The Sarbanes-Oxley Act of 2002 (SOX) is a U.S. law. It was passed to improve the quality and transparency of financial reporting, independent audits and accounting services for public companies in the U.S., including non-U.S. companies traded on any U.S. stock exchange. In its early days, SOX was perceived by many as unreasonable, with compliance costs unexpectedly high even for large publicly traded corporations, and an even greater burden for smaller reporting companies. Through successive refinements by the regulatory bodies concerned, in this instance the SEC and the Public Company Accounting Oversight Board (PCAOB), these issues have been continuously addressed, and the law has become more relevant for organizations to comply with (and, in other cases, adapt to) in order to make financial reporting accurate and to keep the information technology supporting internal control reliable and secure. Since the 2007 reforms, which refers to the release of the new PCAOB Accounting Standard 5, a 2009 study of SOX Section 404 by members of the SEC's Office of Economic Analysis confirms that compliance costs vary with company size (increasing with size), compliance history (decreasing with greater compliance experience), and compliance regime (lower after the said reforms).
The PCAOB was created with the enactment of the Act to oversee the auditors of public companies, in order to protect the interests of investors and further the public interest in the preparation of informative, fair and independent audit reports. The Securities and Exchange Commission, like securities regulators in other countries, oversees the key participants in the securities world; it also has oversight authority over the PCAOB, including approval of the Board's rules, standards and budget. SOX mandates appropriations for the SEC to improve its resources and oversight.
Section 404 of the Act concerns management's assessment of internal controls. The SEC shall prescribe rules that state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and that require an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the issuer's internal control structure and procedures for financial reporting.
PCAOB Accounting Standard No. 5 (AS5), which supersedes AS2, received many comments, including broad discussion of material weaknesses and deficiencies in internal control over financial reporting (ICFR) and suggestions to align it with the standards used by or available to the SEC. AS5 accordingly establishes requirements and provides direction for an audit of ICFR that is integrated with an audit of the financial statements. ICFR provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements, and the auditor's objective is to express an opinion on the effectiveness of the company's ICFR. It is also noted that if one or more material weaknesses or deficiencies exist, the internal control cannot be considered effective.
In its proposed rule released in 2002 on the disclosure required by Sections 404, 406 and 407 of the Sarbanes-Oxley Act of 2002, the SEC states: "The Sarbanes-Oxley Act does not explicitly state who at the company should determine whether any of the audit committee members is a financial expert. Management is responsible for preparing the financial statements. Therefore, it seems inappropriate for management to assess the qualifications of audit committee members. Similarly, it does not seem appropriate for the members of the audit committee, alone, to assess their own qualifications. We believe that the board of directors in its entirety, as the most broad-based body within the company, is best-equipped to make the decision."
Corporate governance of IT, as set out in ISO/IEC 38500, is relevant to such a law (and to similar laws such as J-SOX in Japan, CLERP 9 in Australia and Bill 198 in Ontario, Canada), and particularly to the provisions of Section 404, in how the board takes on ICT in general to underpin the company's requirements for doing business, including compliance with government regulations and directives. ISO/IEC 38500 is international in its application, and one of its functions is to promote the effective, efficient and acceptable use of IT in all organizations by assuring stakeholders that, if the standard is followed, they can have confidence in the organization's corporate governance of IT, or in its simplest terms, in the delivery and use of IT. That includes the security and reliability of information systems and infrastructure. It also informs and guides directors in their organization's use of IT. Directors means the board of directors, including the owners of the company. The OECD's principles of corporate governance distinguish two types of board of directors: the supervisory (or non-management) board and the management board. In some cases the management board consists of the chief executive officer alone. By making the board, whether supervisory or management, aware of the standard, it would have a better approach to its IT, which is usually facilitated, if not solely directed, by an IT-capable body within the organization. The board, or senior managers in other cases, would also realize that if their IT efforts are not carried out as directed or intended, this not only implicates them, since they are accountable to stakeholders, but could also negatively affect how the organization as a whole functions and operates its business.
International standards, whether mandatory or advisory, are not meant to replace legislation. However, careful consideration of adopting them can have a significant, usually beneficial and even uplifting effect, in a broader context, on an organization's efforts in a given activity, e.g. any one or combination of ITIL, ISMS, environmental standards, et al. Legislation serves a different purpose: it is not a matter of choice or privilege; all covered individuals and entities are required to comply, on time, or face penalties.
The ISO/IEC 38500 standard is also relevant to the PCAOB, particularly AS5, which notes that the identification of risks and controls within IT is not a separate evaluation. That is why AS5 is an audit of internal control over financial reporting that is integrated with an audit of the financial statements. Since corporate governance of IT is a high-level, principles-based advisory standard, its aim, directed primarily at the board and senior management just as in the case of SOX, is to help them understand how IT is carried out and utilized in a wider context rather than in the organization's individual processes. It does not say how to address risk or any subject other than good corporate governance of IT; however, it suggests that to benefit from the standard, the adoption and application of the other standards needed to carry out particular objectives is necessary so that the organization's use of IT, underpinning business needs, is effective and satisfactory.
The SEC accordingly endorsed the recommendations of its staff and directed the staff to focus on the four remaining work areas, one of which is: "Following a principles-based approach to determining when and to what extent the auditor can use the work of others." In response to commenters' suggestions that too many instances of the terms "should" and "must" remained in the proposed AS5, which might drive excessive documentation and possibly unnecessary work, the PCAOB modified the final standard to make it more principles-based, finding this approach to internal control auditing more convincing than a set of detailed requirements.
Not only do both PCAOB AS5 and ISO/IEC 38500 follow a principles-based approach; AS5 also contains, though it does not name them, the six principles of ISO/IEC 38500. Though not comprehensive, AS5 clearly states the responsibilities of the company's management, board of directors and auditors; strategy, acquisition, performance and conformance form part of the effectiveness of their internal control, including management of risk, whether or not it needs improvement to make financial reporting effective and compliant with the provisions of SOX Act Section 404 as enforced by the SEC; and human behaviour is reflected in the standard's requirement for technical training and proficiency (for the auditor), independence, and the exercise of due professional care and scepticism.