Interface of Internal Control for Telecom Company

Introduction

US Congress enacted the Sarbanes – Oxley Act of 2002 (SOX) on July 30, 2002, to ensure proper financial reporting and disclosure. The objective of passing this legislation was to rebuild the public trust in corporate business reporting, which was lost due to accounting and other frauds that happened in the United States around the early 2000s. ¹One of the salient aspects of SOX is Section 404. This section specifically deals with the efficacy of the internal control activities over the preparation and presentation of financial reports. According to the provisions contained in this section, most companies that present their financial reports after November 15, 2004, have to obtain a certification from an external auditor about the adequacy and effectiveness of the internal control systems being followed by the respective companies.

As a consequence of the passing of this legislation, compliance with Section 404 of SOX has occupied the top of the agenda of a number of corporate management. However, one common problem with SOX is that Section 404 is not clear about the levels of internal control that are sufficient to pass the requirements of SOX. In other words, Section 404 does not specifically state what internal control level is eligible to receive an unqualified attestation from an external auditor. This has its impact on internal IT security, more specifically on the areas of access control, the integrity of data, and data transmission.²

Interface of SOX and Internal Control

As per the provisions of Section 404 of SOX, the Corporations should ensure adequate documentation to ensure significant control so that the internal controls include; (i) a link between the internal control objective and the local control, (ii) a descriptive account of the local control that elaborately describes the manner in which the local control could prevent the happening of any associated risk or the early detection of such risk when it occurs, (iii) a detailed description of the ways in which the local control is to be applied, the determination of the person responsible for exercising the control, the periodicity in which the control is to be exercised, and the way to record the evidence regarding the exercise of the control.

The interface of internal control and SOX requires that there is an identification of the controls within the ‘Corporate Standard Templates.’ The controls also need to be cross-referenced to the process flow documentation. This is specified for the purpose of ensuring that significant steps in the process are adequately controlled. It is also essential that the controls are identified and documented within the process flow documentation for those significant steps in respect of which the ‘Corporate Standard Template’ does not contain a corresponding control document.

Purpose and Design of Internal Control

The purpose of establishing an internal control system is to ensure the mitigation of an expected risk to the organization or alternatively to achieve a specific control objective that is preset. A proper design on an internal control system should find plausible answers to the questions like the type of control being performed (control type), the person responsible for exercising the control (control owner), the periodicity during which the control needs to be exercised (control frequency), the evidence for exercising the control (control evidence), and the procedures to be followed in exercising the control (control procedure)³

Aims and objectives

This study aims to assess the effectiveness in the interface between internal control systems and SOX with particular reference to the internal control systems in place in Nortel Networks, a large telecom corporation. With a view to accomplish this aim, the study follows achieving the following objectives:

1. To undertake an in-depth analysis of the basic requirements for instituting an effective internal control system in any large corporation.
2. To study the salient provisions of the Sarbanes – Oxley Act with reference to the institution and monitoring of internal control system.
3. To assess the impact on the effectiveness of the internal control system as a result of the interface between the internal control and SOX.
4. To study the efficacy of the interface between the internal control system and SOX in the context of Nortel Networks and to report on the ways in which the interface facilitates the effectiveness of the internal control system in Nortel, especially with reference to the activities of the finance department.

Rationale behind the study

In the present day business context, large corporations like to have an effective internal control system in place so that they will be able to make a proper and accurate presentation of the financial statements to those who are in need of these statements. The corporations found it effective to ensure the appropriateness of the financial reporting once a proper internal control system is in place. Further, the legislative requirement imposed by the Section 404 of SOX necessitates the institution of an effective internal control system. It has been observed from the theoretical studies that the interface between the internal control and SOX greatly improves the efficiency of the reporting requirements under the Act. However, this study is intended to test the practicality and utility of the interface between internal control and the requirements under SOX as to how far the interface helps in the process of preparing and presenting appropriate financial reports. Thus the objective of this study is to gain practical knowledge on the utility of the interface of internal controls and the impact of SOX.

Structure of Presentation

In order to present a meaningful and comprehensive thesis on the interface of internal control and SOX, this report is designed to have exclusive chapters. Chapter 1, while introducing the subject matter of study, also details the aims and objectives, and rationale behind undertaking this study. Chapter 2 presents a detailed review of the available literature on the interface of internal control. In chapter 3, a descriptive account of the salient features of the social research methods, the respective pros and cons, and the justification for the selection of the particular research method are presented. This chapter also details the research approach followed for the current study. Chapter 4 contains the findings of the research and a detailed analysis of the findings. Finally, some concluding remarks recapitulating the issues discussed under the text are presented in chapter 5, and a few recommendations are contained in chapter 6.

Conclusion

This chapter presented a brief overview of the subject matter of the study along with the aims and objectives of the study. The rationale behind undertaking the study was also discussed in this chapter. A detailed review of the available literature on the interface of internal control will be presented in the next chapter.

Literature Review

Introduction

The requirements of Section 404 are specified with reference to the process the corporations need to make use of for generating the financial statements. This section stipulates that the process should be accurate and should meet the standards generally accepted by the industry. According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), internal control is a process that provides a reasonable guarantee about the ways in which the company achieves its established objectives in the areas of operational efficiency and reliability of financial reporting and compliance. The objective of this chapter is to present a comprehensive review of the literature available on the topic under study.

The regulations prescribed under SOX are implemented by the Securities Exchange Commission (SEC). SEC rules require the corporations to make use of an established internal controls framework. COSO specifically mentions the internal control framework that needs to be followed by the corporations⁴. It is COSO that has provided the Framework for defining and evaluating the internal control systems. However, there is an inherent shortcoming of the Framework suggested by COSO in that it addresses only IT controls in a more general way. It is the suggestion of COSO that an IT control framework like Control Objectives for Information Technology (COBIT) can be employed to ensure the adequacy of internal control.⁵ Despite this shortcoming, the corporations have the mandate to get an attestation from an external auditor about the effectiveness of the internal control system. This has necessitated the interface of internal control so that the requirements of SOX can be fulfilled. This chapter details the interface of internal control and the ways of using the interface to meet the compliance requirements of SOX.

Internal Control – an Overview

The promulgation of Sarbanes – Oxley Act was driven by the large accounting and other frauds committed in the corporations like Enron, Tyco, Worldcom, and the like in the United States around the period of early 2000s. These scandals have led to huge financial losses to the employees and investors of these corporations, and they also created mistrust for the investors on the financial reporting. These events raised an overall concern regarding the impact of the events on the operations of the stock market and the economy as a whole. The purpose of enacting the legislation was to address the accounting deficiencies and to prevent the reoccurrence of such events in the future. The provisions of SOX have fixed the responsibility on the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO). They have been made criminally and civilly accountable for a proper presentation of the financial reports of their respective companies. Internal controls and the audit of the controls are made the primary tools of implementation of the provisions of the Act.

