Overview of SOX Provisions
CEOs and CFOs are obligated under Sarbanes-Oxley to certify that financial records are accurate and that reports submitted to the SEC are accurate. They are penalized for non-compliance even if the non-compliance was accidental.
SOX covers not only financial records and reporting; it also has provisions relating to data security and IT that must be complied with.
Covered companies must maintain records proving they comply with SOX, and they must complete an annual audit, the results of which must be easily available to all stakeholders.
Companies that must comply with the Sarbanes-Oxley Act include:
US publicly traded companies larger than a certain size. It doesn’t matter where the stocks are traded: NYSE, Nasdaq, and over-the-counter stocks are all subject to SOX compliance.
Foreign companies that have registered debt or equity with the US Securities and Exchange Commission (SEC).
Accounting firms that audit companies that are required to comply with SOX must themselves also comply with SOX.
There are a few exceptions for certain public companies that do not need to comply with the SOX audit requirements:
1) “non-accelerated filers,” which as of March 2020 includes companies with annual revenues of less than $100 million and public float of less than $700 million;
2) emerging growth companies for five years.
Privately held companies and nonprofits do not generally need to comply with SOX, although many of the SOX requirements are “best practices” that would be beneficial to adopt regardless of whether the firm is legally obligated to do so. The law has real teeth: failure to comply can result in hefty fines and possibly even jail time.
SOX Administrator:
A SOX administrator is responsible for overseeing the implementation and maintenance of SOX compliance within a company. This includes establishing internal controls and procedures to ensure the accuracy and reliability of financial reporting. The administrator will also be responsible for managing and monitoring the testing of internal controls, as well as providing guidance and training to employees to ensure compliance.
For pre-IPO companies, a SOX administrator should be involved in the initial design and implementation of SOX controls to ensure that the company is in compliance with the SOX requirements from the start. For post-IPO companies, the SOX administrator should monitor and update the controls to ensure that they remain effective and relevant.
Auditor:
An auditor is responsible for conducting independent reviews of a company’s financial statements and internal controls to ensure compliance with SOX requirements. The auditor will examine financial statements, transaction records, and other data to assess the accuracy and completeness of the information provided. They will also review the company’s internal controls to ensure that they are effective and properly implemented.
For pre-IPO companies, it is recommended that they engage an auditor to conduct a pre-IPO audit to ensure that they are in compliance with SOX requirements before going public. For post-IPO companies, an auditor will conduct an annual audit to ensure that the company’s financial reporting is accurate and reliable.
It is important for both pre-IPO and post-IPO companies to work closely with their SOX administrator and auditor to ensure that they are in compliance with SOX requirements and to mitigate any potential risks or issues that may arise.
Complying with SOX
Modern corporations run on computers. Everything from recognizing revenue to tracking expenses to generating reports to internal and external communications all happens on a company’s IT network. Therefore, a lot of the internal controls companies are required to have in place to verify the integrity of their financial reports have to do with the company’s IT policies and controls. Who has access to data? Is data secure from tampering?
Companies that have recently gone public (“emerging growth companies”) have a window of a few years before they must be fully SOX-compliant. Given the severe penalties for failing to comply with SOX, and given the complexity of the task, companies are advised to start on the process of SOX compliance as early as possible. Since many of the SOX requirements are good business practices whether or not the company is subject to mandatory compliance, there’s little downside to getting a head start.
Here are some suggested steps in getting on the road to SOX compliance:
Develop a plan. Be very clear about the timeline of what information must be reported when. Have both short-term goals, for the current fiscal year, as well as long-term goals. As the company grows, it’s important that processes and controls are updated and appropriate to the scale of the company.
Select one or more frameworks to support SOX compliance. There are several different organizations that have developed frameworks and models that companies can use in developing their SOX internal controls and compliance plan. The better-known ones are:
COSO (The Committee of Sponsoring Organizations of the Treadway Commission). COSO was established by a group of five accounting and financial industry organizations to help companies improve their performance through improved internal controls and risk management. They developed the “Internal Control - Integrated Framework,” which is a useful guide for developing effective internal controls.
COBIT (Control Objectives for Information and Related Technologies). ISACA is an industry group focused on IT governance. They developed COBIT as a framework for IT governance looking at the different IT processes within a company, their inputs and outputs, objectives, etc.
ITGI (The Information Technology Governance Institute). ITGI is another industry group that has developed a framework applicable to SOX compliance. ITGI draws on COBIT and COSO, but it is more focused on security than on general compliance.
Conduct a risk assessment: It’s important to understand which processes within the company are material to compliance and to proactively identify possible problem areas. Those potential problem areas should be addressed as the company develops its compliance plan. Consider what controls are in place in different locations or divisions.
Document existing processes: Any of the company’s financial reporting processes that are relevant for SOX should be documented so that the flow of information is clear, as well as the lines of responsibility for different organizations or staff members who may be involved in the process. Controls for the processes that could help protect against fraud or other financial risks should be specified.
Assess IT Controls: The security of the company’s financial data will in large measure depend on the security of the company’s IT infrastructure. Is the company’s IT infrastructure safe from tampering? Most companies focus on protecting the IT infrastructure from outside threats such as hackers. However, the “trusted insider” can also be a major security risk, especially when it comes to the potential for financial fraud.
Identify and evaluate any third-party providers: Many companies outsource different financial reporting processes. Outsourcing doesn’t get management off the hook for Sarbanes-Oxley compliance. You have to make certain that any vendors also have adequate controls in place to protect the integrity of your financial information. Vendors are often evaluated on the basis of Service Organization Control (SOC) reports that are prepared by independent accounting firms. If no SOC report is available, you will need to dedicate resources to evaluating the vendor yourself.
Test the Internal Controls: It’s important to verify that the controls in place are actually effective. Key controls should be tested to make sure that they are working the way they are supposed to work.
Evaluate deficiencies: As deficiencies are noted in either the planning or testing process, they need to be evaluated to determine if they are significant or material. Senior management needs to be aware of any significant deficiencies. Any deficiencies that have a material effect on the company will need to be reported to the public in a 10-K.
Communicate the results: Since senior management is responsible for ensuring SOX compliance, they will want regular updates on the status of internal controls and compliance. The company’s Audit Committee should also be kept in the loop.
In addition to the above, it’s worth considering the use of Sarbanes-Oxley software. SOX compliance software can help with tracking data, flagging potential problem areas, and generating reports.