After Sarbanes-Oxley

Corporate Governance Post-Sarbanes-Oxley

Embracing The Tenets of a Strong Internal Control Framework

Internal Audit Accounting Technology Tax


How did we get here?
The Sarbanes-Oxley Act of 2002
In one piece of reactionary legislation, the
United States Congress set wheels in mo-
tion to establish a new corporate para-
digm: “perception is everything!” Sud-
denly, federal law set definitions for ex-
ternal auditor independence, stricter fi-
nancial disclosures, reporting guidelines
and additional public oversight. Al-
though not the first legislation to threaten
jail time for corporate executives (the
Federal Sentencing Guidelines already
did that for convicted corporate violators
of federal laws), it specifically targeted
corporate CEOs and CFOs with severe
punishment for failure to provide appro-
priate checks and balances in the financial
information provided to the investing
public.
There are two extremely intriguing as-
pects of this landmark Act. The first is
that, although the Act presents guidelines
and expectations for executive manage-
ment, the audit committee of the board of
directors and the external auditors, it is
disturbingly silent on the role that the in-
ternal auditor should play in realizing the
corporate governance goals set out by the
Act. The second is that this Act was
fairly predictable, in an armchair quarter-
back sort of way, by followers of corpo-
rate governance for about the last 15
years. The direct cause of the inevitabil-
ity of the Act can be found in the persis-
tent pattern of human behavior in the cor-
porate world.
Throughout the centuries, and specifically
throughout recent chronicles of corporate
history, human behavior has led to amaz-
ing feats, as well as spectacular failures,
in both large and small organizations.
During the latter half of the last century,
great focus was placed on what drove hu-
man behavior in organizations, in order to
improve operations and the bottom-line.
Figures such as Maslow and McGregor
strove to put a sense of understanding
around what drove individuals to behave
in certain ways in organizations, and how
to manage those behaviors.
However, in spite of all of the significant
brainpower that has gone into determin-
ing how people behave at work, and the
resulting efforts undertaken to modify the
work environment accordingly, the funda-
mental behavior patterns that were around
at the dawn of the 20th century are equally
prevalent at the dawn of the 21st. More
importantly, failure to establish a uniform
definition of a control environment has
contributed to the fiscal havoc that results
from some aspects of human behavior. A
tour of recent history validates this the-
ory.
A Brief History Lesson
After a period of significant increases in
productivity and efficiency, brought about
in part by significant increases in technol-
ogy and a laissez fare government, the
business world was experiencing a period
of unequalled growth. Due to year-over-
year increases in corporate revenues,
along with related increases in bottom
lines and earnings yields, investors were
flocking to capital markets, driving the
value of favored organizations ever
higher, so long as they continued to
shower favor on their investors.
In order to continue to produce these
sometimes too-rosy results, companies
began to engage in creative forms of re-
cord keeping, with the ultimate purpose to
continue to reflect positive earnings and
cash, in order to further prime the invest-
ment pump with outside capital. Wall
Street analysts, equally caught up in the
fever, contributed to the unsupportable
façade of corporate well-being that fur-
ther promoted the investment of addi-
tional capital, which led to the over-
capitalization of certain organizations.
As economic indicators began to exert
greater influence than could be explained
by creative accounting and rosy analysis,
the paper tigers that the over-valued com-
panies actually were began to falter. This
led to a run on the market, which led to,
sometimes overnight, de-valuation of
these capital behemoths, leading to the
failure of many of them, and the financial
ruin of a large segment of the investing
market.
Public outcry on the events leading to this
collapse, especially as it pertained to cor-
porate governance, led Congress to react
by passing significant legislation de-
signed to prevent further occurrences of
relying on improper financial disclosures
by the investing public. In summary, the
purpose of this legislation was to require
that investors receive financial and other
significant information concerning securi-
ties being offered for public sale; and in
order to prohibit deceit, misrepresenta-
tions, and other fraud in the sale of securi-
ties, stiff penalties could be meted out to
convicted violators.
