
Blackbelt 404.

Compliance For The Sane

Eliminating Fraud At The Roots

September 12, 2006

The IIA thinks we can improve SOX by shifting its focus from control activity to the root causes of public failures:
The current approach does not address the root causes and therefore does not provide assurance to investors that the SEC and Congress desire.

As a critical first step, we suggest that SEC Staff perform an assessment of risk related to materially misstated financials, with particular reference to those incidents (companies many of which have become household names) that led to significant investor losses. The root causes should be identified. We believe that such an assessment will identify more issues existed within the COSO Controls Environment layer, with little risk within Control Activities. This assessment of root causes should determine what the Commission should require both of management and their auditors.

I kinda side with the SEC on this. Legal requirements can force a company to segregate duties, but they cannot force a change in attitude (although they can nudge it a bit). "Tone at the Top" can be feigned, executive T&E can be to-the-penny perfect, executive management can be hands-on involved in all control areas, and fraud can still be pervasive. I believe governance standards should be implemented, but they are too unquantifiable and too easily flouted to serve as the cornerstone of confidence that SOX is designed to provide. Better, I think, to focus on controls whose effectiveness is more measurable.

There is merit in assessing the Controls Environment prior to other layers of COSO, as it can help assess risk at the significant account, process, and key control levels. In addition, this layer has been where the root causes were for most of the public failures (e.g. WorldCom, Enron, etc). - Paragraph 15

The problem with this is that fraud tends to gravitate to the path of least resistance. Therefore, even if an assessment of root causes "will identify more issues existed within the COSO Controls Environment layer," that is likely to be the case only until internal control requirements are implemented within the Controls Environment. Then, watch how more fraud issues will crop up within Control Activities.

So while it is true that sufficient attention must be given to root causes of the past, it is not prudent that "this assessment should determine" requirements for management and auditors, although it should be one critical factor in that determination.
posted timely by shapi, 10:05 AM
