Internal Controls After Sarbanes-Oxley: Revisiting Corporate Law\u27s Duty of Care as Responsibility for Systems

Revisiting section 3.4.2 of Clark\u27s Corporate Law (\u27Duty of Care as Responsibility for Systems ) reminds us, however, that the internal controls story actually goes back many decades, and that many of the strategic issues that are at the heart of section 404 have long been contentious. My Article will briefly update Clark\u27s account through the late 1980s and 1990s before returning to Sarbanes-Oxley and rulemaking thereunder by the SEC and the newly created Public Company Accounting Oversight Board ( PCAOB ). My main point builds on one of Clark\u27s but digs deeper. Internal controls requirements, whether federal or state, are incoherent unless and until one articulates clearly for whose benefit they exist, and to what end. There are, in fact, a number of competing articulations. The failure to identify a single and coherent rationale creates significant uncertainty, which has been exploited by players in the legal, accounting, consulting, and information technology fields. Companies are probably spending more time and resources on 404 compliance than a reasonable reading of the legislation and the rules necessarily requires, heavily influenced by those who gain from issuer over-compliance. This rent-seeking compromises the political viability and substantive quality of what is at the heart a beneficial statutory reform

Implementing section 404 of the sarbanes oxley act: Recommendations for information systems organizations

Section 404 of the Sarbanes Oxley (SOX) Act addresses the effectiveness of internal controls, which in most organizations are either fully or partially automated due to the pervasiveness and ubiquity of information technologies. Significant or material control deficiencies have to be reported publicly. The adverse impact on organizations declaring deficiencies can be severe, for example, damage to reputation and/or market value. While there are many practitioner-led manuals and methods for dealing with 404, there has been little published in the academic research literature investigating the role of Information Systems organizations in implementing Section 404. The paper addresses this gap in knowledge. We used institutional theory as the lens through which to examine the experiences of Section 404 implementation in three global organizations. We used the case study method and an abductive strategy to gather and analyze data respectively. Our findings are summarized in six recommendations. We found that institutional pressures play a critical role in the implementation of Section 404. In particular, organizations face coercive pressure to achieve Section 404 compliance, without which punitive sanctions can be imposed by regulators. Organizations tend to imitate one another in the methods they use so that each is perceived to be in line with their competitive environment. Organizations face normative pressures to act in ways that are socially acceptable, which is to achieve compliance. Failure to do so would be a signal to the market that the organization does not take controls seriously. We expand these findings in terms of power and influence tactics that IS organizations can use when implementing Section 404. Our findings provide directions for practice and lines of enquiry for further research

Applying Sarbanes-Oxley Principles to Colleges and Universities

In the wake of the financial scandals that have occurred in the corporate sector, the public is demanding more accountability not only from corporations but also from nonprofit organizations such as universities. Institutions can enhance corporate governance by implementing some of the principles and procedures the Sarbanes-Oxley Act of 2002 (SOX) have mandated for public companies. Because public accounting firms audit universities, the firms can provide a valuable service to such clients by recommending ways in which universities can implement SOX practices that are appropriate and applicable. Although SOX does not currently apply to colleges and universities, it has created a climate in which many colleges and universities are considering ways to increase transparency and accountability in their financial operations. The outlook for mandating SOX-like legislation for nonprofits is unclear, both at the federal and state level. There is evidence, however, of some opposition to the implementation of SOX principles at universities

The Social Construction of Sarbanes-Oxley

The closer one looks at SOX and its origins in the financial scandals of the early 2000s, the blurrier the picture, which lets commentators see what they want to see and draw inferences accordingly. That is why social construction is so crucial. My aim in this paper is to illuminate the social nature of SOX\u27s diffusion into practice. I will leave to the reader the judgment about whether this has been or will be good or bad, and for whom. If I seem to challenge SOX\u27s critics more than its supporters, it is because the critics have been more venomous than is fair. Venom aside, the bite still deserves attention

