The Sarbanes-Oxley Act:
The Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and Investor Protection Act, is one of the most sweeping reforms of U.S. corporate governance and financial reporting practice since the securities laws of the 1930s. SOX applies to every U.S. public company (any SEC registrant), regardless of size; the $75 million figure often cited is the public-float threshold that defines an "accelerated filer" and set the timing of Section 404 compliance, not a revenue cutoff. Only a few provisions, notably the whistleblower-retaliation and document-destruction provisions, reach private companies and not-for-profit organizations. Sarbanes-Oxley created a new level of accountability by imposing severe civil and criminal penalties for corporate wrongdoing. The Act comprises 11 titles covering a broad spectrum of business practices: financial record keeping, auditing, reporting, and securities fraud. Two of the most visible sections are Section 302 (Title III) and Section 404 (Title IV).
Section 302 of the Sarbanes-Oxley Act holds the CEO and CFO of a company personally responsible for certifying the accuracy of quarterly and annual reports (Section 906 adds criminal penalties for knowingly false certifications). Under Section 302, executive management is also responsible for implementing and maintaining the necessary internal controls, evaluating the effectiveness of those controls, reporting all significant deficiencies in the design or operation of the internal controls, reporting any fraud committed by management or by employees who have a significant role in internal controls, and reporting all changes in internal controls.
Many companies rushed to meet their first-year SOX compliance deadline in 2004 and experienced firsthand the tremendous cost and complexity of SOX adherence. According to a study by Financial Executives International (FEI), first-year compliance costs for Section 404 averaged $1.9 million, of which roughly $509,000 was additional auditing expense and $700,000 was IT consulting and software. Companies polled reported an average of 12,000 hours of internal staff time to complete first-year compliance. For companies with revenues over $5 billion, FEI found higher first-year costs of $4.7 million and 35,000 hours of internal time.
Sarbanes-Oxley Act Solutions
Even with costs in the millions to achieve compliance, many companies still implemented manual procedures and temporary workarounds to meet their first SOX deadline. Going forward, these companies will need to invest additional work to replace "quick fixes" with solid, scalable and sustainable solutions that meet future compliance more efficiently. According to Ventana Research, some auditors predict that 10-20% of companies covered by the Act will fail to comply fully in their first year, and that companies that rushed to achieve compliance with shortcuts will end up spending more to redesign their controls and effectiveness tests, making SOX Section 404 compliance even more complicated and time consuming.
Despite the heavy burden and cost that Sarbanes-Oxley compliance places on publicly traded companies, many businesses report benefits from SOX compliance: working through the process has strengthened aspects of their financial and information security processes that were not tracked previously. The benefits experienced by companies include:
- Accountability of individuals involved in financial reports and operations
- Reduced errors in financial operations
- Reduced risk of financial fraud
- Improved accuracy of financial reports
- Improved decision making through better information
- Improved investor confidence and shareholder value
Figure 1 shows that the majority of companies polled plan to spend considerably more effort strengthening programs to reduce compliance issues, improve risk management and streamline cost efficiency, with 50% planning to increase their use of technology to improve compliance efficiency.
Under the Sarbanes-Oxley Act, IT and InfoSec roles are expanded to include:
- Understanding the company's internal control program and financial reporting
- Mapping the IT systems that support internal control and financial reporting to the financial statements
- Identifying and understanding the risks related to these IT systems
- Providing the security and monitoring systems necessary to protect these IT systems
- Documenting and testing IT controls
- Ensuring IT controls are updated when internal control or financial reporting processes change
- Ensuring data confidentiality and integrity, as well as availability of both real-time and historical data
- Architecting solutions that increase efficiency and lower the cost of SOX compliance
In addition, SOX Section 103 requires registered public accounting firms to retain audit work papers and the related reports and supporting documents for at least 7 years (Section 802 adds criminal penalties for destroying, altering or falsifying such records). In practice this means the audited company's IT and management must provide robust and secure systems with good logging, reporting and archiving capabilities, so that the records underlying an audit can be produced intact throughout that retention period.