TBS: Helping Companies Meet Sarbanes-Oxley's Internal Control Standards

Wednesday, September 1, 2004 - 00:00

The Editor interviews Saul Berkowitz, The Managing
Director in charge of the Sarbanes-Oxley Consulting Team, American Express Tax
and Business Services ("TBS").

Editor: Describe your organization.

Berkowitz: In 1998, TBS acquired the tax and consulting practice of
Goldstein Golub Kessler & Co., P.C., CPA's ("GGK"). TBS, is a wholly owned
subsidiary of American Express, and performs tax and consulting engagements
formerly done by GGK. My team undertakes consulting engagements relating to
Section 404 of the Sarbanes-Oxley Act ("the Act").

GGK is a forty-year-old middle market accounting firm and it continues its
separate practice as certified public accountants.

Both now and after its acquisition by TBS, GGK has had an active forensic
accounting practice. As a result of this practice our people are used to working
with legal counsel (both company and outside). We have always been proponents of
making sure that clients adequately document the procedures that are in place
within their company so that in the event of a problem, they can go back to
written documentation that was created contemporaneously with the particular act
that may be questioned.

Editor: What is the scope of your team's activities?

Berkowitz: We assist public companies in becoming prepared for their
auditors to provide the attestation required by Section 404 of the Act and for
the CEO and the CFO to provide the appropriate attestations under that law.
Working with management, we help them to set up a framework to comply with the
requirements of Section 404 of the Act. This framework is designed to put our
clients in a position where the external auditor can attest to a company's
methodology and can attest that its controls are working as designed.

Editor: What is COSO and why is it so important?

Berkowitz: The Public Company Accounting Oversight Board (PCAOB) was
created by the Sarbanes-Oxley Act to oversee the auditors of public companies.
Its rules provide that in order for a company's auditors to attest to management
assessment about the effectiveness of its internal controls, the company must
use a suitable framework established by a body of experts. The Committee of
Sponsoring Organizations of the Treadway Commission (COSO) has published a
suitable framework that enables auditors to apply the concepts and guidance of
the PCAOB rules.

COSO views internal controls as consisting of five interrelated components:
Control Environment, Risk Assessment, Control Activities, Information and
Communication and Monitoring. It points out that these are derived from the way
management runs a business and are integrated with the management process.

In the COSO model, the "tone at the top" - the control environment - is the
foundation upon which an effective internal control system is built. If the
control environment is deficient and there is not the right tone at the top,
then the fact that there are controls in place may not necessarily mean that
those controls are being followed. Our evaluation includes checking to see
whether the company is actually following the controls that they have put in
place. Much of our testing focuses on this and on the documentation that
supports the existence of a satisfactory control environment.

Editor: What are the effective dates for the requirement for the
attestations of the external auditors under Section 404 of Sarbanes-Oxley?

Berkowitz: There are two effective dates. For accelerated filers,
meaning companies that have a market capitalization greater than $75 million,
their auditors are required to provide their attestation with respect to annual
reports for fiscal years ending after November 15, 2004. The date for other
companies is for fiscal years ending after July 15, 2005.

Editor: Given the proximity of the filing date for the accelerated filers,
I would assume that you are quite busy.

Berkowitz: Yes, those engagements started during 2003 because the time
required for the larger and more complex companies (accelerated filers) is
longer than for smaller, simpler companies. The external auditors of those
accelerated filers as well as the company need additional time to continuously
monitor internal controls to be sure that they are really working. If, by the
filing date, the auditor finds that the company hasn't made the effort to be
ready for the evaluation of its internal controls under Section 404, then the
company could very well not get a clean opinion with respect to the
effectiveness of their internal controls.

Every reasonable public company will want to prepare for the auditors'
evaluation well in advance of the filing date. It is a big job. The PCAOB rules
require companies to identify significant processes to assess the effectiveness
of their internal controls over financial reporting. In most companies there can
be anywhere from twelve to twenty significant processes. A series of steps need
to be performed with respect to each process. Each company's process is
different. The company needs to make members of its staff available to our team
to help us become knowledgeable about each of these processes. We bring to the
table a methodology for undertaking a step-by-step approach where we map a
process, create a risk and control matrix and design tests and controls.

