In 2002, the United States Congress passed the Sarbanes-Oxley Act (SOX) as a means of protecting investors and the general public from accounting inaccuracies and deceptive practices in enterprises, as well as to increase the accuracy of corporate disclosures. The regulation establishes deadlines and rules to achieve compliance and was drafted with the aim of improving corporate governance and accountability. The implementation of the SOX regulation was driven by financial scandals that had recently occurred.
All public companies must comply with SOX for both their information technology and financial practices. One of the main impacts of SOX is in its guidelines for how enterprises must store electronic records as it defines which records should be stored and for how long. To be compliant, corporations must save all business data, including electronic records and electronic messages, for a period of “not less than five years.”
SOX Compliance Audit Requirements
A SOX compliance audit of an organization’s internal controls is required once a year. The organization itself is responsible for finding and hiring an independent firm to conduct the audit. To eliminate any potential conflict of interest, SOX audits must be independent of other internal audits conducted by the company.
SOX requires that all financial reports include an Internal Controls Report. The report must show that adequate controls are in place and that all company financial data is accurate (within a 5% variance). Year-end financial disclosure reports are also required. Many companies share their audit results in their annual report in order to satisfy the requirement of making findings available to shareholders.
An audit will also examine personnel to ensure they have the required training to access financial information. As part of the audit process, the staff may be interviewed to confirm that their duties match their job description and training.
Sections Covered
While the Sarbanes-Oxley Act addresses many areas of corporate responsibility (the entire act is 66 pages) there are several sections in particular that a business should understand and be prepared for in a SOX compliance audit.
Section 302: Corporate Responsibility for Financial Reports
Section 302 covers the CEO and CFO responsibilities for ensuring accurate documentation within financial reports. It emphasizes the Disclosure Control and Procedures where the CEO and CFO must certify that they are personally responsible for creating and preserving disclosure controls and processes. Any changes that may have occurred within their internal controls must be reported.
Section 401: Disclosures in Periodic Reports
This section states that disclosures in public financial reports are to be prepared according to accounting standards. It asserts that companies must maintain a report of off-balance sheet disclosures in accordance with accounting standards.
Section 404: Management Assessment of Internal Controls
SOX 404 can be the costliest of the Sarbanes-Oxley Act as it requires company management as well as the auditor to state the adequacy and accuracy of the company’s internal controls regarding financial reporting. This section requires the company to provide an internal control report.
Working with a SOX Compliance Checklist
While every organization and every audit is different, a SOX compliance checklist can provide some general guidelines an organization can use as it prepares for a SOX compliance audit.
Build safeguards to protect against data tampering
Create processes that can establish timelines
Implement verifiable controls to monitor data access
Review safeguards to ensure they are operational and periodically report on their effectiveness
Identify any security breaches
Be prepared to disclose security safeguards to SOX auditors
Disclose any security infringements to SOX auditors
Be prepared to disclose any failures or shortcomings of security safeguards to SOX auditors
eLearning for SOX Compliance Training
An important element for ensuring SOX compliance is in making sure your staff is trained on your security policies. You should provide resources that will enable each worker to understand the basics of SOX compliance and how it pertains to their specific job role. In addition to training your staff, you may want to track and manage the activity of your users and vendors.
LMS Portals provides a cloud-based platform that allows our clients to launch and manage their own corporate-branded eLearning portal. Our system enables fast and easy development and delivery of eLearning courses and includes powerful supporting tools for user onboarding, online communication and collaboration, and program measurement and feedback.
Contact us today to get started for free!