Sarbanes-Oxley Compliance Procedure
The purpose of the Sarbanes-Oxley Compliance Procedure is to list and assign Sarbanes-Oxley compliance requirements, measure and monitor (track) compliance, and note when key compliance items are complete. The procedure applies to the Finance and Accounting departments, and to all departments that provide financial or accounting data. (14 pages, 3015 words)
Sarbanes-Oxley Compliance Responsibilities:
The CFO (Chief Financial Officer) is responsible for ensuring that the company is in compliance with the Sarbanes-Oxley Act of 2002. The CFO is also responsible for approving and signing all financial statements, financial reports, and tax returns.
The CEO (Chief Executive Officer) is responsible for approving and signing all financial statements, financial reports, and tax returns.
The Controller is responsible for assisting the CFO in preparation of financial statements.
Top Management is responsible for overseeing and verifying financial statement preparation, and for putting in place an internal control system as prescribed in Sections 302 and 404 of the Sarbanes-Oxley Act of 2002. Top Management should also prepare an annual report on the effectiveness of the internal control system.
Department Managers are responsible for providing information necessary for preparing financial statements, and for assistance in developing and monitoring the system of internal controls needed to comply with the Sarbanes-Oxley Act of 2002.
The Audit Team Leader, established by and of the board of directors, should oversee the accounting and financial reporting processes and the audits of the financial statements of the company.
Sarbanes-Oxley Compliance Definitions:
Blackout period – Period of up to sixty days, during which employees may not adjust the investments contained in their investment plans (e.g., 401-k); blackout periods often occur when the investment plan is undergoing significant changes.
Generally Accepted Accounting Principles (GAAP) – Standards, conventions, and rules followed by accountants practicing in the USA and established by the Financial Accounting Standards Board (FASB).
ICFR – Internal Control over Financial Reporting.
Public Company Accounting Oversight Board (PCAOB) – A private-sector, non-profit corporation established by SOX to oversee the auditors of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, fair, and independent audit reports.
Sarbanes-Oxley Act of 2002 (SOX – USA) – Law designed to protect investors, in combination with other Securities regulations, by promoting ethical behavior by corporate officers and by improving the accuracy and reliability of corporate disclosures, particularly financial statements.
Sarbanes-Oxley Compliance Procedure Activities
- Sarbanes-Oxley Act
- Sox Audit Committee Plan
- Sox Auditor Plan
- Corporate Responsibility Plan
- Internal Control System Plan
- Completing the Sox Checklist
- Improving Sox Compliance
Sarbanes-Oxley Compliance Procedure References
- Securities Exchange Act of 1934 (USA)
- Sarbanes-Oxley Act of 2002 (USA)
- Markets in Financial Instruments Directive (MiFID, European Union)
- Financial Instruments and Exchange Law (Japan)
- Certification of Disclosure in Issuers’ Annual and Interim Filings (MI 52-109), Canada
- Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act (CLERP-9), Australia
Sarbanes-Oxley Compliance Procedure Forms
How Difficult Is SOX Compliance?
Many publicly traded companies still seem to struggle with developing a confident understanding of compliance. To a degree, the confusion over SOX seems inordinate in relation to the complexity of the regulation. Actually, compared to the intricacy of other regulations enforced by the Securities and Exchange Commission (SEC), Sarbanes-Oxley compliance is relatively straightforward. It is somewhat hard to understand why there is so much misunderstanding about Sarbanes-Oxley and why many people ask, "How difficult is SOX compliance?"
SOX Compliance Basics
As noted, for the most part the answer to the question “how difficult is SOX compliance?” should be relatively easy. In fact, the most arcane sections of the law require no effort by publicly traded companies whatsoever. These Sarbanes-Oxley sections deal with topics such as:
- Authorization and establishment of the Public Company Accounting Oversight Board (PCAOB)
- Funding and reviewing studies on corporate accountability and fraud
- Increasing punishment for white collar crime
As a brief overview shows, most sections of the SOX regulation that do require action by publicly traded companies are not that demanding:
- Creating an Audit Committee from the Board of Directors to oversee independent financial auditing activities, directly receive audit reports, and develop a process for receiving and investigating anonymous complaints about unethical accounting practices. The committee must be chaired by someone with accounting or finance experience.
- Using auditors that are independent from other company relationships, are registered with the PCAOB and comply with its requirements, and rotate their lead auditors at least every five years.
- Avoiding improper relationships and creating transparency through implementing policies such as restricting employee movement between auditors and the organization, disclosing financial transactions (i.e., loans) with executives and officers, disclosing major stockholders, restricting officer and executive trading of company stocks when other employees are restricted from doing so, and prohibiting retaliation against whistleblowers.
- Management establishing an internal control system that ensures proper accounting practices and safeguards and produces accurate financial statements, as well as annually verifying the control system’s effectiveness.
Sarbanes-Oxley Section 404 Internal Control Compliance
It is that last item, management establishing and verifying an effective internal control system under SOX Section 404, that causes the most problems for publicly traded companies. Between Sarbanes-Oxley passage and its implementation, the SEC was inundated with questions and inquiries about how to comply with this internal control requirement.
In response to these concerns, the SEC pointed to a 1992 report from The Committee of Sponsoring Organizations of the Treadway Commission (known as COSO) called “Internal Control – Integrated Framework.” The SEC cited this COSO report as one example of internal control, but also indicated that this was by no means the only method of effective internal controls.
The Role of Procedures in SOX Section 404 Compliance
It is somewhat unclear how well the SEC’s reference to the COSO report helped in clearing up confusion over internal controls. In response to the requirement, some companies began to “procedure-ize” all of their activities in finance and accounting, mistaking mounds and mounds of procedures for an internal control system.
While procedures are an important component of internal control, creating stacks of paper really only exacerbates the problem. By writing everything down in great detail and putting it in procedures, you are setting your internal control system up for failure. Now any time you do something somewhat differently than what is minutely documented in your procedures, you are not in compliance because you are not following your control system procedures.