Sarbanes-Oxley Act

The Sarbanes-Oxley Act (SOX) is a complex set of U.S. laws and regulations intended to protect against financial irregularity in public companies. The Act, relatively speaking, tries to be neutral between the demands of regulation and the costs of additional internal control measures. There is a sense in the industry that the initial learning curve was steep and expensive, but costs drop considerably once affected firms have been running under its regulations for a while, especially Section 404, which covers ICT. Other sections that companies find challenging include 303 on debt and credit management, and 409 on prompt disclosure of changes to their financial positions. The Securities and Exchange Commission (SEC), which administers SOX, requires [SEC33-8238] several statements that must come from the management reporting system:
 * Management acknowledgement that it is responsible for internal control; Section 302 makes the CEO and CFO personally and criminally liable for inaccurate reporting
 * Management identification of the framework that will be used to evaluate the efficacy of the internal controls over financial reporting;
 * An assessment, by management, of how well the internal controls have worked in the most recent fiscal year, and a binary statement of whether it was effective or not. If it was not effective, the statement must identify any "material weaknesses" in the process. Management cannot state the controls were effective if there were any material weaknesses.

Identity
SOX requires that top managers certify that no one has tampered with their financial reports. Since the major financial scandals of recent years have come from employee chicanery, classic security requirements come into play:
 * knowing who your people really are,
 * establishing mechanisms by which they identify themselves to computer systems and the systems authenticate that claim of identity,
 * giving authenticated users a set of credentials defining what they are allowed to access and do.

SOX requirements are a subset of the field of identity management. Section 802 specifies, "Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object … shall be fined under this title, imprisoned not more than 20 years, or both." Claiming a false identity is a rather elementary form of covering up. Over the years, financial institutions have developed other safeguards, such as insisting that employees take vacation so that they cannot continue to cover embezzlements.

Not only are identification and authentication needed during operations; identity verification must also be done on new hires, and on contractors in sensitive roles. The more sensitive the job in SOX terms, the tighter the verification may need to be.
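The three controls listed above (knowing who people are, authenticating their claimed identity, and bounding what an authenticated user may do) are easier to reason about in working code. The example below is added here and is not part of the original article or any SOX guidance; the roles, users, permissions and ledger amounts are constructed sample data. It models a small directory with salted PBKDF2 password hashes, a per-role permission set so that an auditor can read but never post, and a hash-chained journal of ledger postings so that a later alteration of a record (the Section 802 concern) is detectable by anyone who re-walks the chain.

```python
"""Added illustration (not from the article): identity, authentication,
least-privilege authorization, and a tamper-evident journal of ledger actions.
All users, roles and amounts below are constructed sample data."""
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed sample roles: each role gets only the rights its job needs.
ROLE_PERMISSIONS = {
    "clerk": {"ledger:post"},
    "controller": {"ledger:post", "ledger:approve"},
    "auditor": {"ledger:read"},  # may inspect the journal, never alter it
}


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class Directory:
    """Who the people are, how they prove it, and what their role allows."""

    def __init__(self):
        self._users = {}

    def add_user(self, username: str, password: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        salt, digest = hash_password(password)
        self._users[username] = (salt, digest, role)

    def authenticate(self, username: str, password: str) -> Optional[str]:
        """Return the user's role if the password is right, else None."""
        record = self._users.get(username)
        if record is None:
            hash_password(password)  # same cost for unknown names, so timing reveals nothing
            return None
        salt, digest, role = record
        _, candidate = hash_password(password, salt)
        return role if hmac.compare_digest(candidate, digest) else None

    @staticmethod
    def authorize(role: str, permission: str) -> bool:
        return permission in ROLE_PERMISSIONS.get(role, set())


class Journal:
    """Append-only record of ledger actions; each entry commits to its predecessor."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev_hash: str, body: dict) -> str:
        payload = prev_hash.encode() + json.dumps(body, sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()

    def append(self, actor: str, action: str, amount: int) -> None:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"actor": actor, "action": action, "amount": amount, "prev": prev}
        self.entries.append({**body, "hash": self._digest(prev, body)})

    def verify(self) -> int:
        """Index of the first entry whose content or link was altered, or -1 if intact."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(prev, body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1


def post_entry(directory: Directory, journal: Journal,
               username: str, password: str, amount: int) -> str:
    """Authenticate, then authorize, then record: the order the three controls imply."""
    role = directory.authenticate(username, password)
    if role is None:
        return "auth-failed"
    if not Directory.authorize(role, "ledger:post"):
        return "denied"
    journal.append(username, "post", amount)
    return "ok"


def demo() -> dict:
    """Run the constructed scenario and return the observable outcomes."""
    directory = Directory()
    directory.add_user("alice", "correct horse battery", "clerk")  # constructed
    directory.add_user("bob", "staple", "auditor")                 # constructed
    journal = Journal()
    results = {
        "clerk_post": post_entry(directory, journal, "alice", "correct horse battery", 1200),
        "auditor_post": post_entry(directory, journal, "bob", "staple", 1200),
        "bad_password": post_entry(directory, journal, "alice", "wrong", 1200),
        "intact": journal.verify(),
    }
    journal.entries[0]["amount"] = 120000  # after-the-fact alteration of a record
    results["tampered_at"] = journal.verify()
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is the ordering in `post_entry`: the journal never sees an action that has not first passed authentication and then a role check, and the auditor role is deliberately excluded from posting so that the person verifying the records is not also one who can change them. The chained hashes do not prevent alteration; they make it detectable, which is what a certifying manager needs in order to state that nothing has been tampered with.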

Restrictions on Practice
Many enterprises had accounting systems provided or built by the consulting arm of large accounting firms, which indeed have much experience. As a result of scandals such as Enron, where the outside accounting firm made more revenue from management reporting and tax services than from its presumably neutral role as an external auditor, the American Institute of Certified Public Accountants (AICPA) and others have mandated, essentially, that the roles of external auditor and of a firm supplying other services are incompatible. Prior to the Act, major accounting firms were implementing large financial software systems and other procedures that their audit practice might then have to inspect. While, in principle, there was a "Chinese Wall" between auditors and other employees, both auditors and consultants on an engagement tended to report to the same firm executive, who had profit and loss responsibility for the account. Now, the choice may be to buy systems from a spinoff of the accounting firm, or to build them in-house.

Besides the restrictions on obvious conflicts of interest, the accounting profession formalized procedures about best practice in internal reporting. The auditing firm would verify these controls are in effect. Do note that a different accounting firm, which has no audit responsibility, is free to set up controls and supporting software. With the storm of mergers and acquisitions in public accounting, what might be separate companies today could become a single one tomorrow, and the new firm would need to divest tasks that lead to the appearance of conflict of interest.

In like manner, there are restrictions on internal auditors, who cannot build or operate the systems whose output they monitor. They do have the responsibility of recommending improvements.

Designing Internal Control
The Act created the Public Company Accounting Oversight Board (PCAOB), which is quasi-public, in the sense that various financial regulators such as the FDIC are quasi-public. PCAOB oversees the auditors of public companies, rather than the companies themselves, including their regulation and discipline. SOX further creates requirements for strong internal financial control, independence of outside auditors, and greater top management responsibility for financial disclosure.

Financial scandals in the 1970s led to the Foreign Corrupt Practices Act of 1977 (FCPA), and eventually to the 1985 creation of the National Commission on Fraudulent Financial Reporting, called the Treadway Commission after its first chair. Its first report, issued in 1987, recommended that the Committee of Sponsoring Organizations (COSO), made up of five professional associations concerned with auditing, create integrated guidance on internal control. They contracted with a major accounting firm and drafted the first framework for COSO-approved internal control, published in 1992 as Internal Control: Integrated Framework. Let us hope your customer works on faster timelines than these.

This report presented a common definition of internal control (IC) and provided a framework against which IC systems can be assessed and improved. This report is the standard that U.S. companies use to evaluate their compliance with FCPA. COSO's framework defines the IC program that underlies SOX. This program has four principles and five components. The Principles establish the expectations of IC, while the Components deal with how to execute IC. COSO recognizes real-world constraints, and, in its Principles, both accepts that no IC system is perfect and requires due diligence in attempting to find problems not covered by IC. In addition, COSO defines the three goals of internal control as:
 * Effectiveness and efficiency of operations
 * Reliability of financial reporting
 * Compliance with applicable laws and regulations