Sadly enough, most armchair historians
know that the legislation referred to
above was not the recent Act. Instead,
the circumstances described above: ex-
tremely prosperous times, technological
advancements and less than scrupulous
financial representations in order to con-
tinue to prop up the market, were condi-
tions that contributed to the market col-
lapse of 1929, and the ensuing Great De-
pression. Public outcry at that time led to
bellwether legislation known as the Secu-
rities Act of 1933 and the subsequent Se-
curities Exchange Act of 1934, which cre-
ated the Securities Exchange Commission
(SEC), the “watchdog” of corporate gov-
ernance (The 1934 act became fondly
know by public accounting practitioners
as the “full auditor employment act,” in
that it required all publicly-traded compa-
nies to be independently audited on an
annual basis) The “sadly” part, of course,
refers to the fact that such extreme meas-
ures, brought about in large part by acts
of bad human behavior by corporate man-
agement and analysts, still failed to pre-
vent very similar consequences almost 70
years later.
After the two acts that were passed into
law in 1933 and 1934, the business com-
munity was not directly targeted on the
corporate governance issue for over 40
years. At that time, due to widespread
“improprieties” performed by global or-
ganizations in subsidiaries not located on
U.S. soil, Congress was again pressured
to address “bad behavior” by passing the
Foreign Corrupt Practices Act (FCPA) of
1977.
Not quite a decade later, Congress was
once again strongly considering stepping
in with legislative muscle regarding cor-
porate governance and the intended role
of external auditors. Over this relatively
brief span of time, massive corporate
scandals had once again resurfaced the
need for the definition of a universally
accepted concept of internal controls, cor-
porate governance and independence
guidelines, something that prior legisla-
tion had always left in the hands of the
public accounting professionals and their
own private oversight bodies.
In an effort to keep the government from
legislating these definitions, The Commit-
tee of Sponsoring Organizations (COSO),
composed of the Institute of Internal
Auditors (IIA), the Financial Executives
Institute (FEI), the American Institute of
Certified Public Accountants (AICPA),
the American Accounting Association
(AAA) and the Institute of Management
Accountants (IMA), was formed to
jointly develop findings and recommen-
dations necessary to provide an integrated
framework of internal control for corpora-
tions. This was accomplished by first
publishing the Report of the National
Commission on Fraudulent Financial Re-
porting in 1987, known as “The Tread-
way Report,” and the definitive Internal
Control – Integrated Framework in 1992.
The COSO Report, as the Framework be-
came known, was the first-ever attempt in
corporate America to establish a universal
definition of internal control, along with
proposed guidelines for governance, inde-
pendence and quality assurance. The
COSO Report was considered such a
strong collaborative effort by the govern-
ing associations that Congress backed off
at that time of enacting legislation to gov-
ern the accounting and auditing profes-
sions.
In between these two private sector re-
ports, the federal government did provide
further federal mandates in two key areas:
The Federal Sentencing Guidelines were
amended in 1991 to include corporate
crimes into its original scope. For the
first time, executives of corporations
could face both fines and jail time when
their organizations were found guilty of
violating federal laws such as the Clean
Air Act, if it was determined that the in-
ternal control structure and overall corpo-
rate tone as it pertained to governance
was so lax that it contributed to the or-
ganization’s violation(s). In addition,
federal judges could also appoint trustees
to monitor guilty organizations until it
was determined that their internal control
environment had been corrected. Also in
1991, due to the number of significant
banking scandals, the Federal Depositor
Insurance Corporate Improvement Act
(FDCIA) was passed in order to provide
stricter guidance to the banking industry.
In spite of all the legislation described
above, in the latter 1990s and early 2000s,
corporate America once again found itself
heading for a market where, due to lapses
in corporate governance in major organi-
zations, “paper tigers” were once again in
place, waiting for the inevitable devalua-
tion slide. Of course, as recent headlines
now show, it became readily apparent that
corporate governance had yet again taken
a back seat in certain large organizations
where public investors reasonably felt
most secure.
Whereas it is always much easier to sec-
ond-guess the past, the purpose of this
“history lesson” is only to make one key
point: Said again, in spite of all the prior
well-intentioned legislation passed by
Congress, history repeated itself, because
the mistakes of the past were never truly
corrected.
Ironically, business and the affected pro-
fessions came agonizingly close in the
latter 1980s and early 1990s to providing
the missing piece of the overall govern-
ance issue: An integrated framework of
internal control – The COSO Report
(which, of course, is now the inferred un-
derpinning of the Act, based on the opin-
ion of most pundits.) What prevented this
framework from having the intended ef-
fect was leaving it as a “voluntary best
practice” as opposed to a federal mandate.
