What a New IT Executive Should Know about SOX

The Sarbanes-Oxley Act (SOX) is a federal act passed in 2002 with bipartisan congressional support to improve auditing and public disclosure in response to several accounting scandals in the early-2000s.

Within Section 404 of SOX, there are key provisions that require the CEO and CFO to demonstrate the effectiveness of their internal controls and to have external accounting/auditing firms audit and attest to them.

What do you have to know?
External auditors and the organization have to develop a set of critical requirements. These requirements allow the auditor to “work with others” by auditing, in parallel, the financial statements and the IT controls over financial reporting.

The requirements can be:

  • Select appropriate frameworks
  • Adopt risk-based approaches
  • Map business process to IT processes
  • Have internal audits use the same approach as external audits

Cost
What is the cost of implementing the processes needed to be compliant? After researching the topic of the SEC’s SOX requirements, the takeaway is that the law will affect the IT business cost. For an IT executive, cost is always the bottom line: can we afford this? However, the research shows that the start-up cost of implementing IT controls can be a burden, but it declines over time as the company grows and becomes profitable, at which point it becomes a typical operational cost.

One key takeaway from the SEC research is that companies whose controls meet regulatory standards gain, as a byproduct, better IT infrastructure, more secure infrastructure, and more skilled employees. In essence, there is a trade-off to being compliant with local and federal laws: your employee talent is of higher quality because such companies hire people who adhere to and institute best practices and standards.

Section of the Law as it is written:

(Sec. 404) Directs the SEC to require by rule that annual reports include an internal control report which: (1) avers management responsibility for maintaining adequate internal control mechanisms for financial reporting; and (2) evaluates the efficacy of such mechanisms. Requires the public accounting firm responsible for the audit report to attest to and report on the assessment made by the issuer.

Summary
As a key IT executive, you should know that IT is one of the critical stakeholders in any auditing outcome, whether good or bad. Even though IT isn’t responsible for the human input of what data goes into the system, it is responsible for data integrity, reliability and accuracy. The executive’s job requires in-depth knowledge of the business’s IT infrastructure, workflow, and personnel, because you must ensure that the information entered into the systems is subject to controls, security and compliance layers, and that every action is captured.