Internal Control, Peculiarities
of Application of the Requirements
of the Sarbanes-Oxley Act and COSO Model*
Ekaterina TOFELUK
International Finance Faculty, Financial University, Moscow Etofeluk@yandex.ru
Abstract. In this paper we focus on the benefit of effective internal controls, or more precisely, the Sarbanes-Oxley Act (SOX) and COSO model. We examine this issue in the context of the Sarbanes-Oxley Act for corporate control and, consequently, how weak internal control determines the reliability of financial data. This paper examines how SOX 302, 404, 906 disclosures on the internal control environment affect the market for corporate control. Besides that, we analyzed COSO model and how the sections of these laws may be implemented in practice.
Аннотация. В данной статье мы проанализировали преимущества эффективного внутреннего контроля, или точнее сказать, закона Сарбейнса - Оксли (SOX) и модели COSO. Мы рассмотрели, в частности, каким образом закон Сарбейнса - Оксли влияет на корпоративный контроль и как слабый внутренний контроль определяет достоверность финансовых данных. В настоящем документе более подробно были рассмотрены такие разделы закона SOX, как 302, 404, 906, раскрытие информации о системе внутреннего контроля, и как они влияют на рынок корпоративного контроля. Кроме того, мы проанализировали модель COSO, а также каким образом данные законы могут быть реализованы на практике.
Key words: SOX, COSO, audit, internal control, financial reporting reliability, internal control deficiency.
INTRODUCTION
Until recently, the concept of "internal control and audit" has been known to domestic business very remotely. Today, the situation has changed radically. Large companies and enterprises actively create departments for internal control and audit services, preferring to train its own employees (accountants, economists, financiers). At the same time, in foreign countries the audit is actively used since the late nineteenth century by the medium and large industrial enterprises, construction enterprises, organizations of transport and communications, and in other areas with a complex management structure. The high quality of audit is necessary for the effective functioning of the quality management system. The relevance of the work is manifested in the fact that internal audit provides information to the higher-level management of the entire organization about its financial and economic activity, increases the effectiveness of the internal control system to prevent violations, and confirms the validity of the reports of its structural subdivisions. An important trend of development control in the world
globalization is the growing importance of the independent objective audit.
According to the Institute of Internal Audit the internal auditing may be defined as "an independent, objective assurance and consulting activity designed to add value and improve organization's operations". Besides that it may help the organization to reach its objectives by bringing a systematic, carefully disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Nowadays internal audit covers a wide range of different aspects of the organization, helping management to identify and assess risks and to develop measures aimed at reducing the risk and improving the efficiency of systems and processes. Internal audit includes the reliability of financial and operational information, effectiveness and efficiency of business operations, protection of assets, compliance with laws, government regulations, procedures, and contracts. Evaluation of the internal control is one the primary responsibilities of internal auditing.
Compliance with the requirements of the Sar-banes — Oxley Act has become a worldwide practice
* Внутренний контроль, особенности применения требований закона Сарбейнса - Оксли и модели COSO на практике.
of business, and many companies, including Russian companies, apply its provisions. The Sarbanes-Oxley Act was enacted in 2002 after a number of corporate scandals in the United States, connected with disturbances in corporate governance and financial reporting in the cases of Enron, Tyco International, Peregrine Systems, World-Com, which led to multimillion investors' losses. The management of Enron created thousands of legal entities, mainly offshore in order to conceal the true state of affairs. All transactions with electricity were conducted through its subsidiaries, allowing to inflate the cost of the company. As a result, the company grew, the management received multimillion bonuses, increased cost of stock and their packages. The leadership has managed to obtain a profit from offshore. The main financier of Enron, Andrew Fastow, the main ideologist of this whole scheme, was able to get from offshore $ 30 million. For the tax authorities, the company showed all their losses, being unprofitable and received tax refunds in the amount of 380 million dollars. Enron employed the best lawyers and accountants, so one would expect that any action could be recognized as legitimate.
The Sarbanes-Oxley Act of 2002 is also known as the Public Company Accounting Reform and Investor Protection Act, and commonly called "SOX" or "Sarbox".
