Blog

When Enron declared bankruptcy in 2001, it was one of the world’s largest corporate scandals. That year, they had over $63 billion dollars worth of assets and soon became a symbol for executive-level corruption after declaring bankruptcy only four years later. This large scandal was then followed by the Sarbanes-Oxley Act, which sought to avoid future scandals like this from happening again. 

Sarbox is a law passed by the United States Congress that aims to protect shareholders from fraud. The Sarbanes-Oxley Act of 2002, also known as SOX, strengthens corporate oversight and improves internal controls. These controls will hopefully protect investors against fraudulent financial statements provided by companies. One way SOX does this is by requiring independent third parties to verify company financials before they can be released. Such measures are welcome for many investors, though it may prove difficult for some businesses when complying with these requirements. 

The Sarbanes Oxley Act was put into place in response to accounting scandals at Enron and other corporations late in 2001, where management manipulated finances as well as kept secret off-balance-sheet debt obligations while reporting profits based on unrealistic assumptions about market prices. 

SOX was created to increase the transparency of how businesses are run and therefore make it easier for investors. However, this increased regulation has led many companies to outsource their jobs overseas in order to remain competitive when faced with high compliance costs. Point blank, this is a law that both helps and hinders investments. That being said, its main goal is to increase the company’s transparency through more stringent regulations on management practices. To help you and your business make an informed decision on how this will affect your business or investment strategy we’ve compiled the pros and cons of SOX which should give perspective on whether it’s worth supporting or not. 

The Pros

1. At All Times, Crucial Information Can’t Be Withheld From Shareholders

The Enron Corporation used a shady practice called mark-to-market accounting, also known as cooking the books, by hiding their losses. For example, if they built an asset, such as a power plant and predicted that it would make a profit before even earning any revenue from it and then actually made money, which was less than what was projected on paper, Enron transferred assets off the company’s ledgers into another corporation. These numbers were not accounted for at all. In other words, rather than hurt its bottom line with financials being reported accurately, the company would lose profits wouldn’t be devastating since no one knew about them except insiders who benefited from insider trading schemes. 

By requiring that all company reports be verified independently for accuracy, stockholders can rest assured knowing their investments have not been put at risk due to dishonest business activities like this one.

2. The Need for Internal Controls is Vital 

The Sarbanes-Oxley Act of 2002 is a federal law that requires managers to perform internal control testing on their company’s financial statements. The idea behind this legislation was for the government and investors to be more aware if there are any management overrides happening, which led to an extensive investigation into Enron Corporation in 2001. 

In order to prevent the same internal controls that led to Enron’s downfall, management is required to test these controls quarterly and file a report on their effects. This prevents managers from manipulating transactions by placing checks and balances in place that can catch abnormalities before it becomes too serious of an issue for anyone involved. 

The Cons

1. Sometimes, Smaller Companies Feel the Burden

SOX has been criticized by small public companies that are required to follow the same reporting rules as large, multinational corporations. Essentially, Section 404 states internal control procedures for all organizations but still leaves out the differentiation between company size and resources available. This leaves smaller companies with a difficult choice of either following SOX or spending their own money on additional external compliance measures they don’t have in place internally yet. 

One of the reasons that small businesses succeed is because they don’t have to worry about their IT. The around the clock support and flat-rate fee structure make it a low-cost, predictable expense with great benefits as well. With a managed service provider, you or your business doesn’t have to worry about constantly upgrading your technology. They’ll take care of everything from data backup and disaster recovery to providing technical support at all hours, so no matter what time it is or where you are in the world, at a fraction of the cost. 

2. Audit Fees are Increased 

When auditors are forced to be more accountable for their audit reports, they have less time and resources available. This means that fees go up which allows them the time required for work with SOX compliance while covering additional liability from a data breach. One thing to consider is South Dakota, which is a state that has one of the strictest laws in regards to data breaches. In this state, companies are now able-bodies liable after any incident. So when the increased audit fee of SOX compliances is increased, ask yourself if your business can afford to pay $10,000 a day due to a data breach. 

In 2002, the Sarbanes-Oxley Act was formed due to a huge business scandal that took place involving three large companies. These three companies, Enron, Arthur Andersen, and Worldcom, ended their business endeavors with prison sentences, countless layoffs, and billions of invested dollars lost. This act was formed in order to increase company security and prevent a large-scale accounting scandal from happening again. 

