Birth of the Sarbanes-Oxley Act
Well-known scams of the early 21st century, such as Enron and WorldCom, were based on malicious or fraudulent accounting practices such as inflating revenues, inadequate financial reporting and improper accounting entries. The companies engaged in these activities to hide their debts and inflate their stock values. When the scams were disclosed, shareholders lost billions of dollars as stock prices crashed. As a result, shareholders and investors started losing their trust in companies. The Sarbanes-Oxley (SOX) Act was enacted by the U.S. Congress in 2002 as a response to these scams. The SOX Act applies to all publicly traded companies in the US.
The SOX Act was commissioned to preserve investors’ confidence, prevent fraudulent accounting practices and improve the state of financial disclosures. The SOX Act is all about establishing accountability. With SOX, corporate accountability was enforced. Top management, such as the CEO and CFO, could no longer be indifferent to or ignorant of the financial issues of the organization. They were made accountable for the accuracy of the financial statements. SOX laid down criminal penalties for activities such as retaliation against whistleblowers, corporate fraud and altering documents. The SOX Act changed the face of corporate governance. It mandates that management include a report on internal controls along with its annual financial reporting.
The SOX Act is administered by the Securities and Exchange Commission (SEC). The Public Company Accounting Oversight Board (PCAOB) regulates audits and auditors of public companies. The PCAOB was institutionalized to protect investors’ interests and ensure that a company’s external auditors prepare independent, fair, unbiased reports.
Two key provisions of SOX
1. Section 302 – Corporate responsibility for financial reports
In Section 302, the higher management/signing officers, such as the CEO and CFO, certify that the financial statements of the company and all related disclosures are accurate and dependable, and that they fairly represent the financial condition of the company. The signing officers are responsible for designing, implementing and testing the effectiveness of internal controls over financial reporting (ICOFR).
2. Section 404 – Management Assessment of Internal Controls
This section contains a detailed report of internal controls over financial reporting. The report states the responsibility of management in developing and maintaining the necessary internal controls framework and procedures for financial reporting. It contains the assessment of the effectiveness of internal controls for the most recent fiscal year. The external auditor of the company is responsible for attesting to and reporting on the effectiveness of internal controls.
This section is the heaviest on the administrative and cost front.
Publicly listed companies at times use service providers to process financial transactions or to host processes or data. In this case, management needs to do an independent assessment of the service providers or can rely on SSAE 16/ISAE 3402 service auditor reports.
Frameworks and Guidance for SOX
Many organizations adopt and refer to the COSO (Committee of Sponsoring Organizations of the Treadway Commission) Internal Control – Integrated Framework for guidance on internal controls. This framework assists organizations in developing and maintaining systems of internal controls. Businesses these days are dependent on IT; as a result, IT also comes under the regulatory and compliance umbrella. Control Objectives for Information and related Technology (COBIT) is an IT governance framework which enables policy development and good practice for IT control throughout the organization.
Approaching SOX compliance
Complying with SOX is a top-down approach. The higher management should set a strong tone and should drive the compliance approach. SOX should be an organization-wide responsibility.
Risk assessment is recommended to identify key risk areas, material processes, underlying applications and applicable controls. Identifying the scope of SOX compliance is critical. A lot of effort and money is wasted when the scope is not clear. Most organizations identify the critical processes that affect revenue or materiality. Based on these processes, the underlying applications and infrastructure are identified and the scope is defined.
The process owners do a walkthrough of their processes and document the process narrative along with the identified risks and respective controls. The control owners are responsible for the operating effectiveness of their controls. A self-assessment program can be followed during the initial stages of scoping and while identifying the material processes and applications. The SOX management team can also rely on periodic self-assessment programs to track the current state of risk and controls. However, management should conduct an independent assessment before concluding on the design and operating effectiveness of the controls.
Training and continuous learning are imperative. Management should design training programs and self-learning courses for all the personnel involved in SOX compliance. Many organizations award their employees internal accreditations like “SOX Champion” or “SOX Certified” on successful completion of SOX-related training courses.
Internal Audit function
Most organizations these days have a dedicated Internal Audit (IA) function. The IA team program-manages the SOX compliance process within the organization. They help in defining the overall SOX methodology and assist in identifying the key risks and applicable controls. They get involved in the review of design documents, testing of the design and operating effectiveness of controls, identifying control gaps, liaising between management and external auditors, follow-up reviews, etc.
The external auditors need to perform sufficient testing to substantiate their opinion. With this in mind, the external auditors can rely on the work performed by internal auditors depending upon the effectiveness and timing of the internal auditors’ report, the results of the external auditors’ re-performance of certain areas of work performed by internal auditors, the competency of the internal auditors, etc.
While the IA function assists management with SOX compliance, management is ultimately accountable and responsible for SOX.
Benefits of being SOX compliant
Overall, SOX has proved very beneficial in establishing an organization-wide integrated risk and control framework. It has proved instrumental in establishing a financial and IT control framework across the organization. It has increased the confidence and trust of investors in financial reporting. It has helped put in place organized and structured corporate governance along with higher operational efficiency and effectiveness.