www.JobDoctorsInternational.com About the Author Dwayne E. Jorgensen, CIA, CFE, is an expert in Corporate Governance and Internal Audit Services. Mr. Jorgensen created the Sarbanes-Oxley Services & IT Governance global practice for Computer Task Group (CTG), and was North American Practice Director of Internal Audit Services for Jefferson Wells International. He oversaw the growth and development of both firm’s internal audit service lines in the United States, Europe and Canada.