With this act, businesses establish a strong and transparent internal control over all of their financial reporting. A SOX audit is required for all public, private, in-country, and overseas businesses. A company will be asked to hire a third-party auditor and comply with the SOX guidelines. A business team’s responsibilities are to identify the company’s biggest priorities when dealing with financial risk. 

This act is 66 pages in total but has only a few very important sections that businesses can prepare for. The most important sections of this act are 302, 404, 409, and 802. 

SOX Section 302

Keeping executives in the loop of all business activities is the baseline of this section. CEOs and CFOs are required to personally vouch for their company’s financial standards. These two in management need to state that they have evaluated ICFR within 90 days of certifying final financial results. The IT team’s role is to then deliver real-time reporting, based on their internal controls. These controls must apply to the SOX guidelines. This usually requires automating tasks, such as testing, evidence fathering, and even reporting on remediation efforts. These reports should be given to the auditor and management. 

SOX Section 404

In this section, establishing the proper business controls to support all accurate financial reporting is crucial to a business’s livelihood. Many organizations don’t have the resources or time to perform a full SOX audit every year. Fortunately, they can outsource this burden by hiring an external auditor who will provide them with peace of mind that their financials are accurate and transparent while saving them from spending valuable man-hours on internal audits.

The IT team is an integral part of the company’s financial data management. The wide variety of tasks they undertake includes protecting information from unauthorized access, ensuring accuracy and completeness in all given information, fixing bugs that have been identified by application testing or software integration verification to ensure processes run smoothly and quickly with maximum possible security for clients’ assets.

In order to ensure the accuracy and completeness of all given information, a business’s IT team is responsible for security measures. In the case of a SOX audit, this may involve testing software integration or performing automated process tests in an effort to prevent unauthorized access to asset-bearing accounts – which could be damaging both financially and logistically.

SOX Section 409

SOX section 409 ensures the timely disclosure of any information that could shift a public company’s financial performance. Certain events such as mergers and acquisitions, bankruptcy, or crippling data breaches will sometimes be the cause of this type of effect on companies’ stocks.

To avoid any major financial disruption, it is important for public companies to be sure they are in compliance with SOX. In the rare occasion that this does happen, there must be timely disclosure of information about what happened so shareholders know how best to handle their investments accordingly

The IT team’s main and most important role is to support SOX compliance software. This software typically uses alert mechanisms, as well as quick ways of informing shareholders and regulators. These tools are used for timely disclosure requirements, in order to ensure the company stays on top of any changes or missteps with financial statements.

SOX Section 802

Paper and electronic records are often kept by small businesses today, but this is not always a safe decision. Spreadsheets on an end user’s computer, email messages, Instant Messages, recorded calls discussing money, or financial transactions should be carefully monitored for security purposes as they must be preserved to provide auditors with the information needed during audits of your business finances.

The IT team’s role in SOX compliance regulations is to preserve records with internal backup processes, and additionally, need to make sure document management systems are operating properly. These processes may or may not include an archive of old email content, depending on the organization’s needs and technological capabilities. The professionals also have control over maintaining accessibility for these documents in the most modern ways. 

How to Ensure a SOX Audit Goes Smoothly 

The Unified Compliance Framework (UCF) is the perfect way for IT teams to satisfy multiple regulations. With this framework in place, an organization can adopt a set of controls that will meet all compliance needs, no matter how strict they are. 

Documenting processes before they happen will save both time and money in the long run. If you’re ready for any audit, whether it be from your boss or an outside auditor, then the process is easy to document as well. Listed below are a few different frameworks that can be used when undergoing a SOX audit. 

COSO Framework

The Committee of Sponsoring Organizations of the Treadway Commission, which is known as the COSO, has created a framework for creating an effective internal control system. You can use their five components, directed leadership, shared values, and culture that emphasizes accountability for control as well as risk-based approach to help create your foundation on organizational controls through identifying and assessing risks at all levels, in order to prevent costly mistakes from happening again.

COBIT Framework

The COBIT framework is a valuable tool for organizations looking to create an internal control system. This comprehensive set of guidelines combines compliance with other requirements, such as SOX and technical issues that companies may have faced when implementing their corporate governance within IT teams. With the help of this guide, businesses are able to better understand how they can maximize the potential value gained from their IT team while also simplifying implementation for a successful enterprise-wide management policy.

