SOX Compliance
How the Sarbanes-Oxley Act Relates to Internal Controls
The impacts of the Sarbanes-Oxley Act (SOX) of 2002 on the internal controls of businesses that are publicly traded on U.S.-based stock exchanges continue to be costly, significant and strategic. Most significant has been the requirement to support real-time reporting to the Securities and Exchange Commission (SEC) through the use of the evolving XBRL data integration standard, along with the supporting process and systems re-engineering needed to accomplish this (Devonish-Mills, 2007). At a more fundamental level, SOX has completely redefined the underlying accounting and finance systems of companies, often requiring entirely new system integration, process re-definition, and reporting processes and reviews to be in place (Hemani, 2005). Market research firm Gartner Inc. said that the cost of compliance for a typical Fortune 1,000 company is nearly $16 million to redesign and implement new systems and processes to bring them into compliance with SOX regulations and requirements (Bedard, Graham, Hoitash, Hoitash, 2007). Clearly the impact on internal controls is very significant, as nearly every company that makes an investment this sizable is auditing its own compliance rather than just leaving it up to the SEC to audit and potentially impose fees as well (Bedard, Graham, Hoitash, Hoitash, 2007).
Internal Control Impacts of SOX
Beginning with the accounting and finance systems, progressing through Information Technologies (IT) and the need for XBRL reporting (Devonish-Mills, 2007), and extending to the auditing of the supply chain transactions of the company (Hemani, 2005), SOX is reorienting and redefining transaction and process workflows very significantly.
Companies that are coping with these significant changes to their accounting, IT, purchasing and supply chain processes are adopting Governance, Risk and Compliance (GRC) initiatives to unify all aspects of these strategies. Unifying all compliance strategies throughout a business and placing internal auditors in the position of managing variations in processes and reporting results has emerged as a critical success factor for GRC strategies (Michelman, Waldrup, 2008). The businesses that are minimizing the disruption of SOX-related IT, process and strategy changes have successfully implemented internal auditing oversight programs. This aspect of internal controls is struggling in some businesses because of resistance to change and because the oversight function is seen as a threat to political power (Michelman, Waldrup, 2008). CEOs and the senior management team of an organization, however, must be in compliance with Section 302, Corporate Responsibility for Financial Reports, which states they have audited and personally verify the accuracy of their financial statements (Bedard, Graham, Hoitash, Hoitash, 2007). Section 404 holds a company officer liable for the accuracy and veracity of the data on financial statements (Hemani, 2005).