What Is the Sarbanes-Oxley (SOX) Act?
The Sarbanes-Oxley Act (SOX or Act) has been in effect for more than two decades now. SOX compliance provides transparency to investors, customers, regulatory bodies, and the public. Complete and consistent SOX compliance reveals your commitment to ethical accounting practices and instills confidence in everyone who counts on your organization.
Above all, the SOX act forbids all businesses— including private companies and nonprofits—from any illegal handling or destruction of financial records. They are also prohibited from enacting any retaliation or infringement on the rights of whistleblowers.
Why Was the SOX Act Created?
SOX is a government-issued record keeping and financial information disclosure standards law. Officially known as the Sarbanes-Oxley Act of 2002, it was enacted in the wake of the Enron, Arthur Andersen, WorldCom and Tyco International scandals. In the late 1990s and early 2000s, these massive organizations became monumental scandals and eventual demise of the entities due to unethical financial accounting practices.
Everyone impacted by these scandals suffered in the end—clients, employees, investors, accounting firms and the companies themselves. This proved the necessity to strengthen controls preventing fraud, whether intentionally or inadvertently.
The U.S. Congress passed the SOX act in an effort to protect stakeholders through minimizing the possibility of fraudulent accounting activities by corporations and auditing firms. SOX was enacted to create a consistent standard of care for an array of public businesses, as well as private companies in some cases, in the interest of customers, employees, vendors and any relevant third parties.
How Does the SOX Act Enforce Ethics?
How exactly does the SOX act work to better protect stakeholders from fraudulent financial activities within organizations?
1. Protection for Whistleblowers.
Section 806 is entitled “Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud.” SOX encourages disclosure of corporate fraud by having set up a series of protections for employees or contractors (whistleblowers) who come forward with concrete evidence. These protections extend to whistleblowers employed by private companies, via SOX, while nonprofits are encouraged to extend protections to whistleblowers.
Any employee aware of a breach of internal policies or government regulations must be allowed to alert the company. Those reporting fraud should not fear of reprisal in the form of termination, demotion, denial of benefits, disciplinary action, intimidation, or reduction of pay or hours.
2. Enforcing Entities to Adopt a Code of Ethics.
SOX has mandated that the U.S. Securities and Exchange Commission (SEC) issue a rule that requires public companies to disclose whether it has adopted a code of ethics that applies to its financial officers. The SEC leaves it up to each company to develop its own code of ethics.
Once the company has drawn up its own code of ethics, it is important that they make it available to the public. Most companies now simply place their code of ethics on their company website.
3. Requiring Annual SOX Audits.
SOX mandates that entities complete yearly audits and make audit reports readily available to stakeholders. Covered entities must hire independent auditors to complete the SOX audits, which must be handled separately from any other audits or internal affairs to prevent a conflict of interest.
What Does a SOX Audit Involve?
SOX audits review internal controls and procedures using a control framework, such as COBIT. Log collections and monitoring systems for access and activity involving sensitive business information are analyzed during the audit.
The review of a company’s internal controls is usually the largest part of a SOX compliance audit. Internal controls include all IT assets, such as computers, network hardware, and other electronic equipment that financial data passes through. A SOX IT audit covers IT security, access controls, data backup, and change management.
What Types of Organizations Need SOX Auditing?
Today, all publicly traded U.S. companies, all publicly traded non-U.S. companies doing business in the U.S., and private companies seeking their initial public offering (IPO) are subject to SOX compliance to protect investors, clients, staff, accounting firms and any other relevant parties.
Companies that need to achieve and maintain SOX compliance include the following:
- Publicly traded companies in the U.S., including all wholly-owned subsidiaries.
- All publicly traded non-U.S. companies doing business in the U.S.
- Private companies in the process of preparing for their initial public offering (IPO).
- Accounting firms or third-party businesses that provide services to any of the above-mentioned types of companies.
When Should a Private Company Perform a SOX Audit?
While SOX was created in response to corporate scandals perpetrated by public companies—in collusion with their respective accounting firms—the act is also applicable to private companies and nonprofits in certain contexts. A private company may need to perform a SOX audit for reasons that may include:
- A Third-Party’s Insistence. Important business partners may insist that private companies. Lenders may require that companies provide an independent audit when applying for a loan, for instance, or insurance companies may need financial statement certifications before approving Directors & Officers (D&O) liability insurance.
- Due Diligence for Prospective Investors and Buyers. Prospective buyers and investors may insist on seeing audited financials and assurance regarding internal controls to make informed decisions on loans, acquisitions and coverage to mitigate risk.
- State Requirements. Some state security regulators may extend SOX requirements to private companies.
A few additional reasons for a private company to comply with SOX standards include those preparing to go public or that may become acquired by a large public company in the future, those with large outside shareholder bases and those with registered debt securities.
When Should a Nonprofit Organization Perform a SOX Audit?
Not all nonprofits need to conduct a SOX audit. However, it is important that nonprofit leaders ensure effective governance of their organizations. Otherwise, the government may step forward to regulate nonprofit governance.
Some state attorneys general have proposed the application of certain elements of SOX to nonprofit organizations to ensure proper governance. For instance, the California Nonprofit Integrity Act of 2004 mandates that all nonprofits with $2 million or more in annual revenues submit to an audit prepared by an independent auditing firm. States like New Hampshire, Connecticut, Kansas, and Maine have passed similar laws with varying revenue ceilings.
Why Are SOX Audits Important for Your Company?
While achieving and maintaining SOX compliance is crucial to your business on a practical level, many companies have experienced additional benefits from performing a regular SOX audit, including:
- Strengthening control environment,
- Improving documentation,
- Increasing audit committee engagement level,
- Minimizing and streamlining complex tasks,
- Allowing for management of security risks more proactively and effectively,
- Streamlining auditing and reporting processes, increasing productivity and reducing costs,
- Tightening up weak links,
- Privatizing companies are more attractive as acquisition candidates for publicly held companies.
Who Can Perform a SOX Audit?
Each organization planning a SOX audit must work with an independent audit committee. The committee is responsible for setting up intensive and objective internal audit systems to fully review the financial controls.
Additionally, any accounting firm engaged to perform an independent audit may not perform any other accounting services for that same client. Such restrictions include investment advice, implementation services, and internal audit outsourcing.
Related article: How to Solidify SOX Compliance and Ensure Audit Success.
Approaching SOX Auditing? – Get Expert Assistance.
At I.S. Partners, LLC., we understand the headaches that an upcoming SOX audit can cause the most efficient IT team. Your days are jam-packed with daily responsibilities, as well as plenty of unexpected front-burner issues that arise and require your attention, so we know what a wrench preparing for an audit can become. We can help you work out the rough edges to streamline your preparation to garner pitch perfect SOX compliance with minimal interruption.
If you need more information on planning for your IT department’s role in a SOX audit, or if you want to schedule a meeting to discuss our auditing services in more detail, call us at 215-631-3452 or request a quote.