The Sarbanes-Oxley Act of 2002 is also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and is commonly called SOX or Sarbox.
The act is named after its sponsors, Senator Paul Sarbanes and Representative Michael G. Oxley.
Reason behind the enactment –
A number of major corporate and accounting scandals that rocked the United States prompted the House to enact the law. The confidence of the general public in the United States’ securities market was shaken after the Enron, Peregrine Systems, Tyco, Adelphia and WorldCom scandals. Not only did these scandals cost the public billions of dollars, they also damaged public faith in the United States securities market.
The legislation establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms. It does not apply to privately held companies.
The Act –
The Act contains 11 titles, or sections, ranging from additional Corporate Board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law.
The Act establishes a new quasi-public agency, the Public Company Accounting Oversight Board, or PCAOB, which is charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. The Act also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure.
However, there is a heated debate on whether the benefits are comparable to the cost incurred in implementing the Act. Some feel that the legislation is necessary and will definitely help restore public confidence in the nation’s capital markets, help control corporate accounting, and strengthen the accounting credibility of public accounting firms and others.
Detractors contend that SOX was an unnecessary and costly government intrusion into corporate management that places U.S. corporations at a competitive disadvantage vis-a-vis foreign firms.
The effect of SOX on non-US companies –
It is argued that, with legislation like Sarbanes-Oxley, business will shift from the US to other countries where there is less interference by the authorities.
SOX’s effect on non-US cross-listed companies will differ depending on where such companies come from. If a company comes from a well-regulated country, SOX will unnecessarily increase cost, as such companies already comply with strict norms in their home country.
Companies from less well-regulated countries, however, will benefit: they will have to comply with the requirements of the Act, and that compliance will in turn enhance their credibility and rating. But one must keep in mind that it is going to be too expensive for all companies to comply with the provisions of SOX.
Impact of SOX on the corporate IT department
The five areas and their impacts for the IT Department are as follows:
Risk Assessment – Before the necessary controls are implemented, IT management must assess and understand the areas of risk affecting the completeness and validity of the financial reports. They must examine how the company’s systems are being used and the current level and accuracy of existing documentation.
Control Environment – Control environment factors include the integrity, ethical values and competence of the entity’s people; management’s philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors.
Control Activities – Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties. In an IT environment, control activities typically include IT general controls — such as controls over program changes, access to programs, computer operations — and application controls.
Monitoring – Auditing processes and schedules should be developed to address the high-risk areas within the IT organization. IT personnel should perform frequent internal audits. In addition, personnel from outside the IT organization should perform audits on a schedule that is appropriate to the level of risk. Management should clearly understand and be held responsible for the outcome of these audits.
Information and Communication – Without timely, accurate information, it will be difficult for IT management to proactively identify and address areas of risk. They will be unable to react to issues as they occur. IT management must demonstrate to company management an understanding of what needs to be done to comply with Sarbanes-Oxley and how to get there.
This article has been written from inputs gathered from different sources available on the Internet and in Print Media.