The law has 11 sections, which address the issue of auditor independence, corporate responsibility, full financial transparency, conflicts of interest, corporate financial reporting, etc. According to the Law, every public company must be listed by the audit committee. The Sarbanes — Oxley Act is mandatory for all companies whose securities are registered with the Securities and Exchange Commission (U.S. SEC), residents and non-residents of the USA, whose shares are listed on the American stock exchanges (NYSE or NASDAQ). Even Russian companies apply the mandatory provisions of SOX — such as VympelCom, MTS, Mechel — as well as numerous subsidiaries of foreign issuers registered with the SEC.
SARBANES OXLEY AUDIT REQUIREMENTS
The Sarbanes Oxley Act requires all financial reports to include an Internal Controls Report. It means that a company's financial data are accurate and adequate controls are in place to safeguard financial data. Year-end financial reports are also a requirement. A SOX auditor is required to review controls, policies, and procedures according to a Section 404 of the law. SOX auditing requires that internal controls and procedures can be audited using a control framework.
In accordance with the Sarbanes-Oxley Act, each public company should establish an audit committee, whose members are independent and are part of the Board of Directors. In this case, to ensure the independence of the members, the audit committee may not receive from the company any payments for advice and to have any relationship with the company or its subsidiaries, except to perform the functions of members of the Board of Directors. The audit committee must have at least one financial expert with knowledge of generally accepted accounting standards (GAAP) and financial statements, as well as with experience of auditing financial statements. The duties of the audit committee include the appointment, control, payment services internal auditors, who report directly to the committee, as well as all audit and other services provided by the company's external auditors. The main influence of the SOX on the organization, and main responsibilities and business connections between departments are shown below in the Exhibit 1 (Source: Arthur Franczek).
Financial statements of the listed companies and submitted to the Securities and Exchange Commission, signed by the CEO and CFO. In case of reissuing financial statements in connection with the failure to coincide with the requirements for its preparation, the CEO and CFO should lose the bonus and any additional payments, and income from the sale of securities of their company, in their possession, which are received within 12 months after the publication of the financial statements, containing inaccurate data.
Perhaps the most controversial parts of SOX are its additional requirements on internal controls (Sections 201, 302, 404 and 906).
Section 201 has made it illegal for a registered public accounting firm to contemporaneously perform both audit and non-audit services for a client. The prohibitions include internal auditing, many areas of consulting and senior officer financial planning. Other services prohibited are:
• Financial information systems design and implementation;
• Bookkeeping and financial statement services;
• Management and human resource functions;
• Actuarial, investment advisor and audit-related legal services, but tax services are not prohibited.
Section 302 requires CEOs and CFOs personally to certify the accuracy of the financial statements and the effectiveness of internal controls, in addition to management's evaluation and certification. Three conditions must exist for a registrant to disclose an internal control deficiency under Section 302. Firstly, an internal control deficiency must exist; secondly, management or the independent auditor must discover the deficiency; and thirdly, management, per-
Figure 1. How SOX influences an organization.
haps after consultation with its independent auditor, must conclude that the deficiency should be publicly disclosed. Under the provisions of Section 302, the review of internal control is subject to less scrutiny by both management and the auditor and the disclosure rules are less specific than subsequently exist under Section 404 (Hollis Ashbaugh-Skaifea, Daniel W. Collins, William R. Kinney Jr, 2007).
Section 404 requires independent auditors to certify management's assertion of the effectiveness of its internal controls (Ge, W., McVay, S., 2005). Section 404 requires top management to assess the effectiveness of internal controls over financial reporting and the external auditor to attest and report on management's assessment. The dispute surrounds the costs and benefits of the required disclosures. Direct benefits seem to be elusive (e.g., Ogneva, Subramanyam, and Raghunandan, 2007). Costs appear to be high: empirical evidence suggests that SOX imposed net costs on shareholders (Zhang, 2007, Ashbaugh-Skaif et al., 2009) and bondholders (DeFond, Zhang, 2007).
SECTION 404 MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS
Section 404 is the most complicated, and most expensive to implement of all the Sarbanes Oxley Act sections for compliance. All annual financial reports must include an Internal Control Report stating that management is responsible for an internal control
structure, and an assessment by management of the effectiveness of the control structure. Any defects in these controls must also be reported. In addition, registered external auditors must attest to the accuracy of the company management assertion that internal accounting controls are in place, operational and effective.
