With corporate governance becoming increasingly subject to stakeholder scrutiny, compliance with and deployment of a set of financial management standards has become mandatory for the board of directors of most organizations.
Scope And Deliverables
The Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or SarbOx; July 30, 2002) is a United States federal law passed in response to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, and WorldCom (now MCI).
These scandals resulted in a decline of public trust in accounting and reporting practices. Named after sponsors Senator Paul Sarbanes (D–Md.) and Representative Michael G. Oxley (R–Oh.), the Act was approved by the House by a vote of 423-3 and by the Senate 99-0.
The legislation is wide ranging and establishes new or enhanced standards for all U.S. public company Boards, Management, and public accounting firms. The Act contains 11 titles, or sections, ranging from additional Corporate Board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law.
The first and most important part of the Act establishes a new quasi-public agency, the Public Company Accounting Oversight Board, which is charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies.
The Act also covers issues such as auditor independence, corporate governance and enhanced financial disclosure. It is considered by some as one of the most significant changes to United States securities laws since the New Deal in the 1930s.
IT controls, IT audit, and SOX
The financial reporting processes of most organizations are driven by IT systems. Few companies manage their data manually and most companies rely on electronic management of data, documents, and key operational processes. Therefore, it is apparent that IT plays a vital role in internal control. As PCAOB’s “Auditing Standard 2” states:
Chief information officers are responsible for the security, accuracy and the reliability of the systems that manage and report the financial data. Systems such as ERP (Enterprise Resource Planning) are deeply integrated in the initiating, authorizing, processing, and reporting of financial data. As such, they are inextricably linked to the overall financial reporting process and need to be assessed, along with other important processes, for compliance with the Sarbanes-Oxley Act.
So, although the Act signals a fundamental change in business operations and financial reporting, and places responsibility in corporate financial reporting on the chief executive officer (CEO) and chief financial officer (CFO), the chief information officer (CIO) plays a significant role in the signoff of financial statements.
Under Sarbanes-Oxley, two separate certification sections came into effect – one civil and the other criminal. See 15 U.S.C. § 7241 (Section 302) (civil provision); 18 U.S.C. § 1350 (Section 906) (criminal provision).
Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are “responsible for establishing and maintaining internal controls” and “have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared.” 15 U.S.C. § 7241(a)(4). The officers must “have evaluated the effectiveness of the company’s internal controls as of a date within 90 days prior to the report” and “have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.”
Moreover, under Section 404 of the Act, management is required to produce an internal control report as part of each annual Exchange Act report. The report must affirm the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting. The report must also contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. To do this, managers are generally adopting an internal control framework such as that described in COSO.
Under both Section 302 and Section 404, Congress directed the SEC to promulgate regulations enforcing these provisions.
In addition, outside auditors for companies must, for the first time, attest to managers’ internal control assessment. This presents new challenges to businesses, specifically the documentation of control procedures related to information technology. The Public Company Accounting Oversight Board (PCAOB) has issued guidelines on how auditors should provide their attestations.
The Sarbanes-Oxley Act’s major provisions include:
- Creation of the Public Company Accounting Oversight Board (PCAOB)
- A requirement that public companies evaluate and disclose the effectiveness of their internal controls as they relate to financial reporting, and that independent auditors for such companies attest (i.e., agree, or qualify) to such disclosure
- Certification of financial reports by chief executive officers and chief financial officers
- Auditor independence, including outright bans on certain types of work for audit clients and pre-certification by the company’s Audit Committee of all other non-audit work
- A requirement that companies listed on stock exchanges have fully independent audit committees that oversee the relationship between the company and its auditor
- Ban on most personal loans to any executive officer or director
- Accelerated reporting of trades by insiders
- Prohibition on insider trades during pension fund blackout periods
- Additional disclosure
- Enhanced criminal and civil penalties for violations of securities law
- Significantly longer maximum jail sentences and larger fines for corporate executives who knowingly and willfully misstate financial statements, although maximum sentences are largely irrelevant because of the ability of judges to declare consecutive sentences under the Federal Sentencing Guidelines
What We Will Do
Overall Financial and IT Systems Business Risk Analysis
The first step in creating a SOX management system is to identify the high-risk elements of your business. SatiStar’s consultants will conduct FMEA-based risk analyses throughout your operations.
SatiStar will create SOX compliant policies and procedures and assemble these documents into a manual for your approval. Implementation of the SOX management system, as described by the manual, usually commences while the manual is still being created.
SOX Implementation Coaching and Support
The overall SOX management system implementation process takes about six to twelve months, but you can choose to implement the system at any pace that is comfortable. More rapid implementations have better success and produce much higher quality results. If you plan to extend the implementation time frame beyond twelve months, our experience is that it will be hard to maintain sufficient momentum and internal enthusiasm to keep the project viable and avoid considerable rework.
Once the new SOX system has been fully implemented, a qualified SatiStar audit team will conduct the audit, which will take between one and two weeks to complete. The audit itself will be documented in an audit binder that we will create on your behalf. Any corrective actions that are required will be written up by our auditor and placed within the audit binder. The auditor will then review with your SOX system representative exactly what each corrective action refers to, and will discuss detailed actions that will rapidly and effectively close out the corrective action request. Coaching will also be provided on how to respond to corrective action requests.
An essential component of any system is that your board of directors must periodically review the status of your SOX system. SatiStar will facilitate your management review meeting. We will create an agenda for this meeting that complies with the requirements of the standard, and ensure that it becomes an effective tool for action and improvement of your systems to manage financial security.
Your annual financial audit will provide another source of valuable insight on the overall effectiveness of your financial control systems.
We will ensure that your system is maintained and improved over time by conducting annual or semi-annual audits and participating in your management review meetings. Many of our clients have opted for a fully electronic deployment of their system, and we can help by implementing such systems.
What We Need You To Do
Although SatiStar does most of the technical work, ultimately it is up to the client to implement and “live” in the new SOX management system processes.
- Commit to the development of a SOX system.
- Provide us with access to key individuals, including the company legal and financial counsel.
- Authorize these individuals to provide us with the required information, including confidential files as needed.
- Assign a SOX system representative who will ensure that the management system processes are implemented and maintained.
- Provide a suitable space where we can conduct training, coaching, interviews and planning sessions.
- Provide defined software in a timely manner.
- Participate in the SOX aspects analysis, process flow diagramming, management review meeting and in the internal audit events.