Accounting Systems and Controls

Accounting systems are composed of hardware, software applications, and the people who design and administer the system as a whole. An accounting system has three distinct components: analysis, design and implementation. These components generally incorporate databases, user applications and the designers and end-users of the entire system. This essay looks closely at the role that an organization's internal controls have in an accounting system. Internal controls function as the administrative and procedural framework of an accounting system and can be thought of as a sub-system within the overall accounting system. The elements of an internal controls system are the control environment, risk assessment, control activities, information and communication, and monitoring of the controls. Internal controls are very much in the spotlight at organizations as a result of the implementation of the Sarbanes-Oxley Act of 2002. Much scrutiny has been placed on internal controls that monitor financial transactions. The Sarbanes-Oxley Act has been blamed for adding complexity and cost to overall corporate governance. The costs of implementation and compliance have steadily risen since 2002 and many companies continue to struggle with SEC guidelines for administering Sarbanes-Oxley directives. A chief accounting officer at General Motors Corp. was quoted as saying of the Act, "The real cost isn't the incremental dollars, it is having people that should be focused on the business [being instead] focused on complying with the details of the rules." This essay discusses trends in the cost of compliance as well as SEC efforts to clarify the guidelines for companies. Today, many companies are turning their attention to implementing an internal control framework that supports an overall risk management strategy within an organization. Strong internal controls are not just a benefit or a requirement of public companies. Today, private companies are implementing accounting systems and internal controls as a means to improve operations, accountability and efficiency. Lastly, this essay reviews a number of trends and best practices for internal controls for enterprise risk as a means to elicit further discussion and research.

Keywords: Accounting Controls; Accounting System; Assurance; Chief Audit Executive (CAE); Committee of Sponsoring Organizations of the Treadway Commission (COSO); Control Environment; Corporate Compliance; External Audit; Internal Controls; Private Company; Public Company; Public Company Accounting Oversight Board (PCAOB); Risk-based Audit; Sarbanes-Oxley (Sarbox or SOX or SOA); Securities and Exchange Commission (SEC); The American Institute of Certified Public Accountants (AICPA)

Overview

Internal Controls

Merriam-Webster's dictionary defines a "system" as a regularly interacting or interdependent group of items forming a unified whole. A "control" is defined as a device or mechanism used to regulate or guide the operation of a machine, apparatus, or system. It is important to define the individual terms within the topic of "accounting systems and controls" to clarify the scope of what is meant by it.

An accounting system consists of the following three components: analysis, design and implementation. These three components define the accounting system framework and should provide businesses with a uniform way in which to use their data and financial information. Accounting systems are, in part, composed of the hardware, software and applications that allow for storage of important organizational information, both financial and non-financial. For purposes of clarification, this essay concentrates on discussing "internal controls" as they impact accounting systems and not the electronic storage of financial data.

Internal controls can be thought of as a sub-system within the accounting system ("Internal controls," 2007). Internal controls offer guidance, practices and procedures that the accounting system needs to operate within an organization. Internal controls are designed to protect against fraud and abuse, ensure accuracy and timeliness of information, and ensure that an organization is in compliance with regulatory guidelines ("Internal controls," 2007). Internal accounting controls are a series of procedures and practices designed to promote management practices — both financial and general. Internal controls can be further outlined as being designed to ensure the following within an organization ("Developing an internal accounting control system," 2007):
  • Financial information is reliable and that managers and boards have assurance that financial data is accurate.
  • Company assets and records (information) are protected from fraud.
  • Policies are followed by employees and stakeholders.
  • All applicable regulations are met by the organization.

