Sarbanes-Oxley Act Background:
The Sarbanes-Oxley Act was introduced in 2002 by the US government with the objective of defining rules to safeguard the public interest from fraudulent or erroneous practices by corporations and other business entities. The main objective of the legislation is to increase transparency in financial reporting by corporations and to establish a formalized system of checks and balances within the organization.
The SOX Act, also known as the “Public Company Accounting Reform and Investor Protection Act” and the “Corporate and Auditing Accountability and Responsibility Act”, was named after its main architects Senator Paul Sarbanes and Representative Michael Oxley.
SOX is a set of compliance standards that all US public companies and public accounting firms are required to adhere to, giving a true and fair view in financial reporting. It applies to:
- All publicly held American companies
- Any international companies that have listed equity or debt securities with the U.S. Securities and Exchange Commission (SEC)
- Any accounting firm or other third party that provides financial services to either of the above
Its objectives are to:
- Increase transparency and adequacy in corporate governance and financial reporting
- Formalize a standard of internal checks and balances
Penalties for SOX non-compliance:
- Formal penalties for SOX non-compliance may include fines, removal from listings on public stock exchanges and invalidation of D&O insurance policies.
- CEOs and CFOs who willfully submit an incorrect certification to a SOX compliance audit can face fines of $5 million and up to 20 years in jail.
SOX Compliance Audit Components:
There are several key components of a SOX compliance audit. The first step is to establish a clear understanding of management expectations between the auditing firm and management. The key sections are as follows:
- Section 302: Corporate Responsibility of Financial Records
- Section 401: Disclosures in Periodic Reports
- Section 404: Management Assessment of Internal Controls
- Section 409: Disclosures of Changes to Financial Conditions or Operations
- Section 802: Penalties for Altering Documents
Key Sarbanes-Oxley Requirements:
Sarbanes-Oxley consists of 11 titles, but there are two key provisions when it comes to compliance requirements: Sections 302 and 404.
Section 302: Corporate Responsibility for Financial Reports:
- Section 302 states that the CEO and CFO are held directly responsible for the accuracy of financial reports. Signing officers must review and certify the accuracy of financial statements, establish and maintain internal controls, and disclose all significant deficiencies, fraud and significant changes in the internal control system.
- Section 302.2 – Establish safeguards to prevent data tampering. Under this section of SOX, the signing officer must attest to the validity of reported financial information. Adequate safeguards must be established to prevent data tampering, so that the data is true and reliable.
- Section 302.3 – Establish safeguards to establish timelines. Under this section, signing officers are required to attest that reported information is fairly presented, including accurate reporting in a timely manner. Adequate safeguards must be established to ensure that data relates to a verifiable reporting period.
- Section 302.4.B – Establish verifiable controls to track data access. Data must be accessible only to authorized persons. Data must be classified (confidential, internal, public, external and secret) so that it is made available and used accordingly.
- Section 302.4.C – Ensure that safeguards are operational. Under this section, officers must evaluate the adequacy and operating effectiveness of the internal control system prior to financial reporting. All financial controls must be implemented and tested periodically to prevent incorrect financial reporting.
- Section 302.4.D – Periodically report the effectiveness of safeguards. Under this section, officers are required to provide a report on the operating effectiveness of the IT security system. A security framework should be implemented to establish an effective internal control procedure.
- Section 302.5.A&B – Detect security breaches. Under this section, security breaches (whether due to flaws in the control system or the security system, or due to fraud, phishing, malware or unauthorized access) must be detected.
Section 404: Management Assessment of Internal Controls
- Section 404 states that management is responsible for an adequate internal control system, an assessment of the effectiveness of the internal controls over financial reporting, and any gaps in the controls. Independent external auditors must also attest to the accuracy of the company’s financial statements and that internal controls are in place and operating effectively.
- Section 404.A.1.1 – Disclose security safeguards to independent auditors. Under this section, auditors are required to review the internal control system and procedures for financial reporting. The existence of a security framework, and the users responsible for operating the security framework, must be disclosed to external auditors.
- Section 404.A.2 – Disclose security breaches to independent auditors. Any security breach must be communicated to external auditors. The operating effectiveness of the security framework must be established and disclosed.
- Section 404.B – Disclose failures of security safeguards to independent auditors. Any significant changes in the internal control system and any significant failures in the internal control system must be disclosed to independent auditors.
SOX Compliance Advisory Services by ITR Filling (SOX process):
ITR Filling follows a top-down, risk-based methodology for SOX compliance that helps corporations and clients focus on the right approach to managing risks, implementing internal controls and enhancing business efficiency. Our advisory services include:
- End-to-end SOX compliance management
- Conduct risk assessment
- Documentation of “As-Is” processes throughout the organization, assessment of gaps in control design and operating effectiveness, and determination of appropriate steps to remediate control gaps
- Documentation and evaluation of the internal control system
- Identification of significant risks and controls for all key process areas, design of the Risk and Control Matrix (manual and automated controls) and mapping of key safeguards to supporting evidence
- Design testing of key controls
- Identification of best practices that can be implemented across the organization
- Preparation of process flows and documentation of process narratives
- Development of a COSO internal control framework
- Development of a risk management framework
- Continuous monitoring mechanisms for process analysis and improvement
Key Advantages of SOX Audit:
- Increased accountability
- Reliable financial statements for the company
- Transparent financial position of the company
- Trusted internal control environment
- Auditor independence
- Reduced financial restatements
- Improved corporate governance