Section 404 of SOX provides for the “Management assessment of internal controls.” SEC has interpreted internal control as

“controls that pertain to the preparation of financial statements for external purposes that are fairly presented in conformity with generally accepted accounting principles as addressed by the Codification of Statements on Auditing Standards # 319 or any superseding definition or other literature that is issued or adopted by the Public Company Accounting Oversight Board.”

The function of the Public Company Accounting Oversight Board substantiates the preparation of informative, accurate, and independent audit reports.⁶ At first, Sarbanes Oxley Act creates a nonprofit corporation that is a “public company accounting oversight board” or PCAOB. Its “five SEC-appointed members (of whom two will be CPAs), financed by new public company fees, will register, inspect and discipline public accounting firms, including foreign firms in certain cases, as well as establish and enforce auditing, quality control, and independence standards.” ⁷

However, for all practical purposes, it is for the external auditor to specify those aspects of the overall operations of the corporations which, in their opinion, are material. In fact, the external auditor should also mention the degree and level to which these aspects need to be controlled. The selection of control elements would largely depend on several criteria, including the control objectives established by the company. There may be some systems that might be deemed to be critical, while few others might be considered as mere supporting systems. However, the companies can expect to receive only guidance from the external auditors on the establishment of control objectives. This is so because the auditors are not supposed to audit their own work and report thereon. Therefore the responsibility for the determination of the scope of the control systems and the establishment of the control objectives fall on the internal auditor, who is normally the employee of the company.⁸. It must, however, be remembered that the establishment of control objectives is, in reality, a business perspective to ascertain the matters that are important for control purposes, the extent of their importance, and the acceptable level of risks associated with those issues identified.

Role of Information Technology in Internal Control

Since most of the business transactions today are carried out through the use of computers and advanced information and communication technology (IT), IT plays a predominant role in the institution and monitoring of the internal control systems. It is reported that more than 97% of the material weaknesses in internal controls can be mitigated through the use of IT. In practice, there are the following ways in which the IT can help to have the internal control system in place; (i) IT general controls as advised by COSO and (ii) IT as a component of a non-technological internal control over financial reporting – quite often this is seen as an application-level control. The role of IT in internal controls can be explained on the basis of the following IT architecture used by a public company.

General Controls through IT

There are various general controls that can be supported by IT. One example in this connection can be found in the following control objective:

“Control Objective: Controls provide reasonable assurance that financial reporting systems and sub-systems are appropriately secured to prevent unauthorized use, disclosure, modification, damage, or loss of data.”

With respect to the above internal control objective in the context of the IT architecture shown in the figure above, it is necessary to test the effectiveness of the internal controls that can vouch for the security of the architecture. For this, the internal auditor has to test and document the effectiveness of the internal controls. More specifically, the internal controls should be so secure that any unauthorized access to the General Ledger System, the Warehouse System, and the Customer Portal. It is necessary that the system should establish adequate and strong password protections, firewall protections, and hardening guidelines. The institution of these controls is necessary to assure the external auditor that the systems under review are adequately secured.

Non-Technological Controls and IT

It is observed that many of the internal controls over financial reporting are often found to be non-technological in nature. For instance, the valuation of some asset items in the balance sheet is subjective in nature that involves processes to be carried out manually. However, a number of such processes use IT for an effective valuation. By adopting the Framework suggested by COSO, an internal control system for the company shown in the figure above might take the form of associating the control objective, risk, and control practice as depicted in the following table:

Following the Framework suggested by COSO, all internal controls can be expressed in the format as depicted in the above table. Although, in reality, the details pertaining to different situations would be different, the basic principles remain the same. It is to be noted that the purpose of establishing internal controls over financial reporting is to set out a control objective that is intended to mitigate a risk using the relevant control practice. Although the internal control exhibited in the above table may be entirely manual, there is the likelihood that the system is based on IT capabilities. In the example cited, it must be ensured that the general ledger system receives accurate and timely data from the warehouse system and the customer portal. The audit of internal control systems may require the IT department to document and test these technological factors which support this procedural control.

Relevance of SOX to Information Technology based Internal Control Systems

Although SOX is mainly concerned with financial reforms, it has a close association with information technology as in the present-day context. The accounting systems are based on the developments in information technology (IT). Since ‘accounting systems’ are considered material for the purpose of SOX, there exists a relationship between SOX and information technology. In other words, in the financial reporting domain, any system or process that has real consequences assumes greater importance. However, it should be noted that even within these systems, the level of importance varies depending on their overall impact on the control aspect. Applying this analogy, it must be observed that there are a number of things that were previously carried out through informal processes that are to be brought into defined processes and procedures to ensure adequate control. For instance, the controls over the access to production data and the persons who can access the data have undergone considerable change since the passing of the Act to ensure proper compliance. Previously there was no significance about the production data with respect to the financial reporting.

It is true that some aspects of IT might not appear relevant to ensure the effectiveness of the control systems. But still, there will be the need to maintain these systems to get the attestation from the external auditor that adequate internal control systems are in place.

In this connection, the COBIT Framework, as suggested by the Information Systems Audit and Control Association, presents an IT perspective that can be employed by corporations to ensure the adequacy of internal controls. The specialty of the COBIT framework is that by adopting this, the corporations would be able to obtain a clear definition of Control Objectives that are broken down into a logical and systematic progression that ensures the easy flow of information and an ultimately effective internal control.⁹

Interface of Internal Control

As observed earlier, SOX has clearly pinpointed the responsibility for the accuracy and timeliness of financial reporting on the top executives of the corporation. Before SOX was enacted, integrating the complete data on the enterprises’ operations was not taken seriously by the IT managers. However, the introduction of the Act has changed the scenario. There are three key requirements of SOX that necessitate the interface of the internal control systems in any corporation.

Requirements of SOX

Present-day organizations face serious challenges in complying with three major requirements of SOX. They are:

• Section 302 requires the presentation of financial reports with established standards for tracking and reporting. This section has also made the CEOs and CFOs personally responsible for the accuracy of financial statements, and failure to comply with the provisions would entail these top executives’ personal penalties that are of both civil and criminal nature.

In this case, the implementation of the defined standards poses a real challenge to the executives. The standards incorporate the provision of numerous details, including the person responsible, the issues to be addressed, the evidence for the information, and the timeliness of presentation. The process of tracking and reporting the defined standards also poses a serious issue for the officers of the corporations. In this connection, it is to be noted that the manual processes are subjected to a wide variety of errors, and processing them also consumes more time.

• Section 404 on the internal controls requires a managerial assessment of the internal controls and reporting on the existence of such controls instituted. In addition, there should be an evaluation and assessment of the effectiveness of the internal controls and procedures.

