Sarbanes-Oxley (SOX): A Simple Guide
Sarbanes-Oxley compliance is a crucial responsibility of all public companies. The legislation has been in place since 2002, so many companies are well versed in the best ways to adhere to its guidelines. However, certain aspects of SOX compliance still consume significant time and money for US-listed companies.
In essence, the Sarbanes-Oxley Act is a set of guidelines designed to rid the corporate world of fraud, and improve accountability and corporate governance. Let’s take a closer look at this key part of US legislation, and what it means for businesses today.
What is the Sarbanes–Oxley (SOX) Act of 2002?
The Sarbanes-Oxley Act is a piece of legislation which came into force in 2002. The act was passed by the United States Congress, in order to provide crucial protection for shareholders and members of the public, from fraud and significant accounting errors. The act was also designed to improve visibility on corporate disclosures, and avoid inaccuracies.
As a result of the Sarbanes-Oxley Act, companies are required to adhere to strict regulations, and SOX compliance deadlines. There are set guidelines on the rules of compliance, ensuring that companies are always fully accountable for their actions.
Sarbanes-Oxley requirements focus on four main areas:
- Corporate responsibility
- Increased criminal punishment
- Accounting regulation
- New protections
The Sarbanes-Oxley Act takes its name from the two members of the US Congress who sponsored it: Paul Sarbanes and Michael Oxley. The pair drafted the act in response to several high-profile fraud and criminal accounting cases, such as WorldCom and Enron. Their goal was to ensure that similar cases could never happen again, by drastically improving accountability.
Since 2002, SOX compliance has been a key responsibility of all public companies, in particular public accounting organizations and management companies. There are also some parts of the Act which must be adhered to by private companies.
In order to fully comply with Sarbanes-Oxley legislation, there are both financial and digital requirements which businesses must take note of. One of the main areas of SOX regulation that companies need to be aware of relates to the storage of information.
SOX legislation does not determine how businesses keep records, nor does it give strict guidelines on the best business practices to use. However, it does set out rules on the types of information that should be kept, and how long this information needs to be kept for. For example, businesses are required to keep electronic records and messages for a minimum of five years. If businesses fail to do this, fines can be enforced. Severe cases can even result in prison sentences.
In order to ensure your business meets all SOX requirements, it’s a good idea to make use of a compliance checklist, which brings together all the rules and regulations from Sections 302 and 404 of the act.
Sections 302 and 404 of SOX
The SOX Act of 2002 has been a fundamental driving force in ensuring accountability across public companies. Two of its key provisions, known as Section 302 and Section 404, have been crucial to its importance to date.
Section 302: This mandate covers a collection of safeguards designed to ensure that senior members of a company’s leadership team formally certify the accuracy of financial reports. The section itself includes safeguards for the prevention of data tampering, safeguards on establishing timelines, verifiable controls on data access, and recommended operational safeguards. In addition, this section also covers reporting on the effectiveness of such safeguards, and the detection of potential security breaches.
Section 404: This section requires the implementation of internal controls and reporting methods by both management and auditors. It is costly to comply with, because the internal controls it requires are expensive to establish and maintain. These controls cover the disclosure of security safeguards to approved SOX auditors, as well as the disclosure of any possible security breaches and failures to those auditors.
Recordkeeping is the main focus of Section 802 of the Act. It covers the keeping of records in three distinct ways. Firstly, SOX gives set guidelines on the destruction of records, and the detection of false records. Secondly, SOX sets out the timeline for keeping records. Thirdly, Sarbanes-Oxley gives businesses rules on which records they need to keep. This section also pays particular attention to electronic messages, and the correct ways of storing these.
SOX and spreadsheet risk
Despite the growing importance of increasingly complex corporate IT systems, the use of spreadsheets in businesses is still widespread. So, SOX compliance guidelines must be kept in mind when it comes to managing such spreadsheet estates. There are significant risks associated with not managing spreadsheets effectively, due to their inherent flexibility. The fact that many spreadsheets are also linked to different data sources and other spreadsheets means that spreadsheet risk is a factor that businesses cannot ignore.
Steps to meeting Sarbanes-Oxley requirements
- Establish a plan: make sure there is complete clarity about what information needs to be reported when. Develop short term goals for the current year as well as long term goals to match the evolution of the organization.
- Choose one or more frameworks to support compliance: several organizations have created frameworks and models to use when developing internal SOX controls and compliance, such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO), Control Objectives for Information and Related Technologies (COBIT) and the Information Technology Governance Institute (ITGI).
- Conduct a Sarbanes-Oxley risk assessment: insight into which processes are relevant for compliance and where potential risks may arise is critical when developing a comprehensive compliance plan.
- Assess entity-level controls: establish which controls are in place and in which divisions.
- Document processes: any processes relevant to SOX need to be documented so that responsibility as well as information is clear. Controls that protect against fraud or other risks need to be clarified as well.
- IT controls: data security should always be high on the priority list, and maintaining this security is critical to the Sarbanes-Oxley risk assessment and to compliance.
- Evaluate third-party providers: it is your organization’s responsibility to have adequate controls in place to protect your financial information; this includes thorough evaluation of any third-party vendors you use.
- Internal controls testing: key controls should be tested regularly to ensure they are meeting the requirements for SOX.
- Evaluate any deficiencies: when deficiencies are noted during testing they need to be evaluated to establish whether they are significant. Any deficiencies that have a material effect on the organization will need to be reported.
- Communication of results: senior management and the audit committee should receive updates on the status of internal compliance and controls.