Sarbanes-Oxley. It sounds like a hearty French stew, right? Maybe something you pair with an earthy Bordeaux? But as anyone at all familiar with today's regulatory environment will tell you, what might sound like a nice meal on a wintery day is actually one of the most stringent and robust regulations to drive down Public Company Boulevard since the 1930s. And that's really saying something.
We don't mean to imply that Sarbanes-Oxley – SOX for the shorthand crowd – is some mysterious, monolithic compliance monster preying on unsuspecting companies, though. It's pretty straightforward as long as you understand its purpose, reach, and how it impacts your accounting and corporate governance.
So on that note, put your feet up on your desk and let Professor Embark walk you through SOX regulations, compliance requirements, and what it all means for your controls, audits, and more. Granted, SOX isn't exactly a walk in the park, but, as you'll see, it's nothing to run and hide from, either.
The Sarbanes-Oxley Act of 2002 is all about preventing corporate fraud and providing investors with clear, accurate, and timely information that they can base their decisions on. Very much a product of its time – more on that in just a bit – SOX is a comprehensive, sweeping set of laws establishing reforms and additions in four key areas:
- Corporate responsibility: Your C-Suite, specifically the CEO and CFO, are on the hook for accurate financial statements and reliable internal controls, as detailed in Section 302 of SOX.
- Increased criminal punishment: Section 906 discusses the criminal penalties for management that certify fraudulent or misleading financials – up to a $5 million fine and 20 years in prison.
- Accounting regulation: SOX created a new auditor watchdog, the Public Company Accounting Oversight Board (PCAOB) to set standards for audit reports. All firms that audit public companies must register with the PCAOB and abide by their policies and procedures. For a more in-depth look at the PCAOB, we suggest looking over some of our previous insights.
- New protections: Aside from the overall intention of SOX – to provide new protections for investors by way of accurate, reliable information – SOX also introduced legal protection for whistleblowers under Section 806. This portion of the act shields corporate whistleblowers from retaliation when they provide information on different types of fraud or SEC violations.
Although SOX certainly has many moving parts that can appear confusing from a distance, just remember its primary intention if things start to get murky. At its heart, regulators created SOX to establish a set of internal checks and balances for public companies, along with strict criteria and guidelines for auditors, all to provide investors with transparent, accurate financial information.
A Brief History of SOX
Let's begin our look at the history of Sarbanes-Oxley by taking a quick stroll down Memory Lane, circa 2002. Star Wars fans were knee-deep in the prequel nightmares, the first iPhone was still five years away, and names like Enron, Worldcom, Tyco, and Arthur Anderson were dominating the headlines – but not for good reasons.
So what do those four names all have in common? Fraud, pure and simple. They cooked the books to prop up their financial metrics and ratios, dragging down one of the largest auditing firms in the world at the time, Arthur Anderson, along with them. And for too many reasons to list in a short(ish) blog post, financials built on fraudulent data aren’t great for investors, confidence in the markets, or our financial infrastructure.
As these different scandals came to light, both the public and legislators were rightfully aghast, driving the two bills that would eventually become the Sarbanes-Oxley Act of 2002 ahead at light speed "to protect investors by improving the accuracy and reliability of corporate disclosures." To give you a clearer view of the climate and overwhelming fury over the assorted financial scandals at the time, the final bill only had three dissenters between both the House and Senate.
Does SOX Apply to You?
And that leads us to the present day. As is usually the case, today’s environment doesn't lack for financial scandals. Perhaps we're not seeing them at the scope of those at the turn of the century, but the need for transparency and accuracy in financial information from organizations is just as acute as it's ever been.
But that term we just used, organizations, is pretty darn broad. To narrow things a bit, SOX applies to all US-based publicly traded companies, along with wholly-owned subsidiaries and public foreign companies doing business in the United States. That, for the most part, excludes private companies, non-profits, and charities from the reach of SOX. It's important to note, however, that the SOX act does contain some provisions that apply to private companies as well, including:
- Violations of federal or state securities laws not dischargeable in bankruptcy
- Penalties for falsifying, destroying, or altering documents to impede a federal agency investigation
- Violation of whistleblower protection regarding a possible federal offense
Also, as a best practice, any private company with a possible IPO on the horizon should get the SOX wheels turning ahead of time to comply with the regulations before they go public.
SOX Compliance Requirements
So what, exactly, does SOX compliance entail? Plenty. In fact, even before amendments to SOX stemming from Dodd-Frank, the original bill was 66 pages long with 11 separate sections. Granted, the bill spends many of those pages discussing the PCAOB, auditor independence, and other provisions that, while critical for protecting investors and markets, don't directly apply to a company's SOX compliance.
To separate the regulatory wheat from the chaff, though, there are four essential SOX compliance requirements that every company must meet if they fall under the regulations:
- As mentioned, CEOs and CFOs are responsible for the accuracy, documentation, and submission of both their financial reports and internal control structure to the SEC under Section 302.
- Management must also state that it's responsible for maintaining sufficient internal controls for their financials, as discussed in Section 404.