In order to create a report on the internal control, it is for the management to make an identification of all the data sources which are employed in financial reporting. The management also has to determine the validations of these data. In addition, there needs to be the testing of the audit processes, if any, associated with the extraction of data from the data sources. In the absence of a central place where the total enterprise data could be accessed, the process of reporting on internal controls would be difficult for the management. Similarly, when only manual processes are employed for extracting the required data, it is impossible for the management to assess the effectiveness of the internal control systems and procedure and make a report thereon. The manual systems are hard to document as well as their application of them is also very complex and difficult.

• Section 409 of SOX requires real-time disclosures. This section has placed an obligation on the corporations to disclose information in material changes in financial conditions on a rapid and current basis.

This requirement of SOX makes it obligatory on the part of the corporations to make a complete and immediate reporting on acquisitions, divestitures, and reorganizations that reflect the current and historical financials accurately. Any data that is missing or incomplete on these important business events would affect the internal forecasts as well as external reporting.¹⁰

All of these three requirements of SOX with respect to financial reporting, especially the requirement of Section 404 on the internal controls, call for the collection and aggregation of data from multiple sources and business units. This, in turn, calls for a proper interface of the internal controls systems so that the management can get the existence and effectiveness of the internal control systems duly attested by an external auditor.

Interface of Internal Control and IT

The additional burden of accurate and timely financial reporting as imposed by SOX is viewed as one of the critical business issues by many large corporations. This has put the responsibility of producing more accurate information at the least time possible and at the same time, maintaining the accuracy of the information is also of paramount importance. It has been concluded that carrying out the process of extracting and consolidating the information through a manual process is highly time-consuming and would also involve an additional cost burden on the companies. Therefore the only answer to meet this challenge is to interface all the internal control so that the data is gathered in a centralized place in a secured manner and accessed when necessary.

However, gaining secure access to data available in various transaction systems is yet another problem that needs to be addressed by almost every business today. This is because the data available in the various streams of transactions within the business is designed to cater to the needs of the individual departments and therefore are spread out and formatted. This makes accessing the data difficult and the reporting thereon also becomes complex.

Development of the Conceptual Framework

The interface thus is the matter of identifying the key areas of control and assembling them in such a way that it creates the whole picture of the control mechanism. Once the company is able to put this system in place, then it can easily be presented to the external auditor for attestation. In this process, it is important that the control mechanism is created just not only as an illusion of control, but it completely understands the areas where the auditors will focus for the purpose of certifying. The system should work on providing those deliverables which are important from the perspective of the auditors, and it should be capable of meeting those expectations. The use of the best practices in the key areas as followed by the industry is sure to produce the best results and, in the process, will help the organization to fulfill the responsibility under SOX more efficiently. This will also satisfy the external auditors with respect to their requirements for attestation of the effectiveness of the internal control mechanism. The most important point here is that the internal control system so developed works best when the system is driven on the basis of the needs of the business rather than on the basis of the convenience of IT.

The internal controls in this Framework may incorporate the following elements:

1. Operational and infrastructure documentation
2. Application systems and interfaces
3. Business impact analysis
4. Access control and security
5. Single points of failure analysis
6. Business continuity management and
7. Project and risk management

Thus the system should provide for all the functional requirements as well as cater to the exception processing procedures. The interface will work well on a proper understanding of the features of the system and the purpose of each of the elements involved. The software package with customization as well as the hardware, such as the platforms that support the software and the network involved, is an integral part of the internal control interface framework. When assessing the suitability of the system, it is important that aspects like the dependencies of the components, the impact on financial reporting, persons that need to have access to the system, and the environmental conditions for the safe functioning of the system are considered before arriving at the interface decision.

Conclusion

Thus the review of the available literature threw light on the basic aspects of internal control and the relevance of information technology to the internal control and the requirements of SOX. This chapter also dealt with the specific requirements of SOX in the areas of financial reporting and the salient aspects of the interface of internal control. The next chapter on research methodology will provide a basic understanding of the social research methods and their relative merits and demerits.

Research Methodology

Introduction

The objective of this chapter is to provide a basic understanding of the various characteristics of social research methods. This objective is achieved by detailing the features of the research methods and their relative merits and demerits. The current study was completed using both qualitative and quantitative research methods, which are the popular research methods being used in the field of social research. This chapter also details the justification for the selection of the specific research method.

The review of the literature available on the topic provided the basis for getting an insight into the topic of the interface of internal control. The literature reviewed highlighted the requirements of SOX with respect to financial reporting by corporations and the need for centralizing all transaction data. The objective of this research is to assess the impact of the interface of internal controls in Nortel Networks, a telecom major. Under this chapter, the research approaches, processes involved in the gathering of information and data, framing of the questionnaire, and collection of information through the survey are discussed at length.

Overview of Research Methodology

Before a comprehensive report can be produced on any social issue researched, it is important that a thorough understanding of the different options of research methods available is gathered. It is equally important that the research approaches, tools, procedures, and techniques that can be employed are studied in their perspectives, and a suitable research process is established. Johnson (1995) defines social research as a process of inquiry conducted in ways that are systematic.¹¹ It is the purpose of this inquiry to extend to areas beyond the knowledge and general perceptions of the people and to acquire detailed and comprehensive information on the issues being researched. On the basis of the knowledge and information gathered, the researcher makes his/her own analysis to present a meaningful report to those who are interested in the research. Since social research is a process of investigation that needs to be taken up in a systematic manner, it becomes necessary for the researcher to adopt the appropriate research method based on the subject of study. In a similar way, the other research techniques are chosen by the researcher.

Description of Research Methods

White (2000)¹² points out that the research approach being followed by the researcher can be construed as the research methodology.

White, B. (2000). ‘Dissertation skills for Business and management students’ Cassell London p 25.

The methodology is the philosophical base on which the research is progressed, and it is for the researcher to embark upon the proper research approach to carry out the research in an efficient manner. Social scientists and academicians have identified two major research methods that possess the necessary features for conducting successful research. The research methods are qualitative and quantitative research methods.

There are a number of data collection methods available to enable the researcher to collect the required information and data. The researcher has to choose the appropriate data collection method that will best suit the purpose of accomplishing the research objectives established. For conducting the research on the interface of internal control, both the qualitative and quantitative research methods have been chosen after due consideration of the pros and cons of all the research approaches. The following sections describe the important elements of both the qualitative and quantitative research methods.

Definition of Quantitative Research

According to White (2000)¹³ quantitative research is an investigation process in which results are expressed in numerical indices. It is usual that these numerical results are mathematically and statistically analyzed to evaluate the findings of the research. Since only numerical values represent the results, it becomes necessary for the quantitative method to employ objective ways of collecting the data and interpreting them later on. As this method involves scientific approaches in the evaluation process quantitative method is considered as having a ‘positivist approach.’ The research techniques employed under this method focus on gathering quantitative information for analysis.

