Complying with the Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act of 2002 (commonly referred to as “SOX”) was passed into law by the US Congress in order to provide greater protections for shareholders in publicly traded companies. After several notable cases of massive corporate fraud by publicly held companies, especially Worldcom and Enron. High-profile cases such as these shook investor confidence in US equities markets.

Passage of the Sarbanes-Oxley Act

The need for change in corporate governance was recognized by both the Democrats and the Republicans; the bill is named after the two co-sponsors, Senator Paul Sarbanes, Democrat of Maryland, and Senator Michael Oxley, Republican of Ohio. The Sarbanes-Oxley Act was passed by an overwhelming majority in both the House and Senate. In the House, the bill received 423 votes in favor, and only 3 opposed, with 8 abstentions. The vote was even more lopsided in the Senate, with 99 voting in favor and one abstention.

Key Provisions of SOX Relevant for Compliance

SOX is a large and comprehensive piece of legislation. Not all of it is relevant to companies that are concerned with compliance; the highlights from a compliance standpoint follow:

Creation of the Public Company Accounting Oversight Board

Prior to SOX, the stock exchanges were largely self-regulating, and compliance meant simply complying with whatever standards the stock exchanges set. The Public Company Accounting Oversight Board was created to transform the process and establish government-mandated standards and procedures for publicly held companies.

Which Companies Must Comply with SOX?

Not all businesses are required to comply with SOX. SOX requirements fall on companies that are publicly traded in the US, including wholly owned subsidiaries of foreign companies, and foreign companies that raise debt or equity on the US public exchanges. There are some exceptions: 1) “non-accelerated filers,” which are companies that have less than $100 million in annual revenue and less than $700 million in public float, and 2) emerging growth companies have five years before they must be fully SOX compliant.

Financial Reporting

Companies must provide periodic financial reports that have been audited by independent auditors. SOX includes rules to ensure that auditors are truly independent. One important provision is that the accounting firms that provide audits cannot provide any other services to the firms they audit, such as consulting or tax advice. Financial statements must comply with Generally Accepted Accounting Principles (GAAP). The statements must fairly represent the financial state of the company, and the signing officer(s) certify that to the best of their knowledge there are no untrue or misleading statements or omissions in the reports. Reports are to include off balance sheet transactions.

Internal Controls

SOX mandated not only the standards for independently audited financial statements, but it also requires companies to have in place robust internal controls that would detect and prevent fraud. Internal controls can include policies and procedures, for example not allowing the person who enters an invoice to also be the one who signs off on paying the invoice. The law requires not only the establishment of an adequate internal control structure, it also requires a management assessment of internal controls as part of the annual reporting. The compliance costs for these provisions can be quite high. Since corporations today all run on computers, part of the SOX internal controls includes a company’s IT procedures including things such as who has access to what data, where and how is the data stored, how is data integrity maintained, etc.

Real-Time Issuer Disclosures

In addition to periodic financial reports, SOX requires companies to disclose to the public, “on an urgent basis,” any material changes in their financial condition or operations. This is one reason you read about a lot of data breaches or ransomware attacks that have happened to public companies; even though the companies might prefer to keep quiet about such things from a consumer confidence standpoint, they could have a material effect on a company, so companies are required to disclose such incidents to the public.

Whistleblower Protections

Several of the high-profile fraud cases that spurred the passage of the Sarbanes-Oxley Act were uncovered because internal whistleblowers brought the fraud to light. SOX makes it a criminal act to retaliate against whistleblowers. This provision covers not only employees, it also covers contractors.

Criminal Penalties

This is the part that can keep corporate CEOs awake at night: SOX makes the “signing executives,” typically the Chief Executive Officer and Chief Financial Officer, personally and individually responsible for the attestations they are required to make. The penalty for filing a false or misleading report can be up to a $5 million fine and 20 years of jail time. In order to provide some protection for themselves, many CEOs now require “sub-certifications.” They require lower-level executives, for example division or subsidiary heads, to make the same type of certifications regarding their operations that the CEO has to make for the company as a whole. The CEO’s hope is that in the event there was something fraudulent in a subsidiary somewhere, the CEO could claim they relied on the certification of the responsible executive, so they did not “knowingly” submit a false report.

What are SOX Compliance Requirements?

To summarize, these are the key things public companies must do to be in compliance with SOX:

1. Provide periodic financial statements that are audited by independent auditors.
2. Promptly report any material changes to the company’s financial situation to the public.
3. Have in place adequate internal controls to detect and prevent fraud and ensure the integrity of the company’s financial information. This typically includes both financial-type controls, and controls related to the company’s IT system.
4. Provide an annual management assessment of internal controls, signed off by independent auditors.

Preparing for SOX Compliance

Sarbanes Oxley compliance can seem like a daunting task, with lots of opportunities to mess up with potentially steep penalties for non-compliance. Companies generally have at least a few years’ worth of time to prepare before they are required to be fully SOX compliant. Here are steps you can take to make the path to SOX compliance a little less stressful.

