How to Achieve Optimal SOX Compliance
Many companies still struggle to achieve and maintain compliance. Even if you aren’t necessarily struggling to get up to speed on compliance with the Sarbanes-Oxley Act, it never hurts to review the process to fill in any possible gaps and feel more confident than ever about your organization’s SOX compliance status.
Explore the following overview considerations for a smooth auditing process and a report that reflects your organization’s strong ethical standing and solid controls.
1. Plan the Timing of Your Annual SOX Audit
Your independent auditor must perform one SOX audit each year. Make sure that you keep your SOX audit separate from other internal audits to avoid any potential conflicts of interest.
Your best bet is to schedule your audit so you can have the results ready for your prepared annual report to share with your stockholders.
2. Identify the Most Crucial Sections of Your SOX Audit.
The SOX audit is broken down into 11 sections, but six of those sections take precedence over the others. The critical six sections are 302, 401, 404, 409 and 802.
Section 302. Disclosure Controls
The report from this section must verify:
- The signing officers have reviewed the report.
- The report does not contain any material untrue statements or omissions.
- The financial statements accurately portray the company’s financial condition.
- The signing officers are responsible for internal controls and have assessed those controls within the past 90 days and have provided a report of their findings.
- There is a list of any and all deficiencies in the internal controls, as well as information regarding any fraud that concerns employees involved with internal activities.
- Significant changes related to internal controls that could have a negative impact.
Section 401. Disclosures in Periodic Reports
This section requires that financial statements must be accurate and presented in a way that does not contain any incorrect statements. These financial statements in the periodic reports must also include all material off-balance sheet transactions, obligations and liabilities that may serve to make the company’s financial position appear more favorable to investors than is true.
Section 404. Management Assessment of Internal Controls
Here, issuers must publish information in their annual reports regarding the scope and adequacy of the internal control structure and procedures for financial reporting. This statement must also contain the assessment of effectiveness of internal controls and procedures.
In the SOX report, the engaged and registered accounting firm shall attest to and report on the assessments about the effectiveness of the internal control structure and approach to financial reporting.
Section 409. Real-Time Issuer Disclosures
Issuers must disclose any information or material changes in their financial condition or operations to the public, on an urgent basis.
Section 802. Criminal Penalties for Altering Documents
The fines and penalties are laid out in Section 802. Non-compliance, or inadequate compliance, can result in fines and/or penalties of up to 20 years in prison for activities that include altering, destroying, mutilating, concealing or falsifying documents, records or objects with the intent to impede, obstruct or influence a legal investigation.
Section 802 also provides that fines and up to 10 years of imprisonment can result for any accountant who knowingly and willfully violates the requirement to retain audit and review papers for a period of five years while serving as lead auditor or reviewing auditor for a client.
3. Focus on Your Internal Controls
While it is important to learn as much as possible about each section of the SOX Act, you can also look at your audit as an opportunity to review and improve your internal controls.
These internal controls include any computers, electronic infrastructure, network hardware and any other technology-based components through which financial data passes.
For IT leaders, your part of the audit may focus on the following:
- Access
- Security
- Change Management
- Backup Procedures
4. Get Support from the IT Department.
While SOX is an accounting and financial mandate rather than a technology mandate, support from the IT department is crucial to successful SOX audit preparation. To pass a SOX audit, your organization must adopt and implement security best practices, which should include the following:
- Implementing a formal information security governance approach.
- Preventing data loss.
- Regularly backing up data.
- Staying vigilant against social engineering tactics via fraudulent telephone and email scams.
- Educating and training users – from the CEO to individual staff members – on the proper use of technology resources.
- Outlining clear use policies for employees and any third parties with access to your system.
- Updating software and systems.
- Creating an incident response strategy for relevant parties like your IT and executive teams.
- Maintaining compliance with all regulations, including SOX.
Once you land on the right set of security best practices for financial and accounting systems, you are on your way to solid SOX compliance.
5. Meet with the External Auditing Team.
Once your organization has hired your external auditing team, schedule a meeting to introduce your respective teams and discuss your needs for a successful SOX auditing result. Discuss matters such as the designation of your primary contact person, a review of your preparatory materials at the project’s onset and additional information about what the auditors will need along the way.
6. Document the Financial Tools and Technology Used by Your Organization.
Regardless of the type of system—whether a basic financial system like QuickBooks, NetSuite or Intacct, or something more elaborate that has been tailored to your organization—it will help to document these systems before meeting with an independent auditor.
7. Document Relevant Policies, Procedures, and Processes.
Assess, document and communicate financial, legal and operating policies and procedures to provide to your auditing team. Throughout the year, be sure to keep your team updated on any major changes in policies, procedures and processes. This step helps to maintain a culture of accountability and to reinforce the importance of internal controls to avoid a potential material control weakness on your external audit.
8. Map Organizational Responsibilities.
Make sure that roles and responsibilities are properly defined by implementing a Segregation of Duties (SOD), which serves as the “basic building block of sustainable risk management and internal controls,” according to the AICPA. For example, an organization would not want to assign the same employee who maintains the general accounting ledger the authorization to approve purchase orders or cut checks to pay invoices.
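The segregation-of-duties rule above can be enforced mechanically rather than by hand. The following is an added example, not code from the original post or from I.S. Partners: it holds a constructed SoD conflict matrix (the general-ledger/purchase-order/payment conflicts the paragraph describes plus a vendor-creation/payment pair), a constructed mapping from application roles to duties, and constructed user-role assignments, then runs a detective check over existing assignments and a preventive check before a new role is granted. The role and duty names are assumptions for illustration.

```python
"""Segregation-of-duties (SoD) conflict check over user role assignments.

Added illustration for the SoD paragraph; not code from the original post.
All conflict pairs, roles, duties and users below are constructed sample data.
"""
from itertools import combinations

# Constructed SoD conflict matrix: pairs of duties a single person must not hold.
CONFLICTING_DUTIES = {
    frozenset({"maintain_general_ledger", "approve_purchase_orders"}),
    frozenset({"maintain_general_ledger", "issue_payments"}),
    frozenset({"approve_purchase_orders", "issue_payments"}),
    frozenset({"create_vendor", "issue_payments"}),
}

# Constructed mapping from application roles to the duties each role grants.
ROLE_DUTIES = {
    "gl_accountant": {"maintain_general_ledger", "post_journal_entries"},
    "ap_clerk": {"enter_invoices"},
    "ap_manager": {"approve_purchase_orders"},
    "treasury": {"issue_payments"},
    "vendor_admin": {"create_vendor"},
}

# Constructed user-to-roles assignments as they might be exported from an ERP.
SAMPLE_ASSIGNMENTS = {
    "alice": {"gl_accountant"},
    "bob": {"ap_clerk", "ap_manager"},
    "carol": {"gl_accountant", "treasury"},   # holds GL maintenance and payments
    "dave": {"vendor_admin", "treasury"},     # can create a vendor and pay it
}


def duties_for(roles):
    """Union of duties granted by a set of roles; unknown roles grant nothing."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties


def find_conflicts(assignments):
    """Detective check: return {user: [(duty_a, duty_b), ...]} for every user
    whose combined duties include a conflicting pair. Users without conflicts
    are omitted so the result doubles as an exception report for the auditor."""
    report = {}
    for user, roles in assignments.items():
        hits = [
            (a, b)
            for a, b in combinations(sorted(duties_for(roles)), 2)
            if frozenset({a, b}) in CONFLICTING_DUTIES
        ]
        if hits:
            report[user] = hits
    return report


def check_new_assignment(assignments, user, role):
    """Preventive check run before a role is granted: list the conflicts that
    granting `role` to `user` would introduce against the duties already held."""
    current = duties_for(assignments.get(user, set()))
    incoming = ROLE_DUTIES.get(role, set())
    return sorted(
        (a, b)
        for a in current
        for b in incoming
        if frozenset({a, b}) in CONFLICTING_DUTIES
    )


if __name__ == "__main__":
    for user, hits in find_conflicts(SAMPLE_ASSIGNMENTS).items():
        for a, b in hits:
            print(f"SoD conflict: {user} holds both '{a}' and '{b}'")
    blocked = check_new_assignment(SAMPLE_ASSIGNMENTS, "alice", "ap_manager")
    print("granting ap_manager to alice would introduce:", blocked)
```

The detective check is what you would run periodically (and hand to the auditors as evidence) over a role export; the preventive check is what an access-request workflow would call before approving a grant. Where a small finance team cannot avoid a conflict, the conflict should be recorded in the report together with the compensating control (for example, independent review of the affected transactions) rather than silently removed from the matrix.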
9. Inventory Internal Controls.
Properly document your Internal Controls Over Financial Reporting (ICFR) to gear up for the arrival of your organization’s external auditors for the SOX audit. Your internal controls refer to procedures designed to ensure compliance with your organization’s policies. Keep in mind three types of controls:
- Controls that affect your company’s operations,
- Controls that affect your company’s compliance with laws and regulations, and
- Controls that affect your company’s financial reporting.
Is Your Team Fully SOX Compliant? – Get Expert Assistance.
Do you have additional questions not covered in this post? Maybe you simply need an auditing firm that can perform your upcoming SOX audit?
At I.S. Partners, LLC., we specialize in performing internal audit preparedness engagements for businesses throughout the United States. Our staff diligently follows updates to the Sarbanes-Oxley Act and can help clients obtain and maintain optimal SOX compliance.