Definition of Qualitative Research

According to Cresswell (1994)¹⁴ qualitative research is an inquiry process that focuses on the understanding of any social issues. It always depends on the views and opinions of the informants based on which the researcher develops his/her own theory. These views are expressed by the informants over a natural setting, and the method is based on a holistic picture based on the narratives of the informants. The core area of focus for the qualitative research is the set patterns of meanings that emerge from the information collected from the respondents. The researcher identifies these patterns that exist in the views and opinions of the respondents and present an analytical report of these patterns in a readable manner. It is important that the researcher considers the views of the participants in the real world situation and as perceived by the participants.

A naturalistic and interpretative approach is attributed to the qualitative research by Denzin & Lincoln (1994)¹⁵. This is so because qualitative research is conducted in a natural setting. Stallings (1995)¹⁶ stresses the importance of qualitative research in the educational field. This method presents a descriptive report based on the viewpoints of the respondents.

Important Elements of Qualitative Research Approach

Research scholars like Bogdan & Biklen (1982)¹⁷, Lincoln and Guba (1985)¹⁸, Patton (1990)¹⁹ and Eisner (1991)²⁰ have identified different aspects of the qualitative research method. These authors have found the following salient features of qualitative research. They are; (i) the researcher under qualitative research has to make the study under natural setting and has to necessarily maintain emphatic neutrality, (ii) the researcher may use inductive analysis method for analyzing the data collected under the qualitative research method, (iii) there are different tools that can be employed to test the trustworthiness of the data and (iv) the qualitative research possesses an interpretative character that enables the researcher to discover the hidden meanings in the words of the respondents.

Justification for Selection of the Research Method

Strauss and Corbin (1990)²¹ advocate that qualitative research could provide a thorough understanding of the issues of which there is no prior knowledge of information. The ability of the qualitative research method to enable a thorough analysis is the major reason for choosing the qualitative method. This ability is considered beneficial for the researcher as well as the users of the report. Since the reports presented as a result of the qualitative research give more in-depth insight into the experiences of the respondents, it makes them more meaningful. (Stake 1978)²² According to Myers (1997)²³ the qualitative research method enables the researcher to make an in-depth analysis of the contexts and actions of the respondents. The contexts normally extend to the social and cultural contexts that decide the actions of the people.

Description of Survey Method

A survey method is a non-experimental and descriptive method of social research. The survey method is being employed by the researchers when they would like to collect information and data on issues that cannot be directly observed. Under the survey method, the data are usually collected through the distribution of questionnaires, and in some cases, interviews are conducted to gather the required information and data. One of the major criticisms of the survey method is that the method is often designed and administered in a poor manner which leads to the collection of inaccurate data. According to Meyer (1998)²⁴ representative sampling and the design of the questionnaire are two important additional considerations. A sample can be considered representative when it accurately represents the population under study. Therefore a careful selection of samples is of primary importance for successfully conducting the survey. Similarly, it is important to frame the questions tactfully and carefully. A poorly designed questionnaire would lead to results that are meaningless. Thus the information and data collected from the samples represent the views of the total population, and therefore the information need to be gathered through intelligent questions addressed to the chosen samples (Cresswell 1994; Neumann 2002²⁵; Fink 1995²⁶)

Research Approach for Current Study

After a thorough review of the merits and demerits of both the qualitative and quantitative methods, both of these research methods have been chosen to accomplish the objectives of this research. For assessing the impact of the interface, it was considered necessary to gather the views of the employees of Nortel Networks. Therefore the survey approach under the quantitative research method was undertaken. For assessing the impact of the interface of internal control, which is a subjective issue, the quantitative method was considered appropriate. It was also considered necessary that sufficient information is gathered through secondary sources like articles from professional journals and research publications. Therefore the qualitative research method is also employed in addition to the quantitative method. The quantitative data on the basis of the responses to the questionnaire are tabulated and analyzed for ascertaining the relevant answers to the research questions.

Selection of Samples

A total of 100 employees from the Telecom major Nortel Networks were selected as samples for the distribution of the questionnaire. Several demographic elements were taken into account while arriving at the respondent’s to be contacted. The chosen samples were stratified on the basis of their length of service and the departments in which they worked to arrive at the randomly selected sample of 100 participants. Out of the 100 participants, 82 of them only chose to reply to the questionnaire. This leaves a participation rate of 82%, which can be considered a good index for research of this kind.

Questionnaire

In order to have a proper understanding of the target population as well as their knowledge and viewpoints on the internal control and the impact of SOX, this project used the survey questionnaire method. The questionnaire was constructed with questions on the demographic background as well as questions relating to internal control and the impact of SOX on the financial reporting of the company. With a view to ensuring that the questionnaire reaches all the selected respondents, the questionnaire was sent via email of the samples. Closed-ended questions giving the respondents the choice of selecting the answers from the responses indicated in the questionnaire were used to construct the questionnaire. The Likert scale was used to enable the respondents to mark their answers.

The questions were divided into two distinct parts; the first one dealt with the details on the demography of the samples, and the second one had questions relating to internal control and the impact of SOX, being the subject matter of the study. The details regarding the demography covered questions that required the respondents to give information on their ages, gender, periods of service with the company, and income level. The objective of incorporating the questions relating to the demography is to analyze the nature and characters of the samples as representative of the whole population under study. The later part of the questionnaire covered questions that detailed the perceptions of the respondents on the implementation of SOX. Appendix 1 exhibits a copy of the questionnaire that was sent to the samples.

Conclusion

This chapter presented a detailed account of the research methods that were used to complete the current research. The important aspects of the research methods and the justification for the choice of the research methods are also presented. The next chapter presents a detailed discussion on the findings of the research and an analysis of these findings.

Findings and analysis

Introduction

The objective of this chapter is to report on the findings of the research. The data and information were collected on the basis of responses received from the respondents (n=82). Out of the total number of 100 questionnaires sent to the chosen samples, 82 of them returned the questionnaire duly filled. The responses received were tabulated and analyzed for presenting the findings. This chapter also presents a detailed analysis of the findings by reviewing the opinions and views expressed through the responses to the questionnaire.

In order to institute an internal control system that works effectively and efficiently, it is considered necessary to make an interface of all the internal control systems, and for making such an interface using customized computer software applications only has been found to be the feasible solution. This also fits well with the requirements of SOX under Section 404. Further, as per the recommendation of SEC, the Framework suggested by COSO can be employed for internal controls, which very well acknowledges the use of computerized applications. This study purports to find out the impact of the interface of internal controls in the case of Nortel Networks and the role of the interface in the compliance of the regulations of SOX through the questionnaire circulated to the employees of Nortel Networks. This chapter presents the findings and an analysis of the findings from the survey results.

