SOX Compliance – A Continuing Challenge
SOX Compliance in Recent News
Although the Sarbanes-Oxley Act has been around since 2002, compliance remains a challenge. In a recent example, a Forbes article from this month explores reasons for Plantronics’ under-performance in the stock market and brings up concerns that Plantronics may be facing a Sarbanes-Oxley violation. The article mentions that the senior vice president of sales at Plantronics, “…was instructing employees who worked under him to delete e-mails that were clearly relevant and responsive to pending discovery having to do with the distributors that are at issue in this case.”
In our last several posts we’ve focused on HIPAA compliance. But of course HIPAA is only one of several areas companies need to keep in mind when it comes to compliance issues. Here’s a quick refresher on the Sarbanes-Oxley Act.
Intent of the Sarbanes-Oxley Act
The intent of the Sarbanes-Oxley Act (also known as Sarbox or SOX) was to protect investors by improving the reliability and accuracy of corporate disclosures. It was enacted in 2002 and, while it applies primarily to public companies, the act also contains provisions for private companies. Those provisions concern the willful destruction of evidence to impede a Federal investigation.
A major feature of the SOX Act is that it specifies financial reporting responsibilities. This means that it should no longer be possible for CEOs and CFOs to claim that ignorance of financial issues excuses them from accountability for the accuracy of financial statements.
As a result of the SOX Act, leaders of an organization are held legally responsible for SOX compliance, facing possible monetary fines and imprisonment (up to twenty years) for failure to comply. Thus, even if a company’s IT department prepares SOX audit statements, those statements will need to be certified by the CEO.
What are some of the ways SOX Compliance has affected companies since SOX was enacted?
- Stronger audit committees at public companies, due to the act’s requirement that audit committee members be independent of top management.
- Increased costs, especially due to Section 404 of the act. This section requires extensive internal control tests and reporting. As a result of these costs, many companies have seen a need to focus on making their financial reporting more efficient.
- Strengthened public disclosure requirements.
- Stricter penalties for obstructing justice and for securities fraud.
What are the main IT concerns regarding SOX Compliance?
Most aspects of IT are affected by SOX compliance. SOX regulations mean that audit trails must be retained and auditable for five years. Any IT operation that involves financial data or activity may be affected. All forms of communication regarding finance and accounting must be tracked and archived in case of compliance audits.
What kinds of information does IT need to store with regard to SOX compliance, and how?
Generally speaking, IT needs to retain all emails, spreadsheets, and documents used to arrive at final financial conclusions. For a more complete breakdown, see our post “What Does Your IT Team Need to Know about SOX Compliance.”