A Transaction Approach to Internal Controls Compliance


The Sarbanes-Oxley Act (SOX) was signed into law on 30 July 2002 and introduced highly significant legislative changes to financial practice and corporate governance regulation. It introduced stringent new rules with the stated objective: "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws".

As a key component, SOX specifically addresses the requirements for stringent internal controls, both for general governance and for Information Technology (IT) systems.  While SOX does not itself define what it means by ‘Internal Controls’, Generally Accepted Accounting Principles (GAAP) and existing internal/external audit guidelines are specific.

An effective control system provides reasonable, but not absolute, assurance for the safeguarding of assets, the reliability of financial information, and compliance with laws and regulations. Reasonable assurance is a concept that acknowledges that control systems should be developed and implemented to provide management with the appropriate balance between the risk of a certain business practice and the level of control required to ensure business objectives are met. The cost of a control should not exceed the benefit to be derived from it. The degree of control employed is a matter of good business judgment. When business controls are found to contain weaknesses, management must choose among the following alternatives: 

  • Increase supervision and monitoring;
  • Institute additional or compensating controls; and/or
  • Accept the risk inherent with the control weakness (assuming board/management approval).

Sections 302 and 404 of the Sarbanes-Oxley Act define specific responsibilities with respect to internal controls.  Section 302(a)(4) states: 

“(4) the signing officers—

(A) are responsible for establishing and maintaining internal controls;

(B) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;

(C) have evaluated the effectiveness of the issuer’s internal controls as of a date within 90 days prior to the report; and

(D) have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;”

Further and more specific, section 404 states:

“(b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.” 

This law specifically places the burden of ensuring adequate internal controls on the officers of any given company.  Further, it specifically states that the public accounting firm's attestation on management's assessment of internal controls cannot be done as a separate engagement, but must be part of the financial audit engagement.  Additional restrictions are placed on public accounting firms (and their associated consulting practices) that prohibit them from designing, implementing or servicing financial information systems for the same companies that they audit.

The burden of internal controls is on the company and its officers serving in a fiduciary capacity for the stockholders.  While internal controls have always been a significant issue in any audit, they now become paramount, in that the individual officers who certify the company's reports can be held personally liable for deficiencies resulting from inadequate internal controls.

Internal Controls & Audit

In the past, the assessment of internal controls has been accomplished by ‘testing’ selected transactions ‘around’ information technology systems.  In other words, the auditor never examines the technical system and computer operations, but ‘tests’ the transaction at the front end to see whether the expected results come out at the ‘other’ end, bypassing any examination of the data manipulation that occurs inside the automated information processing system.  While in the past this was deemed sufficient, SOX now places additional scrutiny on the IT systems that process financial transactions.  Since any operational transaction (inventory movement, sales, distribution, personnel acquisition, etc.) impacts company revenue or expense, all such transactions fall within the scope of the internal control structure.

Any internal controls or audit documentation project requires a background in accounting, systems and technology to understand the intricacies of the data manipulation that occurs within an IT processing system.  Typically this mix of skills is not found in the traditional financial auditor, who receives only passing training on the operation and functioning of a complex data processing and information technology department.  This is one of the main reasons that public accounting firms have depended on their ‘consulting arm’ to provide the IT expertise required to perform a technical systems review and internal controls audit.  SOX prohibits the auditor from treating the internal controls attestation as a separate engagement, and bars the firm from providing related consulting services to the companies it audits.

This now provides the opportunity for the company to address internal controls for itself and reduce the high fees associated with a public accounting firm’s internal control consulting engagements.  Companies must either perform these compliance reviews and management's assessment themselves or engage independent consulting companies to assist them; the independent auditor then attests to that assessment as part of the audit.

Performing these internal control reviews and compliance audits (as well as any projects required to implement adequate internal controls and procedures) prior to the independent audit will reduce audit fees and shorten the audit engagement conducted by the independent audit firm.  Working papers (properly prepared and documented) can be provided to the independent auditors to support management's assessment of the adequacy of the internal controls and to document the thoroughness of the testing of those controls.

Training and Awareness

In many companies the IT group doesn’t have a firm grasp of control objectives, why they are necessary or what they address.  For many IT professionals, the idea of internal control consists of the ‘dreaded documentation’ so many abhor.  Their training (or lack thereof) in the development and implementation of IT projects has skirted or ignored the basic requirement in any methodology for documentation, procedures and controls.  The ‘push’ and tight budgets that constrain the IT departments in most companies preclude the time and expense necessary for the proper implementation of internal control systems and procedures.  This often impacts the basic operation of the system because there is little training or documentation, making the addition or replacement of employees costly: there is nothing for them to reference when attempting to perform their duties involving IT systems (which are the operational backbone of all business organizations today).  This further exacerbates the internal control deficiencies and ultimately increases operational costs for the company.

Company management must address the requirements of internal controls at the most basic level in their IT departments.  Senior management must fund the training of staff in the awareness and fundamental objectives of internal controls and why they must exist.  Future implementation or development of any transaction-based IT system must include an internal controls analysis and, if necessary, the appropriate remediation to ensure the controls exist and comply with corporate governance.

A Transaction Approach

Because every business activity in an organization results in the generation of a transaction in some form that ultimately generates a debit or credit impacting the organization's finances, it is an integral component of an internal controls analysis to understand the flow of transactions and the manipulation of data as these transactions pass through the various IT systems in the company.  The Electronic Transaction Flow Management (ETFM) approach is one way to document and analyze corporate transaction movement and data manipulation.

In order to solve the current problems with inadequate internal controls and avoid future issues, it is imperative that every business organization completely understands and has documented its internal controls and business process model as they relate to the Electronic Transaction Flow Management process.  Regardless of current legislative issues (i.e. the Sarbanes-Oxley Act of 2002), embracing the concept of Electronic Business Flow Management (EBFM) can lead to better organization and ultimately increased profit for the company.  The EBFM model, with its inherent ETFM functional model, can help communicate and document the business process to the organization. Furthermore, implementation of the ETFM process model in conjunction with an understanding of the overall EBFM methodology will reduce potential exposure (both internal and external) to audit and control issues.  As with any organization, communication and information flow are critical to overall business success.  Data management and control are essential to any business operation.

Implementation of good internal controls will ultimately provide the organization with a better understanding of how it operates and how it generates revenue.  This provides the basis for enhanced operations, improved cash flow and revenue generation, and reduced expenses through improved transaction efficiency and operational procedures across the company.


Skip Stein, based in Orlando, Florida, conducts system controls reviews and audits for a variety of organizations.