Nortel Networks – an Overview

Nortel Networks is a giant corporate in the telecom industry based in Canada and headquartered in US “Nortel network is a global leader in data, telephony, wireless and wireline solution for the internet, with customers which include public and private enterprises and institutions, internet services provider; local and long-distance cellular and PCS communication companies; cable television carriers; and public utilities.”²⁷ Nortel network is to be said as an IT firm and is a major participant in the field of ITU-T and bear a huge number so study chair. The Internet service provided by the Nortel networks is more reliable and faster than ever. It has the ability to redefine the economics and quality of the networks. Nortel always focuses on service providers and carrier group providers to fulfill the high expectation of the customer. Nortel networks have a great advantage to do that via leadership in the building network of every type around the world.

Findings

This study intends to make an assessment of the effectiveness of the internal control mechanism present in Nortel Networks and the contribution of the interface of the internal control to compliance with SOX regulations. In this connection, questionnaires were distributed to 100 employees of Nortel Networks, out of which 82 people responded. The selected samples were given a briefing on the overview and purpose of the survey. They were also advised about the layout of the questionnaire to enhance their understanding. The employees who were participating in the survey were assured that the information they provided would be kept strictly confidential as the results will only contain a summary of the results. The findings are discussed below:

Demography Details of Respondents

Although the importance of this part of the questionnaire cannot be explicitly seen, it is important that any survey collects the information on the demography of the respondents to the survey. The age groups under which the respondents fall have been ascertained by asking them to indicate the group in which they fall. The respondents fell under four major age groups. 52.44% of the respondents were found to be in the age group of 26-35 years. There were a small number of 9 people who were falling in the group of above 41 years of age. The following table exhibits the number of people falling in the different age groups.

Age Group of Samples

There were a total of 67 males who responded to the survey out of the total number of 82 people contacted. The male population of the sample represents 81.71% and the remainder females. The table and the diagram following the table present a diagrammatic presentation of the data collected on the gender of the samples.

Gender of Samples

It is interesting to note the distribution of samples on the different groups of educational backgrounds. Out of the total 82 respondents, 45 of them have completed degree-level education. This is quite a good percentage of the educational background of the respondents, and this would have a positive impact on the reliability of the survey. Further, 21 of the respondents have been observed to have completed master’s level education which adds to the value of the survey. The information collected is presented in the following table and the diagram.

Educational Level of Participants

The number of years of service with the company is another important piece of information that goes to enhance the value and utility of the results of the survey. This information tells upon the ability of the samples to express their views on the implications of SOX on the financial reporting, the subject being studied. The questionnaire contained a question on the number of years of service the respondents had with the company. It is observed from the responses that 39% of the people have worked with the company for a period of 6 to 10 years. The distribution of the samples has been fairly wide in all the groups, as may be found in the following table.

Service Period with the Company

It was also considered important that the information on the department to which the respondents belong. This information was gathered by including a closed-ended question and including the names of several departments to enable the samples to choose the particular department to which they belong. This information was considered vital to assess the extent of awareness of the samples on the issue of financial reporting and the impact of SOX on it. As per the information provided by the respondents; there were 46 people (56%) belonging to the Finance department, 4 (5%) from Sales and Marketing, 16 (19%) from the IT department, 9 (11%) from the Human Resources department and 7 (9%) from other departments.

Department of Respondents

There were different levels of employment that were considered for the purpose of selecting the samples to respond to the questionnaire. The samples were asked to identify the levels to which they belong and the table appended below provides the details of the employment levels.

Levels of Employment of Respondents

The information is presented in the following diagram.

Implementation of SOX

The second part of the questionnaire contained questions on the practice of the Sarbanes Oxley act and the knowledge of the employees on those practices. The questions were devised to extract the viewpoints of the employees on the effectiveness of the implementation of SOX being implemented by the company.

Awareness of SOX

In the questionnaire, there was a question that reflects the awareness of SOX. 68 out of 82 participants replied that they have knowledge about the rules and regulations of SOX and its implementation. This constitutes 83% of the respondents of Nortel Networks employees. Fourteen of the respondents did not have knowledge about the function of SOX and its implementation. The following chart shows the preference of SOX among the Nortel employees.

Among the total participants, 56 said they are aware of the workshops on the implementation of SOX conducted by the company, which represents 68% of the respondents, and the rest 26 said they have no knowledge about any workshops on the implementation of SOX.

The following chart shows a clear picture of these responses:-

Impact on the Organizational Functions

On the question of the personal preferences on SOX and the provisions thereof, the respondents are more divided. Out of 82 respondents, 52 (63) have intimated that they are not in favor of implementing the SOX provisions. The remaining 30 replied they are in favor of. Similarly, on the question of satisfaction with the process of implementation of SOX within the company, the respondents have given a mixed opinion. 61 (74%) of them replied that they are not satisfied with the process of implementation, and 21 of them are satisfied with the way the company is progressing in SOX implementation.

Impact of SOX within the Company

The next question on the questionnaire was to get the opinion of the participants on the impact of SOX within the company. Seven different options were where there is the impact of SOX were provided in the questions, and respondents were asked to rank them in the order of priority in their opinion. Since each of the 82 participants chose to attribute different rankings to the different attributes stressing the impact of SOX, the mean value of the responses was calculated, taking into account the weighted average of the rankings given by the employees. The mean values are shown in the following table:-

Impact of SOX within the Company.

On the question of the activities where the implementation of SOX had an impact, the respondents have expressed the following opinions (represented by the mean values)

Impact of SOX on Company Activities.

Impact of SOX while on implementation

The next question was to get the opinion about which area or department of Nortel Networks had the most degree of impact on the implementation of the provision of the SOX Act. All of 50 respondents said about the finance department, and also mentioned about IT 90%, sales 46%, human resources 38%, customer service 34%, marketing 18%, and other 10%.

Departments Impacted by SOX. Source: (Exler, 2003).

Resources Needed to Enhance SOX Implementation within the company

When asked to indicate their preferences on the action that the company needs to take to add the resources that will help enhance the pace of the implementation process of SOX, the respondents indicated the following choices:

Resources Needed to Enhance SOX Implementation.

Analysis

On an analysis of the findings of the research, it can reasonably be concluded that although the importance of compliance with the provisions of SOX has been made known to organizational members at all levels, a majority of them still feel that the responsibility still lies with the finance department people. However, this general view cannot be taken for granted as the internal control norms apply equally to all departments, and it is for the management to ensure that the rules relating to internal control procedures are communicated to all the departments so that they are adhered to strictly. Therefore it follows that irrespective of the age, years of service, department, or level of employment, it is vitally important that the organizational members are aware of their part of responsibility in adhering to the internal control procedures. From the survey, it is observed that the company Nortel has not effectively communicated either by way of workshops or through other communication means the importance of the internal controls and its impact on the compliance with the SOX regulations. This is evident from the fact that for the question on the impact of SOX within the company, a majority of them have identified only the ‘detection of frauds’ as the prominent impact of the implementation of SOX. There has been a poor response to the answers ‘enhancing the financial disclosures’ and ‘compliance with laws and regulations.’ In fact, compliance with the regulations is the main impact of the implementation of SOX, which was given a very low mean value index by the respondents.

