Whether it’s taxes or compliance, the word “audit” is never something businesses want to hear. You might feel worried that you let something slip through the cracks, that you’ve forgotten a key requirement, or might be missing critical records. With all your other responsibilities in your business from employees to product, an audit is the last thing you want to worry about.
The Sarbanes-Oxley (SOX) Act affects all businesses, but our helpful SOX compliance audit checklist will make sure that you meet all the necessary requirements.
The Sarbanes-Oxley (SOX) Act was signed into law in 2002 and is also known as the “Public Company Accounting Reform and Investor Protection Act” or as the “Corporate and Auditing Accountability and Responsibility Act.” This act is designed to regulate corporate governance and financial practice.
The bill contains eleven sections which determine the responsibilities of public companies and their leadership, the punishments and penalties for ignoring those responsibilities, and how the U.S. Securities and Exchange Commission should be involved in ensuring public companies follow the law.
This guide will cover the primary audit sections which include: 302, 401, 404, 409, and 802. The bill contains many more provisions and stipulations beyond what will be covered in this SOX compliance audit checklist so should you feel the need for more information, please reach out for a free consultation with one of our experts or read through the Sarbanes-Oxley Act itself.
Who is Required to Have a SOX Audit?
The SOX Act was introduced after a series of corporate and accounting scandals destroyed public confidence and cost investors billions of dollars. Notable companies like Enron, Tyco International, and Adelphia were among the companies that collapsed from deceptive business practices.
In order to restore the public’s faith in corporate entities, the bill applies to publicly held American companies both large and small, any international companies that have registered debt or equity with the U.S. Securities and Exchange Commission, and any third party company that provides financial services to these entities.
Despite the common belief that only publicly traded companies are required to have a SOX audit, any private company preparing for its Initial Public Offering (IPO) is also subject to an audit.
How Often is a SOX Audit?
Once per year, a company is audited to determine whether it is complying with the different sections of SOX. An external SOX compliance auditor must be used as part of the requirement; generally, this auditor is kept separate from any other internal audits that you undergo as a company to avoid conflicts of interest.
An auditor will meet with the management team of your company to discuss the extent of the audit and what will be the likely results. After this initial introduction, they will begin taking a close look at your company’s financials while also reviewing prior financial statements and audits.
One of the primary components of the audit involves a review of the company’s security procedures. It is important that you maintain a security posture that prevents data breaches and loss of financial records and protects customer data. With a weak security program, a SOX compliance audit will be far less effective.
The SOX compliance auditor will verify that all financial data is accurate within a 5% margin of error. Let’s review each section of the SOX compliance audit so you can check the areas in which you are doing well and determine where you might need improvement. A SOX compliance auditor is not your enemy; they are there to point out areas in which your internal security protocols can improve and to mark discrepancies in financial data.
SOX Compliance Audit Components
There are several components that make up a SOX compliance audit. Again, the initial step is to have the auditing firm meet with management to set clear expectations. The sections to review are as follows:
- Section 302: Corporate Responsibility of Financial Records
- Section 401: Disclosures in Periodic Reports
- Section 404: Management Assessment of Internal Controls
- Section 409: Disclosures of Changes to Financial Conditions or Operations
- Section 802: Penalties for Altering Documents
Let’s take a closer look at each of these components and some of their stipulations.
Section 302: Corporate Responsibility of Financial Records
The CEO and CFO must maintain accurate financial records that reflect the state of the company. The Sarbanes-Oxley Act Guide details that the financial reports are to include certifications that:
- The signing officers have reviewed the report
- The report does not contain any material untrue statements or material omissions and is not misleading
- The financial statements and related information fairly present the financial condition and the results in all material respects
- The signing officers are responsible for internal controls and have evaluated these internal controls within the previous ninety days and have reported on their findings
- A list of all deficiencies in the internal controls and information on any fraud that involves employees who are involved with internal activities
- Any significant changes in internal controls or related factors that could have a negative impact on the internal controls
This is a crucial aspect of the audit. In one of the largest scandals in the corporate world, Jeffrey Skilling assembled a handful of executives who deceptively kept a series of failed deals and projects from the public. The company was billions of dollars in debt and only a few individuals were aware. Section 302 requires that executive staff accurately report these financial details, giving shareholders the information to decide whether to continue investing in or withdraw from the company.
Section 401: Disclosures in Periodic Reports
All financial reports of the company must be published to the public. The reports must be prepared in accordance with standard accounting requirements. These financial statements must also include any and all material off-balance-sheet liabilities, obligations, or transactions. A SOX compliance auditor will assess whether a company has accurately disclosed these financial records.
Section 404: Management Assessment of Internal Controls
Section 404 is the primary component of a SOX compliance audit. The company must assess all internal controls, which include network hardware, computers, and other electronic infrastructure through which financial data passes, on which it is stored, or from which it is disclosed to the public. There are four major categories that fall under the assessment of internal controls:
- Access: Every user’s access to systems, whether physical or electronic, is approved. The proper security measures preventing unauthorized access are in place: passwords, lock screens, secure locations, etc.
- Security: While this is a broad term that encompasses a complex range of things, a company should have strong security that constantly assesses and updates the state of its systems to defend against evolving security threats. It is also important that a company has the necessary tools to remediate any incidents that do occur. Invest in a good cybersecurity company like RSI Security to help assess your system security with a comprehensive list of cybersecurity services.
- Change Management: Any time you update a system, install new software, or add new users or workstations, you should keep a record of these changes: who made the change, how it was made, and when it was made. This makes it much easier for a SOX compliance auditor to produce a report and to mark any areas that need to be changed.
- Backup Procedures: Any sensitive data produced or transferred by your company should be backed up. Any third party or data center that stores this information is subject to the same SOX compliance audit.
Internal controls are a crucial element to pay close attention to as they, “safeguard company assets, maintain the integrity of financial data/transactions, ensure compliance, support daily operations, and assist companies in achieving their objectives.” Preparing for this portion of the SOX compliance audit can be daunting but this SOX 404 Requirements Guide gives you all the information you need to be fully prepared for an audit.
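The change-management records described above only help an auditor if each one is complete and cannot be quietly rewritten later (the concern Section 802 addresses). The following is an added example, not RSI Security’s code or any SOX-mandated format: it validates that every change record names who, what, how and when, and links records into a hash chain so that an altered, inserted or removed entry is detected. The user names, host names and ticket ids are constructed.

```python
import hashlib
import json
from datetime import datetime
# Added example, not RSI Security's code. A Section 404 change record names who, what, how and when.
REQUIRED_FIELDS = ("who", "what", "how", "when")
GENESIS = "0" * 64  # link value for the first entry of an empty log


def validate_record(record: dict) -> list:
    """Return the problems with one change record; an empty list means it is complete."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not record.get(f)]
    if record.get("when"):
        try:
            datetime.fromisoformat(record["when"])
        except ValueError:
            problems.append("when is not an ISO-8601 timestamp")
    return problems


def append_record(log: list, record: dict) -> dict:
    """Append a record whose digest also covers the previous digest, so a later edit breaks the chain."""
    prev = log[-1]["digest"] if log else GENESIS
    body = json.dumps(record, sort_keys=True)
    digest = hashlib.sha256((prev + body).encode()).hexdigest()
    log.append({"record": record, "prev": prev, "digest": digest})
    return log[-1]


def verify_chain(log: list) -> int:
    """Return the index of the first altered, inserted or removed entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = json.dumps(entry["record"], sort_keys=True)
        if entry["prev"] != prev or entry["digest"] != hashlib.sha256((prev + body).encode()).hexdigest():
            return i
        prev = entry["digest"]
    return -1


# Constructed sample records (hypothetical users, hosts and ticket ids).
SAMPLE_CHANGES = [
    {"who": "jdoe", "what": "added workstation WS-17 to the finance VLAN", "how": "approved ticket CHG-0041", "when": "2023-03-01T09:15:00+00:00"},
    {"who": "asmith", "what": "installed OS patches on the ledger server", "how": "approved ticket CHG-0042", "when": "2023-03-02T14:00:00+00:00"},
]


def build_log(changes: list) -> list:
    """Chain every complete record into a fresh log; incomplete records are left out."""
    log = []
    for change in changes:
        if not validate_record(change):
            append_record(log, dict(change))  # copy so later tampering tests do not alter the input
    return log
```

In practice the digests would be written to storage the change authors cannot modify (for example a write-once log collected by a separate team), so that verify_chain has something trustworthy to compare against.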
There are several exemptions in place that are worth noting if you’re worried about the costly nature of an external audit. These exemptions include:
- Companies who are non-accelerated filers
- Companies with less than 75 million dollars in public float (the portion of shares held by public investors)
- Emerging Growth Companies for up to five years
Of course, laws continue to develop and adapt to meet public interest and a shifting economy, so other exemptions may always be created or removed. In fact, a group of senators recently proposed an amendment to the SOX Act to encourage innovation by not bogging down start-up companies with costly audits and complex compliance requirements.
The bill would allow for another five-year extension for Emerging Growth Companies that have an average annual revenue of less than 50 million dollars and less than 700 million dollars in public float. Not only would this revision be helpful to smaller start-up companies with innovative ideas, but also to those companies that require longer periods of time to see significant revenue.
Take for example the comment by President, James Greenwood, of the Biotechnology Innovation Organization (BIO) who said, “[m]ost biotechnology companies remain pre-revenue for a decade or more until they receive their first product approval, long past the original five-year exemption…causing a damaging diversion of capital from science to compliance. By extending this commonsense exemption of the JOBS Act to qualifying companies, emerging biotechnology innovators will be able to devote more of their limited resources to potentially lifesaving research and development activities.”
This is a compelling argument versus the initial reasoning of the SOX Act. The design of the bill was to restore public trust in publicly held corporate companies, but it runs the risk of too much government interference, which can diminish public trust in the government. If everything is closely controlled, there is little room for creativity or innovation. Conversely, too little control leads to scandals and losses of billions of dollars.
Section 409: Disclosures of Changes to Financial Conditions or Operations
Should any of your company’s financial conditions or operations change, you’re legally required to update the public about these changes. A company working with the public should be transparent about financial transactions and operations, so keeping the public informed is a key element of meeting SOX requirements. Additionally, the information you present must be clear and use terms that the public can understand.
Section 802: Penalties for Altering Documents
The Enron scandal resulted in the creation of the SOX Act, with an important section detailing the penalties for altering or destroying important documents. One of the “Big Five” accounting firms in the United States, Arthur Andersen LLP, was found guilty by the Securities and Exchange Commission of illegally destroying documents relevant to its investigation of Enron. As a result, Arthur Andersen lost its license to audit public companies and was effectively required to shut its doors.
The fines and penalties vary but apply to any person or company that alters, destroys, mutilates, conceals, or falsifies records, documents, or tangible objects with the intent to influence, obstruct, or impede a legal investigation. Furthermore, anyone who knowingly violates the requirements of a complete SOX compliance audit is also subject to fines and potential imprisonment. It might not be the best idea to have cousin Lou do the audit just because he comes cheap.
There are several key elements of a SOX compliance audit to remember:
- Make certain that the CEO, CFO, and any other executive members or those responsible for handling finances are on the same page.
- Make your financial records public as per federal regulation. Quarterly and annual reports should accurately represent your company’s finances.
- Keep track of your internal controls, both physical and electronic. This is the largest and most comprehensive part of the audit. It would be of great benefit to partner your company with a trusted cybersecurity company like RSI Security to assess and test your internal control components.
- Should any of your financial matters or operations change, be sure to inform the public and show record that the public was notified in a clear manner.
- Do not for any reason tamper with, destroy, or alter financial documents for an audit.
If it’s that time of year again when you need to finalize year-end reports and prepare for an audit, don’t stress; lean on the advice of the experts around you. A SOX compliance audit doesn’t have to be a dreadful annual process that makes you lose sleep at night. Schedule a free consultation with one of RSI Security’s experts today.