The purpose of the Sarbanes-Oxley Compliance Procedure is to list and assign Sarbanes-Oxley compliance requirements, measure and monitor (track) compliance, and note when key compliance items are complete. The procedure applies to the Finance and Accounting departments, and to all departments that provide financial or accounting data. (14 pages, 3015 words)
Sarbanes-Oxley Compliance Responsibilities:
The CFO (Chief Financial Officer) is responsible for ensuring that the company is in compliance with the Sarbanes-Oxley Act of 2002. The CFO is also responsible for approving and signing all financial statements, financial reports, and tax returns.
The CEO (Chief Executive Officer) is responsible for approving and signing all financial statements, financial reports, and tax returns.
The Controller is responsible for assisting the CFO in preparation of financial statements.
Top Management is responsible for overseeing and verifying financial statement preparation, and for putting in place an internal control system as prescribed in Sections 302 and 404 of the Sarbanes-Oxley Act of 2002. Top Management should also prepare an annual report on the effectiveness of the internal control system.
Department Managers are responsible for providing information necessary for preparing financial statements, and for assistance in developing and monitoring the system of internal controls needed to comply with the Sarbanes-Oxley Act of 2002.
The Audit Team Leader, established by and of the board of directors, should oversee the accounting and financial reporting processes and the audits of the financial statements of the company.
Sarbanes-Oxley Compliance Definitions:
Blackout period – Period of up to sixty days, during which employees may not adjust the investments contained in their investment plans (e.g., 401(k)); blackout periods often occur when the investment plan is undergoing significant changes.
Generally Accepted Accounting Principles (GAAP) – Standards, conventions, and rules followed by accountants practicing in the USA and established by the Financial Accounting Standards Board (FASB).
ICFR – Internal Control over Financial Reporting.
Public Company Accounting Oversight Board (PCAOB) – A private-sector, non-profit corporation established by SOX to oversee the auditors of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, fair, and independent audit reports.
Sarbanes-Oxley Act of 2002 (SOX – USA) – Law designed to protect investors, in combination with other Securities regulations, by promoting ethical behavior by corporate officers and by improving the accuracy and reliability of corporate disclosures, particularly financial statements.
Many publicly traded companies still seem to struggle with developing a confident understanding of compliance. To a degree, the confusion over SOX seems inordinate in relation to the complexity of the regulation. Actually, compared to the intricacy of other regulations enforced by the Securities and Exchange Commission (SEC), Sarbanes-Oxley compliance is relatively straightforward. It is somewhat hard to understand why there is so much misunderstanding about Sarbanes-Oxley and why many people ask, “how difficult is SOX compliance?”
As noted, for the most part the answer to the question “how difficult is SOX compliance?” should be relatively easy. In fact, the most arcane sections of the law require no effort by publicly traded companies whatsoever. These Sarbanes-Oxley sections deal with topics such as:
As a brief overview shows, most sections of the SOX regulation that do require action by publicly traded companies are not that demanding:
It is that last item listed, management establishing and verifying an effective internal control system under SOX Section 404, that causes the most problems for publicly traded companies. Between the passage of Sarbanes-Oxley and its implementation, the SEC was inundated with questions and inquiries about how to comply with this internal control requirement.
In response to these concerns, the SEC pointed to a 1992 report from The Committee of Sponsoring Organizations of the Treadway Commission (known as COSO) called “Internal Control – Integrated Framework.” The SEC cited this COSO report as one example of internal control, but also indicated that this was by no means the only method of effective internal controls.
It is somewhat unclear how well the SEC’s reference to the COSO report helped in clearing up confusion over internal controls. In response to the requirement, some companies began to “procedure-ize” all of their activities in finance and accounting, mistaking mounds and mounds of procedures for an internal control system.
While procedures are an important component of internal control, creating stacks of paper really only exacerbates the problem. By writing everything down in great detail and putting it in procedures, you are setting your internal control system up for failure. Now, any time you do something somewhat differently than what is minutely documented in your procedures, you are not in compliance because you are not following your control system procedures.