The three mega cases of Enron, WorldCom and Tyco essentially caused the passage of the 2002 Sarbanes-Oxley Act (SOX). After millions of Americans lost billions of dollars to the criminals who managed these immense corporations, Congress determined that rules were required to prevent the perpetration of similar frauds in the future. The SOX law established comprehensive financial control and auditing regulations for publicly held companies and remains a fundamental element of today’s financial services industry.
The Necessity for Regulation
Prior to SOX, publicly held corporations were trusted to provide honest and accurate accounting statements about their assets, holdings, and net worth. However, the financial losses caused by the failure of the three giants referenced above revealed that, in many cases, that ‘trust’ was misplaced and badly abused:
Enron’s leadership gambled (poorly) on deregulated energy markets, losing millions of investor dollars. Instead of reporting those losses, however, it lodged them in shell companies, and fraudulent accounting practices ensured they were hidden from public view, misleading the public and regulators into believing that the company was doing well and deserved even more investment. By the time the company collapsed in January of 2002, millions of investor dollars were gone, and several of its ‘leaders’ were headed for prison.
Tyco presented itself as an electronics conglomerate, but its reported value rested on a series of mergers and acquisitions and on outright fraudulent bookkeeping. When it finally failed (also in 2002), law enforcement determined that its leaders had stolen more than 150 million from the company.
The WorldCom disaster followed Enron and Tyco but dwarfed them in losses. Rather than own up to significant losses, the WorldCom accountants simply reported them as profits and assets. After the criminals went off to jail and the company emerged from bankruptcy, the value of losses to investors and employees approached $7 billion.
These financial disasters revealed the need for comprehensive regulation of publicly held companies; the SOX law is the response to that need. All publicly held American companies, international companies that have registered debt or equities with the U.S. Securities and Exchange Commission (SEC), and the accounting firms that provide services to these companies are subject to SOX.
SOX Compliance Principles
Complying with SOX requires maintaining transparency in financial governance and information reporting and maintaining a system of internal checks and balances that prevents inappropriate financial manipulation.
SOX Compliance Audit Process: The Requirements
While there are eleven titles to the SOX legislation, the most significant of these are those related to audits, sections 302 and 404:
- § 302 requires corporate officers to certify that all records and reports are accurate, as well as personally verify the sufficiency and accuracy of the physical, administrative and electronic internal controls used to produce them. The SOX compliance audit focuses on how accurate these leaders are when they sign off on that assertion.
- § 404 requires annual reporting on the scope and adequacy of the internal controls, including technical controls, used to ensure transparent and accurate financial management processes. It mandates that an outside entity perform the annual audit of those internal controls. The audit evaluates the effectiveness of the company’s internal controls to protect against and detect nefarious financial management activities.
In layman’s terms, the audit reviews how well your company’s internal controls protect your customers’ data. Companies of every size should prepare for the audit as if their future depends on it, because it does.
Preparing for the SOX Compliance Audit
Initial preparation efforts should focus on finding an appropriate auditor. The Public Company Accounting Oversight Board (PCAOB) sets the standards for the audits and, for electronic controls, follows the framework established by the Information Systems Audit and Control Association (ISACA), which outlines best practices for 34 IT processes. Your auditor should be familiar with the standards established by both entities.
The assessment of internal controls required by § 404 covers how those controls manage four main data management categories:
- Access. Both physical and technical controls must prevent unauthorized users from accessing confidential financial data. The audit will review how workers, contractors and leadership access the financial data contained on servers, in data centers, and on mobile devices.
- Data backup. Maintaining backup files protects data from loss when primary systems fail. Companies that provide backup services are also subject to SOX regulations. The auditor will review the practices of both client and provider to evaluate whether backup files are managed appropriately.
- Change management. Adding or removing users and machines always creates new vulnerabilities. The system must have controls that govern how new users are incorporated into the system and how existing users are removed from it. The auditor will trace how both new additions and removed elements affect the security of the overall system.
- IT security. The system must protect data from breaches, whether caused by internal or external factors. If or when breaches occur, there must also be processes for managing them and limiting the damage they can cause. The auditor will assess whether the overall data security architecture provides sufficient protection of financial data.
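One piece of evidence an auditor traces for the access and change-management categories above is a periodic user access review. The following is an added example, not code from the article or from any regulator or vendor; it reconciles a constructed HR roster against a constructed list of system accounts and flags the findings a reviewer would expect to see.

```python
"""User access review supporting SOX access and change-management controls.

Added example with constructed data. It reconciles an HR roster against
system accounts and reports: accounts of terminated staff that were never
removed, logins after an employee's end date, accounts with no HR record,
and privileged accounts that need explicit review.
"""
from datetime import date

# Constructed sample data (hypothetical users and roles, not real records).
HR_ROSTER = {
    "alice": {"status": "active", "end_date": None},
    "bob": {"status": "terminated", "end_date": date(2024, 3, 31)},
    "carol": {"status": "active", "end_date": None},
}

SYSTEM_ACCOUNTS = [
    {"user": "alice", "role": "analyst", "last_login": date(2024, 6, 1)},
    {"user": "bob", "role": "admin", "last_login": date(2024, 5, 15)},    # not deprovisioned
    {"user": "dave", "role": "analyst", "last_login": date(2024, 6, 2)},  # no HR record
    {"user": "carol", "role": "admin", "last_login": date(2024, 6, 3)},
]

PRIVILEGED_ROLES = {"admin"}


def review_access(roster, accounts):
    """Return findings grouped by category, each a list of usernames."""
    findings = {
        "terminated_still_active": [],  # deprovisioning control failed
        "login_after_termination": [],  # evidence the stale account was used
        "orphaned": [],                 # account with no owner in HR
        "privileged": [],               # must be justified by a reviewer
    }
    for acct in accounts:
        user, record = acct["user"], roster.get(acct["user"])
        if record is None:
            findings["orphaned"].append(user)
        elif record["status"] == "terminated":
            findings["terminated_still_active"].append(user)
            if record["end_date"] and acct["last_login"] > record["end_date"]:
                findings["login_after_termination"].append(user)
        if acct["role"] in PRIVILEGED_ROLES:
            findings["privileged"].append(user)
    return findings


if __name__ == "__main__":
    for category, users in review_access(HR_ROSTER, SYSTEM_ACCOUNTS).items():
        print(f"{category}: {users or 'none'}")
```

Each non-empty finding is either a control failure to remediate or an item for a documented reviewer sign-off, which is the record an auditor asks for.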
The absence of corporate failures like those of Enron, Tyco and WorldCom indicates that SOX compliance audits are working to prevent consumers from having their financial data stolen by unethical financial companies. Simply put, to comply with the SOX compliance audit process, ensure that your company is properly protecting the financial information of your customers and clients.