In 2002, the Public Company Accounting Oversight Board (PCAOB) created the Sarbanes-Oxley Act (SOX) due to major corporate scandals at the time involving companies such as Enron and WorldCom (neither of which exist any longer as a result of said scandals). Passed by Congress with hopes of deterring corporate fraud, improving financial disclosures, and protecting both investors and whistleblowers, SOX holds CEOs personally responsible for any errors made in accounting audits.
Now in its twenty-first year, many organizations believe the compliance work has improved their internal control financial reporting (ICFR), though the cost of being SOX compliant continues to rise.
For those who will need to go through a SOX compliance audit, here is an idea of what can be expected to take place.
Who Needs to be SOX Compliant?
If you are wondering if a SOX audit is necessary for your company, the audit is applicable to the following, according to Sarbanes-Oxley 101:
- All publicly-traded companies in the United States
- Private companies that are preparing for their initial public offering (IPO)
- All publicly-traded non-US companies doing business in the US
- All wholly-owned subsidiaries
As you can see, a SOX compliance audit is applicable to both public and private companies (despite the rumors of it only being for the public) regardless of size.
Before the Audit Begins
Before a SOX audit can begin, it is the company’s responsibility to hire an independent auditor—separate from the client company. This ensures the audit will be impartial. You can expect to do some research into accounting firms to find which one works best for you.
You may have gone through a PCI compliance audit where the security of your clients' or consumers’ credit and debit card information was evaluated. Unlike a PCI compliance audit, a SOX audit is required by federal law. SOX analyzes IT areas of your business and verifies that financial data is accurate within a 5% variance. Anything more than 5% can cause warning bells to go off for the auditor.
What it Entails
Once an organization has hired an independent auditor, the next step usually involves a meeting between management and the auditing firm. The specifics of the audit should be discussed, such as when the audit will take place, what results management expects to see, what will be looked into, etc. Auditors may also interview staff to verify job functions match job descriptions and ensure those employees within job functions have received the proper training necessary for keeping financial assets secure.
Audit of internal controls
The largest component of a SOX compliance audit, Section 404 concerns the Assessment of Internal Controls. The Assessment of Internal Controls covers four major categories encompassing all of a company's IT assets:
Access: This is in reference to the physical and electronic controls that prevent users without the proper credentials to have access to sensitive information. Servers and data centers being kept in secure locations, strong passwords, and lockout screens also fall into this category.
Security: Security means that proper controls (such as computers, network hardware, and other devices that financial data goes through) are in place to prevent breaches as well as, have the ability to fix issues should they occur.
Change Management: Your process for new users and computer updates falls into this category. This also means any new software installed and changes to databases are recorded, including when they changed and who the user was who made the changes.
Backup Procedure: There must be a backup of sensitive data. This includes data from third parties and data stored off-site.
Knowing what to expect from an auditor may help the process of SOX compliance run smoothly.
The Sarbanes-Oxley Act encompasses many different portions regarding corporate responsibility. The entire act is 66 pages, but there are a few sections that should be highlighted for a business to understand and be prepared for an upcoming SOX compliance audit. Here are a few of the main sections so as to not feel overwhelmed with the entirety of the act:
Section 302: Corporate Responsibility for Financial Reports
This section covers the responsibility the CEO and CFO have for accurate documentation of all financial reports. It focuses on the Disclosure Control and Procedures that the CEO and CFO must sign to certify that they are personally responsible for establishing and maintaining disclosure controls and procedures and identified any changes in internal controls that occurred.
Section 401: Disclosures in Periodic Reports
This is a two-part section. In summary, it states that disclosures in public financial reports must be prepared in accordance with accounting standards. The second part affirms that companies must keep a report of off-balance sheet disclosures to ensure they are meeting said accounting standards.
Section 404: Management Assessment of Internal Controls
SOX 404 is the most costly of the Sarbanes-Oxley Act. It requires management as well as the auditor to report the accuracy and adequacy of the company’s internal controls on financial reporting. It states the company must have an internal control report as part of the Exchange Act report.
The aforementioned sections are merely the main ones of Sarbanes-Oxley. The act also includes sections such as Section 409: Real-Time Issuer Disclosures, Section 806: Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud, and Section 906: Corporate Responsibility for Financial Reports. The Sarbanes-Oxley Act in full is available to the public for further information on the individual sections it covers.
Set Yourself Up for Success: SOX Audit Checklist
Now that you know what to expect during a SOX compliance audit, you may be wondering, “What are my next steps?” Sarbanes-Oxley 101 provides these 9 key steps to follow to ensure you’re prepared for your next audit:
- Establish safeguards to prevent data tampering (Section 302.2)
- Establish safeguards to establish timelines (Section 302.3)
- Establish verifiable controls to track data access (Section 302.4.B)
- Ensure that safeguards are operational (Section 302.4 C)
- Periodically report the effectiveness of safeguards (Section 302.4.D)
- Detect security breaches (Section 302.5.A/B)
- Disclose security safeguards to SOX auditors (Section 404.A.1.1)
- Disclose security breaches to SOX auditors (Section 404.A.2)
- Disclose failures of security safeguards to SOX auditors (Section 404.B)
The Sarbanes-Oxley Act of 2002 has affected many companies during the last few decades, as well as the accounting industry and the way financial records are kept. Many companies are on the side that it has been useful. Now that you know what to expect and what you’ll need for a SOX audit, you can begin to prepare and start reviewing your current methods and IT security software.
March 14, 2023