Five Key Elements of Internal Controls

An internal controls system is generally accepted as having the following five elements ("Internal controls," 2007):

  • Control Environment — This refers to the general attitude of management or others who administer the internal controls of an organization. A high level of commitment to ethical values and good business practices should be exhibited at the executive, management and board level to instill employees with a similar attitude to implementing effective controls. The control environment may include background checks for key employees, technical competence of staff and thorough written procedures to support the controls.
  • Risk Assessment — Identifies areas of potential risk in an organization and asks the following questions: What assets are at risk? What can go wrong? Who is in a position of risk? The role of the controls administrator is to identify methods to control risk and analyze associated costs.
  • Control Activities — Refers to activities that provide a "reasonable" level of assurance that the goals and objectives of the organization or a business unit will be met. Absolute assurance is not possible because of a number of factors, including prohibitive costs, human error and management's ability to override controls.
  • Information and Communication Systems — Communication lets employees know what is expected of them and how to accomplish given objectives. Clear communication also identifies who has responsibility for a given task and provides needed clarity for employees. Information systems include data repositories as well as the reports that monitor progress related to operational, financial and compliance objectives. Information provides a means to monitor progress toward specific accomplishments and provides administration with the information to make decisions.
  • Monitoring — This step involves checking on the internal control system and making certain that it operates as expected. The focus of monitoring should always be on areas of highest risk. It is the role of the controls administrator to change internal controls to reflect any changes in operational circumstances as they may occur.

History of Internal Controls

Internal controls are probably most often thought of within the context of corporate compliance and specifically as a means to comply with section 404 of Sarbanes-Oxley (SOX) legislation that was passed in 2002. SOX Section 404 falls under the heading "Management Assessment of Internal Controls." Section 404 states, "Issuers are required to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting. This statement shall also assess the effectiveness of such internal controls and procedures" ("Sarbanes-Oxley Act Section 404," 2004).

Donald C. Langevoort (2006) states the following regarding SOX section 404:

"Today, the vocal criticism is largely reserved for just one piece of the legislation: The internal controls requirement found in section 404, which in some circles has become almost synonymous with SOX itself. Doubts about the balance of costs and benefits and whether the result will be increased de-listings and going to private transactions to avoid 404's burdens have made this the portion of the Act that has encountered the most political resistance" (p. 950).

Given the amount of ink that has been devoted to SOX legislation and in particular section 404 over the past five years, one might think that the subject of internal controls and corporate transparency issues didn't exist before this decade's now famous accounting scandals. However, corporate scandals have been around for a long time and will likely continue despite the best intentions and government intervention.

From a historical perspective, one should consider the following quote:

"Concern about the adequacy of internal controls-and corporate accountability generally-was one of the most important issues in securities regulation in the 1970s. Because a handful of large corporations had funded the break-in of the Democratic headquarters, the Watergate scandal led directly to questions about the legitimacy of corporate managers' opaque dominion over corporate assets, especially as it related to foreign and domestic bribery and illegal political campaign contributions" (Langevoort, 2006, p. 951).

In another citation, Langevoort points out the following:

"Revisiting section 3.4.2 of Clark's Corporate Law ("Duty of Care as Responsibility for Systems") reminds us, however, that the internal controls story actually goes back many decades, and that many of the strategic issues that are at the heart of section 404 have long been contentious" (2006, p. 950).

By now it should be clear that internal controls are not a new concept for corporations. Depending upon the size and complexity of an organization, the implementation of internal controls to mitigate financial and operational risk may vary, but few businesses operating today can afford not to implement a base level of checks and balances, particularly publicly traded companies. Public companies must satisfy not only regulatory requirements but also meet stakeholder expectations when setting up and monitoring internal controls. The most visible "testing" of internal controls remains the auditing of a company's financial statements. With increasing frequency, internal controls are put in place to mitigate risk throughout all functional areas of an organization and as such, financial audits are being replaced by enterprise risk audits.

"The primary stakeholders of internal audit — the board of directors, audit committees and senior executive management — have come to recognize the valuable role that internal audits should perform and have set their expectations accordingly" (Gregory, 2007, ¶4).

Similarly, executive managers have set their expectations higher; they look to internal audits for a reliable appraisal of the system of internal control — for which they are responsible — and, most importantly, they want advice as to how internal control should be improved (Gregory, 2007, ¶7).