Section 404 of the Sarbanes-Oxley Act requires that when preparing reports according to the SEC the company executives provide confirmation of the effectiveness of internal control procedures over financial reporting. This unit should include in the annual report the company's own assessment of the work of the management in accordance with accepted standards. This section causes the greatest difficulty in application, because most companies did not use detailed reporting to manage their cash flow. The responsibility of companies is the implementation of internal control systems, testing their effectiveness, assessing their vulnerability. Subject to section 404 of the company faces the challenges of shortage of qualified and experienced personnel, inefficiency of the internal control system, the lack of reliable methodology for financial reporting, the lack of human, technological and financial resources. All this resulted in the need to engage the services of outside advisors and auditors. The need to audit the internal control systems of companies, as required by section 404, has led to the increase in the cost of audit by an average of 30 per-
cent. When conducting research on the effects of Sar-banes-Oxley on the cost of equity results showed that the cost of own capital of the investigated companies fell after the entry into force of the law. However, when small and large firms are considered separately, it was found that the reduction in the cost of capital is typical for small firms.
The Sarbanes-Oxley Act has caused many companies to completely change the methods of reporting. These transformations do not occur without cost, but the benefits have repeatedly outweighed the costs. Many companies have benefited from the changes, the accounting standards have become more stringent during the period of validity of the law; the U. S. economy was able to avoid many corporate crises. Nevertheless, there were also plenty of companies that have failed to comply with the law. Many of them either are not market participants or were forced to place their shares outside the United States. Currently, according to corporate executives, the cost of internal audit is gradually reduced and is 30-40% less than when the system of internal financial audit was only introduced. The decrease in expenses is due to the fact that the employees of the companies are constantly engaged in the collection and control of financial information. When American corporations faced the need to adapt to the requirements of the new law, they were forced to apply to consulting firms and external auditors to assess the flows of financial intelligence. To date, all necessary procedures have been defined and a number of internal audit issues of the company can be solved on their own, which reduces the costs of external consultants.
SECTION 906
Section 906 of SOX in some ways may be determined as a repeat of section 302 of SOX. It requires the CEO and CFO to certify in a written statement accompanying financial statements filed with the SEC the following:
• the report "fully complies with the requirements of section 13 (a) or 15 (d) of the Securities Exchange Act of 1934,"
• the information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer."
Section 302 certification requires that the CEO and CFO make a statement based on their knowledge. No such qualification is provided for section 906. Either the statements fairly present or they do not. Besides that, section 906 adds a criminal provision to US laws. If a CEO and/or CFO provides an untrue certification, then it will be the US Department of Justice — not the SEC — that deals with the falsehood.
To be criminally liable, they have to have had knowledge. That is, under section 906, a CEO and/or CFO will be subject to criminal penalties only if it was proven that they knowingly made a false certification or willfully provided a false certification (U.S. Code § 1350).
Below is shown differences between Sections 302, 404 and 906 of the SOX.
THE EFFECT OF SOX ON NON-US COMPANIES
Some specialists have asserted that Sarbanes-Oxley legislation has helped displace business from the USA and, specially, from New York to the United Kingdom, and its financial capital, London, where the Financial Services Authority regulates the financial sector with a lighter touch. In the UK nonstatutory Combined Code of Corporate Governance plays somewhat similar role to SOX. A greater amount of resources is dedicated to enforcement of securities laws in the UK than in the US (Howell E. Jackson, Mark J. Roe). The Alternative Investment Market claims about its spectacular growth in listings almost entirely coincided with the Sarbanes Oxley legislation. In December 2006 Michael Bloomberg, New York's mayor, and Charles Schumer, a U. S. senator, expressed their concern (Bloomberg-Schumer Report). The Sarbanes-Oxley Act's effect on non-US companies cross-listed in the USA is different on firms from developed and well regulated countries than on firms from less developed countries, according to Kate Litvak. Companies from less and badly regulated countries benefit from better credit ratings by complying to regulations in a highly regulated country such as the USA, but companies from developed countries only incur the cost, since transparency is adequate in their home countries as well. On the other hand, the benefit of better credit rating also comes with listing on other stock exchanges such as the London Stock Exchange.