- Companies must have formal data security policies in place, communicate those policies, and enforce them consistently. This includes a thorough data security strategy that protects financial data used during normal operations.
- SOX is ongoing compliance, not one-and-done. Companies must maintain and provide documentation of that continuous compliance, monitoring, and measuring of compliance objectives.
Prepping for Your SOX Compliance Audit
As stated in the SOX requirements, compliance goes far beyond keeping neat and tidy books. Your data and systems must be secure and running on all cylinders and at all times. This means that prepping for your SOX compliance audit should include updating your internal auditing and financial reporting systems.
Remember, it's not enough to simply be SOX compliant. You must also prove your compliance, something that companies can sometimes overlook. Whatever reports your auditor requests, you should be able to provide to them quickly and efficiently. Like it or not, things can and do go sideways at the worst possible times, so preparing your systems and making sure they're running without a hitch can save a good bit of frustration come audit time. In other words, be organized and meticulous, documenting as you go.
Don't Forget About Your General IT Controls
As part of your SOX compliance audit, your auditor will also examine your company's general IT controls with an especially discerning eye. Given the critical role that IT plays in your operations – and the emphasis on security from regulators – your IT controls will definitely have their moment in the SOX compliance spotlight. Therefore, you must be able to show your auditor adequate IT controls, particularly the following:
- Access: We mean this for physical access to doors, security badges, and locking file cabinets, as well as electronic controls through login guidelines, permissions audits, and least privileged access. That last one, least privileged access, means that you only give a person access to what they need to perform their job, nothing more.
- Security controls: How are you protecting your data centers and information systems from breaches? SOX doesn't specify what security controls you should or shouldn't use, just that it works.
- Information backup: You must demonstrate maintenance of off-site, SOX compliant backups for your financial documentation.
- Change management: Things change, and when they do, you must have well-defined processes to add and maintain users, implement new software, or change any applications or databases concerning your financial records.
When it comes to your internal controls, consistent risk assessment on your part can be a lifesaver for your SOX audit. For example, if you're testing and improving your internal controls frequently – and sharing that information with your auditor – then you don't automatically fail if they happen to identify a lacking or missing control during the audit. Otherwise, you have a poor control environment, and that isn’t great.
SOX Compliance Isn't Just for Accounting (IT & HR, Listen Up!)
We concede that your accounting department bears much of the responsibility for your SOX compliance, but certainly not all of it. Everyone from HR to IT plays a role, some just bigger than others. Human Resources, for instance, typically houses much of a company's records, particularly for payroll. Just like the systems storing your financial records, those systems must be compliant under SOX Section 404.
Given the regulation's emphasis on information and system security, IT departments are another major factor in SOX compliance, and not just on the data security front. Information systems must be primed and ready to go, providing your leaders and auditors the reports they need and, just as importantly, when they need them. Likewise, your systems should create a wide-open paper trail that provides any required documentation on a moment's notice. These responsibilities fall squarely on the capable shoulders of your IT team.
SOX Compliance Best Practices & Checklist
While what we've discussed so far is somewhat high-level, we don't want you to think that Embark isn't giving you the roll-up-your-sleeves type of advice that we usually do. For a closer look at how to get up and running, we urge you to read our Roadmap to Implementing SOX Compliance, an especially helpful tool for companies and CFOs new to SOX.
But to build on what we've covered today, we also have a few tips – by way of a checklist – to help you prepare for your adventure into SOX compliance. Our checklist differs from what you'll find elsewhere on the interwebs since our focus, at least with this particular diatribe, is helping you prepare for SOX compliance, not necessarily what to do during your actual audit. For that information, you can take a look at our insights onThe Differences Between an AICPA and PCAOB Audit as well as our SOX Roadmap. And on that note, let's look at our SOX preparation checklist.
- Start with the COSO framework and work from there. Doing so will help you stay on track and work from the same framework that your auditors use.
- Establish policies that spell out how you create, adapt, and maintain your accounting systems, including any applications that use your financial data.
- Create and document a strategy for handling security breaches.
- Test your safeguards to protect against data tampering or breaches, ensuring that they are operational and effective.
- Always monitor and document access to sensitive data.
- Document any previous breaches and security safeguard failures, sharing that information with your auditor.
- Collect valid and recent control reports from all applicable service organizations.
SOX Compliance Software
Lastly, we want to touch on the technology behind your SOX compliance. We understand that just reading through the requirements might make it seem like you need some NASA-level tech to drive your compliance efforts. That said, there are plenty of incredible solutions out there in the market, our favorite being Workiva's Wdesk platform with integrated SOX compliance abilities. But, as always, we encourage you to do some due diligence to find a solution that suits your organization and needs best.
If a designated system isn't feasible for you right now, plenty of companies still rely on good ol' Excel, at least as a stop-gap measure. If you follow that route, however, just make sure you have the proper access controls in place and continually update the workbooks. Something like an internal control matrix can quickly become unwieldy using a spreadsheet-based solution, making a designated platform like Wdesk especially helpful since it can automate most – if not all – of those tasks. And remember, whether it's to clean up your records, implement new systems, or just provide guidance, Embark is always here, ready to lead the way to SOX compliance nirvana.