Good corporate governance relies on risk management to identify the problems faced by the organization and on internal controls to achieve that organization's objectives. Internal auditors, apart from supporting the organization and enabling it to identify and monitor the upcoming risks, must also understand and monitor the functioning of the internal controls system, which is the key to implementing the corporate governance principles (Florin & Carmen, 2013).

Applications

Clarification of Internal Controls

(Specific to Sarbanes-Oxley Section 404)

In 2005, the Securities and Exchange Commission (SEC) issued the "Statement on Management's Report on Internal Control Over Financial Reporting." This statement was written to address many of the questions that had been raised by corporate management teams and auditors in the first few years of SOX 404 compliance. Adrian P. Fitzsimons and Gerard A. Lange noted the following in their article about the SEC statement:

"The SEC staff noted in the statement that the establishment and maintenance of internal accounting controls has been required of public companies since the enactment of the Foreign Corrupt Practices Act of 1977 (FCPA). The significance of Section 404 of the SOA is that it re-emphasizes the important relationship between the maintenance of effective internal control over financial reporting and the preparation of reliable financial statements" (2006, p. 42).

The SEC statement pointed out some of the high level issues and concerns that had been brought to their attention regarding SOA 404 compliance. The SEC noted that in many cases, "significant costs" had been incurred by companies — the SEC noted that some of the expense could be attributed to 'start-up expenses' associated with implementing the increased internal controls. The SEC also admitted that it was aware of cases where "excessive, duplicative and mis-focused efforts" had resulted at some companies with SOA 404 compliance. The SEC countered that with time and experience, "management and external auditors should bring reasoned judgment and a top-down risk-based approach to section 404 compliance" (Fitzsimons & Lange, 2006, p. 41).

The SEC's clarification statement encouraged corporate management to take more ownership and responsibility for implementation — specifically regarding the following:

  • Management must determine the format and level of appropriate controls.
  • Management must determine the scope of assessment of internal controls as well as the methods and timeframe for testing controls.

The clear message given in the SEC statement was that individual organizations and their management teams must take the responsibility, along with their auditors, to use their judgment in interpreting the application of internal controls (as applied specifically to accounting practices).

Benefits of the SEC

"We expect that the SEC proposed management guidance, along with the proposed auditing standard of the Public Company Accounting Oversight Board (PCAOB), will result in a reduction of total Section 404 efforts due to various specific positive changes such as:

  • The ability of management to undertake or accelerate a controls rationalization process through the principles in the proposal to better focus its assessment on those controls that impact its financial statement reporting.
  • The ability of an auditor to increase the use of the work of others, if certain conditions are met" (Fitzsimons & Lange, 2006).

The following are positive aspects of the SEC's proposal ("Center for audit quality," 2007):

  • A principles-based approach to the internal control assessment that can be scaled based on the size and complexity of the issuer.
  • A top-down risk-based approach to management's assessment of ICFR that requires testing of only those controls necessary to prevent or detect material misstatements in the financial statements.

With respect to internal control, the SEC staff concluded that “one size does not fit all and that internal control effectiveness is affected by many factors” (Fitzsimons & Lange, 2006, p. 41).

SEC Clarification Statements

In the statement, “the SEC staff notes that compliance with Section 404 has produced benefits, including a heightened focus on internal controls at the top levels of public companies and that focus should produce better financial reporting” (Fitzsimons & Lange, 2006, p. 41).

The following are a few notable statements of clarification that were provided in the SEC statement and help to inform the reader of the nature and scope of questions that had arisen as a result of SOA 404 legislation, according to Hall and Gaetanos (2006):

  • The SEC staff cautions that, due to their inherent limitations, internal controls cannot prevent or detect every instance of fraud.
  • Internal controls are susceptible to manipulation, especially in instances of fraud caused by the collusion of two or more people including senior management.
  • In performing these steps, management and auditors should keep the "reasonable assurance" standard in mind.
  • The application of judgment by management and the auditor will typically affect the nature, timing and extent of control testing such that the level of testing performed for a low-risk account will likely be different than it will be for a high-risk account.
  • Overly conservative interpretations of the applicable requirements and hesitancy by the independent auditor to use professional judgment in evaluating management's assessment resulted, in many cases, in too many controls being identified, documented and tested.
  • The SEC staff stated it expects that, through the natural learning process, management will achieve efficiencies as it completes future assessments of internal control.

