Sarbox Has Tightened Controls, But Has It Reduced Fraud Risk?

Lora Bentley

A report out this week from compliance technology provider Oversight Systems suggests that changes in Sarbanes-Oxley implementation and the Public Company Accounting Oversight Board's (PCAOB) Auditing Standard 5 have helped companies simplify their internal controls and reduce costs. However, the report also says the changes have created new problems for financial execs.


A little background: Oversight Systems, based in Atlanta, Ga., sells continuous transaction monitoring software. The "2008 Financial Executive Report on Sarbanes-Oxley" is the fifth in a series, and it is based on the company's invitation-only online survey of financial executives such as CFOs, controllers, internal auditors, vice presidents and audit officers from all over the U.S.


What I find interesting about this research are the issues that survey participants are most concerned about now that Sarbanes-Oxley compliance costs are truly dropping.


First, the research says more than half (56 percent) of the financial execs who participated in the survey aren't confident in their ability to identify the areas of their businesses that create the most risk -- which is part of what the new Sarbox 404 guidelines and AS 5 require.


Then, once those areas are identified, 39 percent say they aren't sure how to adequately keep track of everything that goes on in those high-risk areas -- especially since the goal of AS 5 and the new Sarbox guidelines is to reduce the number of internal controls that are necessary to achieve compliance. (This is where Oversight's pitch for continuous monitoring software comes in, and to a point it's justified. More efficient monitoring usually does involve automation technology, but anyway...)


Even beyond that, though, despite the fact that Sarbanes-Oxley costs have dropped and most survey participants say Sarbanes-Oxley compliance has made their financial statements more accurate and their internal controls tighter, only 29 percent of respondents say Sarbox compliance has decreased their companies' risk of financial fraud.


Does that seem odd to anyone else? If the financial controls are tighter and financial statements are more accurate, isn't the risk of fraud necessarily reduced? Maybe the questions weren't clear -- pure speculation on my part, I have no way of knowing -- but regardless, someone is confused.

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.


Add Comment      Leave a comment on this blog post
Jul 28, 2008 11:19 AM Patrick Taylor Patrick Taylor  says:
Lora-Thanks for your very thoughtful assessment of our recent survey report. Id like to clarify the seeming contradiction you bring up in the final paragraph of your post. I think the confusion you mention comes, first, when inferring that more accurate necessarily means the improvement was due to a reduction in fraud (as opposed to an improvement in processes that resulted in a reduction in errors, for example). Further, the inference that tighter controls are all it takes to reduce fraud risk is called into question by the SEC directive issued last year that specifically states: "ICFR ('internal control over financial reporting') cannot provide absolute assurance due to its inherent limitations; it is a process that involves human diligence and compliance and is subject to lapses in judgment and breakdowns resulting from human failures. ICFR also can be circumvented by collusion or improper management override. Because of such limitations, ICFR cannot prevent or detect all misstatements, whether unintentional errors or fraud. (Source: SEC Release No. 33-8810, June 27, 2007). At the risk of overstating the case, this is where an automation technology like continuous transaction monitoring can close the gap. In any case, this is how and why its possible for these executives to feel (and rightly so) that they have made great progress in SOX compliance, without feeling that these compliance efforts have sufficiently decreased their risk of fraud. Reply
Jul 29, 2008 3:52 PM Lora Bentley Lora Bentley  says:
Thanks for reading, and thanks for the clarification, Patrick. Reply
Aug 1, 2008 4:53 PM Jeff Ryall Jeff Ryall  says:
Hi Lora,Yes, it does seem counter-intuitive.I would offer the following perspectives:1. We all agree that automated controls offer improvements in both cost (subject to initial payback calcs) and effectiveness. However, the controls MUST be targeted to risks, and I wonder if execs truly understand the nexus between compliance and risk management. Controls effectiveness is therefore reliant on a comprehensive operational assessment of risks, across multiple consequence perspectives. The output of such an assessment typically numbers in the thousands. I think that this is what the COSO framework is pointing to, but I'm not sure it is widely understood; perhaps it all seems too hard...2. Here in Australia, Standard AS 3806 for Compliance Programs highlights that compliance management is ultimately a behavoural system, supported by technology and automated/manual internal controls. Here is the dilemma: to achieve effectiveness, it requires BEHAVIOURAL change at the top, deployed throughout the organisation.Hope this adds something to the debate. Keep up the great work.J Reply
Aug 6, 2008 4:09 PM MitchatGWAVA MitchatGWAVA  says:
I think that part of the confusion for many organisations bent on eliminating fraud and theft is the vagueness of the verbiage in the legislation. It appears to me that as texting, email and other forms of electronic communication have become the defacto tools of business, today, legislators have recognized that they need to be able to access all of this.What this does to organisations is muddy the waters as to what they need to do and what they do not need to do in terms of retention and compliance to SOX, FINRA HIPPA etc. As we reach out to many organisations it is suprising how many simply cannot get their arms around this, get definitive legal opinions and interpretations and simply do what they feel is appropriate Reply

Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.

Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.