It’s a little hard to believe, but we have been living with the Sarbanes-Oxley Act (the “Act”) for almost a decade. Since 2002, Boards of Directors, Audit Committees, Senior Management and their independent registered public accountants have been learning and embracing the COSO Internal Controls — Integrated Framework and Section 404(a) and 404(b) of the Act. In many public companies, it is now part of the “fabric” of their corporate systems. Like the ISO standards, SOX compliance has become an integral part of the U.S. corporate culture.

There is ample data to suggest that it has reduced a certain degree of accounting fraud and restatements over the last decade. This has not come without a substantial economic cost to U.S. registrants … both in terms of time, effort and dollars.

Today, we are an economy disturbed by a continuing stream of accounting irregularities and fraud discovery. The U.S. experiences global embarrassment over its failure to reduce corporate scandals and the poor judgments that gave rise to the recent financial meltdown. Perhaps we need to assess how to make SOX more robust and effective by timely identification of internal control problems and new cases of financial fraud.

Time to Step It Up

In January, 2009, COSO introduced new guidance on how to significantly enhance the monitoring of internal controls. While this guidance is just guidance, there are some very important messages that Boards of Directors, Audit Committees, CPAs and CFOs should grasp:

1. Move to more continuous monitoring
2. The Board and Audit Committee needs to be more proactive in its oversight role
3. Identify and prioritize risks
4. Accelerate the reporting of issues, control deficiencies and material weaknesses

The New Monitoring Guidance — Four Steps

1. Establish a Foundation for Monitoring
   
   The monitoring guidance underscores the role of “Tone at the Top.” Not only does tone relate to “controls” but also tone relates to the maintenance of those controls to detect problems early. It’s fair to say that with the implementation of SOX approaching its 10 year anniversary, there is a real risk that internal controls are no longer “top of mind.”
   
   The need to frequently communicate tone and to show by example is part of the new monitoring leadership model. This guidance sets forth the role of “evaluators” who are individuals associated with the company who are both competent and objective to monitor controls. These individuals must be able to evaluate control deficiencies on a timely basis. The new monitoring guidance underscores the importance of evaluators having a baseline knowledge about an enterprise’s control systems throughout the year.

2. Design and Execute Monitoring Procedures
   
   Since monitoring is a dynamic process, it should be operating at all times. Effective control monitoring mandates that qualified evaluators assess persuasive information on a regular basis to identify risks. The design of such procedures involves: 1) The prioritization of risks; 2) The identification of key controls; 3) The use of appropriate persuasive information and 4) The development and execution of cost effective steps to determine that the control environment reduces risk to an acceptable level.

3. Assess and Report Results
   
   Monitoring by definition means communication is performed by the appropriate personnel. Reporting involves both the level within the organization to which the information is communicated; and the ability to implement corrective action on a timely basis as needed. The range of reporting recipients extends from the Board of Directors to the independent registered public accounting firms to deep within the organization. In the execution of the COSO framework in compliance with Section 404, there may be a question as to how timely problem areas are reported. There is a potential flaw in the current SOX environment that controls only need to be effective “as of” the last day of the fiscal year. This “as of” date concept is potentially stagnate and the new monitoring guidance moves it to a much more continuous basis such that controls should be effective on a more frequent basis. That concept perhaps more than any other is the “turbo charging” of your SOX program and probably the best risk deterrent any company could implement.

4. Monitoring Can Be Outsourced to Others
   
   While SOX consulting has become an industry unto itself in the last decade, the delegation of large portions of SOX compliance to external parties may well provide for certain efficiencies; but it also by definition may well diminish the monitoring process on a continuous basis. Companies should assess whether they are properly balancing the internal versus external SOX compliance efforts to maintain the appropriate level of monitoring at all times. There are some good continuous monitoring IT tools that can help automate this effort.

COSO continues to provide outstanding tools that should be embraced in order to sustain an effective reliable U.S. reporting system and provide the kind of ethical leadership needed in today’s global economy.