An introduction to SOX compliance

The Sarbanes-Oxley Act, also known as SOX, was enacted in 2002 in the United States in response to a series of corporate accounting scandals. Its objective is to protect shareholders and the general public from accounting errors and fraudulent business practices. The Act is administered by the Securities and Exchange Commission (SEC) and applies to public companies.

The Act's most significant requirement is laid down in Section 404, which requires the SEC to develop and publish rules for management's assessment of ICFR (Internal Control over Financial Reporting). The SEC's rules, together with the standards of the PCAOB (Public Company Accounting Oversight Board, a non-profit corporation created by SOX to oversee the auditors of public companies), require management to perform a formal assessment of its controls over financial reporting, including tests that confirm both the design and the operating effectiveness of those controls. The ICFR assessment must be included with the annual report. The assessment can be based on the internal control framework described by COSO (the Committee of Sponsoring Organizations of the Treadway Commission, a voluntary organisation dedicated to providing guidance to executive management on organisational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting). The external auditors are also required to provide an independent opinion on the effectiveness of the ICFR.

SOX regulations require that an audit trail of log files and all pertinent documentation be retained for a minimum of five years. The legislation therefore affects not only the financial side of a corporation but also the IT departments entrusted with storing the organisation's electronic records. The consequences of non-compliance are fines, imprisonment, or both.

SOX specifies which records are to be stored and for how long. It does not, however, specify how the records are to be stored: the best practices for data protection, disaster recovery and storage management are left to the organisation. To ensure compliance, many companies adopt COBIT (Control Objectives for Information and related Technology, a set of best practices for IT management created by ISACA).

It is essential for the IT departments of all public companies in the US to be aware of the key requirements of SOX, which include log management, backups and the retention of all relevant electronic communication. All information pertaining to finance and accounting should be tracked, archived and made available when a SOX compliance audit takes place.
