cycnum AG

We support you in implementing internal risk management systems according to the requirements of the Sarbanes-Oxley Act (SOA, section 404) and the legal requirements of KonTraG (section 91 par. 2 of the German Stock Corporation Act, AktG):

› Sarbanes-Oxley Act (SOA) Section 404
› KonTraG (§ 91 Abs. 2 AktG)


With the Sarbanes-Oxley Act (SOA or SOX) of 2002, which aims to protect investors comprehensively, U.S. and foreign stock corporations face strict legal accountability obligations. The greatest challenge for affected companies lies in section 404, which demands an effective monitoring system for controlling financial risks, in particular at the level of business processes.

The many recent reforms in corporate governance are the result of large, well-publicised financial frauds. In response to those frauds, the U.S. Congress passed the Sarbanes-Oxley Act (SOA or SOX) of 2002. The Securities and Exchange Commission adopted many new rules and the major stock markets, including the New York Stock Exchange and Nasdaq Stock Market, changed their standards governing listed companies.

Generally, the Act applies to U.S. and non-U.S. public companies that have registered securities (debt or equity) with the SEC under the Securities Exchange Act of 1934 (the "Exchange Act"). Given its complexity, the applicability of each section of the Act, and of any SEC and exchange implementing rules, must be carefully checked to determine whether a specific provision applies to a particular situation.

A major challenge for companies lies in Section 404 of the Act: the SEC requires the company’s auditor to attest to and report on management’s assessment of the effectiveness of the company’s internal control over financial reporting. The company must also file the auditor’s attestation report as part of its annual report.

Commitment of general management – there is no way around it

Companies often underestimate the complexity and significance of SOA projects. In particular, companies with no experience in risk management are likely to end up with a half-hearted SOA project that ultimately escalates into a test of strength, with hectic rescue attempts at all levels.

General management will therefore welcome a project management that secures the commitment of all involved parties from the outset, monitors it at all levels of the company during the project, and enforces it uncompromisingly when necessary.

It is therefore vitally important that the CEO and CFO recognise the immense importance of the SOA. An SOA project must be started in good time, and it is important to consider whether the procedures allow enough time to prepare full and accurate disclosure, and also to preserve calm within the company and among its employees. The CEO and CFO should each participate in these activities, but they will nonetheless be grateful for a project committee that guarantees a sound and efficient workflow from the very beginning.

Steps for the successful implementation of an internal control system for all financial and financially relevant processes according to the requirements of SOA section 404:

- Scoping
- Analysis and documentation of financially relevant processes, risks and controls
- Process walkthroughs
- Remediation
- Testing

Our consulting approach supports all project phases

Scoping

In keeping with the philosophy of U.S. law, the SOA, and in particular its interpretative rules, is open to and in need of interpretation. With that in mind, we recommend consulting a certified accountant early on in order to safeguard the scope.
The first step is to define the business processes that are relevant to cost accounting. This is accomplished by identifying the balance sheet items that are significant from a risk point of view, together with their underlying account groups.

Achieving a clearly structured and well-defined process overview, which is vital for the subsequent steps, is itself a challenge.

The Act and its related SEC rules require companies to maintain procedures to evaluate and make certain disclosures concerning their “disclosure controls and procedures” and “internal control over financial reporting”. Reporting companies must also include an attestation from their auditors confirming management’s conclusions in its evaluation of the internal control over financial reporting.

There are differences between internal control over financial reporting and disclosure controls and procedures that should be noted, although the definition of internal control over financial reporting overlaps the definition of disclosure controls and procedures in important respects.

Analysis and documentation of relevant processes, risks and controls

This phase consists of a detailed analysis and documentation of the selected processes, their risks and their control measures. Precise and binding guidelines ensure the efficiency and quality of the documentation. “Disclosure controls and procedures” must exist, since they comprise the controls and procedures designed to ensure that information, reports and guidelines are accurate, complete and filed on time. A skilled team (project team and consultant team) ensures that the documents are correctly organised. An exact description of the control measures is of major importance for the subsequent project phases, as it guarantees accurate guidelines and reports.

Evaluation of control measures

Evaluating the effectiveness of the control measures in relation to the relevant process risks reveals deficiencies. A remediation plan is then compiled to eliminate them. The number of key controls defined determines the overall scope of the subsequent project phases.

Process/procedure walkthroughs

Once the documentation phase has been completed, process walkthroughs are required in order to verify the documentation results. This ensures that the highest quality demands on process documentation and control evaluation are met.

Remediation

This is where the measures in the remediation plan are carried out, i.e. the implementation or revision of processes or controls. Remediation is deemed complete when the organisation is operating all key controls and those controls contribute effectively to managing risks.

Testing

Testing all key controls is mandatory under SOA. A detailed test plan describes the test procedure (definition of populations, drawing of samples, definition of test criteria, etc.) as well as the test results. Testing must be understood as the last chance to remediate controls before the audit.


With the enactment of the "Gesetz zur Kontrolle und Transparenz im Unternehmensbereich" (KonTraG, Law on Control and Transparency in Business) on 1 May 1998, new requirements for the management of operational risks were established and existing regulations were made more concrete.

Our service portfolio for implementing risk management systems according to the legal requirements of KonTraG (section 91 par. 2 AktG):

› Definition of risk strategy
› Risk identification and evaluation
› Definition and tracking of risk controlling activities
› Design of risk reporting
› Documentation of risk reporting according to auditor’s principles (IDW PS 340)