Of course, when left voluntary, most
business people tend to treat it as a
“desired” rather than a “required,” which
then leads to procrastination and rationali-
zation as to why there are more impor-
tant, “cost/beneficial” things to consider.
Human Nature
In order to accept the fundamental need
for objective corporate governance, it is
only necessary to come to terms with the
dynamic role simple human nature plays
in an organization. As noted previously,
a great deal of effort has been placed on
determining why people behave as they
do, in order to effectively manage them.
Working off the “hierarchy of needs” pro-
moted by Maslow, McGregor saw the
need to bring a “behavioral style” to busi-
ness management, and deemed the two
different approaches to managing behav-
ior “Theory X” and “Theory Y.” By
building on Maslow’s concept of self-
actualization, McGregor was able to in-
fluence management practices, thereby
controls, of most organizations by distin-
guishing between the two styles: Theory
X – strong, dictatorial, driven by staff’s
inherent desire to not comply with de-
fined procedures unless both threatened
and rewarded; and Theory Y – empa-
thetic, facilitative, driven by a belief that
staff is as motivated to work as to play or
rest. (Theory Y is credited with influenc-
ing later contributors [Herzberg, Peters]
in their formulation of the concepts of
“job enrichment” and “empowerment.”)
What tends to be overlooked by many
organizations as they incorporate aspects
of Theory Y and Theory X into their
management styles is the fundamental
importance of understanding the key
characteristics of a self-actualized
worker: “Like any other person, they still
display frailty and failings, ‘ups and
downs.’ They still express their emotions
and can be critical and demonstrative to-
wards others. They can lose their cool and
be everything from ruthless to be con-
sumed with the sulks. They typically
wish to decide things for themselves,
want reasons, ask questions and do not
necessarily wish to conform. Finally,
while they may accept the need for con-
formity sometimes in order to service
their interests, and not to be selfish and
ego-centered in ways that deny the ability
of others to act in their own right, they
may also say ‘no,’ and from time to time
be unpredictable, as they desire to make
up their own minds and be in charge of
their own destinies.” {Excerpt source:
Chris Jarvis for the BOLA project
(Business Open Learning Archive).}
Another behavioral model necessary for
understanding the role of human nature in
governance dynamics centers around an
individual’s personal understanding on
any given topic, and is normally depicted
as the “competency square.” In this
square, the upper left hand corner is the
home of the “unconsciously incompe-
tent” (UI), someone who is blissfully un-
aware of how little they do not know until
an event requiring the use of the missing
knowledge is thrust upon them. At that
time, they move to being “consciously
incompetent” (CI) the lower left corner,
cognizant of the fact that they are lacking
the necessary understanding to deal with
the issue. As the person decides to better
their understanding and seek out knowl-
edge, they proceed to the lower right cor-
ner of the square, the “consciously com-
petent” (CC) section, now having a work-
ing knowledge of the issue at hand. Fi-
nally, if the person desires to be a
“subject matter expert” vs. merely a
“CC,” they will strive to move to the up-
per right hand quadrant, or
“Unconsciously Competent” (UC), thus
completing their journey through the
square.
In assessing the dynamics of this model,
the question arises as to whether the
“competency square” should actually be a
“competency circle.” When factoring
human behavioral characteristics into the
equation, the cyclical nature of the model
becomes evident: an individual moves
from CI to CC to UC, and then runs the
risk of “resting on their laurels,” i.e., not
investing the ongoing energy required to
keep their UC level of knowledge current.
This static state may work for a short du-
ration. However, over time, the individ-
ual will eventually drift back into UI, as
their current knowledge degrades to a
non-relevant status.
Therefore, it is necessary for some type of
“barrier” to be erected between UC and
UI in the cycle. Using professional certi-
fications as an example, this is accom-
plished by an “independent” governing
body requiring “compliance” with annual
continuing education requirements,
thereby keeping the knowledge timely
and relevant, in theory if not in practice.
Without this ability to govern the ongoing
competency of the person, the negative
consequences brought about by the slide
from UC to UI are almost inevitable.
A final aspect of human behavior to keep
in mind is the universal application of
certain traits, namely: curiosity, greed,
self-rationalization and pride. In foren-
sics literature, the key contributing factors
for fraud, which is defined as a deliberate
circumvention of a control environment,
is known as: 1.) A perceived need by the
individual; 2.) An understanding of the
control environment, especially as it per-
tains to identified weaknesses; and 3.) A
perceived culture where minor wrongdo-
ings are tolerated, perhaps even over-
looked. The four traits noted above play
major roles in the factors contributing to
fraud: curiosity will identify the control
environment, greed will typically drive
the need to act, self-rationalization will
justify the individual’s behavior and pride
will typically minimize the organization’s
desire to appropriately punish the wrong-
doer.
