1. Sarbanes-Oxley: Implementing Internal
Control Management System
Sarbanes-Oxley Act of 2002 (further - SOX) was created "to protect investors by improving the
accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other
purposes". Some of the reasons were several cases of fraud concerning financial documentation in
some large companies. According to this act, companies, stocks of which are traded on US stock
market and are subject to the Securities Exchange Act of 1934, have to be in compliance with SOX.
In particular with the following: these companies have to establish internal control system of financial
reporting and prove it’s reliability and effectiveness to the Public Company Accounting Oversight
Board. CEOs and CFOs of companies have personal responsibility for the system.
Following is the description of a company which could be interested in the placement of it’s stocks on
US stock markets:
 Assets value or annual turnover is more than US$150-200 million
 Average pace of development of industry where company works is not less than 10-20% per
annum
 Over the last 2-3 years company has stable gain or assets growth preferably at least by 30%
per annum
On the other side in SOX there is no strict definition of an internal control system (further – ICS) and
before start the company has to get answers to the following questions. What are the types of ICS?
How ICS is created? What tools are needed to automate ICS? How much time will it take to deploy
ICS?
The answer for the question about the concepts of ICS we could find in the document "Concepts of
the internal control" by COSO (Committee of Sponsoring Organizations of the Treadway
Commission). This document, as COSO says: "is the common standard for financial reporting
requirements compliance".
Let’s start with the beginning – what is ICS? In general, internal control is a process, effected by an
entity's board of directors, management and other personnel, designed to provide reasonable
assurance regarding achievement of objectives in the following categories: effectiveness and
efficiency of operations, reliability of financial reporting and compliance with applicable laws and
regulations.
System of internal control is a set of tools that helps the board of directors and management to have
reasonable assurance that they understand the extent of entity's operations objectives achieved,
published financial statements are being prepared reliably and applicable laws and regulations are
being complied with.
According to COSO internal control has to include the following components:
 Control Environment.
Control environment sets the tone of an organisation, influencing the control consciousness of its
people. It is the foundation for all other components of internal control, providing discipline and
structure. Control environment factors include integrity, ethical values and competence of the entity's
people; management's philosophy and operating style; the way management assigns authority and

2. responsibility, and organizes and develops its people; and the attention and direction provided by the
board of directors.
 Risk Assessment.
Every entity faces a variety of risks from external and internal sources that must be assessed. A
precondition to risk assessment is establishment of objectives, linked at different levels and internally
consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the
objectives, forming a basis for determining how the risks should be managed. Because economic,
industry, regulatory and operating conditions will continue to change, mechanisms are needed to
identify and deal with the special risks associated with change.
 Control Activities.
Control activities are the policies and procedures that help ensure management directives are carried
out. They help ensure that necessary actions are taken to address risks to achievement of the entity's
objectives. Control activities occur throughout the organization, at all levels and in all functions. They
include a range of activities as diverse as approvals, authorizations, verifications, reconciliations,
reviews of operating performance, security of assets and segregation of duties.
 Information and Communication.
Pertinent information must be identified, captured and communicated in a form and timeframe that
enable people to carry out their responsibilities. Information systems produce reports, containing
operational, financial and compliance-related information, that make it possible to run and control the
business. They deal not only with internally generated data, but also information about external
events, activities and conditions necessary to informed business decision-making and external
reporting. Effective communication also must occur in a broader sense, flowing down, across and up
the organization. All personnel must receive a clear message from top management that control
responsibilities must be taken seriously. They must understand their own role in the internal control
system, as well as how individual activities relate to the work of others. They must have a means of
communicating significant information upstream. There also needs to be effective communication with
external parties, such as customers, suppliers, regulators and shareholders.
 Monitoring.
Internal control systems need to be monitored – a process that assesses quality of the system's
performance over time. This is accomplished through ongoing monitoring activities, separate
evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It
includes regular management and supervisory activities, and other actions personnel take in
performing their duties. The scope and frequency of separate evaluations will depend primarily on an
assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control
deficiencies should be reported upstream, with serious matters reported to top management and the
board.
Internal control is most effective when controls are built into the entity's infrastructure and are a part of
the essence of the enterprise.
Internal control system will pass the external audit for the SOX compliance if it was developed
according to COSO methodology, if it was documented in the format clear to auditors and is actual
(that means actual regulations are used), results of the control activities are documented, for the

