The great cause & effect
In 2002, the United States Congress passed the “Sarbanes-Oxley Act”, named after its sponsors Senator Paul Sarbanes and Representative Michael G. Oxley. The Sarbanes-Oxley Act imposes various governance, accounting and reporting standards on US public companies (including their subsidiaries) and accounting firms. The act came in response to high-profile frauds and corporate financial scandals, including Enron, WorldCom and Tyco, that shattered investor confidence in the credibility of financial statements. Its main purpose was to restore the lost reliability of financial reporting and, with it, investor confidence.
Key provisions of the Sarbanes-Oxley Act 2002 (SOX)
The Sarbanes-Oxley Act contains a number of provisions and is a complicated and extensive piece of legislation. Its significant provisions are generally known by their section numbers, including Sec 302, Sec 401, Sec 404 and Sec 802.
Section 302 – Corporate Responsibility for Financial Reports:
• CEO and CFO must review all financial reports;
• The financial report must not contain any misrepresentations;
• Information in the financial report is “fairly presented”;
• CEO and CFO are responsible for the internal accounting controls;
• CEO and CFO must report any deficiencies in internal accounting controls, or any fraud involving the management of the audit committee;
• CEO and CFO must indicate any material changes in internal accounting controls.
Section 401 – Disclosures in Periodic Reports:
All financial statements are required to be accurate and presented in a manner that does not contain incorrect statements or omit material information. Such financial statements should also include all material off-balance sheet liabilities, obligations, and transactions.
Section 404 – Management Assessment of Internal Controls:
All annual financial reports must include an Internal Control Report stating that management is responsible for an “adequate” internal control structure, and an assessment by management of the effectiveness of the control structure. Any shortcomings in these controls must also be reported. In addition, external auditors must attest to the accuracy of the company management’s assertion that internal accounting controls are in place, operational and effective.
Section 802 – Criminal Penalties for Altering Documents:
This section specifies the penalties for knowingly altering documents in an ongoing legal investigation, audit, or bankruptcy proceeding.
The SOX Act 2002 applies to all publicly listed companies in the United States, as well as wholly-owned subsidiaries and foreign companies that are publicly traded and do business in the United States. These companies must comply with the SOX requirements, both on the financial side and on the IT side, to increase transparency in corporate and financial governance and to create checks and balances that prevent individuals within a company from acting unethically or illegally.
Sarbanes-Oxley compliance requirements can be broadly categorised under the following four headings:
- CEOs and CFOs acknowledge responsibility
- Internal control report
- Data security policies
- SOX compliance documentation
Penalties for Noncompliance
Prescribed penalties for noncompliance with SOX regulations are severe. They include the following:
- Delisting of stock from public stock exchanges
- Fines of up to five million dollars
- Invalidation of D&O insurance policies
- Up to 20 years in prison (for CEOs and CFOs who wilfully submit an incorrect certification audit)
- Clawback of any bonuses paid within a year of any malfeasance
Sarbanes-Oxley Compliance Checklist
The following SOX compliance checklist serves as guidance to help organisations formalise the requirements listed in the SOX Act and accomplish their compliance objectives. Remember, it is not enough to simply be SOX compliant. You must also be able to prove your compliance, something that companies sometimes overlook.
1. Prevent data tampering:
Implement systems that track user logins and access, and that detect break-in attempts against systems used for financial data.
2. Maintenance of timeline records
Implement systems that timestamp all financial or other data relevant to SOX provisions. Such data needs to be stored at a remote, secure location and encrypted to prevent tampering.
3. Establish verifiable controls to track access
Implement systems that can receive data messages from practically any organisational source, with no limit on the number of sources.
4. Confirm that safeguards are in place and operational
Implement systems that distribute daily reports across the organisation, providing assurance that all SOX control measures are up and running.
5. Reporting the effectiveness of safeguards
Implement systems that generate multiple reports on data, including critical messages and alerts, the security incidents that occurred and how they were handled, using a ticketing system that archives which security problems and activities have occurred.
6. Identify security breaches
Implement security systems that analyse data in real time, identify signs of a security breach, counter them and generate meaningful alerts. These should automatically generate tickets and update an incident management system.
7. Disclosure of security breaches & controls to SOX auditors
Implement systems that detect and log security breaches, notify security personnel for resolution, and record how each incident was resolved. The system should also give auditors access to reports showing which security incidents occurred, which were successfully mitigated and which were not.
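Checklist items 1, 2 and 6 come down to a timestamped, tamper-evident audit trail and alerting on suspicious logins. The following is an added illustration, not code from the article or any vendor product: each audit entry is chained to its predecessor with an HMAC (the key is a hypothetical placeholder that would live outside the audited system), so a retroactive edit to a journal posting is detected on verification, and repeated failed logins against a constructed sample account raise an alert.

```python
import hmac, hashlib, json
from datetime import datetime, timezone

# Hypothetical key for illustration; in practice it is kept in an HSM/KMS outside the audited system.
AUDIT_KEY = b"example-audit-key-not-for-production"

def _mac(prev: str, record: dict) -> str:
    """HMAC over the previous entry's MAC and the canonical JSON of this record."""
    payload = prev.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()

def append_entry(chain: list, user: str, action: str, ok: bool, ts: str = None) -> dict:
    """Append a timestamped entry linked to its predecessor (checklist items 1 and 2)."""
    record = {"ts": ts or datetime.now(timezone.utc).isoformat(), "user": user,
              "action": action, "ok": ok}
    prev = chain[-1]["mac"] if chain else "genesis"
    entry = {**record, "mac": _mac(prev, record)}
    chain.append(entry)
    return entry

def verify_chain(chain: list) -> int:
    """Return the index of the first altered or out-of-order entry, or -1 if the chain is intact."""
    prev = "genesis"
    for i, entry in enumerate(chain):
        record = {k: v for k, v in entry.items() if k != "mac"}
        if not hmac.compare_digest(entry["mac"], _mac(prev, record)):
            return i
        prev = entry["mac"]
    return -1

def failed_login_alerts(chain: list, threshold: int = 3) -> list:
    """Flag users with `threshold` or more failed logins (checklist item 6)."""
    counts = {}
    for e in chain:
        if e["action"] == "login" and not e["ok"]:
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)

def demo() -> tuple:
    """Constructed sample: a normal day, then an after-the-fact edit of a journal posting."""
    chain = []
    append_entry(chain, "alice", "login", True, "2024-03-01T09:00:00+00:00")
    append_entry(chain, "alice", "post_journal:JE-1042", True, "2024-03-01T09:05:00+00:00")
    for i in range(4):  # repeated failures against a privileged account
        append_entry(chain, "cfo_admin", "login", False, f"2024-03-01T22:1{i}:00+00:00")
    intact = verify_chain(chain)
    chain[1]["action"] = "post_journal:JE-1042-reversed"  # retroactive alteration
    return intact, verify_chain(chain), failed_login_alerts(chain)
```

Shipping the chain's latest MAC to a remote, write-once store (as item 2 requires) is what prevents an attacker with the key from simply recomputing the whole chain.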
Case Study – The Rise and Fall of Enron
The Enron scandal was a series of events that resulted in the bankruptcy of the U.S. energy, commodities, and services company Enron Corporation and the dissolution of Arthur Andersen LLP, which had been one of the largest auditing and accounting companies in the world.
The collapse of Enron, which held more than $60 billion in assets, involved one of the biggest bankruptcy filings in the history of the United States, and it generated much debate as well as legislation designed to improve accounting standards and practices, with long-lasting repercussions in the financial world.
Enron employee pension funds and individual 401(k)s were heavily invested in Enron stock. When the company failed, millions of investors found their stock portfolios devalued and depleted. In the case of Enron, reallocations to other stock choices were unavailable during the period when the stock was losing market value. Many individuals lost as much as ninety-four percent of the value of their retirement plan. By contrast, some C-suite employees had made significant financial gains in preceding years by exercising stock options that were valued at less than the current price.
The financial controversies also raised questions about practices in large accounting firms, such as Arthur Andersen. Among other activities, some Arthur Andersen employees were accused of destroying paper and electronic documents while the SEC conducted a review of Enron.
The scandal resulted in a wave of new regulations and legislation designed to increase the accuracy of financial reporting for publicly traded companies. The most important of those measures, the Sarbanes-Oxley Act (2002), imposed harsh penalties for destroying, altering, or fabricating financial records.
Source: HBR / Edward Russell- Walling
Mohammad Usman Ali – The author is the Director of Financial Shared Services in the Australian subsidiary of a US multinational company, based in Melbourne. He is a member of various prestigious professional organisations including CPA Australia, ACCA UK and ICAP Pakistan. He is also a panel member of the ACCA Australia & New Zealand chapter.
Disclaimer: The content of this article is for information only and is not offered as an advice. Readers are encouraged to consult a suitably qualified professional adviser to obtain advice tailored to their specific requirement.