If you ask someone what they think of SOX, you’ll likely spark the age-old feud between the New York Yankees and the Boston Red Sox. Enter the compliance sector, however, and SOX takes on a whole new meaning: The Sarbanes-Oxley Act.
In this article, you’ll gain a deeper insight as to why SOX was enacted, its impact on companies, and how to leverage technology to strengthen SOX compliance.
What brought on SOX?
Everyone remembers the accounting scandals of the early 2000s. In 2002, a whistleblower exposed Enron for hiding its debts and assets from investors and creditors through off-balance-sheet entities and debts. As a result, the stock price fell from $90.75 to $0.26 in just two years. Right afterwards, Tyco International was exposed for siphoning $2 billion to fund the lavish lifestyles of the company’s top officials. Completing the trifecta, WorldCom repeatedly inflated its financial documents (including its 10-K, balance sheet, income statement, and annual report) to overstate its profit by $3.8 billion and mislead its investors. There was great pressure on the federal government, especially the SEC, to strengthen disclosure and auditing requirements for public corporations.
Okay so we know why – what actually is it?
In 2002, the U.S. government instituted the Sarbanes-Oxley Act, an 11-part law divided into several subsections. When companies go public, they have just two years to become SOX compliant, which is no small task. The SEC enacted it to provide guidelines for companies to be more transparent in their auditing and disclosures.
Did it work? (Spoiler Alert: Yes and No)
The Sarbanes-Oxley Act is infamous for the two main resources that it drains: time and money.
When it was first released, economists anticipated companies spending approximately 1% of revenue on compliance costs – for every billion dollars of revenue, one million dollars of expenses. However, surveys of real companies discovered that the actual costs were much larger than expected. Companies with revenue over or under $2.5 billion found that their compliance costs were 25% or 80% higher than the initial estimates, respectively.
This isn’t even to mention the time it takes to perform testing. From documenting to testing, completely performing just one key control takes an average of 35.9 hours annually. This means that it takes approximately 4.5 workdays to complete just one control. This is largely due to the sampling and testing methods – manually gathering samples and testing them individually is very repetitive, and it takes time to understand whether the control is working.
No matter how overwhelming this seems, the introduction of automation into the compliance space is greatly decreasing costs. To read about the potential benefits of automation, read our article here.
So why do people grimace every time I mention SOX?
Thinking about SOX compliance, the two largest sections are Section 302 and Section 404. These sections outline different compliance measures for internal controls. The key points of each section are outlined below:
Section 302: Corporate Responsibility for Financial Reports
The Bottom Line: All corporate financial reports must be “fairly presented.”
Section 404: Management Assessment of Internal Controls
Part A: Management in all publicly traded companies must:
Part B: Larger publicly traded companies must:
The Bottom Line: Management must maintain adequate internal controls and formally certify, along with auditors, that they are in place.
Let’s get started – the SOX checklist:
Step 1: Prevent Data Tampering
Why: Data tampering is just what it sounds like – changing data such that it’s no longer what it truly was. The person who tampered with the data can face a fine and/or up to 20 years in prison. The CEO/CFO who certifies a misleading/fraudulent financial report can be fined upwards of $5 million and spend 20 years in prison.
- Internal Monitoring:
- Implement systems to track logins and detect suspicious/irregular login attempts to financial data systems
- External Monitoring:
- Implement systems to detect security breaches (like phishing and ransomware attacks)
- These systems should automatically generate meaningful alerts and automatically update an incident management system; these alerts, as well as the company’s responses, should be disclosed to auditors with read-only permissions.
Step 2: Keep a Clear Audit Trail
Why: During a SOX audit, it is essential that auditors have access to an audit trail and/or access to secure information. The ability to see and analyze who made changes, what they changed, and when they changed it is essential.
- Implement systems that apply timestamps and user details on all financial/SOX relevant data
- Invest in secure and encrypted data storage, both on-site and off-site, to hold the data
- Ensure that user permissions are appropriately specified, both to physical files and electronic data, and are appropriately protected (e.g. password protection)
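Steps 1 and 2 ask for every change to financial data to carry a user and a timestamp, and for tampering to be detectable rather than silent. The following is an added example, not code from the original article: an append-only audit trail in Python whose records are chained with a keyed hash, so that an edited, deleted or truncated record fails verification. The key, the field names and the sample entries are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical key for this example; a real deployment keeps it in an HSM or KMS.
AUDIT_KEY = b"constructed-example-key"
GENESIS = "0" * 64  # digest "before" the first record

def entry_digest(prev_digest, body):
    # Canonical JSON so identical fields always produce the same digest.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, prev_digest.encode() + payload, hashlib.sha256).hexdigest()

class AuditTrail:
    """Append-only log of changes to financial data. Each record stores who,
    what and when, plus a keyed hash chained to the previous record."""
    def __init__(self):
        self.records = []

    def append(self, user, record_id, field, old, new, when=None):
        when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        body = {"user": user, "record": record_id, "field": field,
                "old": old, "new": new, "when": when}
        prev = self.records[-1]["digest"] if self.records else GENESIS
        self.records.append({**body, "digest": entry_digest(prev, body)})

    def head(self):
        # Publish this value out of band (e.g. to the auditors' read-only store):
        # a silently truncated tail is only detectable against a known head.
        return self.records[-1]["digest"] if self.records else GENESIS

    def verify(self, expected_head=None):
        """Return the index of the first bad record, len(records) if the chain
        is intact but does not end at expected_head, or -1 if all is well."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "digest"}
            if not hmac.compare_digest(entry_digest(prev, body), rec["digest"]):
                return i
            prev = rec["digest"]
        if expected_head is not None and prev != expected_head:
            return len(self.records)
        return -1
```

The chain proves integrity only from the point of the last head the auditors have seen, so the head should be handed to them (or anchored elsewhere) on a fixed schedule.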
Step 3: Use Extractable Compliance Management Software
Why: Not only do these systems help you in keeping a clear audit trail, as specified in Step 2, but they also allow you to extract this data from all information systems, files, and/or databases. During an audit, accessibility to this information in a consolidated and verifiable manner is essential.
- Just like it says – get that software!
- This step is simplified if you also use a centralized workflow to regulate audit document management.
Step 4: Test your Controls (and bonus, report and disclose them)
Why: At the end of the day, implementing auditing protocols and controls is only helpful if you have systems in place to ensure that they’re being effective in achieving their desired goals. As a result, you need to have a method of testing controls in order to report the effectiveness of your safeguards. Additionally, many of these methods include functionality to provide regular reports to auditors while giving them view-only permissions.
- Implement systems that generate reports on data streams, messages/alerts, and security incidents
- Utilize these systems to log both what occurred and how they were handled
- Enable necessary permissions to allow auditors access to these reports
Step 5: Monitor and Audit the Full Population of Data Continuously
Why: Performing a one-off audit can greatly misrepresent the company’s performance. Periodic audits catch mistakes well after they happen, leaving little room to correct the error. Testing only a sample of the transactions means that there are hidden weaknesses in the data that aren’t found during the annual audits. Continuous monitoring enables companies to monitor accounting and operational transactions in real-time and get alerted regularly on misstatements anywhere in the transaction data.
- Extract all ERP system data on a regular basis
- Clean and enrich the data to be able to recognize all accounting schemes
- Leverage the cleaned and extracted data to run relevant controls for your company
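The three steps above (extract, clean, run controls over the whole population) as an added Python example that is not part of the original article. The journal-entry export, the column names and the three controls (preparer and approver must differ, debits must equal credits, manual entries should not be posted on weekends) are constructed for illustration.

```python
import csv
import io
from datetime import datetime
from decimal import Decimal

# Constructed sample of an ERP journal-entry export; not real data.
# Note the thousands separator, the stray space and the Saturday/Sunday postings.
ERP_EXPORT = """entry_id,posted_at,preparer,approver,account,debit,credit,source
JE-1,2024-03-29 10:12,jdoe,asmith,1000,"1,500.00",0.00,AP
JE-1,2024-03-29 10:12,jdoe,asmith,2000,0.00,"1,500.00",AP
JE-2,2024-03-30 23:40,rlee,rlee,4000, 250.00,0.00,MANUAL
JE-2,2024-03-30 23:40,rlee,rlee,1000,0.00,250.00,MANUAL
JE-3,2024-03-31 09:05,jdoe,asmith,5000,900.00,0.00,MANUAL
JE-3,2024-03-31 09:05,jdoe,asmith,1000,0.00,850.00,MANUAL
"""

def load_entries(text):
    """Extract and clean: strip whitespace, normalise amounts to Decimal,
    parse timestamps, and roll the line items up into one record per entry."""
    entries = {}
    for row in csv.DictReader(io.StringIO(text)):
        row = {k: v.strip() for k, v in row.items()}
        e = entries.setdefault(row["entry_id"], {
            "posted_at": datetime.strptime(row["posted_at"], "%Y-%m-%d %H:%M"),
            "preparer": row["preparer"], "approver": row["approver"],
            "source": row["source"], "debit": Decimal(0), "credit": Decimal(0)})
        e["debit"] += Decimal(row["debit"].replace(",", ""))
        e["credit"] += Decimal(row["credit"].replace(",", ""))
    return entries

def run_controls(entries):
    """Run every control over the full population, not a sample.
    Returns {entry_id: [names of the controls that entry failed]}."""
    findings = {}
    for eid, e in entries.items():
        failed = []
        if e["preparer"] == e["approver"]:
            failed.append("segregation_of_duties")
        if e["debit"] != e["credit"]:
            failed.append("unbalanced_entry")
        if e["source"] == "MANUAL" and e["posted_at"].weekday() >= 5:
            failed.append("manual_posting_on_weekend")
        if failed:
            findings[eid] = failed
    return findings
```

Run on a schedule against each fresh export, the findings dictionary is what feeds the alerting and the auditors' read-only reports described in Step 4.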