Another important finding of the study is that 74% of the respondents have replied that they are not satisfied with the implementation of SOX provisions by the company. Here there is a major deviation has occurred in the research. While most of the respondents (83%) are aware of the provisions of SOX, they must also be aware of the compliance requirements of the Act. Hence they cannot say they are not satisfied with the implementation process, as it is for the company to have the internal control mechanism in place so that it can get the attestation from the external auditor about the effectiveness of the internal controls. Here since there was no response column for ‘No Knowledge,’ the respondents might have simply answered ‘Not satisfied.’

Limitation of Sarbanes Oxley Act 2002 and Internal Controls in Nortel

Section 404 requires the management companies to submit a report on the effectiveness of the internal control systems operating in the company attested by the external auditors. The auditors have to attest to the ability of the internal control systems to improve the financial reporting.²⁸ It is to be noted that the concept of internal control has been in existence for quite some time, although the requirements in this respect have been reintroduced lately by Section 404 of SOX. The major thrust of this section is that the effectiveness and adequacy of the internal control systems should be certified by the external auditors. This section was introduced to ensure that the companies, by installing effective internal control systems, would be able to prevent the occurrence of any financial and accounting frauds by resorting to the controls being provided by the systems.

However, the real purpose of this section could not be realized due to many reasons. The internal control systems that were dealt with by Section 404 have not been defined conceptually so that they will serve the intended purpose. It is to be noted that the internal control systems and procedures as adopted by the business organizations earlier were meant mainly to prevent the occurrence of mistakes in the accounting transactions. They were not designed to take care of other business systems. But the internal control within the scope of Section 404 is expected to cover a wide range of business functions, including accounting and financial reporting. Therefore the internal control systems as they are currently present in the business organizations do not support the scope of the control as envisaged by SOX. This also prevents the auditors from limiting their scope of certifying the effectiveness of the internal control system to the extent they cover the accounting transactions.

Despite the basic inadequacy of the conceptualization of the internal control under Section 404, the external auditors of Nortel Networks could find out and report on some material weaknesses in the internal control systems being followed by Nortel.

These weaknesses have been reflected in their financial reporting also. Totally the independent auditors have commented on six material weaknesses as identified by them in the internal control systems that are in operation in Nortel, which might have their impact on the financial reporting.

The impact of the internal control systems being followed by Nortel has been assessed on the basis of the perspectives of section 404 of the Sarbanes Oxley Act of 2002 and the rules framed there under that covers the financial reporting of the company for the year ended December 31, 2004. The company has employed the methods suggested by the Committee of Sponsoring Organization of the Treadway Commission, shortly known as COSO. The following are some of the material weaknesses that have been reported by the internal auditors.²⁹:

1. The company has not followed the prescribed procedures for monitoring and adjusting the balances in the books of accounts that represent the provisions and accruals. These provisions, in some cases, include restructuring charges and some accruals on account of contracts and customers’ accounts.
2. The company has failed to apply the appropriate application procedures of GAAP with respect to the recording of certain liabilities. These liabilities, in some cases, cover those enumerated in SFAS No. 5 and 52.
3. The company could not have in its rolls sufficient staff that possessed an appropriate knowledge and experience US GAAP. The available people also did not have enough training on the analysis and documentation of the application of US GAAP to transactions. This has led to improper accounting of revenue transactions.
4. There was no proper organization that had a clear demarcation between responsibilities and accountability in so far as the accounting function is concerned. The structure of the organization was not clear, which is most likely to lead to evasion of responsibilities. This affected the effectiveness of supervision over the accounting functions. Due to proper organization, too many manual interventions in the financial reporting had to resort which vitiated the results of the financial reporting and
5. The personnel of Nortel did not have adequate awareness of the internal controls systems and their impact on the financial reporting by the company. With the result that they could not initiate timely action, which is important from a control point of view.

Conclusion

This chapter presented a tabulated and pictorial representation of the findings of the study on the interface of internal controls and the impact of SOX. The analysis of the internal controls in company Nortel has also been dealt with by this chapter.

Conclusion

Few concluding remarks that recapitulate the issues dealt with by this text form part of this chapter. This chapter also discusses some limitations of this research study.

The year 2002 witnessed the passing of the Public Accounting Reform and Investor Act which is otherwise known as Sarbanes – Oxley Act (SOX), with a view to restoring the investor confidence shattered by the accounting frauds that have taken place in companies like Enron, WorldCom, and Tyco. The Act has been regarded as one of the most important pieces of legislation implemented in the area of financial reform after the year 1930. The accounting and other frauds committed in these large corporations bring to light the existence of fraudulent financial reports that misguide the investors, which ultimately shaken the confidence of scores of investors as well as employees of the corporations on the accounting practices and the financial reports being produced by the accounting professionals within these corporations.

Compliance with SOX regulations has been made mandatory for all publicly traded companies registered with SEC. Corporations and their respective officers who are in default of complying with the annual and quarterly filings under the provisions of SOX are liable to civil and criminal punishments. SOX focuses on holding the CEOs and CFOs personally responsible for the accuracy and timeliness of financial reporting and ensuring the institution and monitoring the internal controls processes that are vital in the preparation of these reports.

It has to be mentioned that the Sarbanes Oxley Act of 2002 treats differently in accordance with the size of the organization. The implementation is one type to the big organization like Nortel and different to the small organization. This Act was signed into law on July 30, 2002, in order to restore the confidence of the investors and to hold the CEO and CFO of public companies responsible for statements of the financial reports provided by their companies. If those certifications founded untrue, the individuals have to face criminal penalties. The Sarbanes Oxley Act also has established the Public Company Accounting Oversight Board (PCAOB), which is overseen by the Securities and Exchange Commission (SEC). So, from this perspective, SOX creates a potential need for additional information and reliability for the investors and the overall public. For example, section 404 provides the rules for which the company needs to provide an internal control report in its annual report.

Section 404 requires that the processes used in the making of the financial reports should be maintained accurately. In this connection, the companies are obligated to meet the standards established by the Committee of Sponsoring Organizations of Treadway Commission (COSO). COSO has established an Internal Control Framework in the year 1992, which serves as the standard under SOX. This Framework enables the companies to establish, document, and assess business control systems. There are five components of an internal control process as prescribed by COSO – control environment, risk assessment, control activities, information and communication, and monitoring.

In effect, SOX seeks to regulate the business processes and practices, and regulating the technology is not its main motto. However, it needs to be understood that in the present-day business environment, technology plays a key role in the institution and maintaining of the internal control systems. But COSO has not evolved any controls on the IT processes that can be adopted in congruence with the internal controls. Control Objectives for Information Related Technology (COBIT) developed by IT Governance Institute fills up this gap, and COBIT can be used in line with the COSO framework, and COBIT helps translate the COSO framework into practice that can be adopted by any organization depending more on IT for its internal controls.