INTERNAL CONTROL UNDER COSO MODEL
Evaluating internal controls is one of internal audit's primary responsibilities. The Institute of Internal Auditors (IIA) defines control, the control environment, and control processes as following: A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. The high management of the organization should plan, organize, and even direct the sufficient actions in order to provide reasonable assurance that all strategic objectives and targets will be hit.
Comparison of Sections joa, 404 and 906
Section 301 Section 404 Section^
When is it effective? August 29,2002 fiscal years ended on or after: • November! 2004, for U.S. accelcrated filers* • July i;, 2006, forforeign accelerated filers* • December 15,2007, for others I July 30,2002
Who signs off? •CEO •CFO • Management • Independent accountant •CEO •CFO
What's it about? * Executive certification issued quarterly • Internal control report annually • Independent accountant attests to annual report • Quateriy review for change • Abbreviated certification issued quarterly • Criminal penalties
How often are the evaluations? • Quarterly evaluation •Annual assessment •Quarterly review for change • Quarterly evaluation
Figure 2. Comparison of SOX sections.
The main purposes and objectives of the evaluation the internal control system may be defined as follows:
• Identification, assessment of the revealed violations and shortcomings for the purpose of informing the highest officials of the credit institution, heads of departments, elimination and prevention of violations and shortcomings in the future;
• Coordination of the strategic objectives of the credit institution in respect of the development of the internal control system with the operational objectives and tasks of the divisions and employees of the credit institution;
• Improving the risk management culture and level of control environment in the organization;
• Collecting data on risks for effective management;
• Checking compliance with normative acts of the Government and regulatory authorities on issues of organization and implementation of internal audit and control in business sphere of the organization;
• Timely and adequate response of the internal control system to change the terms of a credit institution activities (including changes in organizational structure, business processes with respect to their refinement and the introduction of additional control procedures), development of new and updating of existing regulations;
• Development of recommendations for to improve the reliability and efficiency of the components of the internal control system;
• Improvement of the internal control system.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) gives the definition of internal control, which came from the report in 1992, as follows: Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a voluntary private organization established in the United States and intended for making appropriate recommendations to corporate management on critical aspects of organizational governance, business ethics, financial reporting, internal control, risk management companies and fraud.
COSO is dedicated to improving organizational performance and governance through effective internal control, enterprise risk management, and fraud deterrence. Five nonprofits are its sponsoring organizations: AAA (American Accounting Association), AICPA (American Institute of Certified Public Accountants), FEI (Financial Executives International), IIA (Institute of Internal Auditors), and IMA (Institute of Management Accountants). On May 14, 2013, COSO released an updated version of its Internal Control — Integrated Framework. COSO has developed a general model of internal control, in comparison with which companies and organizations can assess their control systems. The COSO model was especially important because the emphasis was made
on the responsibility of the leadership of organization for the state of control.
Basic concepts of the COSO model may be defined as follows:
1. Internal control is a process, that is, a means to an end, not an end in itself.
2. Internal control is carried out by people, so not only (and not so much) rules, procedures, and other guidance documents are important, but people at all levels of the organization.
3. From internal control owners and management one can only expect a reasonable level of assurance of achieving their goals, but no absolute guarantee of error-free operation.
Conceptual framework of internal control continues to act as the broadly accepted standard for satisfying the data requirements for reporting, however, in 2004 COSO published a conceptual framework of enterprise risk management. COSO believes that this model continues the review of internal control, with an emphasis on the broader concept of risk management.
Internal control ensures the achievement of a goal or several goals in related areas. According to COSO, internal control is a process carried out by the highest or supreme body of the company, determining its policy (Board of Directors, which represents the owners of the company), its managerial staff of the highest level (management) and all other staff, to ensure the achievement of following goals: feasibility and financial efficiency (including safeguarding of assets); reliability of financial reporting; compliance with applicable laws and regulatory requirements.
The conceptual basis of risk management organizations remains focused on the objectives of the organization; however, now includes four categories:
1. Strategic objectives (strategic) — high-level goals, aligned with mission/vision of the organization.
2. Operational objectives (operations) — effective and efficient use of resources.
3. Reporting objectives, objectives reporting (reporting — reliability of reporting.
4. Legislative objectives, objectives compliance (compliance) to compliance with applicable laws and regulations.
FIVE BASIC COMPONENTS OF THE SYSTEM OF INTERNAL CONTROL. COSO MODEL
The COSO Report defines five interrelated components of internal control that must be realized in practice:
1. Control Environment — The Control Environment sets the atmosphere in the organization, influ-
encing the control consciousness of its staff. It is the basis for all other components of internal control, providing discipline and structure. The factors of the control environment include the integrity, ethical values, style of management, the system of delegation of authority and management processes and staff development in the organization.