Costs of Internal Accounting Controls

While companies have an existing obligation to maintain an adequate system of internal accounting controls under the Foreign Corrupt Practices Act, preparing an annual report on controls by management involves additional costs. Moreover, compliance is not a one-time effort or a one-year project; it is an ongoing process requiring extensive investment. For example:

  • Senior management must be involved in the evaluation of controls.
  • Internal audit departments may need to be enlarged, or in some cases formed.
  • Consultants may be engaged to analyze and design control systems.
  • The company may need to purchase additional computer software or hardware.
  • Audit fees will undoubtedly increase.

Additional section 404 compliance costs are attributed to documentation, legal requirements, detailed policy development, self-assessment, attest requirements and certifications, and staff training. Information technology consultants believe that companies will also invest heavily in technologies such as workflow, document management, and identification management tools to automate section 404 compliance processes (Hall & Gaetanos, 2006, p. 58).

Issues

Cost of Compliance

The SEC "Statement on Management's Report on Internal Control Over Financial Reporting" addressed the "cost" of compliance with SOA 404. The 2005 statement noted that "significant costs" had been incurred by many companies as a direct result of SOA legislation, with section 404 adding the most overhead. The SEC optimistically stated that "integrating internal audit of general controls with financial controls will help reduce costs" (Fitzsimons & Lange, 2006). It was the view of the SEC and many others that companies would simply "get better" at meeting compliance objectives and that the costs of meeting 404 compliance would level off in time — this has not proven to be the case.

"According to the fifth edition of an annual study conducted by law firm Foley and Lardner LLP on the costs associated with corporate governance reform, companies of all sizes experienced double-digit percentage increases in compliance costs during fiscal year 2006 in comparison to fiscal year 2001, the year before the Sarbanes-Oxley Act was implemented" (Taylor, 2007, ¶2).

Some predictions were made that "external audit fees would decrease after the initial implementation of Section 404 audits as external auditors became more familiar with their client's accounting controls and therefore more efficient in conducting their audits," Tom Harman, a Foley partner, stated. "Our study results do not support this prediction. Indeed, external audit fees have been the only cost our study has shown to increase every year since the Sarbanes-Oxley Act was passed" (cited in Taylor, 2007).

There are a number of reasons that costs associated with accounting and internal controls have increased. One will recall from evidence cited earlier in this essay that there are a number of elements recommended for successful implementation of internal controls. They include: Communication, documentation, education, risk management, information systems and monitoring of internal controls. All of these elements contribute directly or indirectly to implementation and administration of internal controls for accounting.

Thanks to the Sarbanes-Oxley Act, the Securities and Exchange Commission and the Basel II Capital Accord, companies are spending a fortune on internal controls and other processes that add only a negligible value to governance, risk management and accurate reporting of financial results (Hampton, 2006, ¶2).

The following trends and statistics are taken from The Cost of Being Public in the Era of Sarbanes-Oxley, the annual report conducted by Foley & Lardner LLP.

  • The average cost of compliance for companies with under $1 billion in annual revenue has increased more than $1.7 million to approximately $2.8 million since the enactment of the Sarbanes-Oxley Act. This represents a 171 percent overall increase between fiscal years 2001 and 2006.
  • Out-of-pocket costs associated with Sarbanes-Oxley compliance were up 13 percent in fiscal year 2006 from fiscal year 2005 for public companies with annual revenue of under $1 billion, and were up 12 percent over the same period for public companies with annual revenues over $1 billion. The increased cost of audit fees, board compensation and legal fees were the primary drivers of these out-of-pocket percentage increases.
  • On average, external audit fees have increased 271 percent between fiscal years 2001 and 2006 for companies with under $1 billion in revenue. Between fiscal years 2005 and 2006, external audit fees for these companies increased by 4 percent.
  • The increases seen in connection with the initial implementation of Section 404, which required all public companies to go through an internal audit enhancement program, have been sustained from its introduction in 2004 to fiscal years 2005 and 2006.
  • External audit fees necessitated by the Sarbanes-Oxley Act have continued to increase and represent a "significant expense" for public companies (Hartman, 2007, p. 1).

