What is SOX compliance?
The Sarbanes-Oxley Act of 2002, also known as the "Public Company Accounting Reform and Investor Protection Act" (in the Senate) and "Corporate and Auditing Accountability, Responsibility, and Transparency Act" (in the House) and more commonly called Sarbanes-Oxley, Sarbox or SOX, is a United States federal law that set new or expanded requirements for all U.S. public company boards, management and public accounting firms. A number of provisions of the Act also apply to privately held companies, such as the willful destruction of evidence to impede a federal investigation.
The bill, which contains eleven sections, was enacted as a reaction to a number of major corporate and accounting scandals, including Enron and WorldCom. The sections of the bill cover responsibilities of a public corporation's board of directors, add criminal penalties for certain misconduct, and require the Securities and Exchange Commission to create regulations to define how public corporations are to comply with the law.
The basics of SOX compliance
While the details of the Sarbanes-Oxley Act are complex, "SOX compliance" refers to the annual audit in which a public company is obligated to provide proof of accurate, data-secured financial reporting.
SOX reporting specifically involves IT departments because adequate SOX internal controls require complete file safety and full visibility into financial record history, conditions which require each IT employee to understand his or her role in demonstrating SOX compliance. All public companies must comply with SOX, both on the financial side and on the IT side. The way in which IT departments store corporate electronic records changed as a result of SOX.
What SOX Compliance Means for Senior Management
Formal penalties for non-compliance with SOX can include:
- Fines
- Removal from listings on public stock exchanges
- Invalidation of Directors and Officers (D&O) insurance policies
- CEOs and CFOs who willfully submit an incorrect certification to a SOX compliance audit can face fines of up to $5 million and up to 20 years in jail.
Major Provisions of the Sarbanes-Oxley (SOX) Act of 2002
The Sarbanes-Oxley Act of 2002 is a complex and lengthy piece of legislation. Three of its key provisions are commonly referred to by their section numbers: Section 302, Section 404, and Section 802.
Section 302
This section relates to a company's financial reporting. The act requires a company's CEO and CFO to personally certify that all records are complete and accurate. Specifically, they must confirm that they accept personal responsibility for all internal controls and have reviewed these controls in the past 90 days.
Section 404
This section states that annual disclosures and quarterly updates must be provided to shareholders and the U.S. Securities and Exchange Commission. It stipulates further requirements for the monitoring and maintenance of internal controls related to the company's accounting and financials. It requires businesses to have an annual audit of these controls performed by an outside firm. This audit assesses the effectiveness of all internal controls and reports its findings back directly to the SEC.
Section 802
This section contains the three rules that affect recordkeeping. The first deals with destruction and falsification of records. The second strictly defines the retention period for storing records. The third rule outlines the specific business records that companies need to store, which includes electronic communications.
What SOX Compliance Means for Business Teams
Besides the financial side of a business, such as audits, accuracy, and controls, the SOX Act of 2002 also outlines requirements for information technology (IT) departments regarding electronic records. The act does not specify a set of business practices in this regard but instead defines which company records need to be kept on file and for how long. The standards outlined in the SOX Act of 2002 do not specify how a business should store its records, just that it's the company IT department's responsibility to store them.
The best plan of action for SOX compliance is to have the correct security controls in place to ensure that financial data is accurate and protected against loss. Developing best practices and relying on the appropriate tools helps businesses automate SOX compliance and reduce SOX management costs.
What SOX Compliance Means for IT teams
In a SOX IT audit, the IT department proves compliance by providing documentation showing that its employer has met mandated financial transparency and data security thresholds.
The 3 rules of SOX
Three rules in Section 802 of SOX affect the management of electronic records.
Rule 1
This rule concerns the destruction, alteration, or falsification of records and the resulting penalties.
Rule 2
This rule defines the retention period for records storage; best practices suggest that corporations securely store all business records using the same guidelines as public accountants.
