Sarbanes Oxley (SOX) Compliance

The Sarbanes-Oxley Act of 2002, sponsored by Paul Sarbanes and Michael Oxley, represents a huge change to federal securities law. It came as a result of the corporate financial scandals involving Enron, WorldCom and Global Crossing. Effective in 2006, all publicly-traded companies are required to implement and report internal accounting controls to the SEC for compliance.

Provisions of the Sarbanes Oxley Act (aka SOX, SARBOX or S-O) detail criminal and civil penalties for noncompliance, certification of internal auditing, and increased financial disclosure. It affects public U.S. companies and non-U.S. companies with a U.S. presence. SOX is all about corporate governance and financial disclosure.

The Sarbanes Oxley Act requires all financial reports to include an Internal Controls Report. This shows that a company's financial data is accurate and that adequate controls are in place to safeguard that data. Year-end financial disclosure reports are also a requirement. A SOX auditor is required to review controls, policies, and procedures during a Section 404 audit.

SOX auditing requires that internal controls and procedures can be audited using a control framework like COBIT. Log collection and monitoring systems must provide an audit trail of all access and activity to sensitive business information.

Sarbanes-Oxley also encourages the disclosure of corporate fraud by protecting whistleblower employees of publicly traded companies or their subsidiaries who report illegal activities. Section 806 of the Sarbanes-Oxley Act authorizes the U.S. Department of Labor to act on whistleblower complaints against employers who retaliate, and further authorizes the Department of Justice to criminally charge those responsible for the retaliation.

FAQ

What is the Sarbanes-Oxley Act of 2002?
Effective in 2006, all public companies will be required (for the first time) to submit an annual assessment of the effectiveness of their internal financial auditing controls to the Securities and Exchange Commission (SEC). Additionally, each company's external auditors are required to audit and report on the internal control reports of management, in addition to the company's financial statements.

Why was the Sarbanes-Oxley Act passed?
The Sarbanes-Oxley Act of 2002, also known as SOX, was passed due to the accounting scandals at Enron, WorldCom, Global Crossing, Tyco and Arthur Andersen, that resulted in billions of dollars in corporate and investor losses. These huge losses negatively impacted the financial markets and general investor trust. The Sarbanes-Oxley Act mandates a wide-sweeping accounting framework for all public companies doing business in the US.

What companies need to comply with Sarbanes-Oxley?
All publicly-traded companies in the United States, including all wholly-owned subsidiaries, and all publicly-traded non-US companies doing business in the US are affected. In addition, any private companies that are preparing for their initial public offering (IPO) may also need to comply with certain provisions of Sarbanes-Oxley.

When did Sarbanes-Oxley compliance take effect?
All parts of the Sarbanes-Oxley Act with the exception of Section 409 are effective now. For Section 404, public companies with a market capitalization over US $75 million needed to have their financial reporting frameworks operational for their first fiscal year-end report after November 15, 2006, then for all quarterly reports thereafter. For smaller companies, compliance is required for the first fiscal year-end financial report, then for all subsequent quarterly financial reports after July 15, 2006.

What is the Sarbanes-Oxley Act comprised of?
The Sarbanes-Oxley Act itself is organized into eleven sections, but sections 302, 404, 401, 409, 802 and 906 are the most important in terms of compliance. Section 404 seems to cause the most difficulties for compliance. More specifically, Sarbanes-Oxley established new accountability standards for corporate boards and auditors, established a Public Company Accounting Oversight Board (PCAOB) under the Securities and Exchange Commission (SEC), and specified civil and criminal penalties for noncompliance.

What does Sarbanes-Oxley compliance require?
All applicable companies must establish a financial accounting framework that can generate financial reports that are readily verifiable with traceable source data. This source data must remain intact and cannot undergo undocumented revisions. In addition, any revisions to financial or accounting software must be fully documented as to what was changed, why, by whom and when.

What are the penalties for noncompliance with Sarbanes-Oxley?
Besides lawsuits and negative publicity, a corporate officer who does not comply or submits an inaccurate certification is subject to a fine up to $1 million and ten years in prison, even if done mistakenly. If a wrong certification was submitted purposely, the fine can be up to $5 million and twenty years in prison.

What is a SAR report and when do I need to fill one out?
OFAC compliance involves the use of a Suspicious Activity Report (SAR). If you are aware of, or observe, suspicious activity involving an individual on the OFAC list, you are required to fill out a SAR.

Can I tell the customer they are on the OFAC list?
You are permitted to inform the customer that they are on the OFAC list, and that this is the reason their assets were blocked or their transaction rejected.

How long do I need to keep OFAC records for?
OFAC-affected transactions must be kept for five years and made available to OFAC on request.

What is the punishment for OFAC non-compliance?
Failure to comply with OFAC can result in fines up to $10 million and 30 years in prison for a corporation.

What Federal law or regulation does OFAC fall under?
OFAC regulations fall under the Code of Federal Regulations (CFR) 31 CFR 500.

Sarbanes Oxley Auditing Requirements

SOX sections 302, 404 and 409 require that the following parameters and conditions be monitored, logged and audited:

Internal controls

Network activity

Database activity

Login activity (success and failures)

Account activity

User activity

Information Access
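The requirement above (and the earlier point that source data must remain intact with every revision documented as to what, why, by whom and when) is usually met with an append-only, tamper-evident audit trail. The following Python is an added example written for this page, not code from the page or from any product it lists: it records events in the categories listed above, requires a documented reason for each, hash-chains the records so that an undocumented in-place revision is detected by a verification pass, and answers a simple auditor query (failed logins). The field names, category labels, genesis-hash convention and the sample events are all constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Event categories, named after the list on the page; anything else is rejected.
CATEGORIES = {
    "internal_control", "network", "database", "login",
    "account", "user", "information_access",
}

GENESIS = "0" * 64  # previous-hash value for the first record (assumed convention)


def _digest(record: dict) -> str:
    """SHA-256 over a canonical JSON form of the record, excluding its own hash."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only, hash-chained log of who did what, to which object, why and when."""

    def __init__(self):
        self.records = []

    def append(self, actor, category, action, target, reason, outcome="success", when=None):
        if category not in CATEGORIES:
            raise ValueError(f"unknown category: {category}")
        if not reason:
            raise ValueError("a documented reason is required")
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = {
            "seq": len(self.records),
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "category": category,
            "action": action,
            "target": target,
            "reason": reason,
            "outcome": outcome,
            "prev": prev,  # links this record to the one before it
        }
        record["hash"] = _digest(record)
        self.records.append(record)
        return record["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, seq of first bad record)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev"] != prev or _digest(rec) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        return True, None

    def failed_logins(self):
        """Auditor query over the 'login activity (success and failures)' category."""
        return [r for r in self.records if r["category"] == "login" and r["outcome"] == "failure"]


def demo():
    """Constructed sample events; returns verify results before and after tampering."""
    t0 = datetime(2012, 3, 1, 9, 0, tzinfo=timezone.utc)  # fixed timestamp for reproducibility
    log = AuditTrail()
    log.append("alice", "login", "authenticate", "erp-app", "start of shift", when=t0)
    log.append("mallory", "login", "authenticate", "erp-app", "start of shift",
               outcome="failure", when=t0)
    log.append("alice", "database", "UPDATE", "gl.journal_entries:4711",
               "ticket FIN-123 correct posting", when=t0)
    log.append("bob", "account", "grant_role", "user:carol role:ap_clerk", "new hire", when=t0)
    before = log.verify()
    # Undocumented revision: someone edits a stored record in place instead of appending.
    log.records[2]["target"] = "gl.journal_entries:4712"
    after = log.verify()
    return before, after, len(log.failed_logins())


if __name__ == "__main__":
    print(demo())
```

Verification walks the chain from the genesis value, so any edit to a stored record, or removal of one from the middle, changes a digest or breaks a `prev` link and is reported at the first affected sequence number. In a real deployment the chain head would be anchored somewhere the log writer cannot rewrite (a separate system, a signed checkpoint) so that an attacker who can rewrite the whole file cannot simply recompute every hash.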



Section 302: Corporate Responsibility for Financial Reports

The essence of Section 302 of the Sarbanes-Oxley Act is that the CEO and CFO are directly responsible for the accuracy, documentation and submission of all financial reports, as well as the internal control structure, to the SEC. Here is the direct excerpt from the Sarbanes-Oxley Act of 2002:

a. Regulations Required. The Commission shall, by rule, require, for each company filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934, that the principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed or submitted under either such section of such Act that--

  1. the signing officer has reviewed the report;

  2. based on the officer's knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading;

  3. based on such officer's knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report;
  4. the signing officers--

    A. are responsible for establishing and maintaining internal controls;
    B. have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;
    C. have evaluated the effectiveness of the issuer's internal controls as of a date within 90 days prior to the report; and
    D. have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;

  5. the signing officers have disclosed to the issuer's auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function)--

    A. all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer's ability to record, process, summarize, and report financial data and have identified for the issuer's auditors any material weaknesses in internal controls; and
    B. any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls; and

  6. the signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.

b. Foreign Reincorporations Have No Effect. Nothing in this section 302 shall be interpreted or applied in any way to allow any issuer to lessen the legal force of the statement required under this section 302, by an issuer having reincorporated or having engaged in any other transaction that resulted in the transfer of the corporate domicile or offices of the issuer from inside the United States to outside of the United States.

Section 404: Management Assessment of Internal Controls

Section 404 is the most complicated, most contested, and most expensive to implement of all the Sarbanes Oxley Act sections for compliance. All annual financial reports must include an Internal Control Report stating that management is responsible for an "adequate" internal control structure, and an assessment by management of the effectiveness of the control structure. Any shortcomings in these controls must also be reported. In addition, registered external auditors must attest to the accuracy of the company management assertion that internal accounting controls are in place, operational and effective.

A direct excerpt from the Sarbanes-Oxley Act of 2002 report for section 404:

(a) Rules Required. The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 to contain an internal control report, which shall--
   (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
   (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

(b) Internal Control Evaluation and Reporting. With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

Section 409: Real Time Issuer Disclosures

The essence of Section 409 of the Sarbanes-Oxley Act is that companies are required to disclose, on an almost real-time basis, information concerning material changes in their financial condition or operations. Here is a direct excerpt from the Sarbanes-Oxley Act of 2002 for section 409:

Section 13 of the Securities Exchange Act of 1934, as amended by this Act, is amended by adding at the end the following:

(l) Real Time Issuer Disclosures. Each issuer reporting under section 13(a) or 15(d) shall disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer, in plain English, which may include trend and qualitative information and graphic presentations, as the Commission determines, by rule, is necessary or useful for the protection of investors and in the public interest.

SOX 806: Sarbanes Oxley Whistleblower

SEC. 806. PROTECTION FOR EMPLOYEES OF PUBLICLY TRADED COMPANIES WHO PROVIDE EVIDENCE OF FRAUD.

Sarbanes-Oxley encourages the disclosure of corporate fraud by protecting employees of publicly traded companies or their subsidiaries who report illegal activities. Section 806 of the Sarbanes-Oxley Act authorizes the U.S. Department of Labor to act on whistleblower complaints against employers who retaliate, and further authorizes the Department of Justice to criminally charge those responsible for the retaliation.

Under Section 806 of SOX, an employee engages in protected whistleblower conduct by providing information that he or she reasonably believes is a violation of:

federal mail, wire, bank, or securities fraud

federal law relating to fraud against shareholders

any rule or regulation of the Securities and Exchange Commission (SEC)

Section 806 of SOX extends its protection to any whistleblower who is an officer, employee, contractor, subcontractor, or agent of:

a publicly traded company

a subsidiary of a publicly traded company

a nationally recognized statistical rating organization (NRSRO)

Section 1107 of SOX makes it a crime for a person to knowingly retaliate against a whistleblower for disclosing truthful information to a law enforcement officer regarding an alleged federal offense.

Section 902: Attempts & Conspiracies to Commit Fraud Offenses

SOX 902 is listed under Title IX, which discusses white-collar crime penalty "enhancement". A direct excerpt from the Sarbanes-Oxley Act of 2002 report for section 902:

a. In General. Chapter 63 of title 18, United States Code, is amended by inserting after section 1348 as added by this Act the following:

Sec. 1349. Attempt and conspiracy
Any person who attempts or conspires to commit any offense under this chapter shall be subject to the same penalties as those prescribed for the offense, the commission of which was the object of the attempt or conspiracy.

Section 906: Corporate Responsibility for Financial Reports

Section 906 addresses criminal penalties for certifying a misleading or fraudulent financial report. Under SOX 906, penalties can be upwards of $5 million in fines and 20 years in prison. A direct excerpt from the Sarbanes-Oxley Act of 2002 report for section 906:

(a) CERTIFICATION OF PERIODIC FINANCIAL REPORTS. Each periodic report containing financial statements filed by an issuer with the Securities Exchange Commission pursuant to section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a) or 78o(d)) shall be accompanied by a written statement by the chief executive officer and chief financial officer (or equivalent thereof) of the issuer.

(b) CONTENT. The statement required under subsection (a) shall certify that the periodic report containing the financial statements fully complies with the requirements of section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) and that information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer.

(c) CRIMINAL PENALTIES. Whoever - (1) certifies any statement as set forth in subsections (a) and (b) of this section knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in this section shall be fined not more than $1,000,000 or imprisoned not more than 10 years, or both; or (2) willfully certifies any statement as set forth in subsections (a) and (b) of this section knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in this section shall be fined not more than $5,000,000, or imprisoned not more than 20 years, or both.