SOX Overview

Sarbanes-Oxley Overview 

The Sarbanes-Oxley Act (SOX) is a US federal law enacted on July 30, 2002, in response to several high-profile accounting and corporate governance scandals that cost investors billions of dollars. SOX created new corporate governance rules, regulations, and standards for SEC registrants. The section most relevant to public corporations is Section 404 – internal controls and procedures for financial reporting.

Requirements of Section 404 

This section requires management and external auditors to report on the adequacy of the company's internal controls over financial reporting. Documenting and testing financial and related information technology controls requires significant effort. Consequently, Section 404 is the most costly aspect of the legislation to implement.

The annual report filed with the SEC must include: 

  • A report that lays out the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting 
  • An assessment of the effectiveness of the company's internal control structure and procedures for financial reporting as of the company's year-end
  • A report on the internal controls by the company's external auditors

Consequences and Responsibilities 

The penalties for non-compliance will be heavy. While the prospect of personal criminal liability looms for executives, there are even steeper penalties for corporations to consider, including a tarnished corporate brand image, heavy fines and lower shareholder confidence. These penalties result in reduced sales and lower stock prices from which it takes years and millions of dollars to recover. 

Both management and the external auditor are responsible for performing their assessment in the context of a top-down risk assessment, which requires management to base both the scope of its assessment and the evidence gathered on risk. This gives management wider discretion in its assessment approach. To accomplish these goals, managers have broadly adopted the COSO internal control framework. The COBIT framework has been equally well received in meeting information technology control objectives.

Compliance Challenges 

Compliance is not easy. For many organizations, first-time compliance with Sarbanes-Oxley will consume a great deal of time and budget. Corporations that fail to develop a comprehensive strategy for ongoing compliance – quarter over quarter and year over year – will continually incur these high costs. Furthermore, legislation will continue to evolve over time, creating new compliance requirements that demand constant corporate attention and draw on additional resources. 

With the “reprieve” rulings of May 2003 and February 2004, the SEC has given many public and private corporations time to step back and take a strategic approach to corporate compliance, rather than making rash tactical decisions that, in the long run, will incur higher costs and greater resource drain. Many forward-looking organizations understand the benefits of strategic, proactive compliance. Their approach to compliance has transformed Sarbanes-Oxley compliance from a painful, “have-to-do” process to an opportunity for continual business improvement. 

For most corporations, the most challenging aspect of complying with the Act is finding a prescriptive method: a defined sequence of steps that can be followed.

How GhostWatch Helps 

GhostWatch has developed a strong reputation as a source of expertise on both the financial and information technology aspects of SOX. We bring decades of compliance and audit experience to every assignment. We have a targeted approach in delivering best practices, managing risks, and ensuring the most efficient use of resources. We leave a lasting impression by designing and executing compliance programs that are effective, efficient, and sustainable. 

We assist clients through all phases of the SOX process including: 

  • Planning and scoping 
  • Designing and developing the risk assessment 
  • Identifying key controls 
  • Documenting controls and/or documentation gap analysis 
  • Evaluating and testing the design and operating effectiveness 
  • Prioritizing and remediating control deficiencies 
  • Reporting to stakeholders 
  • Building sustainable compliance processes 

The Sarbanes-Oxley Act of 2002 is the most sweeping legislation affecting corporate governance in over a generation. Over time, it will increase in its complexity. Regulations associated with the Act will continue to evolve, and new requirements will be introduced.

As companies develop their corporate compliance strategies, it is important to look beyond today and develop an integrated compliance strategy that considers the ongoing time and resource costs associated with the continual test and evaluation of internal controls. GhostWatch has the expertise to ensure your organization complies with all the required SOX regulations.