Business Process Risk Management, Compliance and Internal Control: A Research Agenda

Integration of risk management and management control is emerging as an important area in the wake of the Sarbanes-Oxley Act and with ongoing development of frameworks such as the Enterprise Risk Management (ERM) framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Based on an inductive methodological approach using literature review and interviews with managers engaged in risk management and internal control projects, this paper identifies three main areas that currently have management attention. These are business process risk management, compliance management and internal control development. This paper discusses these areas and identifies a series of research questions regarding these critical issuesRisk management; Internal control; Business processes; Compliance; Sarbanes-Oxley Act; ERP systems; COSO; COBIT

Private Enterprise, Public Trust: The State of Corporate America After Sarbanes-Oxley

The highly visible accounting scandals that surrounded the collapse of Enron, WorldCom, and several other major companies -- together with the revelation of fraud and other acts of malfeasance by corporate executives -- aroused public outrage, called into question the values and ethics of business leaders, and undermined the public's confidence in public companies. CED is concerned about the reality, as well as the appearance, of corporate impropriety. This policy statement examines the state of corporate governance in the United States and offers practical recommendations for restoring public trust in business. Recommendations include:- Making Audit Committees Autonomous and Vigorous- Ensuring that users understand that financial information is based on judgments- Giving Sarbanes-Oxley a chance to work- Taming excessive executive compensation- Using independent nominating committees to select and appraise director

Legislating the Normative Environment: Nonprofit Governance, SarbanesOxley and UPMIFA

Regulation of nonprofit investment and governance practices has migrated from traditional common-law principles to codified statutory law, affecting areas of nonprofit governance not addressed in the original legislation. Trustees will do well to heed this development.A phenomenon with far-reaching effects on nonprofit investment management and governance has become a little-noticed yet powerful force in boardrooms over the past decade. Despite its wide-ranging implications, this development has largely gone undocumented.This paper seeks to draw attention to this change and its implications, and to trace a transformation in thinking that has gained momentum in recent years. Briefly stated, regulation of key aspects of nonprofit governance and investment has, in important ways, ceased to be a matter of unwritten common law and has become primarily a matter of codified statutory law. While interpretation by courts remains fundamental to the application of these laws, it is nevertheless true that standards which previously varied from state to state around a set of core fiduciary principles are now being interpreted against much more uniform statutory standards

The Changing Role of Auditors in Corporate Tax Planning

This paper examines changes in the role that auditors play in corporate tax planning following recent events, including the well-known accounting scandals, passage of the Sarbanes-Oxley Act, and regulatory actions by the SEC and PCAOB. On the whole, these events have increased the sensitivity to and scrutiny of auditor independence. We examine the effects of these events on the market for tax planning, in particular the longstanding link between audit and tax services. While the effects are recent, they are already being seen in the data. Specifically, there has already been a dramatic shift in the market for tax planning away from obtaining tax planning services from one's auditor. We estimate that the ratio of tax fees to audit fees paid to the auditors of firms in the S&P 500 decline from approximately one in 2001 to one-fourth in 2004. At the same time, we find no evidence of a general decline in spending for tax services. In sum, the evidence indicates a decoupling of the longstanding link between audit and tax services, such that firms are shifting their purchase of tax services away from their auditor and towards other providers.

The Qualified Legal Compliance Committee: Using the Attorney Conduct Rules to Restructure the Board of Directors

The Securities and Exchange Commission introduced a new corporate governance structure, the qualified legal compliance committee, as part of the professional standards of conduct for attorneys mandated by the Sarbanes-Oxley Act of 2002. QLCCs are consistent with the Commission\u27s general approach to improving corporate governance through specialized committees of independent directors. This Article suggests, however, that assessing the benefits and costs of creating QLCCs may be more complex than is initially apparent. Importantly, QLCCs are unlikely to be effective in the absence of incentives for active director monitoring. This Article concludes by considering three ways of increasing these incentives