The areas of improvement go well beyond technical statutory compliance. They include a strengthened control environment; more reliable documentation; increased audit committee involvement; better, less burdensome compliance with other statutory regimes; more standardized processes for IT and other functions; reduced complexity of organizational processes; better internal controls within partner companies; and more effective use of both automated and manual controls.
The result is not only shareholder protection, the official purpose of the act, but also enhanced shareholder value. Fear can be a powerful generator of upstanding conduct. But businesses run on discovering and creating value. Companies need to start viewing Sarbanes-Oxley as an ally in that effort. When Congress hurriedly passed the Sarbanes-Oxley Act of , it had in mind combating fraud, improving the reliability of financial reporting, and restoring investor confidence.
Understandably, most executives wondered why they should be subjected to the same compliance burdens as those who had been negligent or dishonest. But what exactly is a control structure composed of?
A control is a practice established to help ensure that business processes are carried out consistently, safely, with the proper authorization, and in the manner prescribed. Take, for example, the objective of keeping information secure. Controls to achieve this objective might be as straightforward as locking a file cabinet or as elaborate as encrypting computer data.
Sarbanes-Oxley was enacted to improve the reliability of financial reporting; therefore, most of the controls adopted pursuant to the Act concern themselves with the timeliness, integrity, and accuracy of financial data. Controls fall into two broad categories. Preventive controls are intended to eliminate lapses, either intentional or inadvertent. An example would be the segregation of duties in an accounts payable department, so that one person approves an invoice, another prepares the payment, and a third signs the check.
In this way an unauthorized payment is kept from being issued. Detective controls are designed to identify errors and irregularities that have already occurred. Monthly reconciliation of cash accounts, for example, is undertaken to ferret out such conditions.
An essential element of any Sarbanes-Oxley compliance program is the testing of controls. In some cases, the matters being tested were too unimportant to contribute to a material misstatement in the financial reports. Such controls are tested more frequently; less essential ones may be deemed to fall outside the scope of the testing plan entirely. Many companies have achieved cost savings in the second year of SOX compliance, without any reduction in control effectiveness, by rationalizing their controls in this manner.
Yet in the course of providing compliance advice to executives, we discovered a small subset who approached the new law with something like gratitude. They were thinking not only of protecting stakeholders and shielding their companies from lawsuits but of developing better information about company operations in order to avoid making bad decisions.
While providing compliance advice to executives, we discovered a small subset who approached Sarbanes-Oxley with something like gratitude. However, the burdens of implementing SOX for the first time, in , were so great that this more forward-thinking group could give little time to developing and adopting policies and practices that went beyond literal compliance. As SOX went into effect, more and more executives began to see the need for internal reforms; indeed, many were startled by the weaknesses and gaps that compliance reviews and assessments had exposed, such as lack of enforcement of existing policies, unnecessary complexity, clogged communications, and a feeble compliance culture.
In any era, the enactment of a law like SOX would probably have prompted a similar stocktaking. It is no wonder that actual and reported performance at a number of companies diverged.
Year two of compliance is now complete at most large U. Is the parking lot still full of unimplemented change plans? At many organizations, it is.
In year two, a number of companies have begun to standardize and consolidate key financial processes (often in shared service centers); eliminate redundant information systems and unify multiple platforms; minimize inconsistencies in data definitions; automate manual processes; reduce the number of handoffs; better integrate far-flung offices and acquisitions; bring new employees up to speed faster; broaden responsibility for controls; and eliminate unnecessary controls.
Moreover, SOX-inspired procedures are beginning to serve as a template for compliance with other statutory regimes. Good governance is a mixture of the enforceable and the intangible. Organizations with strong governance provide discipline and structure; instill ethical values in employees and train them in the proper procedures; and exhibit behavior at the board and executive levels that the rest of the organization will want to emulate. These are all components of the control environment, which forms the foundation of internal control.
A proper control environment is one factor an external auditor considers when called upon to evaluate internal control over financial reporting pursuant to Section Rather, they contribute to the mass of evidence weighed by the external auditor.
The act created strict new rules for accountants, auditors, and corporate officers and imposed more stringent recordkeeping requirements.
The act also added new criminal penalties for violating securities laws.
Businesses had little knowledge of it and often had to spend much money and manpower to get it implemented. Not only that, but it also required many people to oversee the process as companies tended to ensure that they were over-compliant.
The significant costs and complex regulations made SOX the bane of many corporations. Fast forward to now. SOX has allowed a more efficient and streamlined approach that focuses on areas of real risk rather than a catch-all approach. Companies that have put sufficient resources and effort into designing strong SOX programs have clearly understood the benefits that SOX brings beyond compliance. The acceptance that Sarbanes-Oxley was here to stay allowed its internal control environments to become the norm within organizations.
SOX forces companies to be disciplined and helps businesses reduce the number of mistakes they would make otherwise. As a result, according to an annual report done by Audit Analytics, the number of restatements noted in , at , was the lowest in a decade. In , companies told investors a restatement was needed. SOX also strengthens the roles and responsibilities of audit committees to allow them to continue to hone their capabilities and enhance their financial reporting, creates specific communication of the review delivered throughout the company and provides the internal audit team with a prime opportunity to become one of the cornerstones of business.
Furthermore, the SOX guidelines protect whistleblowers from retaliatory actions and prevent potentially expensive lawsuits and government fines. SOX compliance can encompass many of the same practices as any data security initiative.
Oxley R-OH-4 wrote this bill in response to several high-profile corporate scandals — Enron, WorldCom, and Tyco in particular. The bill passed by overwhelming majorities in both the House and Senate — only three members voted to oppose. SOX applies to all publicly traded companies in the United States as well as wholly-owned subsidiaries and foreign companies that are publicly traded and do business in the United States.
Private companies, charities, and non-profits are generally not required to comply with all of SOX. SOX mandates companies complete yearly audits and make those results easily available to any stakeholders. Companies hire independent auditors to complete the SOX audits, which must be separate from any other audits to prevent a conflict of interest. Auditors compare past statements to the current year and determine if everything is copasetic.
Auditors can also interview personnel and verify that compliance controls are sufficient to maintain SOX compliance standards. Make sure to update your reporting and internal auditing systems so you can pull any report the auditor requests quickly.