SOX compliance: Adding software to procedures
(Sept. 10, 2007)
You might think that five years after a bill was passed, figuring out how to comply with it would be pretty much cut-and-dried. That's simply not the case with the Sarbanes-Oxley Act of 2002.
While there is a good understanding of the kinds of excesses and vulnerabilities that its major sections are supposed to prevent, exactly how to go about implementing compliance procedures - and to what extent different-sized companies are responsible for compliance - is still very much up in the air.
The two major compliance areas are Section 302, which holds management, especially the chief executive officer and chief financial officer of the company, responsible for the appropriateness and fairness of the financial statements, and Section 404, which holds the same management responsible for the creation and validation of internal controls sufficient to prevent or expose unauthorized transactions.
Section 404 requires that management perform periodic assessments of internal controls and document them in a report that must be included with the company's annual financial statements. The company's external auditors must attest to and report on management's assessment, and the auditors' report also becomes part of the financial statement.
Finally, Section 302 requires that the CEO and CFO also issue a statement that will accompany financial statements and other periodic reports certifying the appropriateness of the financial statements and disclosures. No more pointing of fingers and claims of "I didn't know what Accounting was doing!"
Further muddying the waters are new SAS pronouncements on risk assessment, audit documentation of internal control-related matters, and documentation standards. Many of these pronouncements tie directly into similar concerns addressed with SOX.
And just so you don't feel that the Securities and Exchange Commission is picking on you and your clients, Japan, which has suffered from some of the same kinds of corporate excesses that we have, is also getting its own new set of laws, the Financial Instruments and Exchange Law, nicknamed J-SOX. All publicly listed Japanese companies and their subsidiaries will be subject to J-SOX when it kicks in next April.
TO A MAN WITH A HAMMER ...
The IT function in many companies is where SOX compliance hits hardest. That's largely because of the high level of integration of IT with financial and other systems. While there may be paper backup for many transactions, for most companies, a transaction doesn't become "real" until it is "in the computer." That should happen as close to the point of occurrence as possible. Regardless of when the data is entered into the IT system, guarding the source document and the data that it contains is an important component of internal control.
SOX compliance software can be viewed as an adjunct to the company's IT and financial systems. While there is no single accepted definition of a SOX compliance application, we concentrated on applications that address three major areas of internal control. These are: access control, change control and documentation control.