All the way back in 2002, Congress passed the Sarbanes-Oxley Act (named for its sponsors, Maryland Sen. Paul Sarbanes and Ohio Rep. Michael Oxley, and hereafter SOX). You may remember a little corruption problem around that time involving big-name companies like Enron and WorldCom or, less famously, HealthSouth, Adelphia, Arthur Andersen, Tyco and Global Crossing.
SOX was the solution Congress came up with. It created the Public Company Accounting Oversight Board (PCAOB) to oversee the firms that audit public companies, with the aim of limiting the damage corporate financial scandals do to investors. It does this by mandating how financial records are kept and secured, by making CEOs and CFOs personally accountable for the figures in their company's filings and annual audit, and by placing all covered companies under one set of compliance rules.
This post is a brief introduction to the essential provisions of SOX. It explains which entities SOX applies to (there are many more than you might think), outlines the SOX auditing process and, finally, covers how companies can strengthen their SOX compliance framework by running secure and reliable software at every level.
What SOX Is and What It Does
The full text of SOX, as passed by Congress and implemented by the SEC and the PCAOB, runs to some 66 pages. Not to worry, however: only a few provisions apply broadly and are therefore essential for the C-suite, the legal team and the tech staff working on compliance to know.
Here’s an overview:
- Section 302: Corporate Responsibility for Financial Reports: This section makes CEOs and CFOs personally responsible for financial reporting. They must certify, in each periodic report, that they have reviewed it and that it contains no material misstatements; that they are responsible for establishing and maintaining internal controls and have evaluated their effectiveness; and that they have disclosed to the auditors any significant deficiencies, any fraud, and any significant changes in internal controls since the last evaluation.
- Section 401: Disclosures in Periodic Reports: This section requires that financial reports be prepared in accordance with accounting standards and presented in a way that neither contains incorrect statements nor omits material information, and that companies disclose all material off-balance-sheet transactions, arrangements and obligations.
- Section 404: Management Assessment of Internal Controls: This section, the costliest of the provisions of SOX to comply with, requires management to assess and report annually on the effectiveness of the company's internal controls over financial reporting, and requires the external auditor to attest to that assessment. The documentation and testing of controls that this entails is where most of the IT work lands. (The related duty to report material events promptly on Form 8-K, such as the departure of an officer or the termination of a material agreement, comes from Section 409, Real-Time Issuer Disclosures, not from Section 404.)
- Section 802: Criminal Penalties for Altering Documents: This section makes it a crime for anyone, not only executives, to knowingly destroy, alter or falsify records (paper or electronic) with intent to obstruct a federal investigation, punishable by fines and up to 20 years in prison. It also sets a retention period for audit records: the statute says "not less than" five years, and the SEC's implementing rule extended it to seven, which is the safe figure to plan for. It further outlines the types of records that need to be kept.
Entities covered by SOX compliance
The provisions of SOX outlined above apply directly to the following entities:
- All publicly traded companies in the United States;
- Private companies preparing for an IPO, which must be compliant by the time they register;
- Non-U.S. companies listed on a U.S. exchange or otherwise registered with the SEC;
- Wholly owned subsidiaries of any of the above, since their books are consolidated into the parent's reports; and
- The registered public accounting firms that audit these companies.
Although SOX was aimed primarily at the corporate giants, many smaller companies and even not-for-profit entities that most of its provisions don't directly apply to (the record-destruction and whistleblower-retaliation provisions, Sections 802 and 1107, apply to every organization) are finding that they have to adopt the same standards as the big guys in order to get insurance, attract investors and mitigate risk. For example, small companies that provide services to publicly traded entities are often required by those customers to provide documentation of their controls in the form of a service organization controls report (a SOC 1 report under SSAE 18, which replaced the older SAS 70 report).
The process of SOX compliance auditing
Before the SOX auditing process begins, it is the company's own responsibility to hire an independent auditor. "Independent" means separate in every way from the client company: under Section 201 the audit firm may not also provide prohibited non-audit services to the client, such as bookkeeping or designing and implementing the financial information systems it would then be auditing, and under Section 203 the lead audit partner must rotate off the engagement every five years. This is what makes the audit impartial. Your firm can expect to do some research into accounting firms to find which one works best for you.
The next step usually entails a meeting between management and the auditing firm. This meeting settles the specifics of the audit, including when it will take place, which entities, systems and books are in scope, and how evidence will be provided. Auditors also have the authority to interview staff, for example to verify that job descriptions match actual duties and that people handling financial data have been trained in the procedures that protect it.
The most intensive part of a SOX audit, covered under section 404, encompasses four major categories of a company’s IT assets:
- Access refers to the physical and logical controls that keep anyone without proper authorization away from financial data and the systems that process it: physically secured server rooms and data centers, unique accounts with strong authentication (ideally multifactor), screen lock-outs, least-privilege role assignments, and periodic access reviews that remove rights when people change roles or leave;
- Security involves ensuring that proper controls are in place on the servers, network devices and endpoints that financial data passes through, so that breaches are prevented and, when they do happen, detected: patching, hardening, logging and monitoring;
- Change management applies to the process for provisioning new users and changing or updating software, and to the records kept of it. Every change should be requested, approved by someone other than the person making it, tested, and recorded in an audit trail that shows who made which change, when, and under which approval;
- Backup refers to backup and recovery procedures that can actually restore financial data, including data held by third parties or stored offsite, with restores tested regularly rather than assumed to work.
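The change-management audit trail above is only useful to an auditor if it cannot be quietly edited after the fact, which is exactly what Section 802 penalizes. The following is an added example, not code from this post or from Blueprint OneWorld's platform, of a hash-chained audit trail in Python: each record's hash covers its own content plus the previous record's hash, so altering or deleting any earlier entry invalidates every hash after it. It also applies two checks an auditor will ask about, that every change references an approval ticket and that nobody approves their own change. The record fields, ticket identifiers, user names and sample entries are constructed for illustration and are not drawn from any real system.

```python
"""Tamper-evident change-management audit trail (added example; all names and
sample data are constructed for illustration)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

GENESIS = "0" * 64  # assumed fixed anchor for the first record's prev_hash


@dataclass(frozen=True)
class ChangeRecord:
    timestamp: str             # ISO-8601 UTC, when the change was made
    actor: str                 # who made the change
    action: str                # e.g. "user.create", "role.grant", "software.update"
    target: str                # what was changed
    ticket: Optional[str]      # approval ticket; None means the change was unapproved
    approver: Optional[str]    # who approved the ticket
    prev_hash: str             # entry_hash of the previous record (GENESIS for the first)
    entry_hash: str = ""       # SHA-256 over every field above, in canonical JSON


def _digest(fields: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the same content always hashes the same.
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_record(log: List[ChangeRecord], **fields) -> ChangeRecord:
    """Append a record whose hash chains to the last record already in the log."""
    prev_hash = log[-1].entry_hash if log else GENESIS
    body = dict(fields, prev_hash=prev_hash)
    rec = ChangeRecord(**body, entry_hash=_digest(body))
    log.append(rec)
    return rec


def verify_chain(log: List[ChangeRecord]) -> Optional[int]:
    """Return the index of the first record that fails verification, or None if the log is intact.

    A record fails if its content no longer matches its stored hash (edited in place)
    or if its prev_hash does not match the preceding record (a record was removed or reordered).
    """
    expected_prev = GENESIS
    for i, rec in enumerate(log):
        body = asdict(rec)
        stored_hash = body.pop("entry_hash")
        if body["prev_hash"] != expected_prev or _digest(body) != stored_hash:
            return i
        expected_prev = stored_hash
    return None


def control_findings(log: List[ChangeRecord]) -> List[str]:
    """Flag records that break the change-management controls an auditor will test."""
    findings = []
    for i, rec in enumerate(log):
        if not rec.ticket:
            findings.append(f"record {i}: {rec.action} on {rec.target} by {rec.actor} has no approval ticket")
        elif rec.approver == rec.actor:
            findings.append(f"record {i}: {rec.actor} approved their own change {rec.ticket}")
    return findings


def build_sample_log() -> List[ChangeRecord]:
    """Constructed sample entries: one clean change, one unapproved, one self-approved."""
    log: List[ChangeRecord] = []
    append_record(log, timestamp="2024-03-01T09:00:00Z", actor="alice", action="user.create",
                  target="ledger-db:jsmith", ticket="CHG-1001", approver="bob")
    append_record(log, timestamp="2024-03-01T09:05:00Z", actor="alice", action="role.grant",
                  target="ledger-db:jsmith:journal_post", ticket=None, approver=None)
    append_record(log, timestamp="2024-03-02T14:20:00Z", actor="carol", action="software.update",
                  target="gl-app:2.4.1", ticket="CHG-1002", approver="carol")
    return log


def tampered_copy(log: List[ChangeRecord]) -> List[ChangeRecord]:
    """Simulate an insider backfilling an approval onto a historical record in place."""
    tampered = list(log)
    edited = {**asdict(tampered[1]), "ticket": "CHG-9999", "approver": "bob"}
    tampered[1] = ChangeRecord(**edited)  # content changed, stored entry_hash left as it was
    return tampered


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact log verifies:", verify_chain(sample) is None)
    for finding in control_findings(sample):
        print("finding:", finding)
    print("tampered log breaks at record:", verify_chain(tampered_copy(sample)))
```

In a real deployment the chain head (the latest hash) would be written somewhere the people who can write the log cannot, such as a separate append-only store or a periodic signed checkpoint, so that an insider cannot simply rewrite the whole chain; the example shows only the integrity check itself.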
Leverage technology for SOX compliance audits
Software solutions to the problems of entity management, for compliance with SOX and other regulations, come in different shapes and sizes according to the organization's needs. Large organizations are trying less and less to reinvent the wheel, and are instead looking for cost-effective, outsourced platforms to handle entity management.
This includes, in particular, creating a single source of truth for the data. It goes by many names, but the data repository or vault is a single space, created by software and increasingly often hosted in the cloud, that holds the corporate data and documents for the many overlapping entities that make up a large organization. These repositories are indexed so as to be easily searchable, use group permissions to control who can read and edit what, and track who created and edited each item, which is the access and audit-trail evidence a SOX auditor will ask for.
The features and functionality discussed above, and much more, are available in Blueprint OneWorld's entity management platform as an elegant, effective and affordable solution. We hope to be your organization's entry point to Sarbanes-Oxley compliance, as well as to the numerous other tasks of continuous entity management. Please call or email us today to discuss how our platform can serve you.