The Committee Of Sponsoring Organisations (COSO) framework describes five components of internal control with regard to financial reporting. Confirming that these controls exist and are effective is the cornerstone of the Sarbanes-Oxley Act, in particular Section 404.
The five elements are control environment, risk assessment, control activities, information and communications, and monitoring.
This article concentrates on the control environment, and in particular ethics and integrity. COSO shows the elements to be heavily interrelated, and they should be viewed holistically as a group. The control environment is an overarching element, which requires senior management to set an appropriate "tone at the top".
COSO does not lay down any rules regarding documentation. Indeed, companies may put statements into glossy brochures. However, what matters in terms of effectiveness is their actions and the effect on the day-to-day actions of the company.
A number of factors affect the control environment. Above all are the integrity and ethical values demonstrated by senior management.
A positive impact is demonstrated when:
* The owners and management personally have high ethical and behavioural standards.
* The high standards are communicated to staff, even if this is informal, as in many small companies.
* The standards are reinforced.
The current spate of trials involving Sarbanes-Oxley related companies offers fascinating insights into the companies involved. The trial of Bernie Ebbers follows the collapse of WorldCom and, ultimately, the introduction of the Act. Richard Scrushy, CEO of HealthSouth, is the first CEO to stand trial for a violation of Sarbanes-Oxley.
Clearly, in both the WorldCom and HealthSouth debacles there was an absence of ethical behaviour by at least one senior officer.
The Chief Financial Officer of each company has pleaded guilty to hiding expenses in order to falsely inflate profits. Other accounting staff, to a lesser or greater degree, colluded in these efforts.
When checking for compliance with Sarbanes-Oxley, how do we check for the effectiveness of ethics and integrity?
Dealing with signs. How does management deal with indications that things are not right? With transparency and a commitment to fix them? Does it seek advice? Is it secretive, brushing things under the carpet? Does it sack the whistleblower?
When the dotcom crash happened in 2000, WorldCom was hit hard. Having massively overpaid for acquisitions and overestimated market growth, the business was unravelling. Rather than admit this to investors and the market, Scott Sullivan, the CFO, implemented the fraud to hide expenses. (His testimony in court had it that Ebbers was the main driving force.) So not much transparency and goodwill there then. Further, Sullivan's guilty plea implicates him as a liar during his term as CFO.
Removal or reduction of incentives. Does the entity have high incentive plans, particularly ones based on short-term figures? These incentives can become motives for falsely reporting financial matters. (This may be very prevalent in the US because of quarterly reporting.) Highly pressurised motivational techniques may also drive people to fraud.
Scott Sullivan testified that Ebbers constantly pressured him and other executives to "hit the numbers". This might be construed as a temptation. In the HealthSouth case, the alleged motive was to inflate the profit figures to ensure bonus payments were maintained.
Incentives. Do lax controls put executives or employees in front of temptation? A simple scenario is a shopkeeper never counting the till money and leaving an assistant to mind the business.
Examples include:
* Senior management not aware of employees' actions.
* Non-existent controls, such as segregation in sensitive areas.
* Insufficient or unpublicized penalties.
The collapse of WorldCom and the fraud at HealthSouth both gave strong indications that executives and accounting staff saw enough gaps in the control process to engineer the fraud. However, where the temptation lay has still to be established.
Management intervention. Occasionally management does have to intervene when non-standard and non-recurring transactions take place. COSO recommends that management give guidance on when intervention is to occur.
Bernie Ebbers and HealthSouth CEO Richard Scrushy both pleaded not guilty in their trials. Their defence lawyers are arguing that they are in some way the victims of wily accountants who pulled the wool over their eyes. Whether the two gentlemen are guilty or not guilty, the companies they ran were the subject of massive frauds. So maybe they should have had a little more intervention.