Here are articles we have published:

Complinet logo

 

Market turmoil, risk management and

SOX: part two

Sep 24 2008 Michael Potorti
M Potorti
Michael Potorti
MP Consulting continues its exclusive series of articles on the Sarbanes-Oxley Act of 2002 with an outline of SOX and its effects on entities that trade on US markets. The Public Company Accounting Reform and Investor Protection Act of 2002 (the Sarbanes-Oxley Act) requires the establishment of a strong internal control environment within companies which trade on US markets, including their subsidiaries. Timelines for compliance have been staggered since 2004 based on the size of a company's market capitalisation, location of corporate headquarters and filings with the US Securities and Exchange Commission. The law is US-based, although a company anywhere in the world may suddenly be subject to SOX rules if an entity that complies with SOX acquires it.



Market turmoil

Recent events have been very unnerving for many. First, Lehman Brothers filed for bankruptcy, then Merrill Lynch announced that it is to be acquired by Bank of America and now the US federal government has stepped in to bail out AIG. Things even got so bad on the Russian markets that the regulators closed them for a couple of days. The risk management programmes and internal control structures of these entities were poorly designed. The last time that things went wrong (i.e., the public went into a state of panic) was when Enron and WorldCom collapsed. That triggered the US Congress to enact the Sarbanes-Oxley Act. How will the US government (or other governments worldwide, for that matter) react legislatively to the latest turmoil? We can only wait and see.



Risk management aspects of SOX

SOX is not a panacea for all that is happening now, but it points us in the right direction and we can learn some lessons from recent events. The latest standard, Audit Standard No. five, which the Public Company Accounting Standards Board, an entity that SOX set up as the "auditors" of a company's external auditors, issued, states that a "company's risk assessment process" is an "entity-level control" that must be considered during its audit. Have the companies embroiled in the current market turmoil performed an adequate, bona-fide assessment? Given the daily bad news, it seems unlikely. The ramifications of not performing an adequate, thorough assessment are widespread. I spoke to a woman recently who said her elderly mother had a mutual fund with a distressed entity and the fund pays the property taxes on her home. Are these funds safe? The events on Wall Street affect everyone, not just shareholders.


Things to consider in a risk assessment

The recent failures of companies were mostly due not to the company's overall operations, but due to select components of, or specific groups of individuals, at the company.

Here are some questions to ask yourself about your company:

  • Have we done a risk assessment not only of the overall company, but also of individual components and groups of individuals that make up our company (i.e., management authority/actions, employee authority, lines of business, subsidiaries, divisions, products, etc.)?
  • If there was a negative event (i.e., a sudden deterioration of the value of assets, unauthorised commitments of company funds, product recalls, environmental disasters, etc.) that affected the company component, what would the impact be on the company as a whole?
  • Do we have adequate insurance to mitigate the impact of any significant negative events to ensure that our company continues as a going concern?
  • Do we have a solid internal control structure in place that is continuously monitored?
  • Do our employees clearly understand their roles in the internal control structure (via policies and procedures) and consequences for non-compliance?

 

Michael Potorti, CPA is the Managing Director of MP Consulting (www.mpconsultingltd.com), a London and New York based company focused on helping companies with Risk Management including assistance with Risk Assessments, development and enhancement of Internal Control Structures, Sarbanes Oxley compliance and Internal Audit outsourcing.

 

Complinet logo

Sarbanes-Oxley and worldwide compliance: part one

Jul 04 2008 Michael Potorti
Michael

MP Consulting launches an exclusive series of articles on the Sarbanes-Oxley Act of 2002 with an outline of SOX and its effects on entities trading on US markets. The Public Company Accounting Reform and Investor Protection Act of 2002 (Sarbanes-Oxley Act or SOX) requires the establishment of a strong internal control environment within companies who trade on US markets, including their subsidiaries. Timelines for compliance have been staggered since 2004 based on the size of a company's market capitalisation, location of corporate headquarters and filings with the US Securities and Exchange Commission. The law is US-based, although a company anywhere in the world may suddenly be subject to SOX rules if they are acquired by an entity that complies with SOX.


Main aspects of the law



What is SOX and what are its objectives?

The US Congress passed the Public Company Accounting Reform and Investor Protection Act of 2002 (Sarbanes-Oxley Act or SOX) in response to a wave of high-profile corporate fraud cases, i.e., Enron and WorldCom. Many investors and pension funds lost billions of dollars due to the rapid deterioration of share prices caused by this fraud and the US government reacted quickly to re-establish confidence in the US capital markets.

The Sarbanes-Oxley Act was designed to hold corporate executives personally liable for any fraud having a significant impact on the financial position and results of the company. It requires senior managers to attest to and be held responsible for the design, effectiveness and evaluation of internal controls over financial reporting. The act also requires external auditors to include an opinion on the effectiveness of the internal control environment in their annual reports. In addition, the act established the Public Company Accounting Oversight Board to oversee work performed by audit firms.



What is the timetable?

The act's first deadline was for large US accelerated filers with a market capitalisation of $75m or more and fiscal years ending on or after November 15, 2004. Since then, deadlines have been staggered to include small cap entities and non-US ("foreign") issuers filing a 20-F or 40-F with the Securities and Exchange Commission. Current deadlines approaching are for non-accelerated filers with a market cap less than $75m for fiscal years ending on or after December 15, 2008 (although the SEC has proposed an extension to December 15, 2009).

Newly formed public companies must be compliant with SOX by the issuance of their second annual report.



Who does SOX affect?

SOX affects companies (with a few exceptions) trading on US-based stock exchanges (i.e., NYSE, NASDAQ) and those companies' worldwide subsidiaries. If an entity that complies with SOX purchases a company, it needs to comply as well. This can sometimes cause confusion within the newly acquired company and local management and employees should be educated appropriately. Hiring experienced external resources is a good way to "kick-start" the SOX process by providing local training and implementing corporate requirements.



Implications for firms



The main implication would be a requirement by management to perform an assessment of its internal control over financial reporting and to publicly report on its effectiveness as of the end of their fiscal year. This would be accomplished through inclusion in its SEC filings of a statement by certifying officers (usually chief executive officer and chief financial officer) that it is responsible for establishing and maintaining internal control over financial reporting.



A certification of this nature should be supported by the following:


  • A preliminary analysis of the current internal control over financial reporting environment.

  • Evaluation of key processes and cycles.

  • Uncovering deficiencies in internal controls and remediation of deficiencies.

  • Establishment of standard operating procedures.

  • Education of employees and "setting the tone" by management.

  • Testing to ensure that established procedures are adhered to.

 

Author Biography:
Michael Potorti CPA is the Managing Director of MP Consulting (www.mpconsultingltd.com), a London and New York based company focused on assisting companies to become compliant with Sarbanes Oxley since the law was passed in 2002.

 

Contact us for a free consultation