Taking Control of Controls – Lessons from the Sarbanes Oxley Act for Nigerian Companies
Background
In the wake of a series of gross corporate abuses around the turn of the 21st century, the United States Congress passed Sarbanes-Oxley Act, which intended to make corporate governance more rigorous, financial reporting more transparent, and management criminally liable for lapses. The first year of implementation was costly and burdensome, far more than companies expected. In the view of a few open-minded enterprises, however, the second year of compliance turned out to be not only less costly and less burdensome, but also a source of valuable insights into operations, which management has translated into improved efficiencies and cost savings.
The areas for improvement as intended by the Act went well beyond technical statutory compliance. They include a strengthened control environment; more reliable documentation; increased audit committee involvement; better, less burdensome compliance with other statutory regulations; more standardized processes for IT and other functions; reduced complexity of organizational processes; better internal controls within companies; and more effective use of both automated and manual controls. The result is not only shareholder protection, being the official purpose of the Act, but also enhanced shareholder value.
An Effective Corporate Governance Practice Requires Taking Control of Controls
It is noteworthy that designing and putting in place internal control mechanisms in organisations is not a job by the management. Effective corporate governance requires leadership responsibility for internal control. In our presentations at business seminars and conferences over the years, we are often asked why we emphasise the control environment so heavily. Our questioners seem to believe that good internal control is predicated on the controls themselves – the cross-checking, the reconciliations, and the data verification. We reply that without a strong control environment, a company will never attain good governance. A focus on the control environment helps ensure that the controls themselves are the second and third lines of defence, not the first. Employees who have been made to understand that it is not all right to strike side deals with customers, to recognize revenue prematurely, to conceal possible conflicts of interest, or to look the other way when these types of activities are going on would not be busy circumventing the control system at every turn.
Lessons from Section 404 of SOXA for Nigerian Companies
This section of the Act calls for an annual evaluation of internal controls and procedures for financial reporting. Like Section 302, Section 404 requires CEOs and CFOs to periodically assess and vouch for their effectiveness. More importantly, the section also obliges companies to include the following in their annual report:
- A statement identifying the internal-control framework used to evaluate the effectiveness of internal control over financial reporting.
- An assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the most recent fiscal year.
- Disclosure of any material weaknesses in the company’s internal control over financial reporting (if any material weaknesses exist, then internal control over financial reporting is deemed ineffective).
- A statement that the independent auditor has issued a report on the company’s assessment of internal control over financial reporting.