The literature reviewed under this study indicates that in order to take the fullest advantage of IT-based internal control mechanisms in the context of compliance with SOX regulations, it is important that all the internal controls are interfaced by using the relevant software customized to meet the organizational challenges. It is also equally important to use the associated hardware like the appropriate platforms that support the software more efficiently.

It is to be noted that the claims of some vendors to offer the SOX compliance in a box solution for Sarbanes – Oxley cannot be considered true. In reality, software and hardware solutions can only act as supporting tools for the implementation of the internal control processes and procedures that are at the root of SOX requirements. Therefore it becomes important for the organizations to be careful in evaluating and selecting the proper hardware and software supports by interfacing the internal controls effectively.

Limitation of the Study

The collection of information and data from professional journals, articles, and other sources has been time-consuming. Therefore, the time limit set for the completion of the project could not be adhered to strictly. The other limitation that the research faced was in getting the correct information from the respondents. The level and degree of awareness of the respondents on the chosen topic of SOX really posed a limitation to the study. The topic is slightly technical could not be understood in all its perspectives by the respondents, and this could have vitiated the results of the study to some extent. Besides this, complexity in the data collecting system may be considered as one other limitation of the study. Multifaceted questions and difficult language was an obstacle to getting the proper records. However, easy and understandable language has been used to extract information from the respondents.

Recommendations

Since the provisions of SOX in respect of the responsibilities of the senior executives of the corporation in the matter of financial reporting are clear and mandatory, it becomes necessary that they need to have complete confidence in the integrity of the financial systems and the data security. Assurance regarding the integrity of financial data and security thereof is achieved by installing a combination of procedures and internal controls that are interfaced with each other using an effective and efficient IT system. However, it becomes essential that such a system ensures

1. There are proper authorizations for entering and recording financial transactions by different users, and they also record the relevant authorizations.
2. There are systems to ensure that the data are not tampered with using authorized or unauthorized means.
3. There are systems to ensure that the interchange of data is completely monitored to prevent any unauthorized alterations or changes.

Thus the internal controls call for a sound data security policy and measures to be implemented at the perimeter level as well as at the application level. Although the data stored in the financial systems is of primary importance, the sub-systems like the purchasing and payroll interfaces with the financial systems should also be looked into for any loopholes.

A periodic review and assessment of these interfaces would go a long way in ensuring data integrity, and this is an essential phenomenon in maintaining a tighter control on the internal control systems.

In addition, it is for the IT managers to ensure that the systems they select to take into account the complete business requirements in the context of internal control systems and procedures required to ensure accuracy and timeliness of various reports that go in the construction of the final reporting for the purpose of SOX compliance. There should be a proper evaluation procedure of the different software and hardware products before making any purchasing decisions. It is also necessary that a proper working contract with the vendors is entered into so that any modifications in the systems or hardware to meet a renewed requirement can be had without incurring additional cost.

It is advisable the organization forms a SOX compliance team consisting of executives from the finance and IT department. This team should be strong enough to gather and present the required information accurately and in a timely manner. The technical expertise and business knowledge of the IT department executives at all levels should be properly tested before forming a team that meets the compliance requirements of SOX.

Bibliography

AICPA ‘Sarbanes – Oxley – The Basics’. Web.

Bogdan, R. C., & Biklen, S. K. (1982) Qualitative research for education: An introduction to theory and methods. Boston: Allyn and Bacon, Inc.

Brazelton, Julia K. and Ammons, Janice L. Enron and Beyond. CCH Tax and Accounting, 2002.

Carpenter M. Gina. Good Corporate Governance: Responding to Today’s New Business Environment. Management Quarterly, Vol. 45, 2004.

Creswell, J. (1994) ‘Research Design: Quantitative & Qualitative Approaches’, Sage Publications, Thousand Oaks, CA p 8-22.

Denzin, Norman K. & Lincoln, Yvonna S. (1994) ‘Introduction: Entering the Field of Qualitative Research’ in Norman K Denzin & Yvonna S Lincoln (Eds.) Handbook of Qualitative Research, Thousand Oaks, CA, New Delhi, London: Sage Publications.

Eisner, E. W. (1991). The enlightened eye: Qualitative inquiry and the enhancement of educational practice. New York, NY: Macmillan Publishing Company.

Fink, A. (1995). ‘How to ask survey questions’ Thousand Oaks, CA: SAGE Publications. p 91.

Henry N. Butler and Larry E. Ribestein ‘The Sarbanes – Oxley Debacle: What We’ve Learned; How to Fix it’ AEI Press Washington.

Hugh Taylor (2006) ‘Managing SOX in the Age of SOA’. Web.

Johnson, S. D. (1995). Will our research hold up under scrutiny? Journal of Industrial Teacher Education, 32(3), 3-6.

Lincoln, Y. S., & Guba, E. G. (1985) Naturalistic inquiry Beverly Hills, CA: Sage Publications, Inc.

McAlevey, Michael R. Understanding the Sarbanes-Oxley Act of 2002, Practising Law Institute. 2002.

Meyer, Jon’a F. (1998) ‘Early Steps in Research’ Research Methods Tutorial. Web.

Myers, M. D (1997) ‘Qualitative Research in Information Systems’ MIS Quarterly, 21(2),  241-242.

Neumann, Iver. (2002) “Returning Practice to the Linguistic Turn: The Case of Diplomacy.” Millennium 31 p 627 – 652.

Nortel Networks (n.d.) Web.

Nortel Networks Corporation, UNITED STATES SECURITIES AND EXCHANGE COMMISSION, Washington, D.C. 20549 2005. Web.

Patton, M. Q. (1990). Qualitative Evaluation and Research Methods (2nd ed.). Newbury Park, CA: Sage Publications, Inc.

RODIN ‘Do you Trust your Data Enough to Risk your Neck’. Web.

Sox and Controls. Web.

Stake, R. E. (1978, February) The case study method in social inquiry. Educational Researcher, 7(2), 5-8.

Stallings, W. M. (1995, April) Confessions of a quantitative educational researcher trying to teach qualitative research Educational Researcher, 24(3), 31-32

Stephen Kost ‘DBA Guide to Understanding Sarbanes – Oxley Integrigy Corporation.

Strauss, A., & Corbin, J. (1990) Basics of qualitative research: Grounded theory procedures and techniques. Newbury Park, CA: Sage Publications, Inc.

Tamaney (2002) Mc. THE SARBANES-OXLEY ACT OF 2002: WILL IT PREVENT FUTURE “ENRONS?” Washington Legal Foundation Vol. 17 No. 32 9 Aug 2002.

White, B. (2000). ‘Dissertation skills for Business and management students’ Cassell London p 25.

Wu, H. Frederick., and Lin, Hsieu Heng. (March 2006). Limitations of Section 404 of the Sarbanes-Oxley Act The CPA Journal New York p.48.