As companies move toward enterprise implementation of internal controls, the hope remains that compliance costs associated with Sarbanes-Oxley will fall as redundancies in controls are eliminated. Today, many are skeptical about the ability to contain compliance costs — as companies err on the side of "over-compliance."

"Companies are probably spending more time and resources on 404 compliance than a reasonable reading of the legislation and the rules necessarily requires, heavily influenced by those who gain from issuer over-compliance" (Langevoort, 2006).

However, a Financial Executives International annual survey of SOX compliance done in 2008, which polled 185 companies to find trends in the Act's perceived impact and effectiveness during the prior four years, pointed to the overall value of section 404 as follows:

  • 50.3% of respondents agreed that financial reports were more accurate, up from 46% in 2006.
  • 56.0% agreed that financial reports were more reliable, up from 48% in 2006.
  • 43.6% agreed that compliance with Section 404 had helped prevent or detect fraud, up from 34% in 2006.
  • 69.1% agreed that compliance with Section 404 had resulted in more investor confidence in their financial reports, up from 60% in 2006.

The survey also showed an overall decline in cost of compliance during those previous four years.

Furthermore, three years later, in 2011, Chelikani and D'Souza used logistic regression analysis to show that the implementation of SOX resulted in "greater reliability of market information, lower levels of mispricing, and hence a more efficient market." They also argued that their results provided evidence that the SOX-imposed compliance costs were not as burdensome as critics claimed.

Mergers & Acquisitions — Internal Controls

There is evidence to suggest that the cost of maintaining internal controls for accounting practices and financial reporting is affecting corporations in profound ways. Corporate mergers and acquisitions have been popular since the mid-1990s. An abundance of global capital has enabled global players to snatch up competitors at an astonishing rate. Mergers and acquisitions have long been seen as an opportunity for an acquiring firm to capitalize on a target company's strengths, while reducing operational redundancies.

"Mergers can result in combined entities that can more easily absorb the significant compliance costs associated with SOX" (Koehn & DelVecchio, 2006). With costs as significant as those cited within this essay, corporate mergers may be the one way to ultimately reduce compliance costs in the long run. When two companies become one, the compliance requirements could be expected to drop by 50%.

Even if a merger provides the resources needed to absorb compliance costs, the initial expenses associated with compliance and maintaining internal controls will be significant. "While the number of deals after SOX has not declined, SOX has still affected M&A activity by impacting the due diligence required to support merger transactions. Acquiring companies must carefully review financial records, vendors, and key customers of target companies, and assume accountability after the merger for those records and relationships. Such increased time and scope for due diligence has increased the transaction costs associated with mergers and acquisitions" (Koehn & DelVecchio, 2006).

Staying Private — Internal Controls

The Cost of Being Public in the Era of Sarbanes-Oxley, the annual report conducted by Foley & Lardner LLP, contends that "companies looking to go public may be discouraged by financial hurdles presented by the Sarbanes-Oxley Act, the corporate governance reforms enacted by the United States government in 2002 — and the growing trend of private equity buyout in the tech industry may be directly related to those increased costs" (Taylor, 2007).

According to Don S. Peters, Director of Collins Industry Inc., the cost of complying with Sarbanes-Oxley was estimated at $1 million. Peters questioned whether being publicly listed justified the cost, stating: "It's a heck of a mess for companies our size" (Koehn & DelVecchio, 2006).

Sarbanes-Oxley has “made it more time-consuming and expensive to function as a public company. And the executives and directors of publicly held outfits face greater scrutiny — putting them personally at risk if things go wrong — from regulators such as the Securities & Exchange Commission and New York Attorney General Eliot Spitzer. The new responsibilities add to the growing sense that status as a public company means a lot more hassles than it used to” (Rosenbush, 2005, ¶5).

