Revisiting Sarbanes-Oxley Compliance
The Sarbanes-Oxley Act (SOX) has brought major changes to the regulation of financial reporting and corporate governance practices. SOX was enacted in the wake of the Enron and WorldCom financial scandals to protect shareholders and other company stakeholders from corporate accounting errors and fraudulent financial practices. The Act covers a range of areas from corporate board and CEO responsibilities to independent auditing requirements, to enhanced financial transparency, and internal control assessment.
Enacted in July 2002, SOX is administered by the Securities and Exchange Commission, which sets strict deadlines for compliance. Penalties for non-compliance can include hefty fines, lengthy prison terms, or both. The Dodd-Frank Act, signed into law in July 2010, modified certain provisions of the Act to allow smaller public companies (i.e., companies with a market cap of less than $75 million) to opt out of full compliance with SOX.
While SOX requirements may seem burdensome, time-consuming and costly – especially when organizations are first developing systems and processes for assessment and compliance – the intent and basic tenets of the Act are sound. In fact, all companies – from small public companies granted relief under Dodd-Frank to private firms of any size and even non-profits – can benefit from compliance. SOX provides the framework needed to review operational and managerial processes, strengthen internal controls, improve record-keeping and financial reporting, and upgrade data management systems and security. Companies adhering to SOX requirements will achieve best-in-class governance structures and improve their operational effectiveness and efficiency in the long term.
The Sarbanes-Oxley Act is arranged into eleven titles. With regard to compliance, the key sections are 302, 401, 404, 409, 802, and 906.
Section 302 requires a company’s officers to certify that statutory financial reports fairly present the firm’s financial condition and results in all material respects with no material false or misleading statements or material omissions. The signing officers bear responsibility for internal controls, and organizations may not attempt to avoid the requirements by reincorporating or relocating.
Section 401 requires that published financial statements (including off-balance sheet liabilities or transactions) must be accurate and not omit any material information.
Section 404 requires issuers to disclose the scope, adequacy, and effectiveness of the firm’s internal control structure and financial reporting procedures in their annual reports.
Section 409 states that issuers must publicly and immediately disclose any material changes in their financial condition or operations.
Section 802 imposes penalties for actions such as altering, destroying, hiding or falsifying records, documents, or tangible objects with the intent of obstructing, impeding, or influencing a legal investigation.
Section 906 requires firms’ CEOs and CFOs to submit written certification statements along with the periodic financial reports.
The Sarbanes-Oxley Act impacts virtually all financial management and IT functions within public companies.
Financial Management and Control
Within the organization, the roles and responsibilities for SOX compliance should be clearly defined and delineated, including the roles of the CEO, CFO, CIO, and Corporate Secretary, as well as those of the internal audit, IT, treasury, and accounting teams.
Ongoing SOX compliance entails a regular dialogue among the company's executives and these groups. It is important to institute the concept of continuous auditing and ensure that accurate, reliable, up-to-date financial information is always accessible. The financial processes should be automated and linked, and the linked processes should be reviewed in the light of specified control parameters. Regular compliance meetings should be conducted where any issues related to SOX compliance can be addressed.
Other organizational stakeholders, including suppliers, contractors, partners, and employees, should be aware of compliance and control objectives and encouraged to participate in the process as appropriate.
SOX compliance calls for regular review and updating of all IT systems so that data administration issues such as capacity management, storage, security, and accessibility can be vetted. Policies for email retention and information security should be spelled out. User access controls and intrusion detection infrastructure should be updated regularly. Any new IT systems or modifications to existing systems should be analyzed for possible impacts on SOX compliance. IT systems and processes relating to compliance assessment and implementation should be tested and updated periodically.
Companies subject to SOX must – and all other companies should – be fully aware of SOX compliance requirements and fully document the systems that implement them in their processes. Documentary evidence needs to be maintained to prove that SOX compliance meetings are being held, that compliance progress is being tracked, and that any non-compliant areas are being addressed with plans for corrective action. There should be ongoing, documented training for the administration of the compliance audit program and for financial reporting and controls. In addition, there should be full documentation of all governance policies, including any and all changes to these policies.
By requiring written statements corroborating the financial reporting, the Sarbanes-Oxley Act places accountability for SOX compliance squarely on the shoulders of each organization’s executive managers. It is up to the management team to create a culture of transparency and quality governance and to ensure strict adherence to all requirements of the Act. Policies should ensure that corporate behavior is consistent, controlled, and provable, and should follow the letter of the law as reflected in disclosure controls and financial reporting.
An effective SOX compliance methodology begins with a thorough, fully documented analysis of all existing operational and managerial processes, including financial reporting and disclosure processes, auditing constructs, and information technology (IT) systems. This phase of documenting and analyzing the existing systems is often the most arduous. Here are strategies to ensure SOX compliance best practices:
SOX Task Force
Create an internal task force composed of key SOX stakeholders such as the CEO, CFO, CIO, COO, and the Corporate Secretary. To the extent that they are not represented by the previously mentioned executives, ensure there is also representation from groups such as internal audit, treasury, and accounting. The group should hold regular monthly meetings to address all aspects of SOX compliance, including recent developments, updates, new regulations, new reporting requirements, and identified problem areas.
Assessment, Gap Analysis and Corrective Action
Charge this task force with conducting a comprehensive assessment of operational and managerial processes, internal controls, record-keeping, reporting, information technology systems, and security. Identify gaps that exist and steps that need to be taken in order to achieve full compliance. Adopt a proactive stance moving forward to ensure that nothing is overlooked or left to chance.
Stay apprised of recent developments and ongoing SOX discussions. Online resources include the following:
Securities and Exchange Commission
The Institute of Internal Auditors
LinkedIn Group: SOX Professionals
LinkedIn Group: Sarbanes Oxley Compliance Professionals Association (SOXCPA)
Organizations that do not possess the internal capacity, expertise, or range of skills needed to assess their structures and remediate their processes often find SOX compliance outsourcing to be a cost-effective solution. With commercial SOX compliance software to automate the system review process and experienced financial professionals who have special training and expertise in SOX constructs, an outsource provider can often pinpoint where current processes are non-compliant and advise management on what changes are needed to meet control objectives.
Once these processes are in place, SOX compliance essentially becomes an ongoing review and updating process, as well as a continuing set of regular internal process improvement activities.

Arthur F. Rothberg, Managing Director, CFO Edge, LLC