Your team’s role to document and package the process, as well as support systems that minimize risk is vital for SOX compliance. Preventing accounting oversight will help your company stay in line with industry standards by ensuring it stays compliant all year long.  

In 2002, to reduce the number of corporate scandals that were prevalent during this time, the Sarbanes-Oxley Act was formed. These scams left large companies like Enron and WorldCom to be exposed, which resulted in their demise. Still, 20 years later, this act has kept businesses and CEOs personally accountable for any wrongdoing done by those they hire under them with regard to accounting audits. 

Now, these individuals are required by SOX rules to serve jail time if found guilty of criminal fraud against a company or its investors even after retiring from the position without knowledge of what went wrong on his watch. Since this law went into place, countless organizations believe that their compliance work has massively improved all internal controls. If you are someone who must undergo a SOX audit, here is what you can expect throughout this process. 

Does Your Company Need a SOX Audit? 

If you and your company are debating on whether or not a SOX audit is needed, here are some of the businesses that are required to complete one, according to the Sarbanes-Oxley act. 

• All traded companies in the United States
• All private companies that are beginning to prepare for their initial public offering, also known as an IPO
• All publicly-traded companies that aren’t in the United States, but are still working with businesses in the United States
•  All wholly-owned subsidiary companies 

A SOX compliance audit is most likely applicable for all companies, private and public, large and small. This type of audit is now required by federal law and will analyze and verify all areas of the business in question. 

Before a SOX Audit Begins

Before an audit such as this can be started, a company must take responsibility and hire an independent auditor. This means that the auditor must have no internal links to the company, and must be entirely separate. This must be done to ensure that there is no bias and that the audit about to take place will be impartial. Companies can do extensive research into finding the perfect firm to work with of course, but in the end, they must choose an unbiased candidate. 

What Does a SOX Audit Entail? 

After an organization or business has hired an unbiased and independent auditor, there will be a planned meeting. Business management and the auditing firm will get together and talk about the specifics of the audit when it will take place, what will be looked into and what results are expected to be found. An auditor may also go around and interview randomly selected staff to investigate if their daily duties match their job descriptions. 

An Audit for Internal Controls 

Section 404 of a SOX compliance audit is the largest and most important section that is always looked at. This section deals with the assessment of internal controls and covers four major categories that encompass all of a company’s IT assets. Listed below are the four major categories. 

1. Access- This category focuses on the physical and electronic controls that can prevent employees and administration without the proper credentials to get denied access to high-quality information. Serves and data centers for a business are most likely kept in secure locations with strong passwords and lengthy log-in screens, keeping all those who don’t have access, away. 
2. Security- In a company, security means that all computers, network hardware, and all other devices that financial data can go through, might be put in place to protect against a breach. If a breach does occur, these devices need to get to the start of the issues and find who was the one trying to access the information. 
3. Change Management- This focuses on the process for new users and any type of company-wide software updates that are needed. When new software is added or database changes occur, they must be recorded. 
4. Backup Procedure- All backup of sensitive data, even that from third parties and off-site data, must be properly secured and backed up in case of an emergency. 

 Sections That Should be Highlighted 

The Sarbanes-Oxley Act incorporates countless different portions, from business finances to corporate responsibility. In all, the SOX act is around 66 pages, but those who are scheduled to undergo this audit should look and familiarize themselves with these few important sections. 

Section 302

This section deals with the corporate responsibility for financial reports. Meaning, the CEO and CFO must be able to provide accurate documentation of a business’s financial reports. This section will look at the disclosure control and procedures needed for a CEO and CFO to certify that they are fully, and personally, responsible for establishing and maintaining disclosure controls within a company. 

Section 401

Section 401 is a two-part section that touches on the disclosures in public records and financial reports that need to be prepared in accordance with accounting standards. The next part of this section affirms that all companies are required to keep a report of any off-balance sheet disclosures. This is done to ensure that the business is meeting all the required accounting standards. 

Section 404

As the most costly section, 404 requires management, as well as the auditor, to report the accuracy and adequacy of the company in question’s internal controls on financial reporting. This section states that each company must have internal control reports as part of their exchange act report. 

Conclusion 

The many businesses that have undergone a SOX audit have said that it was worth it in the long run. Since 2002, this act has affected all companies, as well as accounting industries, and will continue to do so. For businesses that are heading towards their SOX audits, knowing what to expect and what to begin to prepare is very important. More information about the Sarbanes-Oxley Act, including the full act, can be found online.