3. remarks there are effective corrections, there is a permanent monitoring, rules for internal certification
of the system are developed and controlled by the management. The responsibility for such a system
in a company has to be split and CEO and CFO have to attest that periodic financial reports fully
comply with Securities Exchange Act of 1934 and that the information contained in the reports fairly
presents the financial condition and results of operations of the company (Section 906 SOX).
COSO doesn’t say anything about which auditor to choose for internal control system implementation,
but during the process of this implementation in the company it's worth engaging the specialists from
the so-called “Big Four”: PricewaterhouseCoopers, Deloitte, Ernst & Young and KPMG, because
COSO is in cooperation with some of them when they develop their concepts for audit.
Development of the ICS is not only the process of creating documents and other entities which makes
the so-called control environment, but also some activity to integrate components of internal control
into all business processes which are connected with financial reports creation, staff training to
maintain effectiveness of the system and development of automated system which can help making
documentation about the execution of control activities, data storage for confirmations of completing
the control, analysis of the quality of the coverage of risks with control activities, possibility of testing
of the system elements and creating reports about the entire system performance and state. It would
be rather wise to build an automated system which could do all this routines. The necessity of the
automation is also in the fact that management has to control risks of all business processes of the
company in order to comply with COSO’s requirements and it’s impossible to do this without tightly
integrated business collaboration solution which links data about the business process with data
about risk management of this business process. Automated system can help to implement the
process of internal control in the context of business processes.
Since it is very important to have the ability to assess the ICS using analytical reports about the
functionality of the system it has to be transparent for management of the company by providing
reports about system’s state and efficiency. There are two ways of internal control system
implementation: modules of ERP-systems or other software for business process management and
custom solutions. Example of solutions of the first type is Mercury Sarbanes-Oxley Corporate
Assessment Accelerator (further MSOXCA) which is the part of Mercury IT Governance Center
(further ITGC) and it was developed on Java 2 platform. ITGC is the system for IT projects
management in a company and it organizes the processes of internal relationships within the IT
department and their links with other departments and also through the system of reports about IT
projects and their infrastructure. MSOXCA is the package of settings for module of requests
management of ITGC. First of all the description of internal control system is written in the XML-
document it is imported into the system and then we can set up the rules of control process. The other
built-in solution for SOX compliance is Oracle Internal Controls Manager (further OICM) which is the
part of Oracle E-Business Suite, but it must be licensed separately. It is developed on the Oracle
platform and consists of three levels: database (Oracle Database), application level which manages
the modules of Oracle E-Business Suite and user level in the form of Java plug-in for Web browser.
OICM gathers together components for internal control which are responsible for documentation,
testing, monitoring of internal control and it’s compliance with laws and regulations. The other
example of such system is SAP Management of Internal Controls (further MIC). It is included in SAP
R/3 ERP. Its main advantage comparing to the systems described above is that it can be integrated to
almost any popular operational system, database system, reporting system and user application. It is
not technically correct to say about MIC as about the subsystem. It is more the integration of different
SAP mechanisms for building an automated ICS. Built-in systems let you not only creating of separate
descriptions of business processes, but also integrating internal control with the already developed
business logic of ERP-solution. So it is time and resource consuming when you try to deploy the
autonomous ICS and try to make it work with other business applications. Implementing a module of

4. ERP-system to work with already tuned process of financial documentation is much simpler. Despite
of the fact that ERP-systems are made to be the top systems for business automation it’s possible to
make them work with other solutions: SAP R/3 has interface modules for import/export data and for
communication with external applications, Oracle EBS has interface database tables and processes
for interoperability, Mercury ITGC – Web-services support and SOAP also there are interface tables in
database and batch import among with the support of portlet technology. The example of first type
could be a custom accelerator for Sarbanes-Oxley which is based on SharePoint 2010 Server.
Components of the ICS can be described in Microsoft Office Excel 2010 and then can be imported to
the system or the user can create them and edit via the user interface in the system. Description of
control environment elements and objects (business processes, operations, control activities etc.) are
created in the system using regulations from intermediate documents and could be integrated with
other software which automates business processes within the company. All the systems described
above let the company comply with the SOX requirements in particular with sections 302 and 404.
Automation of ICS takes from 40 to 400 days depending on the complexity of project and chosen
software. It is essential to create logical and informational structure of the system and only after that
implement the internal control process automation. SAP products are licensed for each user of the
system. So the deployment of SAP MIC will include only the cost of consulting and additional cost
only in the case of increasing the number of people in the ICS department. Information about license
for Oracle ICM and Mercury MSOXCA you can obtain from their vendors. Minimum number of client
licenses for Oracle ICM is 500.
From the experience of consultants in Wylde Solutions which is one of the first Australian companies
that started implementing business collaboration solutions using SharePoint 2010 there are some
problems which can be met during the process of implementation of such systems:
 Necessity of building a conceptual model of ICS together with the development of software
solution and technical background of automated system. For each company there is a unique
risk management mechanism which is developed by auditors and at the moment of
developing the automated ICS there is no software solution which can make it possible to set
up the logic of internal control. As a result some parts of the future system have to be
developed during the setting up regulations and rules of internal control itself bearing in mind
changing customer requirements. To overcome these obstacles full lifecycle of software
development has to be established: requirement analysis, design, development, testing in an
agile manner.
 In the nationally distributed holdings there are some requirements to the system: security and
at the same time information consolidation about state and effectiveness of the entire system
and data access management. For separating the data several logical and physical storages
can be organized for each branch which can also solve the problem of access from different
branches. Consolidation of information about status and effectiveness from different divisions
is made during the process of report generating which can be achieved by leveraging
separate reporting database.
If you would like to implement a solution which is complying with COSO methodology and SOX
requirements it's a good idea to choose Microsoft SharePoint 2010 Server. This system is very
powerful and can support the risk-based performance methodology and other widely used
performance and risk frameworks.
Slava Gorbunov
June 2007, Sydney, Australia