
Practical Guide to Sarbanes-Oxley Compliance

By: Ecora Software
Published: Jul 05, 2006
Length: 18
Type: White Paper

Overview:
Learn about the Sarbanes-Oxley regulatory background and its impact on IT departments. This document covers access issues, change documentation, disaster recovery planning, and illustrations of key audit-ready reports.
Browse Related Categories: Auditing, Business Continuity, Disaster Recovery

The Sarbanes-Oxley Act of 2002 was written and enacted in response to some rather large and public failures of corporate governance. Enron, WorldCom, and Tyco became well-known brand names for all the wrong reasons. Scenes of C-level executives being arrested and “perp-walked” in handcuffs became common TV news fare.

Sarbanes-Oxley was fashioned to protect investors by requiring accuracy, reliability, and accountability of corporate disclosures. It requires companies to put in place controls to inhibit and deter financial misconduct. And it places responsibility for all this – unambiguously – in the hands of the CEO.

Failure to comply with Sarbanes-Oxley exposes senior management to possible prison time (up to 20 years), significant penalties (as much as $5 million), or both. Historically, Sarbanes-Oxley is one of the most complete American corporate anti-crime laws ever. It focuses on and proscribes a range of corporate misbehavior such as altering financial statements, misleading auditors, and intimidating whistleblowers. It doles out harsh punishments and imposes fines and prison sentences on anyone who knowingly alters or destroys a record or document with the intent to obstruct an investigation.

Sarbanes-Oxley is clear on what it disallows, and sets the tone for proper corporate conduct. It does not, however, detail how to become compliant. It leaves the bulk of that decision and definition in the hands of individual businesses. This flexibility is a plus in that it provides wide latitude in compliance. At the same time this lack of detail has created some confusion as to what constitutes appropriate controls.

Much of the discussion about Sarbanes-Oxley as it relates to IT focuses on two sections: 302 and 404.

Section 302: Corporate Responsibility for Financial Reports

Sarbanes-Oxley Section 302 specifies that certifying officers are responsible for establishing and maintaining internal control over financial reporting.

Section 302 requires:

- A statement that certifying officers are responsible for establishing and maintaining internal control over financial reporting.
- A statement that the certifying officers designed internal controls and provide assurance that financial reporting and financial statements were prepared using generally accepted accounting principles.
- A statement that the report discloses any changes in the company’s internal control over financial reporting that have materially affected those internal controls.

This section makes corporate executives clearly responsible for establishing, evaluating, and monitoring internal control over financial reporting. For most companies the IT department is crucial to achieving this goal: IT is the foundation of any system of internal control.

Section 302 effectively puts IT in the Sarbanes-Oxley compliance game. CEOs and CFOs, who bear full responsibility for Sarbanes-Oxley compliance, quickly find that IT departments are where internal controls at a material level can be implemented, managed, and documented.

Section 404: Management Assessment of Internal Controls

When the Sarbanes-Oxley Act was signed into law, it was obvious that compliance would require significant effort from financial executives. An area of particular concern was Section 404, Management Assessment of Internal Controls.

Section 404 of Sarbanes-Oxley requires companies that file an annual report to include an internal control report stating management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting. It also requires an annual assessment of the effectiveness of the issuer’s internal control structure and procedures for financial reporting. Section 404 further requires the company’s auditor to attest to, and report on, management’s assessment of the effectiveness of the company’s internal controls and procedures for financial reporting, in accordance with standards established by the Public Company Accounting Oversight Board.

Compliance with Section 404 originally became effective on June 15, 2004, for all SEC reporting companies with a market capitalization in excess of $75 million. That was later extended to November 15, 2004. For all other companies that file periodic reports with the SEC, the compliance deadline is April 15, 2005.

Compliance with Section 404 requires companies to establish an infrastructure to protect and preserve records and data from destruction, loss, unauthorized alteration, or other misuse. This infrastructure must ensure there is no room for unauthorized alteration of records vital to maintaining the integrity of the business processes.
