SOX Compliance

Complying with the Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act of 2002 (https://www.soxlaw.com/) (commonly referred to as “SOX”) was passed into law by the US Congress in order to provide greater protections for shareholders in publicly traded companies, after several notable cases of massive corporate fraud (https://www.thebalancesmb.com/sarbanes-oxley-act-and-the-enron-scandal-393497) by publicly held companies, especially WorldCom and Enron. High-profile cases such as these shook investor confidence in US equities markets.

Passage of the Sarbanes-Oxley Act

The need for change in corporate governance (https://www.icaew.com/technical/corporate-governance/principles/principles-articles/does-corporate-governance-matter) was recognized by both the Democrats and the Republicans; the bill is named after its two co-sponsors, Senator Paul Sarbanes, Democrat of Maryland, and Senator Michael Oxley, Republican of Ohio. The Sarbanes-Oxley Act was passed by an overwhelming majority in both the House and Senate. In the House, the bill received 423 votes in favor and only 3 opposed, with 8 abstentions. The vote was even more lopsided in the Senate, with 99 voting in favor and one abstention.

Key Provisions of SOX Relevant for Compliance

SOX is a large and comprehensive piece of legislation. Not all of it is relevant to companies that are concerned with compliance; the highlights from a compliance standpoint follow:

Creation of the Public Company Accounting Oversight Board

Prior to SOX, the stock exchanges were largely self-regulating, and compliance meant simply complying with whatever standards the stock exchanges set. The Public Company Accounting Oversight Board (https://pcaobus.org/about) was created to transform that process and establish government-mandated standards and procedures for publicly held companies.

Which Companies Must Comply with SOX?

Not all businesses are required to comply with SOX. SOX requirements fall on companies that are publicly traded in the US, including wholly owned subsidiaries of foreign companies, and foreign companies that raise debt or equity on the US public exchanges. There are some exceptions: 1) “non-accelerated filers,” which are companies that have less than $100 million in annual revenue and less than $700 million in public float, and 2) emerging growth companies, which have five years before they must be fully SOX compliant.

Financial Reporting

Companies must provide periodic financial reports that have been audited by independent auditors. SOX includes rules to ensure that auditors are truly independent. One important provision is that the accounting firms that provide audits cannot provide any other services to the firms they audit, such as consulting or tax advice. Financial statements must comply with Generally Accepted Accounting Principles (https://www.investopedia.com/terms/g/gaap.asp) (GAAP). The statements must fairly represent the financial state of the company, and the signing officer(s) certify that to the best of their knowledge there are no untrue or misleading statements or omissions in the reports. Reports are to include off-balance-sheet transactions.

Internal Controls

SOX not only mandated standards for independently audited financial statements, it also requires companies to have in place robust internal controls that detect and prevent fraud. Internal controls can include policies and procedures, for example not allowing the person who enters an invoice to also be the one who signs off on paying the invoice. The law requires not only the establishment of an adequate internal control structure, it also requires a management assessment of internal controls as part of the annual reporting. The compliance costs for these provisions can be quite high. Since corporations today all run on computers, part of the SOX internal controls (https://www.soxlaw.com/sox-controls/) includes a company’s IT procedures, including such things as who has access to what data, where and how the data is stored, how data integrity is maintained, etc.
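The invoice example above is a segregation-of-duties control, and a control is only worth something if it is tested. The following script is an added example (it is not code from soxlaw.com) that runs such a test over a batch of accounts-payable records: it flags any invoice that the same user both entered and approved, and any invoice approved by a user who does not hold the approver role, since the first rule means little if approval rights are not themselves restricted. The user names, role names, vendors and invoices are constructed sample data.

```python
"""Automated test of a segregation-of-duties (SoD) control.

Added example, not code from soxlaw.com. It implements the control the
page describes: the person who enters an invoice must not also be the
person who approves paying it. It also checks that the approver holds
the approver role, because an SoD rule only means something if approval
rights are themselves restricted. All names, roles and invoices below
are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor: str
    amount: float
    entered_by: str   # user who keyed the invoice into the AP system
    approved_by: str  # user who released it for payment


# Constructed role assignments (role names are assumed, not from the page).
ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_approver"},
    "carol": {"ap_clerk", "ap_approver"},
    "dave": {"ap_clerk"},
}

# Constructed accounts-payable records for one test period.
INVOICES = [
    Invoice("INV-1001", "Acme Supplies", 1250.00, "alice", "bob"),
    Invoice("INV-1002", "Acme Supplies", 8700.00, "carol", "carol"),
    Invoice("INV-1003", "Globex", 300.00, "dave", "dave"),
    Invoice("INV-1004", "Initech", 54000.00, "alice", "dave"),
]


def check_segregation_of_duties(invoices, roles):
    """Return the control exceptions found in a batch of invoices.

    Two exception types are reported:
      sod_conflict          - the same user entered and approved the invoice
      unauthorized_approver - the approver does not hold the ap_approver role
    An empty list means the control operated as designed over the sample.
    """
    exceptions = []
    for inv in invoices:
        if inv.entered_by == inv.approved_by:
            exceptions.append({
                "invoice_id": inv.invoice_id,
                "type": "sod_conflict",
                "user": inv.approved_by,
                "amount": inv.amount,
            })
        if "ap_approver" not in roles.get(inv.approved_by, set()):
            exceptions.append({
                "invoice_id": inv.invoice_id,
                "type": "unauthorized_approver",
                "user": inv.approved_by,
                "amount": inv.amount,
            })
    return exceptions


def summarize(exceptions):
    """Aggregate exceptions by type with a count and the total amount
    exposed, the figures needed to judge whether a deficiency is material."""
    summary = {}
    for exc in exceptions:
        entry = summary.setdefault(exc["type"], {"count": 0, "amount": 0.0})
        entry["count"] += 1
        entry["amount"] += exc["amount"]
    return summary


if __name__ == "__main__":
    found = check_segregation_of_duties(INVOICES, ROLES)
    for exc in found:
        print(f'{exc["invoice_id"]}: {exc["type"]} by {exc["user"]} '
              f'(${exc["amount"]:,.2f})')
    print(summarize(found))
```

In practice the invoice list would be pulled from the AP system's audit trail and the role map from the identity system, and the summary (exception count and dollar exposure per type) is what feeds the materiality judgement described later under "Fix deficiencies".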

Real-Time Issuer Disclosures

In addition to periodic financial reports, SOX requires companies to disclose to the public, “on an urgent basis,” any material changes in their financial condition or operations. This is one reason you read about a lot of data breaches or ransomware attacks that have happened to public companies; even though the companies might prefer to keep quiet about such things from a consumer confidence standpoint, they could have a material effect on a company, so companies are required to disclose such incidents to the public.

Whistleblower Protections

Several of the high-profile fraud cases that spurred the passage of the Sarbanes-Oxley Act were uncovered because internal whistleblowers brought the fraud to light. SOX makes it a criminal act to retaliate against whistleblowers. This provision covers not only employees but also contractors.

Criminal Penalties

This is the part that can keep corporate CEOs awake at night: SOX makes the “signing executives,” typically the Chief Executive Officer and Chief Financial Officer, personally and individually responsible for the attestations they are required to make. The penalty for filing a false or misleading report can be up to a $5 million fine and 20 years of jail time. In order to provide some protection for themselves, many CEOs now require “sub-certifications.” They require lower-level executives, for example division or subsidiary heads, to make the same type of certifications regarding their operations that the CEO has to make for the company as a whole. The CEO’s hope is that in the event there was something fraudulent in a subsidiary somewhere, the CEO could claim they relied on the certification of the responsible executive, so they did not “knowingly” submit a false report.

What are SOX Compliance Requirements?

To summarize, these are the key things public companies must do to be in compliance with SOX:

1. Provide periodic financial statements that are audited by independent auditors.
2. Promptly report any material changes to the company’s financial situation to the public.
3. Have in place adequate internal controls to detect and prevent fraud and ensure the integrity of the company’s financial information. This typically includes both financial-type controls and controls related to the company’s IT system.
4. Provide an annual management assessment of internal controls, signed off by independent auditors.

Preparing for SOX Compliance

Sarbanes-Oxley compliance can seem like a daunting task, with lots of opportunities to mess up and potentially steep penalties for non-compliance. Companies generally have at least a few years’ worth of time to prepare before they are required to be fully SOX compliant. Here are steps you can take to make the path to SOX compliance a little less stressful.

Plan ahead

Make sure you have a clear timeline established for when each procedure and report must be in place. Have both a short-term plan for the current year and a longer-term plan leading up to the time when you need to be fully compliant.

Choose one or more frameworks

There are several non-profit industry groups that have developed frameworks intended to help companies strengthen their internal controls and prepare for Sarbanes-Oxley compliance. You may wish to consider:

1. COSO (The Committee of Sponsoring Organizations of the Treadway Commission). COSO has developed what they call an “Internal Control – Integrated Framework” (https://www.coso.org/pages/ic.aspx), which can provide guidance on developing your company’s controls.
2. COBIT (Control Objectives for Information and Related Technologies). COBIT was developed by ISACA (https://www.isaca.org/), an IT-governance-focused industry group. COBIT will help you bring your IT processes into compliance.
3. ITGI (https://searchcompliance.techtarget.com/definition/ITGI-IT-Governance-Institute) (The Information Technology Governance Institute). ITGI’s recommendations draw on both COSO and COBIT, with a heavy focus on the security-related aspects of internal controls.

Risk assessment

By the time a company has gone public, the chances are very good that it will be big enough, and will have complex enough processes, that it would be a very heavy financial burden to fully test and evaluate each individual control in the company’s processes. A proper risk assessment can be a very helpful tool in identifying the areas where the company might be exposed to a higher level of risk. It makes sense to focus testing and validation on the processes where there is the greatest risk of a potential violation.

Assess the entire company

The assessment process needs to go beyond headquarters. Especially if a company has made some acquisitions, it’s possible that subsidiaries or branches may be running different software and may have different processes and procedures in place. The entire company has to be compliant, so it’s important that these secondary operations are fully treated as in scope for assessment and audit. An exception could be made if an operation was small enough that it would not have a material effect on the financial health of the overall corporation.

Thoroughly document your processes

In order to pass your audit with a minimum of cost and stress, it’s not enough to have good internal controls in place: those controls need to be thoroughly documented. Information flow and lines of authority are especially important. Procedures that are intended to prevent or detect fraud should be particularly well documented.

Pay attention to IT

Your financial data is only as secure as your IT system (https://www.soxlaw.com/what-is-the-it-teams-role-in-sox-compliance/). Failure to follow industry best practices with regard to data security could expose your company to criticism that internal IT controls are insufficient to protect sensitive financial data. It’s good policy to implement “least privilege access” (https://www.cyberark.com/what-is/least-privilege/), where users only have access to the information they need to do their job, in order to minimize potential problems from “trusted insiders.”
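A least-privilege policy is tested by comparing what each user can actually do against what their job requires. The script below is an added example (not code from soxlaw.com or CyberArk) of such an access review for the systems that hold financial data: it reports grants beyond role need, accounts that still hold access but have gone dormant, and users who combine database-administrator rights on the ERP with the ability to enter or approve transactions, a combination that undermines both least privilege and the segregation of duties described earlier. The role matrix, system and permission names, users and dates are all constructed sample data, and the 90-day dormancy threshold is an assumed policy value.

```python
"""Least-privilege access review for systems that hold financial data.

Added example, not code from soxlaw.com or CyberArk. It compares the
entitlements each user actually holds against what their job roles
require and reports the excess, which is what a "least privilege"
control looks like when it is tested rather than only written down.
Systems, permissions, roles, users and dates are constructed sample data.
"""
from datetime import date

# Constructed role-to-entitlement matrix: each role maps to the
# (system, permission) pairs it needs. All names are assumed.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {("erp", "invoice_entry")},
    "ap_approver": {("erp", "invoice_entry"), ("erp", "payment_approval")},
    "controller": {("erp", "invoice_entry"), ("erp", "payment_approval"),
                   ("erp", "gl_posting"), ("reporting", "read")},
    "it_admin": {("erp", "db_admin"), ("reporting", "admin")},
}

# Constructed snapshot of what each user holds today.
USERS = {
    "alice": {"roles": {"ap_clerk"},
              "grants": {("erp", "invoice_entry")},
              "last_login": date(2021, 5, 10)},
    "bob":   {"roles": {"ap_approver"},
              "grants": {("erp", "invoice_entry"), ("erp", "payment_approval"),
                         ("erp", "gl_posting")},   # gl_posting not needed
              "last_login": date(2021, 5, 11)},
    "erin":  {"roles": {"controller"},
              "grants": set(ROLE_ENTITLEMENTS["controller"]),
              "last_login": date(2020, 11, 2)},    # long inactive
    "frank": {"roles": {"ap_clerk", "it_admin"},
              "grants": {("erp", "invoice_entry"), ("erp", "db_admin"),
                         ("reporting", "admin")},  # admin plus business rights
              "last_login": date(2021, 5, 12)},
}

# Review date and dormancy threshold (assumed policy value, not from the page).
AS_OF = date(2021, 5, 12)
DORMANT_DAYS = 90

# Transaction rights that should never sit with database-level admin rights
# on the same system (assumption used for the toxic-combination check).
BUSINESS_RIGHTS = {("erp", "invoice_entry"), ("erp", "payment_approval"),
                   ("erp", "gl_posting")}


def required_access(roles, matrix):
    """Union of the entitlements allowed to every role the user holds."""
    needed = set()
    for role in roles:
        needed |= matrix.get(role, set())
    return needed


def review_access(users, matrix, as_of, dormant_days=DORMANT_DAYS):
    """Return findings: excess grants, dormant accounts that still hold
    access, and users combining ERP db_admin with transaction rights."""
    findings = []
    for user, rec in users.items():
        needed = required_access(rec["roles"], matrix)
        for system, perm in sorted(rec["grants"] - needed):
            findings.append({"user": user, "type": "excess_grant",
                             "system": system, "permission": perm})
        inactive = (as_of - rec["last_login"]).days
        if rec["grants"] and inactive > dormant_days:
            findings.append({"user": user, "type": "dormant_account",
                             "days_inactive": inactive})
        if ("erp", "db_admin") in rec["grants"] and rec["grants"] & BUSINESS_RIGHTS:
            findings.append({"user": user, "type": "admin_with_business_access"})
    return findings


def findings_by_type(findings):
    """Group the affected users by finding type for the review report."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["type"], []).append(f["user"])
    return grouped


if __name__ == "__main__":
    results = review_access(USERS, ROLE_ENTITLEMENTS, AS_OF)
    for f in results:
        print(f)
    print(findings_by_type(results))
```

Each finding maps to a remediation the reviewer can document: revoke the excess grant, disable the dormant account, and split the administrator's duties so that no single account can both alter the database and post transactions.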

Evaluate your suppliers

For years many companies have been focusing on their core competence, and have been outsourcing business processes that are not part of that core competence. If fraud or a breach happens at a vendor, your company is still on the hook. You have to pay attention to any vendors who may have access to your systems in a way that could compromise security or data integrity.

Test your controls

You need to make sure your controls work, especially the key controls that have been identified by your risk assessment.

Fix deficiencies

The testing process is likely to turn up some things that didn’t quite work as expected. That’s OK: that’s why you test, to find the weak spots and take corrective action. Major deficiencies, ones that could have a material impact on the company, have to be reported to the public in a 10-K.

Communicate

Improved transparency was one of the major goals of SOX. Make sure that the board, senior management, and the internal audit committee are all apprised of what is happening in the Sarbanes-Oxley compliance process.

Do we need a SOX compliance checklist?

Checklists can be very helpful tools to make sure nothing important gets overlooked, especially when you’re dealing with a process as complex as SOX compliance. In all likelihood, multiple checklists, drilling down to greater levels of detail, will be wanted.

For most companies, the financial reporting requirements will be fairly straightforward; they are likely activities the company has been doing for some time, even if the reporting was initially as a private company, not a public company. The big challenge is typically getting in compliance with Section 404 of the SOX Act (https://www.soxlaw.com/sox-section-404/), management assessment of internal controls. While it’s always good practice for companies to have good internal controls, SOX adds requirements for documentation, tests, and audits of both financial and IT controls, all of which may place additional burdens on staff in the relevant departments. You may want separate checklists evaluating your financial controls and your IT controls, as they will be very different and will be managed by different teams.

SOX compliance software

With all of the details that go into SOX compliance, there are companies that have developed software tools to help companies make sure they are fully compliant. Such software is typically used as an adjunct to the SOX compliance checklists: the checklists tend to focus on the bigger picture, and SOX compliance software (https://www.soxlaw.com/sox-compliance-software/) can help with all of the many details.

SOX audit

The SOX audit is the audit of the effectiveness of the company’s internal controls. The financial audit is strictly concerned with the numbers: do the figures in the company’s financial reports accurately reflect the health of the company? The SOX audit is focused on whether the controls in place are sufficient to give the public confidence in the integrity of those numbers.

Management is responsible for providing an assessment of the company’s internal controls. The external SOX audit (https://www.soxlaw.com/sox-audits/) is an independent confirmation of the things that management has to say about the controls.

Conclusion

Many companies dread having to comply with SOX. They see it as a huge distraction from their primary focus of providing a good return to shareholders. But the truth is, there are many benefits of Sarbanes-Oxley compliance. When a company goes public, it’s typically on a growth trajectory. The internal controls and processes that were suitable for a startup are not likely to be adequate for a rapidly growing public company. The steps taken to comply with SOX are the same steps that will help the company have the infrastructure in place that it needs to be able to support rapid growth in a controlled fashion.
Copyright © 2021. www.soxlaw.com (https://www.soxlaw.com) - All rights reserved.