Sarbanes-Oxley Responsibilities and Techniques for Compliance
What are SOX sections 404 and 302 and what controls and tools do we need?
The Sarbanes-Oxley Act of 2002 is a comprehensive set of regulations devised to protect investors by improving the accuracy and reliability of financial reporting and corporate disclosures. While it is required for companies traded on the US stock exchanges, portions are also implemented across non-public companies because it provides a framework for basic corporate governance.
The Act, also known as SOX, Sarb-Ox and SOA, consists of nine sections including auditor independence, corporate responsibility, corporate fraud accountability, and enhanced financial disclosures. The most widely discussed sections are sections 302 and 404. Section 302 is about corporate responsibility for financial reports and section 404 addresses management assessment of and responsibility for internal controls.
Section 302 and 404 Responsibilities
Section 302 makes management responsible for the accuracy of financial reports and the effectiveness of internal controls over financial data. This responsibility is illustrated by the executive officer's certification that the financial reports are not misleading and are materially accurate with respect to financial control and results of operations. It is through this certification that any significant weaknesses in internal controls are disclosed. Significant weaknesses cover both the design and the operation of a control that could adversely affect the recording, processing, summarizing and reporting of financial data.
Management is responsible for:
- having adequate controls in place for the reporting period
- disclosing weaknesses in internal control
- disclosing to the audit committee and auditors any fraud involving key employees with financial reporting duties
- indicating if there were significant changes in internal controls during the reporting period
- indicating whether corrective action was performed on any control changes related to deficiencies or material weaknesses.
Section 404 requires management to establish and maintain an adequate internal control structure and procedures for financial reporting. An annual assessment of the effectiveness of the internal controls and financial reporting procedures is also required.
Controls and Tools for Compliance
The process of establishing internal controls includes the documentation of activity involving financial transactions and data. Auditors and business analysts evaluate those processes to identify controls that ensure data accuracy and validity. The tools used to document the processes and controls range from spreadsheet and word processing software to sophisticated workflow and document management software. In addition, some software is self-documenting through use of audit trails.
After controls are established, documented processes should be in place that detect changes to those controls. We can identify changes by interviewing personnel or testing the processes for compliance. We can also analyze changes in financial statement data for patterns that indicate irregularities that might be the result of errors or fraud. Software used for data analysis includes data mining, file retrieval and pattern recognition software.
Management and auditors must ensure that processes are documented and controls are assessed for design and operating effectiveness. When those steps have been taken, management may limit its review of changes in business conditions. Such a review will encompass changes in revenue, expenses, cash flow and other production metrics.
To assess changes in the internal controls or financial data, we may use a variety of tools.
Auditors have long reviewed supporting documentation in their audit of financial statements. They previously considered the internal control structure of a company when scoping the sample (the number of documents to be reviewed) being audited. As a result of Sarbanes-Oxley, auditors are now required to assess the effectiveness of the internal controls.
Copyright © 2004 Control Consulting Corporation.
About the Author
Cathy Mugford of Control Consulting Corporation is a Certified Public Accountant (CPA) and Certified Information Systems Auditor (CISA).