2. Risk Assessment — Management ascertains regulations for analyses of risks related to their achievement. A precondition to risk assessment is to identify the objectives, therefore, risk assessment involves the identification and analysis of relevant risks associated with achieving the set objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
3. Control Activities — Any internal regulations, processes and procedures which help management in the implementation of their decisions. Controls are carried out within the entire organization, at all levels and in all functions. They include a range of activities such as approvals, authorizations, verifications, reconciliations, reports current activities, security of assets and segregation of duties.
4. Information and Communication — Organization of information flows, the collection, analysis, sharing of information.
5. Monitoring — Regular evaluation processes of the quality system elements, identifying deficiencies and their causes, correction of errors, monitoring of current activities.
COSO draws attention to the limitations of the internal control system, as well as on the roles and responsibilities of the parties, which affect the system. Restrictions include erroneous human judgment, misunderstanding of instructions, mistakes, misuse of managers, collusion, the ratio of costs and benefits. The COSO report identifies shortcomings as conditions of the system of internal control that merit attention. The statement of deficiencies shall be provided to the employee who is responsible for a plot, and to senior management. It is believed that the system of internal control is effective if all 5 components exist and function efficiently in relation to operations, financial reporting and compliance.
THE EIGHT COMPONENTS
OF THE COSO MODEL RISK MANAGEMENT
Eight components of risk management include the previous five components of the conceptual foundations of internal control extended to meet the growing demand for risk management:
• Internal environment. The internal environment defines how risk is perceived by the employees of the organization, and how they may respond to it.
Figure 3. COSO Internal controls approach (COSO's cube).
The internal environment includes the risk management philosophy and risk integrity and ethical values, and also the environment in which they exist.
• Setting goals or objective setting. Goals must be defined before the start guide to identify events that could potentially have an impact on their achievement. The risk management process provides "reasonable" assurance that the company's management has properly organized process selection and formation of goals, and these goals are consistent with the organization's mission and the level of its risk appetite. Internal and external events affecting the objectives of the organization should be determined taking into account their separation on risks or opportunities. Opportunities should be taken into account by management in the process of developing a strategy and setting goals.
• Risk assessment. Risks are analyzed, considering impact and likelihood, with the aim which determines what actions they need to take. Risks should be assessed from the point of view inherent and residual risk. The management selects risk responses — avoiding risk, accepting, reducing, or sharing risk — developing a set of activities that allow lead identified risk in line with their risk tolerance and risk appetite of the organization.
• Control activities. Policies and procedures should be designed and installed so that to provide "reasonable" assurance that the response to emerging risks are provided effectively and in a timely manner.
• Information and communication. The necessary information should be determined, recorded and communicated in a form and timeframe that enable people to carry out their functional responsibilities.
• Monitoring. The whole process of enterprise risk management is monitored and if necessary it is adjusted. Monitoring is accomplished through ongoing management activities, or by providing periodic assessments.
COSO hoped that the conceptual framework of enterprise risk management will allow management of organizations to determine directly the relationship between the components of the risk management system and objectives that will satisfy the need for the introduction of new laws, regulations and even new requirements for registration of securities on stock exchanges and expected that it would receive wide recognition by companies and other organizations and stakeholders.
In May 2013 there were published new version of COSO model and its Internal Control-Integrated Framework (Framework). Below are the titles of the 17 principles of internal control by COSO's 2013 Framework, as follows:
