In 2002, Congress passed the Sarbanes-Oxley Act (SOX) in response to the major corporate accounting scandals of the time at companies such as Enron and WorldCom (neither of which survived those scandals). The act, which also created the Public Company Accounting Oversight Board (PCAOB) to oversee the auditors of public companies, was intended to deter corporate fraud, improve financial disclosures, and protect both investors and whistleblowers. Among its best-known provisions, SOX requires CEOs and CFOs to personally certify their companies' financial reports, with civil and criminal penalties for certifying reports they know to be false.
Now in its fifteenth year, SOX is credited by many organizations with improving their internal control over financial reporting (ICFR), though the cost of staying compliant continues to rise.
For those who will need to go through a SOX compliance audit, here is an idea of what can be expected to take place.
Before the Audit Begins
Before a SOX audit can begin, the company must engage an independent external auditor, one with no ties to the company, so that the audit is impartial. Expect to spend some time researching accounting firms to find the one that fits your organization. If you are wondering whether a SOX audit applies to your company, according to Sarbanes-Oxley 101 it applies to:
- All publicly-traded companies in the United States
- Private companies that are preparing for their initial public offering (IPO)
- All publicly-traded non-US companies doing business in the US
- Wholly-owned subsidiaries of the companies above
As you can see, a SOX compliance audit applies to both public and private companies (despite the common belief that it only concerns public ones), regardless of size.
You may have gone through a PCI DSS compliance audit in the past, in which the handling of your customers' credit and debit card data was evaluated. Unlike PCI DSS, which is a contractual standard imposed by the card brands, SOX is federal law, and the audit it requires is a legal obligation. A SOX audit examines the IT systems that financial data passes through and tests whether the reported figures are free of material misstatement. The act itself sets no numeric threshold: materiality is a judgment the auditor makes. A rule of thumb of roughly 5% (of pre-tax income, for example) is sometimes used as a starting point, but SEC staff guidance (Staff Accounting Bulletin No. 99) is explicit that a percentage alone does not settle the question, so a variance the auditor judges material will set off warning bells whatever its size.
What it Entails
Once an organization has engaged an independent auditor, the next step is usually a planning meeting between management and the audit firm to settle the specifics: when the audit will take place, what it will cover, what management expects to see from it, and so on. Auditors may also interview staff to verify that job functions match job descriptions and that employees in those roles have received the training needed to keep financial systems and data secure.
Audit of internal controls
The largest component of a SOX compliance audit is the assessment of internal controls required by Section 404. On the IT side, the controls the auditor tests (often called IT general controls) are commonly grouped into four categories that between them cover every system handling financial data:
Access: the physical and electronic controls that keep users without proper authorization from reaching sensitive information. Keeping servers and data centers in secured locations, enforcing strong passwords, and locking idle screens all fall into this category, as does removing access promptly when people change roles or leave.
Security: the controls on the computers, network hardware, and other devices that financial data passes through, put in place to prevent breaches, together with the ability to detect and remediate problems when they occur.
Change Management: how new users are provisioned, how systems are patched, and how software is installed or databases altered. Every such change must be recorded, including what changed, when it changed, and which user made the change, so that any alteration to financial data can be traced back to a person.
Backup Procedure: sensitive financial data must be backed up, including data held by third parties and data stored off-site, and the backups must be shown to be restorable (a backup that has never been tested is not much of a control).
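The change-management item above asks that every change to financial data be recorded with what changed, when, and by whom. The following is an added example, not code from the original article, showing one way to enforce that at the database layer: SQLite triggers write every insert, update and delete on a ledger table into an append-only audit table, refuse any change for which no application user has been declared, and refuse any attempt to rewrite the audit table itself. The table names, the `audit_session` mechanism and the sample ledger entries are constructed for illustration; a real deployment would use the equivalent session variables and triggers of its own database.

```python
import sqlite3
from typing import Optional

# Constructed schema (illustrative, not from the article).
SCHEMA = """
CREATE TABLE ledger (
    entry_id INTEGER PRIMARY KEY,
    account  TEXT NOT NULL,
    amount   REAL NOT NULL,
    memo     TEXT
);
-- Who is acting through this connection. The database login is usually
-- shared by the whole application, so it is not a useful identity on its own.
CREATE TABLE audit_session (user TEXT NOT NULL);
CREATE TABLE ledger_audit (
    audit_id   INTEGER PRIMARY KEY,
    entry_id   INTEGER NOT NULL,
    action     TEXT NOT NULL,   -- INSERT, UPDATE or DELETE
    changed_by TEXT NOT NULL,   -- NOT NULL: a change with no known user is refused
    changed_at TEXT NOT NULL,   -- UTC timestamp
    old_amount REAL,
    new_amount REAL
);
-- Triggers fire on every write path, so a change made from a database console
-- rather than through the application is recorded all the same. If
-- audit_session is empty the subselect yields NULL, the NOT NULL constraint
-- fails, and SQLite aborts the statement that fired the trigger, so the
-- ledger row is left untouched.
CREATE TRIGGER ledger_ins AFTER INSERT ON ledger BEGIN
    INSERT INTO ledger_audit (entry_id, action, changed_by, changed_at, old_amount, new_amount)
    VALUES (NEW.entry_id, 'INSERT', (SELECT user FROM audit_session),
            strftime('%Y-%m-%dT%H:%M:%SZ', 'now'), NULL, NEW.amount);
END;
CREATE TRIGGER ledger_upd AFTER UPDATE ON ledger BEGIN
    INSERT INTO ledger_audit (entry_id, action, changed_by, changed_at, old_amount, new_amount)
    VALUES (NEW.entry_id, 'UPDATE', (SELECT user FROM audit_session),
            strftime('%Y-%m-%dT%H:%M:%SZ', 'now'), OLD.amount, NEW.amount);
END;
CREATE TRIGGER ledger_del AFTER DELETE ON ledger BEGIN
    INSERT INTO ledger_audit (entry_id, action, changed_by, changed_at, old_amount, new_amount)
    VALUES (OLD.entry_id, 'DELETE', (SELECT user FROM audit_session),
            strftime('%Y-%m-%dT%H:%M:%SZ', 'now'), OLD.amount, NULL);
END;
-- The trail is append-only: history cannot be rewritten through this connection.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON ledger_audit BEGIN
    SELECT RAISE(ABORT, 'ledger_audit is append-only');
END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON ledger_audit BEGIN
    SELECT RAISE(ABORT, 'ledger_audit is append-only');
END;
"""


def open_ledger() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def set_audit_user(conn: sqlite3.Connection, user: Optional[str]) -> None:
    """Declare who is acting through this connection; None clears it."""
    conn.execute("DELETE FROM audit_session")
    if user is not None:
        conn.execute("INSERT INTO audit_session (user) VALUES (?)", (user,))


def post_entry(conn, account: str, amount: float, memo: Optional[str] = None) -> int:
    cur = conn.execute("INSERT INTO ledger (account, amount, memo) VALUES (?, ?, ?)",
                       (account, amount, memo))
    return cur.lastrowid


def adjust_entry(conn, entry_id: int, new_amount: float) -> None:
    conn.execute("UPDATE ledger SET amount = ? WHERE entry_id = ?", (new_amount, entry_id))


def entry_amount(conn, entry_id: int) -> float:
    return conn.execute("SELECT amount FROM ledger WHERE entry_id = ?", (entry_id,)).fetchone()[0]


def audit_trail(conn, entry_id: int) -> list:
    """(action, changed_by, old_amount, new_amount) rows, oldest first."""
    return conn.execute("SELECT action, changed_by, old_amount, new_amount FROM ledger_audit "
                        "WHERE entry_id = ? ORDER BY audit_id", (entry_id,)).fetchall()


def demo() -> dict:
    conn = open_ledger()
    set_audit_user(conn, "alice")
    eid = post_entry(conn, "4000-revenue", 1250.00, "invoice 1001 (constructed sample)")
    set_audit_user(conn, "bob")
    adjust_entry(conn, eid, 1520.00)

    set_audit_user(conn, None)        # e.g. a raw DB console with no application user
    try:
        adjust_entry(conn, eid, 0.0)  # must be refused: nobody to attribute it to
        unattributed_refused = False
    except sqlite3.DatabaseError:
        unattributed_refused = True

    set_audit_user(conn, "bob")
    try:
        conn.execute("DELETE FROM ledger_audit")  # must be refused: trail is append-only
        tamper_refused = False
    except sqlite3.DatabaseError:
        tamper_refused = True

    return {"trail": audit_trail(conn, eid), "final_amount": entry_amount(conn, eid),
            "unattributed_refused": unattributed_refused, "tamper_refused": tamper_refused}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run directly, `demo()` shows the two attributed changes in the trail, the ledger amount still at 1520.00 after the refused unattributed update, and both refusals. The point worth carrying into an audit is that `changed_by` comes from the application's own notion of the user, declared per session, because the database login is normally shared and tells the auditor nothing about who acted.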
Knowing what to expect from an auditor may help the process of SOX compliance run smoothly.
The Sarbanes-Oxley Act encompasses many different portions regarding corporate responsibility. The entire act is 66 pages, but a few sections deserve particular attention from a business preparing for an upcoming SOX compliance audit. Here are the main ones, so that the whole act need not feel overwhelming:
Section 302: Corporate Responsibility for Financial Reports
This section makes the CEO and CFO personally responsible for the accuracy of every financial report. Each must sign a certification stating that they are responsible for establishing and maintaining disclosure controls and procedures, that they have evaluated the effectiveness of those controls, and that they have disclosed any significant changes in internal controls that occurred during the reporting period.
Section 401: Disclosures in Periodic Reports
This section has two main parts. The first requires that financial statements in periodic reports be prepared in accordance with generally accepted accounting principles and reflect all material correcting adjustments identified by the auditor. The second requires companies to disclose material off-balance sheet transactions and arrangements, so that obligations kept off the balance sheet (the mechanism at the heart of the Enron collapse) are visible to investors.
Section 404: Management Assessment of Internal Controls
SOX 404 is the most costly section of the Sarbanes-Oxley Act to comply with. It requires management to assess and report on the effectiveness of the company's internal control over financial reporting, and the external auditor to attest to that assessment. The resulting internal control report is filed as part of the company's annual report under the Securities Exchange Act.
The aforementioned sections are merely the main ones of Sarbanes-Oxley. The act also includes sections such as Section 409: Real-Time Issuer Disclosures, Section 806: Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud, and Section 906: Corporate Responsibility for Financial Reports. The Sarbanes-Oxley Act in full is available to the public for further information on the individual sections it covers.
The Sarbanes-Oxley Act of 2002 has affected many companies over the last 15 years, and it has changed the accounting industry and the way financial records are kept. Many companies have come to regard it as useful. Now that you know what a SOX audit involves, you can begin to prepare by reviewing your current controls and the IT security software that supports them.
August 30, 2017