
Sarbanes-Oxley


Sarbanes-Oxley – SOX Compliance

Sarbanes-Oxley’s main role is to "deter and punish corporate and accounting fraud and corruption, ensure justice for wrongdoers, and protect the interests of workers and shareholders" (President George W. Bush).

While investing billions of dollars in achieving SOX compliance, enterprises need automated tools to help them stay compliant.

Vanadium has the best solution for you. With Vanadium, your road to SOX compliance is assured.


Overview

The Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745), also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or Sarbox, is a United States federal law enacted on July 30, 2002 in response to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. These scandals, which cost investors billions of dollars when the share prices of the affected companies collapsed, shook public confidence in the nation's securities markets. The Act is named after its sponsors, Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH).

The legislation establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms. It does not apply to privately held companies. The Act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to issue rules on the requirements for complying with the new law.


Vanadium Related Provisions

SOX Section 302: Internal control certifications

Under Sarbanes-Oxley, two separate certification sections came into effect, one civil and the other criminal: 15 U.S.C. § 7241 (Section 302, the civil provision) and 18 U.S.C. § 1350 (Section 906, the criminal provision).

Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are “responsible for establishing and maintaining internal controls” and “have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared.” 15 U.S.C. § 7241(a)(4). The officers must “have evaluated the effectiveness of the company’s internal controls as of a date within 90 days prior to the report” and “have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.”

Moreover, under Section 404 of the Act, management is required to produce an “internal control report” as part of each annual Exchange Act report. See 15 U.S.C. § 7262. The report must affirm “the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.” 15 U.S.C. § 7262(a). The report must also “contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.” To do this, managers generally adopt an internal control framework such as the one described by COSO (for more information on COSO, see http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf).

Under both Section 302 and Section 404, Congress directed the SEC to promulgate regulations enforcing these provisions. (See Final Rule: Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, Release No. 33-8238 (June 5, 2003), available at http://www.sec.gov/rules/final/33-8238.htm.)

External auditors are required to issue an opinion on whether effective internal control over financial reporting was maintained in all material respects by management. This is in addition to the financial statement opinion regarding the accuracy of the financial statements. The requirement to issue a third opinion regarding management's assessment was removed in 2007.


SOX Section 404: Assessment of Internal Control

The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important manual and automated financial controls requires enormous effort.

Both management and the external auditor are responsible for performing their assessment in the context of a top-down risk assessment, which requires management to base both the scope of its assessment and evidence gathered on risk. Both the PCAOB and SEC recently issued guidance on this topic to help alleviate the significant costs of compliance and better focus the assessment on the most critical risk areas.

The recently released Auditing Standard No. 5 of the Public Company Accounting Oversight Board (PCAOB), which superseded Auditing Standard No. 2, has the following key requirements for the external auditor:

  • Assess both the design and operating effectiveness of selected internal controls related to significant accounts and relevant assertions, in the context of material misstatement risks
  • Understand the flow of transactions, including IT aspects, sufficiently to identify points at which a misstatement could arise
  • Evaluate company-level (entity-level) controls, which correspond to the components of the COSO framework
  • Perform a fraud risk assessment
  • Evaluate controls designed to prevent or detect fraud, including management override of controls
  • Evaluate controls over the period-end financial reporting process
  • Scale the assessment based on the size and complexity of the company
  • Rely on management's work based on factors such as competency, objectivity, and risk
  • Evaluate controls over the safeguarding of assets
  • Conclude on the adequacy of internal control over financial reporting

SOX 404 and Smaller Public Companies

The cost of complying with SOX 404 impacts smaller companies disproportionately, as there is a significant fixed cost involved in completing the assessment. For example, during 2004 U.S. companies with revenues exceeding $5 billion spent 0.06% of revenue on SOX compliance, while companies with less than $100 million in revenue spent 2.55%.


SOX 404 and Information Technology

The financial reporting processes of many companies depend to some extent on IT systems. Therefore, information technology controls that specifically address financial risks may be within the scope of a SOX 404 assessment. Chief information officers are typically responsible for the IT organization, and IT personnel may be directly involved in SOX compliance efforts.

The SOX 404 guidance requires the use of an internal control framework, such as the COSO framework. The IT Governance Institute's "COBIT: Control Objectives for Information and Related Technology" is also used by many companies as a framework supporting IT SOX 404 efforts. However, certain aspects of COBIT fall outside the boundaries of Sarbanes-Oxley regulation. IT application controls (i.e., transaction processing controls) that address specific material misstatement risks are a critical part of the SOX 404 assessment.


Impact of SOX on the Corporate IT Department

The SEC identifies the COSO framework by name as a methodology for achieving compliance. The COSO framework defines five components of internal control, which can help support the requirements set forth in the Sarbanes-Oxley legislation. These five areas and their impacts on the IT department are as follows:

Risk Assessment - before the necessary controls are implemented, IT management must assess and understand the areas of risk affecting the completeness and validity of the financial reports. They must examine how the company's systems are being used and the current level and accuracy of existing documentation. The areas of risk drive the definition of the other four components of the COSO framework.

Control Environment - the control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors.

Control Activities - control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to the achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties. In an IT environment, control activities typically include IT general controls (such as controls over program changes, access to programs and data, and computer operations) and application controls.

Monitoring - auditing processes and schedules should be developed to address the high-risk areas within the IT organization. IT personnel should perform frequent internal audits. In addition, personnel from outside the IT organization should perform audits on a schedule that is appropriate to the level of risk. Management should clearly understand and be held responsible for the outcome of these audits.

Information and Communication - without timely, accurate information, it will be difficult for IT management to proactively identify and address areas of risk, and they will be unable to react to issues as they occur. IT management must demonstrate to company management an understanding of what needs to be done to comply with Sarbanes-Oxley and how to get there.