Plan ahead

Make sure you have a clear timeline established for when which procedures and reports must be in place.  Have both a short term plan for the current year, and a longer term plan leading up to the time when you need to be fully compliant.

Choose one or more frameworks

There are several non-profit industry groups that have developed frameworks intended to help companies strengthen their internal controls and prepare for Sarbane Oxley compliance. You may wish to consider:

1. COSO (The Committee of Sponsoring Organizations of the Treadway Commission). COSO has developed what they call an “Internal Control – Integrated Framework” which can provide guidance on developing your company’s controls.
2. COBIT (Control Objectives for Information and Related Technologies. COBIT was developed by ISACA an IT governance focused industry group. COBIT will help you bring your IT processes into compliance.
3. ITGI (The Information Technology Governance Institute). ITGI’s recommendations draw on both COSO and COBIT, with a heavy focus on the security-related aspects of internal controls.

Risk assessment

By the time a company has gone public, the chances are very good that it will be big enough and will have complex enough processes that it would be a very heavy financial burden to fully test and evaluate each individual control in the company’s processes. A proper risk assessment can be a very helpful tool in identifying the areas where the company might be exposed to a higher level of risk. It makes sense to focus testing and validation on the processes where there is the greatest risk of a potential violation.

Assess the entire company

The assessment process needs to go beyond headquarters. Especially if a company has made some acquisitions, it’s possible that subsidiaries or branches may be running different software and may have different processes and procedures in place. The entire company has to be compliant, so it’s important that these secondary operations are fully treated as in scope for assessment and audit. An exception could be made if an operation was small enough that it would not have a material effect on the financial health of the overall corporation.

Thoroughly document your processes

In to pass your audit with a minimum of cost and stress, it’s not enough to good internal controls in place: those controls need to be thoroughly documented. Information flow and lines of authority are especially important. Procedures that are intended to prevent or detect flaw should be particularly well documented.

Pay attention to IT

Your financial data is only as secure as your IT system. Failure to follow industry best practices with regard to data security could expose your company to criticism that internal IT controls are insufficient to protect sensitive financial data. It’s good policy to implement “least privilege access,” where users only have access to the information they need to do their job, in order to minimize potential problems from “trusted insiders.”

Evaluate your suppliers

For years many companies have been focusing on their core competence, and have been outsourcing business processes that are not part of that core competence. If fraud or a breach happens at a vendor, your company is still on the hook. You have to pay attention to any vendors who may have access to your systems in a way that could compromise security or data integrity.

Test your controls

You need to make sure your controls work, especially the key controls that have been identified by your risk assessment.

Fix deficiencies

The testing process is likely to turn up some things that didn’t quite work as expected. That’s OK: that’s why you test, to find the weak spots, and take corrective action. Major deficiencies, ones that could have a material impact on the company, have to be reported to the public in a 10-K.

Communicate

Improved transparency was one of the major goals of SOX. Make sure that the board, senior management, and the internal audit committee are all apprised of things that are happening on the Sarbanes Oxley compliance process.

Do we need a SOX compliance checklist?

Checklists can be very helpful tools to make sure nothing important gets overlooked, especially when you’re dealing with a process as complex of SOX compliance. In all likelihood, multiple checklists, drilling down to greater levels of details, will be wanted.

For most companies, the financial reporting requirements will be fairly straightforward, they are likely activities the company has been doing for some time, even if the reporting was initially as a private company, not a public company. The big challenge is typically getting in compliance with Section 404 of the SOX Act, management assessment of internal controls. While it’s always good practice for companies to have good internal controls, SOX adds requirements for documentation, tests, and audits of both financial and IT controls, all of which may place additional burdens on staff in the relevant departments. You may want separate checklists evaluating your financial controls and your IT controls, as they will be very different and will be managed by different teams.

SOX compliance software

With all of the details that go into SOX compliance, there are companies that have developed software tools to help companies make sure they are fully compliant. Such software is typically used as an adjunct to the SOX compliance checklists: the checklists tend to focus on the bigger picture, and SOX compliance software can help with all of the many details.

SOX audit

The SOX audit is the audit on the effectiveness of the company’s internal controls. The financial audit is strictly concerned with the numbers: do the figures in the company’s financial reports accurately reflect the health of the company? The SOX audit is focused on whether the controls in place are sufficient to give the public confidence in the integrity of those numbers.

Management is responsible for providing an assessment of the company’s internal controls. The external SOX audit is an independent confirmation of the things that management has to say about the controls.

Conclusion

Many companies dread having to comply with SOX. They see it as a huge distraction from their primary focus of providing a good return to shareholders. But the truth is, there are many benefits of Sarbane Oxley compliance. When a company goes public, it’s typically on a growth trajectory. The internal controls and processes that were suitable for a startup are not likely to be adequate for a rapidly growing public company. The steps taken to comply with SOX are the same steps that will help the company have the infrastructure in place that it needs to be able to support rapid growth in a controlled fashion.