Rule 3
This rule outlines the type of business records that need to be stored, including all business records, communications, and electronic communications.
To align with SOX regulation law, IT departments must be familiar with the security, access privilege, and log management standards required for their financial records. The first step in cementing SOX internal controls is creating a "control environment", which should:
1. Acknowledge the need for increased transparency, internal balances, and regulation.
2. Strive to perform control actions that mitigate risk and ensure the inviolability and reliability of financial information.
Adan Corporate's Value Proposition
Our experts partner with clients on SOX assessments and implementations, providing perspective not only on immediate value and impact, but on long-term implications. We work closely with management and other advisers to leverage and complement their knowledge and ensure maximum impact, and actively support implementation and skill building.
Adan Corporate's Approach to SOX implementations:
Our approach applies a top-down risk-based methodology that helps clients focus on the right risks and maximize efficiencies. We provide a full range of SOX advisory services, which address your business and compliance needs:
+ End-to-end SOX project management
+ Conduct risk assessment (as required under AS-5)
+ Assist corporates to document and evaluate internal controls
+ Document "as-is" processes throughout the organization, assess gaps in controls, and determine appropriate steps to remediate control gaps
+ Perform key controls testing
+ Identify Best Practices that can be integrated across the organization
+ Assist in developing an internal control framework
+ Assist in developing a risk management framework
+ Train personnel on COSO, methods of documenting controls, etc.
+ Reinforce continual improvement and analysis process
+ Institutionalize self-assessment
Adan Corporate's SOX implementation models
To help your organisation to ensure SOX compliance, our team can take on as much or as little of your SOX project as needed. We provide complete compliance departments, interim consultancy or help with SOX testing. We also understand the importance of collaborative relationships with client teams, audit committees and external auditors.
Are you growing rapidly and trying to scale your business without adding headcount?
Adan Corporate's outsourced SOX Act compliance services are the solution for you. We will create and manage a SOX compliance program that meets your auditor's requirements and drives bottom-line value for your company. Specifically, Adan Corporate provides SOX program design, testing and reporting to audit committees, utilizing the latest workflow solution to streamline the processes for our clients.
Does your team need the skills and experience to implement without complete outsourcing?
Through our co-sourcing services model for SOX compliance, Adan Corporate works with your SOX program manager to assess current processes.
We evaluate your management team's approach and utilize technology to determine where streamlining updates can and should be made.
This hyper-focus on continuous improvement helps us to ensure that your risks are fully mitigated and your operations are as cost-effective as possible.
Are your employees being pulled in too many directions and stretched too thin?
SOX compliance is a necessary cost of doing business for public companies, but is your team drowning from the reporting workload? To ease the pain, Adan Corporate provides skilled professionals with Sarbanes-Oxley Act compliance expertise. Employ us as an extension of your in-house team and we'll hit the ground running to ease the overtime pressure on your team.
When implemented correctly, SOX can improve processes, reduce the risk of fraud, and maximise business resources. Manually onerous processes, obsolete processes, and unnecessary review procedures can all be identified and assessed during the risk assessment and control design phases of a project, resulting in increased efficiency and effectiveness throughout many aspects of the business.
We have deep experience assisting clients through all stages of SOX implementation, from the initial scoping of the project to identify the areas and processes that fall within it, to the intelligent design of improvements to those processes and controls so that SOX compliance is achieved in the most efficient manner practicable.
A risk management strategy provides a structured and coherent approach to identifying, assessing and managing risks or uncertainties, followed by minimizing, monitoring and controlling the impact of realized risks, or enhancing the potential of opportunities, through the coordinated and economical use of resources.
Our team includes technology experts and leaders with significant first-hand experience from several SOX engagements. Using our proprietary, proven methodology and extensive, hands-on knowledge, our team serves a wide range of clients, including Fortune 1000 companies, in adding efficiencies and minimizing the additional costs of compliance efforts.