When the behavioral/learning/emotional
traits discussed previously are combined,
the argument for independent governance
is compelling. Using recent history as an
example, the push for empowerment in
some organizations, without first deter-
mining the adequacy of the underlying
control environment, provided the neces-
sary conditions for irregularities to occur.
Also, in organizations where an under-
standing of the importance of internal
controls was once significant, without an
adequately defined and maintained inde-
pendent governance mechanism neces-
sary to create the “barrier” between UC
and UI, control environments were al-
lowed to atrophy, creating the same types
of situations where irregularities were
possible. The creation of evolved busi-
ness models, without fully embracing the
importance of governance, controls and
monitoring, have left corporate America
ripe for the cyclical pattern of corporate
blow-ups that has peppered recent his-
tory.
Perhaps the most glaring example in re-
cent history of bad behavior run amok is
the “urban legends” that have already
emerged regarding the excesses of the
“dot-com/dot-bombs” that came and went
over the last few years. During the hey-
day of the dot-com investor buying spree,
it was not unusual at all to see $100 mil-
lion IPOs based solely on potential versus
actual revenue. This capital was then, in
many cases, put into the hands of “CEOs”
and “CFOs” with very little applied ex-
perience in their roles, and absolutely no
financial infrastructure to monitor them.
These situations became immediate disas-
ters waiting to occur: simple greed would
lead to exorbitant profit-taking on clearly
unprofitable organizations, while little to
no fiduciary oversight or governance al-
lowed excessive capital expenditures on
“loft furniture” and “gourmet coffee ma-
chines.” Almost unbelievably, this lack
of effective monitoring led to instances
where the $100 million IPO noted previ-
ously would evaporate in nine to 12
months, leaving investors to speculate
where their capital went, and suddenly
jobless executives to look for their next
unsuspecting dot-com in need of a
“seasoned start-up expert.”
Regrettably, many organizations, past and
present, have intentionally chosen not to
advance the development of their internal
control structure, often citing the most
common of reasons: “It’s not cost-
beneficial,” or “It’s the external auditor’s
job to identify control weaknesses.”
Hopefully, as corporate America has re-
cently been jolted from a UI position re-
garding the importance of internal con-
trols to, at a minimum, a CI appreciation
for why those two statements are no
longer valid under the Act, the opportu-
nity to prevent history from repeating in
another 70 years (or less) is a common
goal, and that goal must be founded in an
understanding (CC or UC is up to the in-
dividual organization) of a strong inter-
nal control framework.
Risks and Controls
While not specifically mandated in the
Act, current conventional wisdom puts
the framework recommended in The
COSO Report as the best guidance for
compliance with the Act. At the core of
the COSO Report are the universal defini-
tions of risk and internal control.
Put simply, a risk is an event that, if it
occurred, would have an adverse impact
on the organization’s objectives. Risks
are commonly evaluated by the severity
of the impact on the organization, and the
likelihood of the event occurring. Inher-
ent Risks are events that occur regardless
of the effects of controls, Managed Risks
are those mitigated by the use of internal
controls and Residual Risks are the re-
maining risks after the application of the
internal controls against the risks. In each
organization, emphasis should be placed
on determining the cost of an internal
control against the benefit of the mitiga-
tion of the risk to an acceptable,
“residual” level.
Internal control, as defined by the COSO
Report, is: “broadly defined as a process,
effected by an entity's board of directors,
management and other personnel, de-
signed to provide reasonable assurance
regarding the achievement of objectives
in the following categories: Effectiveness
and efficiency of operations; Reliability
of financial reporting; [and] Compliance
with applicable laws and regulations.”
The COSO Report goes on to identify
five unique components of internal con-
trol, which are fully integrated into man-
agement processes. The five components
are: Control Environment, Risk Assess-
ment, Control Activity, Information and
Communication and Monitoring, and are
usually illustrated as either a “cube” or a
“pyramid.” The “cube” illustration is pre-
sented here:
Based on the COSO illustration (copyright 1994) by the Com-
mittee of Sponsoring Organizations (COSO).
