A Securities and Exchange Commission advisory panel recently recommended exempting thousands of small public companies from key parts of a 2002 corporate accounting law. In its final meeting, the advisory committee adopted a report that includes a handful of proposals for easing rules on small companies.
The most controversial proposal calls on the agency to override the internal-controls requirement of the Sarbanes-Oxley Act (SOX), including allowing an estimated 70 percent of public companies to escape from rules that require an outside auditor to assess internal controls over financial reporting. The vote brings into focus a heated debate over the internal-controls requirement of the 2002 law, enacted in the aftermath of corporate accounting scandals at Enron and WorldCom. Smaller businesses have complained that the costs of following the law are too high.
What is SOX?
The Sarbanes-Oxley Act of 2002 is a congressional act passed to prevent future scandals of Enron proportion, and is considered to be one of the most significant changes to federal securities laws in the United States. The Enron scandal, and other similar scandals, damaged investors’ confidence in the accuracy of all public corporate financial statements. Among the major provisions of the act are: criminal and civil penalties for securities violations; auditor independence and certification of internal audit work by external auditors; and increased disclosure regarding executive compensation, insider trading and financial statements.
In layman’s terms, SOX essentially says that you will go to jail if you are signing off on the veracity of certain documents in a public corporation and they turn out to be incorrect, even if it wasn’t really your fault. It requires certain executives at the top to sign off on the financial statements that stockholders typically examine before buying a stock. This potentially exposes those top executives to the risk of jail time.
On-demand software providers like Journyx for time collection assist with compliance for revenue recognition and IT development capitalization. On-demand providers like Amicus.com for email storage, search and retrieval allow for compliance with SOX and SEC regulations for financial firms, like stock brokers. The Internet makes information security issues related to SOX acute, since it becomes difficult to guarantee that the wrong data isn’t getting out of your company.
As you might expect, the CEOs, CFOs and other executives of publicly-traded companies take SOX very seriously. When a CEO takes something seriously, it typically means finding some other person in the company, or several, and requiring them to take the issue even more seriously than he/she does. And that’s just what CEOs have done with SOX. Some call it “delegation of responsibility,” “buck-passing” or “things rolling downhill” – all depending on your point of view.
This is probably where you come in. You may be selling to, or working for, a company that must be SOX compliant. It is important for you to know how SOX can affect your work.
With the help of certain very large and expensive consulting companies (who, as you can imagine, love SOX), a model called Committee of Sponsoring Organizations (COSO) of the Treadway Commission was developed to spread the responsibility of SOX across organizations evenly. This leads to total corporate buy-in for obtaining accurate financial statements. It centers around the idea that fraud and mistakes are much less likely to occur if the company follows effective processes.
The model describes a control matrix with processes, sub-processes, objectives, risks, controls, tests and results in a dependency tree. Processes have sub-processes, which have objectives, which have risks, which have controls, which have tests, which have results. These are all one-to-many relationships.
For example, there is an HR/payroll process by which people are hired, paid, fired, given benefits, etc. One sub-process (of which there could be many) of the HR/payroll process is “payroll calculation.”
An objective of this sub-process is that people are paid correctly for what hours they actually worked and were authorized to work. Another objective might be to keep the payroll data secure.
There could be a number of risks to the objective of correct pay for actual authorized work, such as unauthorized hours being worked, or a discrepancy between claimed and authorized hours. Buddy punching (where someone lends his badge to a friend for illicit system login to get free money) is another potential risk.
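The dependency tree described above, as an added example that is not from the original article: a small Python model of the control matrix that enforces the level ordering (process, sub-process, objective, risk, control, test) and walks the tree to report risks with no control, controls with no test, and tests that have not passed. The HR/payroll process, sub-process, objectives and risks are the ones named in the text; the controls, tests and their results are constructed for illustration.

```python
from dataclasses import dataclass, field
# Levels of the COSO control matrix, top to bottom; each is one-to-many with the next.
LEVELS = ["process", "sub-process", "objective", "risk", "control", "test"]

@dataclass
class Node:
    kind: str
    name: str
    children: list = field(default_factory=list)
    result: "bool | None" = None  # tests only: True passed, False failed, None not run

    def add(self, *children):
        """Attach children, enforcing that a level only owns the next level down."""
        expected = LEVELS[LEVELS.index(self.kind) + 1]
        for child in children:
            if child.kind != expected:
                raise ValueError(f"a {self.kind} may only contain {expected} nodes")
            self.children.append(child)
        return self

def coverage_gaps(node, path=""):
    """Depth-first walk: uncontrolled risks, untested controls, tests not passed."""
    path = f"{path}/{node.name}" if path else node.name
    gaps = []
    if node.kind == "risk" and not node.children:
        gaps.append(("uncontrolled risk", path))
    elif node.kind == "control" and not node.children:
        gaps.append(("untested control", path))
    elif node.kind == "test" and node.result is not True:
        gaps.append(("test not passed", path))
    for child in node.children:
        gaps.extend(coverage_gaps(child, path))
    return gaps

def hr_payroll_matrix():
    """The HR/payroll example from the text; the controls and tests are constructed."""
    correct_pay = Node("objective", "correct pay for actual authorized work").add(
        Node("risk", "unauthorized hours worked").add(
            Node("control", "manager approves timesheet before payroll run").add(
                Node("test", "sample 25 timesheets for approval", result=True))),
        Node("risk", "discrepancy between claimed and authorized hours").add(
            Node("control", "claimed hours reconciled to authorized schedule").add(
                Node("test", "reconciliation report reviewed", result=False))),
        Node("risk", "buddy punching"))  # no control designed yet
    secure_data = Node("objective", "payroll data kept secure").add(
        Node("risk", "unauthorized access to payroll data").add(
            Node("control", "role-based access to payroll system").add(
                Node("test", "quarterly access review"))))  # test not yet run
    return Node("process", "HR/payroll").add(
        Node("sub-process", "payroll calculation").add(correct_pay, secure_data))
```

Running `coverage_gaps(hr_payroll_matrix())` lists the three items an auditor would flag in this matrix: the failed reconciliation test, the buddy-punching risk with no control, and the access review that has not been run.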