Appendix 1 – Questionnaire

Survey on “SOX” Effectiveness Measurement

General Demographic Information

1. Age Group:

1. 1. 18 – 25 years
   2. 26 – 35 years
   3. 36 – 40 years
   4. Above 41 years

2. Gender:

1. 1. Male
   2. Female

3. Education Level:

1. 1. Secondary
   2. Degree
   3. Master’s Degree
   4. Professional

4. Employment Period with the Company:

1. 1. 1-5 years
   2. 6-10 years
   3. 11-15 years
   4. Over 15 years

5. What department are you in?

1. 1. Finance department
   2. Sales and marketing
   3. IT department
   4. Human resources
   5. Other

6. Level with the company:

1. 1. Lower level
   2. Middle level
   3. Senior level

Questions on SOX

7. Awareness of SOX:

Have you fully understood the implications of SOX?

1. 1. Yes
   2. No

Did the company held any workshop while implementing SOX?

1. 1. Yes
   2. No

8. Impact on the Organizational Functions:

Do you prefer SOX?

1. 1. Yes
   2. No

Are you satisfied with SOX implementation in the company?

1. 1. Yes
   2. No

9. What is the impact about SOX 2002 within the company?

What according to you is the most important impact on the company after the implementation of SOX? Please rank your choice on a scale of 1 to 5 where 5 indicates ‘strongly agree’ and 1 indicates ‘strongly disagree’

1. Understand code of ethics
2. Rebuilt the confidentially of investors
3. Improving the profitability
4. Detection and prevention of frauds
5. Enhance financial disclosures
6. Compliance with laws and regulations
7. Arose the employee morale
8. Awareness of internal control

Which of the following activities within the company has impressed you after the implementation of SOX?

1. Changes in internal policies
2. Increased scope of internal audit
3. Prevention of frauds on financial statements
4. The series of ‘laid off’ after the scandal
5. Change in the ‘free’ sell of stock-option policy

10. Impact the most of SOX while implementation

Which department in your opinion has more impact and pressure on the implementation aspects of SOX? Please rank your choice on a scale of 1 to 5 where 5 indicates ‘strongly agree’ and 1 indicates ‘strongly disagree’

1. Finance department
2. IT department
3. Sales and marketing
4. Human resources
5. Others: please indicate

11. Resources needed to enhance SOX within the company

What according to you is an important step the company has to take for improving the resources necessary to enhance the compliance with SOX? Please rank your choice on a scale of 1 to 5 where 5 indicates ‘strongly agree’ and 1 indicates ‘strongly disagree’

• Hire more experienced staff
• Enhance the current system
• Need more workshop while implement SOX
• Others: please indicate

If you have any comment on SOX implementation with the company, please use below to fill out.

The author is conducting a study on SOX Effectiveness Measurement of our company. The findings of the study will enable the author as well as accounting practitioner to identify the various aspects of SOX purpose and its effectiveness. Your participation is extremely important to assess the general issues related to Sarbanes Oxley act 2002. The answer will be used for academic purpose only. All information you provide will be kept strictly confidential.

Footnotes

1. AICPA ‘Sarbanes – Oxley – The Basics’ Web.
2. Henry N. Butler and Larry E. Ribestein ‘The Sarbanes – Oxley Debacle: What We’ve Learned; How to Fix it’AEI Press Washington.
3. Sox and Controls Web.
4. Brazelton, Julia K. and Ammons, Janice L. Enron and Beyond. CCH Tax and Accounting, 2002.
5. Stephen Kost ‘DBA Guide to Understanding Sarbanes – Oxley Integrigy Corporation.
6. Carpenter M. Gina. Good Corporate Governance: Responding to Today’s New Business Environment. Management Quarterly, Vol. 45, 2004.
7. Tamaney (2002) Mc. THE SARBANES-OXLEY ACT OF 2002: WILL IT PREVENT FUTURE “ENRONS?” Washington Legal Foundation Vol. 17 No. 32.
8. McAlevey, Michael R. Understanding the Sarbanes-Oxley Act of 2002, Practising Law Institute. 2002.
9. Hugh Taylor (2006) ‘Managing SOX in the Age of SOA’ Web.
10. RODIN ‘Do you Trust your Data Enough to Risk your Neck’ Web.
11. Johnson, S. D. (1995). Will our research hold up under scrutiny? Journal of Industrial Teacher Education, 32(3), 3-6.
12. ibid.
13. Creswell, J. (1994) ‘Research Design: Quantitative & Qualitative Approaches’, Sage Publications, Thousand Oaks, CA p 8-22.
14. Denzin, Norman K. & Lincoln, Yvonna S. (1994) ‘Introduction: Entering the Field of Qualitative Research’ in Norman K Denzin & Yvonna S Lincoln (Eds.) Handbook of Qualitative Research, Thousand Oaks, CA, New Delhi, London: Sage Publications.
15. Stallings, W. M. (1995) Confessions of a quantitative educational researcher trying to teach qualitative research Educational Researcher, 24(3), 31-32
16. Bogdan, R. C., & Biklen, S. K. (1982) Qualitative research for education: An introduction to theory and methods. Boston: Allyn and Bacon, Inc.
17. Lincoln, Y. S., & Guba, E. G. (1985) Naturalistic inquiry Beverly Hills, CA: Sage Publications, Inc.
18. Patton, M. Q. (1990). Qualitative Evaluation and Research Methods (2nd ed.). Newbury Park, CA: Sage Publications, Inc.
19. Eisner, E. W. (1991). The enlightened eye: Qualitative inquiry and the enhancement of educational practice. New York, NY: Macmillan Publishing Company.
20. Strauss, A., & Corbin, J. (1990) Basics of qualitative research: Grounded theory procedures and techniques. Newbury Park, CA: Sage Publications, Inc.
21. Stake, R. E. (1978) The case study method in social inquiry. Educational Researcher, 7(2), 5-8.
22. Myers, M. D (1997) ‘Qualitative Research in Information Systems’ MIS Quarterly, 21(2), (1997) 241-242
23. Meyer, Jon’a F. (1998) ‘Early Steps in Research’ Research Methods Tutorial Web.
24. Neumann, Iver. (2002) “Returning Practice to the Linguistic Turn: The Case of Diplomacy.” Millennium 31 p 627 – 652.
25. Fink, A. (1995). ‘How to ask survey questions’ Thousand Oaks, CA: SAGE Publications. p 91.
26. Nortel Networks. (n.d.). Web.
27. Wu, H. Frederick., and Lin, Hsieu Heng. (2006). Limitations of Section 404 of the Sarbanes-Oxley Act The CPA Journal New York p.48.
28. Nortel Networks Corporation, UNITED STATES SECURITIES AND EXCHANGE COMMISSION, Washington, DC 20549 2005  Web.