The cube makes for an excellent depic-
tion of the framework, in that everything
rests on the base of a strong control envi-
ronment, often referred to as the “tone at
the top,” requiring a culture intolerant to
unethical behavior, and is evident in all
directions from both the board of direc-
tors and executive management. After
that, a defined process where risks are
identified and analyzed in order to deter-
mine the degree of mitigation necessary
to achieve corporate objectives is neces-
sary, followed by the control activities
(policies and procedures) put into place in
order to mitigate those risks.
Communication must flow both up and
down the organizational chart, and infor-
mation must flow from both in and out-
side of the organization, in order to en-
sure that all parties, both internal and ex-
ternal, understand their individual roles in
the control framework, and how their spe-
cific roles interact with others in the
framework.
Finally, management must ensure that
there is adequate monitoring to ensure the
quality of the framework’s performance
over time. This is achieved both by ongo-
ing management activities, as well as ob-
jective evaluations by independent par-
ties. The COSO Report recommends that
this is an effective role for an organiza-
tion’s internal audit function to play.
Over the years, this writer has developed
a modified “hierarchy of internal control
needs” in order to describe the nature of
internal control monitoring
As depicted in the pyramid, the basis of
all internal control monitoring rests in
compliance with existing policies and
procedures. Since this is a highly reactive
approach, with only a “yes” or “no” out-
come, the next layer (operational audit-
ing) is more proactive in nature, not only
identifying control breakdowns, but also
working with management in determining
and recommending appropriate corrective
action to prevent future occurrences.
Even more proactive is having internal
control experts “consult” on the front end
of any process development and/or re-
engineering projects, in order to ensure
that effective controls are not sacrificed
for “efficiency reasons.” (It should be
noted that independence guidelines would
prohibit the same control consultant from
performing the “testing” of the new con-
trol, in order to eliminate the perception
of a lack of objectivity.) Finally, “self-
actualization” comes when internal con-
trols, and proactive risk management, is
embraced in such a way that management
incorporates control self-assessments
(CSAs) into the overall internal control
framework.
If a layer were to be added to the bottom
of the pyramid as the foundation of the
entire hierarchy, it would be the need for
the perception of objectivity in perform-
ing the monitoring portion of the inte-
grated framework. Then, of course, un-
derneath the “foundation” of objectivity
would have to lay the “bedrock” of inde-
pendence.
Independence
One of the most significant tenants of the
COSO Report is the understanding that
the internal control framework is solely
the responsibility of management. More
importantly, Section 404 of the Act re-
quires management to acknowledge this
responsibility in an annual internal con-
trol report, which in turn must be inde-
pendently attested to by the external audi-
tor.
Many positions have been taken by vari-
ous organizations since the passage of the
Act regarding the appropriate roles that
should be played by the audit committee
of the board, management and the exter-
nal auditor in ensuring the independence
of each function in their respective roles.
As mentioned previously, an unfortunate
omission in the Act is the specific role
that internal audit can and should play in
pursuing the COSO Report’s stated objec-
tive of an independent evaluation of the
internal control framework.
Some external auditors, who want to do
much more than just the attestation work
associated with management’s assertions,
have embraced a more aggressive inter-
pretation of the independence issues at
the heart of Section 404 than is believed
to be intended. For example, some exter-
nal auditors go so far as to offer to serve
as the “smart arms and legs” of the client
company’s project management office in
the preparation of the supporting docu-
mentation for the Section 404 assertions
by management. That position appears to
conflict with the spirit, if not the letter, of
the new law’s independence rules because
external auditors would be
“independently” attesting to work that
they assisted in preparing. ing management by having the reporting
line directly to the Audit Committee, in-
A useful thought process to consider ternal auditors can assist management
when evaluating auditor independence with the creation of the control environ-
issues is “four, three, two,” a mantra that ment, the assessment of risk, the determi-
refers to the Sections 404, 302 and 201 of nation of control activities, the determina-
the new law. It’s helpful to run through tion of adequate processes for both ob-
the key questions at the core of each of taining and communicating information,
those three sections in that order. First, and the ongoing monitoring of the overall
under 404, can external auditors effectiveness of the control framework.