Benefits of Maintaining Internal Controls

While private companies may shy away from going public to avoid the costs and complexity associated with SOX compliance, every company can benefit from maintaining internal controls for accounting practices. "The world of internal controls is not only for public companies. Private companies as well should be analyzing and improving their internal controls" (Diamond, 2007). Accounting systems and internal controls have become synonymous with corporate compliance and Sarbanes-Oxley. While publicly traded companies must bear the "burden" and cost of federal legislation and compliance, it is important to remember that internal controls are put in place to benefit the company. Compliance issues aside, there are many benefits that can be gained by implementing effective internal controls at private companies. The following list offers the benefits to both public and private companies.

Internal controls can:

  • Create value by helping to maximize potential and enable growth.
  • Reduce the risk of financial statement fraud.
  • Promote a culture of integrity and high values.
  • Give confidence to customers and shareholders.
  • Improve processes and operational efficiency.
  • Prepare for the process of becoming a public company (Diamond, 2007).

The AICPA recently issued Risk-Based Audit Standards (SAS No. 104-111). Auditors will be assessing the need to conduct risk-based audits; their criteria will include industry, business size, and internal control structure. COSO has recently issued guidelines to assist small companies with internal controls frameworks. The benefits of maintaining strong and well-designed internal controls for accounting practices cannot be overstated. While it is easy to associate the need for accounting systems and controls with government mandates, this is a short-sighted view. Strong accounting systems and supporting internal controls are tools that can help any company maintain sound financial practices, high ethical standards and many other best practices that can help with an overall enterprise risk management strategy.

Conclusion

According to a 2007 Ernst & Young survey of Chief Audit Executives (CAEs), there's a renewed interest by boards in monitoring internal controls through the audit process. Greater scrutiny and knowledge about internal controls is providing greater assurance to stakeholders about the responsiveness of organizations to risk. The "adequacy and operational effectiveness of internal controls" is paramount — and analysis of the effectiveness of controls has become a major driver for decision-making (Gregory, 2007). Communication is now expected to be near real-time and very exhaustive in its scope. Comprehensive reporting should help identify the root cause of identified problems and subsequent feedback to improve the controls. The following list outlines some future trends that are seen as essential in leveraging internal controls and audits for improved operational efficiency. According to Gregory,

  • An organization should be able to draw conclusions on the quality of risk management and internal control by each major business area within the company.
  • The most significant control exposures the group faces should be defined in detail; the impact and root cause of control weaknesses should be highlighted and the appropriateness of management's remediation plans documented.
  • Management needs a clear understanding of the risks and must also have the capability to manage the most crucial risks.
  • Identify new and emerging control themes that the business needs to address.
  • Ensure consistency with the views of other risk and assurance related functions to create an overall risk strategy.
  • Compare risk strategies and solutions against other firms as a chance to take advantage of new trends and best practices.
  • Prioritize company portfolios of improvement opportunities arising from reviews of the control environment.
  • Communicate views on management's proposed approach and capability to fix control weaknesses and their track record in fixing known issues.
  • Assess the suitability of internal controls in the light of strategic plans/anticipated change; both market and internally initiated.
  • Take advantage of opportunities to reduce the overall cost of controls (Gregory, 2007).

Terms & Concepts

Accounting Controls: Procedures to assure accuracy in record keeping functions; using a system of controls to ensure that data and reports are accurate and correct.

Accounting System: Comprised of computer software that records transactional and financial data along with the documentation, procedures and strategies that control implementation and administration of the system.

The American Institute of Certified Public Accountants (AICPA): The national, professional organization for all Certified Public Accountants. Its mission is to provide members with the resources, information, and leadership that enable them to provide valuable services in the highest professional manner to benefit the public as well as employers and clients (AICPA).

Assurance: A CPA's examination of a given process or system that attests to its correctness or appropriateness and therefore allows a given level of confidence that the system or process under review is correct in its reporting.