Editor: What are the advantages of using a consultant like TBS rather than
doing it in-house?

Berkowitz: I have just described the complex process involved in
evaluating the effectiveness of internal controls. As consultants, we have a
tested methodology and work with a number of companies across a broad spectrum
of businesses. This gives us a wealth of experience that can reduce the need for
us to reinvent the wheel - chances are, that we will have already confronted a
similar situation serving other clients. It is unlikely that a company could
find someone within its own organization who could bring these attributes to the
table. Even if it found someone at a high level who was knowledgeable about all
areas of the company and could take the time to learn the methodology, he or she
would probably lack the experience to know the expectations of the auditors or
what other companies are doing.

It is also a time consuming process. The existing staff at many companies are
already stretched thin and may not be prepared to take on a project of this
magnitude. Some companies ask us to handle the project management aspect of it
and use their own people to do most of the legwork. Even where we undertake a
full blown consulting engagement, the client still must provide us with people
in their organization who are subject matter experts and knowledgeable about the
processes that are currently in place within a company (we call them "process

Editor: Sarbanes-Oxley is relatively new and the Section 404 requirements
have not yet gone into effect. How did TBS prepare itself to undertake the
consulting engagements you described?

Berkowitz: The PCAOB rules have only been effective since March 2004,
however the Act was passed by Congress in 2002. We began by training our people
to be able to apply the COSO framework and we have been performing consulting
enegagements for the past 18 months. We developed a program to follow that is
modifiable for individual company's circumstances.

Editor: Tell us about the traditional relationship between lawyers and

Berkowitz: The auditors and lawyers have the responsibility under the
ABA/AICPA joint policies to communicate with each other. The lawyers are obliged
to provide an opinion to the company and to its auditors in response to an audit
request about the company's liability exposure in pending matters to which they
have been requested to devote substantial time. Of course many lawyers both
inside and outside may be involved in matters that do not give rise to such
exposure. They may have had a million dollars in fees, yet none of those fees
may have encompassed matters involving exposure to liability. Their response to
an auditing inquiry may be that they have not been involved in any such matters.

Editor: Does Sarbanes-Oxley increase the lawyers' involvement with the

Berkowitz: A company's lawyers, whether internal or external, have
always been involved in the annual filings of public companies. In the case of
internal controls, the process of oversight starts first with the company's
board of directors and its audit committee. With the enactment of Section 404,
it can be anticipated that both the board and the audit committee will look to
the company's lawyers for advice about whether the company's internal control
system will survive the scrutiny of the auditors. As we evaluate a company's
internal control system, its CEO and CFO and other people internally within the
company will use the lawyers appropriately to guide them and advise them through
the process.

Furthermore, before the CEO and CFO make the certifications required by
Sarbanes-Oxley, they should obtain sign-offs from the top people in each area,
including the company's internal counsel. These top people should in turn obtain
sign-offs from each person going down their respective channels as to their
areas of responsibility. In this way, the CEO and CFO will have documented
confidence that the management below them have all docmented the processes in
their respective areas and signed off. Another important aspect of this process
is that procedures should be in place that afford an opportunity to lower level
personnel to communicate their disagreement with certain controls and to set in
motion a process that will alert executive management to the problem and, if
necessary, trigger corrective action. One of the important aspects of internal
control is to have a methodology that allows anyone in the organization to
report suspicious activity or a possible or potential violation of law.

COSO's key concept is that internal controls are a process effected by an
entity's board of directors, management and other personnel designed to provide
reasonable assurance regarding the achievement of objectives in the following
categories: 1) effectiveness and efficiency of operations; 2) reliability of
financial reporting, and 3) compliance with applicable laws and regulations. The
lawyers are responsible for assuring that the company is operating its business
in compliance with the applicable laws and regulations. The legal profession in
the ABA's Cheek Report has recognized the responsibility of the lawyers for a
company's legal compliance system. Attesting to the effectiveness of an internal
control system under Section 404 requires a determination concerning the role of
the lawyers in the company and whether a company has an adequate legal
compliance system, including such things as a code of conduct, employee
compliance training and a hotline for reporting potential violations of