“independently” test and opine on man-
agement’s report on internal controls if
they played any role in preparing the
documentation? Second, under 302, is
management comfortable with this deci-
sion in light of pending guidance on dis-
closure protocols, and the subsequent po-
tential harm if something was deemed
“inappropriate” about the external audi-
tor’s role at a later date? And third, under
201, since this assistance of operating
management in preparing their assertion
falls outside the scope of actual external
audit work, does it require audit commit-
tee approval, and is management there-
fore comfortable asking for it? In the final
analysis, it clearly makes sense to err on
the side of caution when deciding whom
to use to assist with the preparation of the
Section 404 compliance work.

A proposed solution…..look to internal

control experts where no appearance of
conflict of interest exists. In bringing
together the importance of governance
and a defined control structure, and justi-
fying it by fundamental aspects of human
behavior depicted in repetitive historical
cycles, the advent of the Act strongly em-
phasizes the need for an objective moni-
toring function within the organization
that can assist management. As experts
in risks and controls, and by establishing
the function as “independent” of operat-
By mapping the “hierarchy of control
needs” provided before to the “COSO
cube” components, it becomes apparent
how internal control expertise can provide
assistance to management in every layer
of the cube:
As depicted above, compliance auditing
is an essential part of the monitoring com-
ponent, performed independent of man-
agement by the internal audit group, in
order to be perceived as objective in their
viewpoint. The more “proactive” opera-
tional auditing focuses on the components
of information & communication and
control activities, actively working with
management in finding solutions to con-
trol issues, as opposed to simply identify-
ing the issue. Control consulting applies
risk and control expertise to both the con-
trol activities and risk assessment compo-
nents, ensuring that adequate considera-
tion is given to risk control consequences
when identifying and mitigating risks, in
addition to the “cost/benefit” aspects.
Finally, instilling ownership of control
self-assessments into management’s con-
trol environment by facilitating the proc-
ess is the most proactive way for internal
auditors to ensure that management is
constantly addressing its fiduciary re-
quirement to its board and investors to
“own” the internal control framework.
A wise approach to auditor independence
rules does not mean curbing communica-
tions with external auditors. On the con-
trary, management, internal audit and ex-
ternal auditing partners should interact
continually throughout the year, both in
the determination of the ability of the ex-
ternal auditors to rely on the work per-
formed by the internal auditors as defined
in the Statement of Auditing Standards
(SAS) number 65, and in the determina-
tion of the minimum requirements needed
to satisfy section 404 of the Act. That line
of communications helps ensure compa-
nies that its assessments, documentation,
testing and reporting are heading in the
right direction and should subsequently
lighten the attestation load (not to men-
tion the cost of that work) external audi-
tors bear at year-end, as proscribed in
SAS 65.
The “End” or the “Means?”
As an important point of clarification, nu-
merous comments already made by key
individuals, including SEC Commission-
ers, have made it clear that the Act was
not intended to be perceived by manage-
ment as the “end of all means” as it re-
lates to providing the investing public,
and the federal government, with comfort
regarding an organization’s operations.
Rather, the Act was intended as a “means
to an end,” which would be the establish-
ment of an integrated control framework,
as proscribed in the COSO Report, which
by definition would then include the all
aspects of the Act as a part of the overall
defined corporate governance.
While many organizations responded rap-
idly in a “tactical” mode to key sections
of the Act, such as deploying “cascading
certifications,” i.e., having all layers of
management perform the same certifica-
tion as required by the CEO and CFO on
all SEC quarterly and annual reports,
many have adopted a “wait and see” atti-
tude when it comes to the more far-
reaching “strategic” components of the
Act, such as: disclosure guidelines, whis-
tleblower protocols and the incorporation
of a uniform control structure, such as the
COSO Report, across all processes in the
organization, both “financial” and “non-
financial.”
The lack of clarity regarding the role of
internal audit in the Act has led some or-
ganizations, as part of their “tactical” re-
actions, to have both positive and nega-
tive effects of the intent of creating the
ideal control environment. A positive
effect is where audit shops that had relo-
cated to the top of the hierarchy pyramid
over the last decade or so, lured by the
“sexiness” of the consultant’s role, and
had forgotten the base, have been ordered
back into compliance testing by their
boards, especially pertaining to financial
reporting processes. The development of
CSA was never meant to replace the inde-
pendent monitoring done by internal au-
dit, and is yet another example of unin-
tentional decay from UC to UI when in-
ternal auditors quit independently verify-
ing through compliance testing the asser-
tions provided by operating management
through the results of their CSAs. How-
ever, some negative effects seen post-Act
involve management’s desire to incorpo-
rate the internal auditor into the actual
processes developed as “tactical” reac-
tions to components of the Act, such as
requiring the Internal Auditor to sign off
like management on the “cascading certi-
fications,” and by having Directors of In-
ternal Audit have active roles on the Dis-
closure Committees set up as part of Sec-
tion 302. Whereas the underlying intent
of such actions is understandable by man-
agement, having internal auditors become
active participants in the actual control
activities and information & communica-
tion components of the framework clearly
dilute the perception of independence,
which erodes the ability to monitor objec-
tively.