Control Environment
1. Demonstrates commitment to integrity and ethical values.
2. Exercises oversight responsibility.
3. Establishes structure, authority, and responsibility.
4. Demonstrates commitment to competence.
5. Enforces accountability.
Risk Assessment
6. Specifies suitable objectives.
7. Identifies and analyzes risk.
8. Assesses fraud risk.
9. Identifies and analyzes significant change.
Control Activities
10. Selects and develops control activities.
11. Selects and develops general controls over technology.
12. Deploys through policies and procedures.
Information and Communication
13. Uses relevant information.
14. Communicates internally.
15. Communicates externally.
Monitoring
16. Conducts ongoing and/or separate evaluations.
17. Evaluates and communicates deficiencies.
Everyone plays a part in the internal control system. Ultimately, it is the management's responsibility to ensure that controls are in place. That responsi-
bility should be delegated to each area of operation, which must ensure that internal controls are established, properly documented, and maintained. Every employee has his own responsibility for making this internal control system function. Therefore, all employees need to be aware of the concept and purpose of internal controls. Internal audit's role is to assist management in their oversight and operating responsibilities through independent audits and consultations designed to evaluate and promote the systems of internal control.
Implementation of the internal control system required by COSO model for its effective functioning can have significant positive impact on the financial activities of the organization, as they provide management and owners the opportunity to focus on setting and achieving the company's goals (where to go, what and to whom financial services to offer taking into account inherent risks, etc.)
CONCLUSION
The reliability of financial reporting is claimed to be a function of the effectiveness of a firm's internal control (PCAOB 2004). In this paper were used recently available data on the effectiveness of firms' internal controls coordinated by the Sarbanes-Oxley Act (SOX). We insist that if a firm has weak internal control, managers are less able to determine reliable financial data, and a consequence of these unintentional misrepresentations is that financial information is less reliable. Besides that, managers of firms with weak internal control can more readily override the controls and intentionally prepare biased accrual estimates that facilitate meeting their opportunistic financial reporting objectives.
Opponents of the law believe that the costs of compliance are too onerous for small businesses and it makes it difficult to realize benefits from the use. Supporters, on the contrary, believe that the law has increased the efficiency of small firms by reducing the overall riskiness of their activities and enhanced transparency.
This article is intended to help financial management to improve the business practices and processes, drive better performance, and transform the perception of the finance organization into that of a value-added key contributor to the company. For discussion, financial manager refers to anyone who is a CFO, controller, vice president of finance, divisional CFO, or a
manager who directly works for someone in such a position. This article focuses on the aspects of Sarbanes-Oxley and COSO that impact those employees working directly or indirectly for the CFO.. From the perspective of the COSO model, the main aim of the regulatory documents should be to reduce the level of systemic risks in the financial system of the country, by projecting mitigating risk controls at the level of the individual financial institution. Nobody can guarantee that once invented financial control authorities will actually buffer the impact of risk in the modern, highly variable conditions, if the system does not receive signals about the level of risk through feedback channels.
Identification of shortcomings or violations can be a signal of a possible problem related to the absence or improper operation of control, and this signal requires an in-depth analysis of the causes and understanding of the business process.
REFERENCES
Ashbaugh-Skaife, H., Collins, D., Kinney Jr., W., Lafond, R., 2009. The effect of SOX internal control deficiencies on firm risk and cost of equity. Journal of Accounting Research 47, 1-43.
Arthur Franczek. The SOX effect (presentation). DeFond, M., Hung, M., Karaoglu, E., Zhang, J., 2007. Was the Sarbanes-Oxley Act good news for corporate bondholders? Working Paper, University of Southern California. Howell E. Jackson, Mark J.Roe. "Public Enforcement of Securities Laws: Preliminary Evidence," (Working Paper January 16, 2007).
Hollis Ashbaugh-Skaifea, Daniel W. Collinsb, William R. Kinney Jr, 2007. The discovery and reporting of internal control deficiencies prior to SOX-mandated audits. Journal ofAccount-ing and Economics 44: 166-192. Ge, W., McVay, S., 2005. Disclosure of material weaknesses in internal control after theSarbanes-Oxley Act. Accounting Horizons, 19 (3), 137-158. PCAOB, Public Company Accounting Oversight Board, 2004 Annual report.
Ogneva, M., Subramanyam, K., Raghunandan, K., 2007. Internal control weakness and cost of equity: Evidence from SOX Section 404 disclosures. The Accounting Review 82 (5), 1255-1297.
SSRN-The Effect of the Sarbanes-Oxley Act on Non-US Companies Cross-Listed in the US by Kate Litvak. Zhang, I., 2007. Economic consequences of the Sarbanes — Ox-ley Act of 2002. Journal of Accounting and Economics 44: 74-115.