Chief Audit Executive (CAE): Refers to an executive level position responsible for helping to determine an enterprise's risk/reward picture and keep management informed of scenarios. The CAE must take a holistic approach to the management of risks across the enterprise.

Committee of Sponsoring Organizations of the Treadway Commission (COSO): A voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance (COSO.org).

Control Environment: The general attitude of management or others who administer the internal controls of an organization. Can be thought of as the level of commitment or adherence to controls by management.

Corporate Compliance: The rules and regulations imposed by federal law to ensure that organizations comply with a given regulatory environment; the term typically refers to compliance in financial reporting under Sarbanes-Oxley Section 404.

External Audit: An audit or assessment of controls that is conducted by someone who does not work for the company being audited (aka independent audit).

Internal Controls: Broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in financial reporting and record keeping (COSO.org).

Private Company: A company whose shares are not publicly traded on the open market.

Public Company: A company whose shares are publicly traded or publicly held. A public company offers securities for trade in an open market (stock market).

Public Company Accounting Oversight Board (PCAOB): A private sector, non-profit corporation created by the Sarbanes-Oxley Act of 2002. The role of the PCAOB is to oversee auditors of public companies, protect the interests of investors, and ensure the creation of independent audit reports (PCAOB.org).

Risk-based Audit: An audit of one of an organization's major activities; processes or activities are ranked according to strategic importance and where risk may have the greatest impact on the organization from a financial or reputational risk standpoint.

Sarbanes-Oxley (Sarbox or SOX or SOA): AKA Public Company Accounting Reform and Investor Protection Act of 2002. Wide-ranging legislation which establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms. The Act was created and implemented after a number of high-profile corporate accounting scandals in the early 2000s.

Sarbanes-Oxley Section 404: Issuers are required to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting. This statement shall also assess the effectiveness of such internal controls and procedures (Sarbanes-Oxley Act Section 404, 2004).

(SAS no. 104-111) Risk-Based Audit Standards: New standards to enhance the application of the long-standing audit risk model and improve the quality of audits. They specifically require auditors to: have a more comprehensive understanding of the client's business and its environment, including its internal control; perform a more exacting assessment of the risk of material misstatement resulting from such understanding; and perform procedures that more clearly link the risk assessment to the decision of what audit procedures to perform, and when (Freelibrary.com).

Securities and Exchange Commission (SEC): The primary federal regulatory agency for the securities industry, whose responsibility is to promote full disclosure and to protect investors against fraudulent and manipulative practices in the securities markets (Investorwords.com).

Bibliography

Center for audit quality submits comment letter to the SEC on internal control proposals. (2007). AICPA. Retrieved November 2, 2007, from Center for Audit Quality. http://thecaq.aicpa.org/Resources/SEC/SEC+Rules+and+Regulations/Other+Relevant+SEC+Proposed+Rules/CAQ+Submits+Comment+Letter+to+the+SEC+on+Internal+Control+Proposals.htm

Chelikani, S., & D'Souza, F. (2011). The impact of Sarbanes-Oxley on market efficiency: evidence from mergers and acquisitions activity. International Journal of Business & Finance Research (IJBFR), 5, 75-88. Retrieved November 10, 2013, from EBSCO Online Database Business Search Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=59982579&site=ehost-live

Diamond, E. (2007). What private companies need to know about internal controls. New Jersey Tech News, 11. Retrieved November 2, 2007, from Amper, Politzner & Mattia Certified Public Accountants and Consultants site. http://www.amper.com/publications/private-companies-internal-controls.asp

Developing an internal accounting control system. (2007). Retrieved October 31, 2007, from Labyrinth Inc. http://www.labyrinthinc.com/SharedContent/SingleFaq.asp?faqid=55

Fitzsimons, A., & Lange, G. (2006). SEC staff issues guidance on the implementation of internal control reporting requirements. Bank Accounting & Finance (08943958), 19, 41-52. Retrieved October 31, 2007, from EBSCO Online Database Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=21903441&site=ehost-live