Organizations that either already had in
place internal control frameworks based
on the COSO cube, or have since imple-
mented such programs, are on the path to
complying with the true “spirit” of the
Act. These organizations:
• Have an independent internal audit
function reporting directly to the audit
committee of the board of directors,
and administratively to executive
management;
• Have board-approved charters for
both their audit committees and intern
audit departments;
• Have management and internal audit
jointly perform risk assessments
(enterprise-wide and entity/process-
specific) on a regularly defined basis
(ideally annually, but no less than
every three years);
• Prepare annual audit plans based on
the result of those risk assessments;
• Have internal audit test and report on
the effectiveness of the existing con-
trol activities, and management’s on-
going efforts to correct deficiencies as
noted;
• Ensure that their internal auditors play
the role of corporate “teachers of in-
ternal control,” in that they instruct
management in their core expertise:
risk assessments and internal controls,
and “test” the effectiveness of their
instructions through auditing the op-
erations for compliance with all perti-
nent policies and procedures, along
with evaluating the efficiency and ef-
fectiveness of the overall control envi-
ronment, both in financial and non-
financial areas of the organization;
and
• Also ensure that, through their col-
laborative interactions with manage-
ment, their internal auditors are part
of the process of continuous improve-
ment of the control framework,
thereby assisting management with
their ability to prepare quarterly and
annual assertions as to the overall ef-
fectiveness of their control frame-
 work, as defined by the Act.
An interesting note: Thought-leading
organizations were doing most, if not
all, of the above prior to the Act, and
were not even necessarily publicly
traded! Their reason for being so
“visionary” was simple: Long before
Congress legislated it, these organiza-
tions understood that the “benefit” of in-
creased efficiencies and effectiveness of
operations, along with a “tone at the top”
of zero tolerance of improprieties and
unethical behavior, was well worth the
associated “cost” of an integrated control
framework, including independent, ob-
jective monitoring.
Lessons from History
Using the competency cycle described
previously, a “thumbnail sketch” can be
prepared of the historical trends that lead
to the Act:
• In spite of numerous attempts in
the past by Congress to “legislate”
corporate governance, no clear-cut
definition of an adequate internal
control framework was ever man-
dated.
• In addition, professional services
firms were left to themselves to deter-
mine what was deemed appropriate in
maintaining a perception of independ-
ence in performing their work.
• Over time, some organizations that
considered themselves “UC” when it
came to understanding their opera-
tions and control environments atro-
phied into “UI” in regards to key ar-
eas of governance, thereby creating an
“environment” that allowed inappro-
priate behavior to go undetected,
since they had not adequately erected
the required “barrier” between UC
and UI: An “independent” evalua-
tor of compliance in the monitoring
process.
• Finally, the professional services
firms suffered a significant shift in the
investing public’s perception of what
constituted “independence,” espe-
cially when it came to monitoring cli-
ents where other, management-
directed, work was performed.
Thus, the dominoes were lined up, wait-
ing for a push: A lack of perceived inde-
pendence, leading to a lack of a defined
barrier in the competency cycle, leading
to a artificial reliance in existing control
frameworks, leading to opportunities for
manipulation of financial data, leading to
the collapse of large (and small) institu-
tions, leading to the devaluation of inves-
tor portfolios, leading to public outcry,
leading to the passage of the Sarbanes-
Oxley Act.
Hopefully, the adage of “those who do
not learn from history are bound to re-
peat it,” will be the new watch phrase of
corporate America. Most importantly,
although not specifically defined in the
Act, the necessity of an independent
monitoring function in the internal control
integrated framework will become the
definitive “barrier” that prevents the dom-
ino cycle from reoccurring, and history
from once again repeating itself. Only
time, further governmental guidance and
proactive management action, will tell if
the lesson has been finally learned.