SOX 2004 in Review
The Sarbanes-Oxley Act of 2002 is the legislative response to the shameful corporate behavior which ruined
thousands of careers and individual retirement funds. Having survived the initial year of SOX implementation and
audit, both as an Audit Committee Chair at LivePerson, and in the trenches at CP+B, I'm sure I join many
colleagues in wondering if the cure is worse than the affliction. I have great sympathy for my public accounting
friends, who overnight have gone from welcomed business advisors to dreaded preprogrammed regulators. I feel
equally sorry for the business owners and shareholders who have incurred obscenely-large costs in an often
futile attempt to respond to every stretch-of-the-imagination scenario conjured up to confirm the possibility of a
control deficiency. Personally, I preferred the good old days when auditors and clients discussed cost/benefit,
i.e. does the potential benefit of the control justify the cost. There is no way that the amount of money spent on
SOX compliance for fiscal 2004 remotely justifies the incremental assurance, if any, afforded the shareholder.
Hopefully reasonable heads will swing the regulatory pendulum towards the practical middle as the business world
grapples with SOX compliance for 2005 and beyond. P.S. Can anyone find an investor who cared that their
otherwise very successful company suffered from material weaknesses in internal control? [Editor's note: The
educated investor knows that the threshold for "material weakness" has been lowered in a fashion similar to the
standard of play for the New York Knicks; the uneducated investor is still stuck at P/E.]
My favorite SOX war story from 2004 comes out of a conversation between a CP+B executive and an auditor. In
fact, the accounting processes and systems at CP+B got somewhat overwhelmed by CP+B's huge success. The
auditor's observation was something like "You should only grow 5% per year...that way, you won't overload your
internal controls". I swear she wasn't joking. Ah, words to live by in this new age when segregation of duties is
more of a focus in annual reports than celebration of new client wins.
A close second was one of the official control "deficiencies" at LivePerson, citing that if the Company continues to
grow, our tax issues will become more complex, and we will need a stronger skill set for doing taxes. I distinctly
remember the days when companies tried not to staff up ahead of their growth, and certainly didn't staff for things
they didn't need now or in the very near future. At least the auditors stopped short of listing a deficiency for a
potential meteor strike at 35th and 7th.
So as great philanthropists like Ken Lay roam free (you must check out www.kenlayinfo.com), many successful
entrepreneurs with thriving, growing and honest businesses have been made to feel like failures because they
don't have an employee independent of almost everyone else opening, sorting and listing the incoming mail. Just
as Congress intended, we have Sarbanes-Oxley...slower growth and lower profits for America.
SOX Glossary
There are many useful websites covering the rules and requirements related to the Sarbanes-Oxley Act. In
addition, I have attended periodic seminars and forums offered by PWC and KPMG, and I'm sure many other
organizations are offering similar opportunities. As this website evolves, I'll try to add some particularly useful
links. In the meantime, I'll post my thirty-second version of Sarbanes-Oxley-related highlights:
COSO - The Committee of Sponsoring Organizations was formed in 1985 in response to fraudulent financial
reporting incidents. (The first Chairman was James Treadway, who had been a commissioner of the SEC...and
so this committee is probably more commonly known as The Treadway Commission.) The organizations include
the American Institute of Certified Public Accountants, the Financial Executives Institute and the Institute of
Internal Auditors, and the committee included members from the public accounting firms, investment firms and
private industry. The COSO issued guidance to enhance internal controls and improve corporate governance.
The internal control framework developed by COSO is referenced for guidance when planning compliance for
Sarbanes-Oxley.
PCAOB - The Public Company Accounting Oversight Board was authorized under Sec. 101 of Sarbanes-Oxley
to oversee the audit of public companies. The PCAOB issues rules (which must be approved by the SEC) and
conducts investigations. You can click here to get up-to-date information on standards issued by the PCAOB.
We'll have to watch how the interplay between the auditing standards issued by the PCAOB (currently two are
issued) and the standards issued by the Auditing Standards Board of the AICPA evolves.
SOX or SARBOX - commonly used abbreviations for the Sarbanes-Oxley Act of 2002. There are no
unimportant or less relevant sections of SOX, and you should really read it if it potentially affects you. But for
purposes of this discussion, I'll highlight three sections of SOX:
SOX404 - This section requires management to make an assessment of internal controls including Internal
Controls Over Financial Reporting (ICOFR), and it requires the independent auditor to opine on that
assessment as part of their opinion issued on the financial statements. Management must inventory, test and
correct their systems of internal control, and do this on a timely enough basis so that the independent auditor
can perform their tests of management's work. Many companies are hiring additional employees and/or
part-time specialists to achieve compliance. It's important to note that the COSO guidance related to internal
controls extends well beyond ICOFR, and companies must assess, for example, controls over changes to
operations computer programs and security for all computer systems. It also suggests documentation for things
like approval for changes in accounting policies.
SOX302 - This section requires the CEO and CFO to certify that their financial statements are fairly stated and
that they have designed and evaluated internal controls in support of financial reporting and in support of proper
flow of material information. The work required by SOX404 provides the support for the certification required by
SOX302.
SOX407 - Companies must disclose that they have designated an Independent Audit Committee Financial
Expert (IACFE). This person must have a knowledge of generally accepted accounting principles (GAAP) and
must have experience in preparing and/or auditing financial statements. Specifically, SOX407 requires that the
IACFE have experience in applying GAAP for estimates, accruals and reserves. As part of their work, the
independent accountant will evaluate the effectiveness of the IACFE; similarly, the IACFE must take a leadership
role assessing the work done by the independent accountant. (As a reminder, I am the designated IACFE for
LivePerson, Inc., and I aspire to be appointed to the same position for two additional companies.)
I hope you find this helpful. If you have any comments or suggestions, I'd be happy to have them sent to
kevin@kevinlavan.com.
Copyright 2006 Kevin Lavan