Florin, B., & Carmen, B. (2013). Management control systems: a review of their components and their underlying independence. Annals of the University of Oradea, Economic Science Series, 22, 1424-1433. Retrieved November 10, 2013, from EBSCO Online Database Business Search Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=90545838&site=ehost-live

Gregory, S. (2007, October 4). Internal audit: Power surge. Accountancy Age. Retrieved October 31, 2007, from http://www.accountancyage.com/accountancyage/features/2200527/internal-audit-power-surge

Hall, L., & Gaetanos, C. (2006). Treatment of section 404 compliance costs. CPA Journal, 76, 58-62. Retrieved October 31, 2007, from EBSCO Online Database Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=20727816&site=ehost-live

Hampton, J. (2006). 'Push' and 'pull' in enterprise risk management. Business Insurance, 40, 19-19. Retrieved October 31, 2007, from EBSCO Online Database Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=20445702&site=ehost-live

Hartman, T. (2007). The cost of being public in the era of Sarbanes-Oxley. Foley & Lardner, LLP, Annual Report. Retrieved July 29, 2010, from Foley & Lardner. http://www.foley.com/files/tbl_s31Publications/FileUpload137/3736/Foley2007SOXstudy.pdf

Internal controls. (2007). Office of Audit and Compliance Review. Retrieved November 1, 2007, from http://oacr.ufl.edu/Internal%5fControl.htm

Koehn, J., & DelVecchio, S. (2006). Revisiting the ripple effects of the Sarbanes-Oxley Act. CPA Journal, 76, 32-39. Retrieved October 31, 2007, from EBSCO Online Database Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=21701231&site=ehost-live

Langevoort, D. (2006). Internal controls after Sarbanes-Oxley: Revisiting corporate law's duty of care as responsibility for systems. Journal of Corporation Law, 31, 949-973. Retrieved October 31, 2007, from EBSCO Online Database Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=22800268&site=ehost-live

Lenn, L.E. (2013). Sarbanes-Oxley Act 2002 (SOX)-10 years later. Journal of Legal Issues & Cases In Business, 2, 1-14. Retrieved November 10, 2013, from EBSCO Online Database Business Search Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=91096089&site=ehost-live

Rosenbush, S. (2005, March 29). The allure of going private. Business Week. Retrieved November 2, 2007, from http://www.businessweek.com/bwdaily/dnflash/mar2005/nf20050329%5f7454%5fdb016.htm

Sarbanes-Oxley Act Section 404. (2004). SoxLaw.com. Retrieved November 1, 2007, from http://www.soxlaw.com/s404.htm

Taylor, C. (2007). SOX costs could be cause of surge in private equity buyouts, study finds. Electronic News (10616624), 52, 2-2. Retrieved October 31, 2007, from EBSCO Online Database Academic Search Premier. http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=26278379&site=ehost-live

Turner, L., & Weirich, T. (2006). A closer look at financial statement restatements. (Cover story). CPA Journal, 76, 12-23. Retrieved October 31, 2007, from EBSCO Online Database Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=23532370&site=ehost-live

Suggested Reading

Flexible finance systems. (2007). Accounting Technology, 23, 19. Retrieved October 31, 2007, from EBSCO Online Database Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=25635690&site=ehost-live

Kranacher, M. (2006). Transparency and accountability (for some?). CPA Journal, 76, 80. Retrieved October 31, 2007, from EBSCO Online Database Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=22080058&site=ehost-live

Wojcik, J. (2007). Risk managers bringing data in-house to gain greater control. Business Insurance, 41, 57-57. Retrieved October 31, 2007, from EBSCO Online Database Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=27141379&site=ehost-live

Essay by Carolyn Sprague, MLS

Carolyn Sprague holds a BA degree from the University of New Hampshire and a Master's degree in Library Science from Simmons College. Carolyn gained valuable business experience as owner of her own restaurant, which she operated for 10 years. Since earning her graduate degree, Carolyn has worked in numerous library/information settings within the academic, corporate and consulting worlds. Her operational experience as a manager at a global high tech firm and more recent work as a web content researcher have afforded Carolyn insights into many aspects of today's challenging and fast-changing business climate.