07 Sep 2020 Ankit Chadha

SOX Compliance Audit: What can you Expect?

The Sarbanes-Oxley Act (SOX) was passed by the US Congress in 2002 after several corporate scandals rocked the USA; among other things, it created the Public Company Accounting Oversight Board (PCAOB) to oversee the audits of public companies. It was sponsored by Senator Paul Sarbanes and Representative Michael G. Oxley. It was designed to improve transparency in financial reporting and corporate governance and to establish a structure of internal checks and balances. The act was set up with the aim of deterring corporate fraud, protecting investors and whistle-blowers, and improving financial disclosures. 

Sarbanes-Oxley audit and compliance are not only a legal obligation but also a best practice. The financial and data security controls that a SOX audit demands also help protect the company's financial data from theft through cyber-attacks or insider threats. 

There are critical SOX compliance requirements that organisations have to meet. Let's take a look at them: 

  • CEOs and CFOs must accept responsibility for the accuracy, documentation and submission of all financial reports, and for the internal control structure that the SOX audit examines, to the relevant authorities. These officers risk monetary penalties for false certifications and prison for wilful ones. 

  • An internal control report, in which management states that it is responsible for maintaining an adequate internal control structure over its financial records and assesses how effective that structure is. Any deficiency found must be reported promptly to maintain transparency. 

  • A SOX compliance audit requires formal data security policies to be written, communicated and enforced. These policies must be comprehensive enough to safeguard all financial data the company stores and uses.  

  • A SOX compliance audit requires companies to preserve, and produce on request, documentation demonstrating that they comply with SOX.   

What is a SOX Compliance Audit? 

A SOX compliance audit is an assessment of a company's financial statements and of how well it manages its internal controls. An internal control is any procedure or safeguard that governs the systems handling a company's financial data. In terms of the financial statements, auditors compare the current-period accounts with prior reports to verify that everything needed to meet the SOX compliance requirements is in place.  

The first step of a SOX compliance audit is to understand which sections of the act have implications for data reporting, management and security. These sections include: 

  • Section 302: This section relates to an organisation's financial reporting. Under it, the CEO and CFO have to certify that the company's financial reports are complete and accurate.  

Furthermore, they have to accept personal responsibility for the internal controls and confirm that the effectiveness of those controls has been evaluated within the 90 days before the report.  

  • Section 401: Under this section, disclosures in periodic financial reports have to be prepared according to accepted accounting standards. It also requires companies to disclose off-balance-sheet transactions, arrangements and obligations in those reports. 

  • Section 404: Under Section 404, management and the external auditor must each report on the adequacy of the company's internal control over financial reporting. The systems that store and process financial data fall within the scope of this assessment, so their security cannot be kept from the external auditor's scrutiny. Any security breach affecting those systems has to be reported.   

What Does the SOX Compliance Audit Entail? 

After the company in question engages an impartial, independent auditor, the first step is usually a discussion between senior management and the auditing firm. This discussion covers where the audit will take place, what will be examined, and what results management expects.  

Apart from this, during the Sarbanes-Oxley audit the auditor may also interview employees to verify that their duties match their job descriptions and to confirm that they have received adequate training in protecting the company's financial assets.  

Once this is done, the audit can begin. The SOX audit process, and the SOX compliance requirements it tests, consists of six steps. Let's take a look at them: 

  • Step 1: Defining the Scope of the SOX Audit Process with the Help of a Risk Assessment Approach 

In this step the auditor analyses the company's procedures and internal controls to identify potential risks, how they could affect the company's financial reporting, and whether the company is capable of managing them. 

  • Step 2: Identifying SOX Controls 

In this step, the auditor identifies and documents the internal controls that prevent or detect transactions being recorded incorrectly. These controls help ensure that the balances, checks and transactions entering the final reporting process are recorded correctly and that account balances are calculated accurately. Typical preventive and detective controls include: 

  • Account reconciliations 

  • Approving and posting invoices 

  • Reviewing transactions recorded in a particular period 

  • Step 3: Performing a Fraud Assessment 

The auditor's next task is to assess where fraudulent activity could occur. Early detection is critical to reducing the likelihood of fraud in an organisation, and well-designed internal controls play an important role in reducing the opportunities to commit it. 

  • Step 4: Testing Key Controls 

In this step, the organisation's key controls are tested. Testing combines several procedures, such as observation, ongoing evaluation, walkthroughs of transactions, inquiries with process owners, and inspection of documentation. 

  • Step 5: Analysing Deficiencies in SOX 

During testing, auditors may find anomalies or deficiencies in a tested internal control, which are recorded as issues. Beyond flagging the problem for remediation, the audit team is responsible for determining whether it was a design failure (the control could not have worked as intended) or an operating failure (the control was designed properly but not carried out).  

Management then works with the audit team to determine the severity of the issue. If it is judged to pose a high risk to financial reporting, it is documented in the year-end SOX reporting.  

  • Step 6: Delivering the Management’s Report on Controls 

The end product of the SOX audit process is management's report on internal control over financial reporting, which is provided to the audit committee. This report should generally include the following: 

  • An appraisal of the internal control framework used, the evidence collected, and an overall summary.  

  • Results of the critical control testing. 

  • Identification of gaps and control failures. 

  • Assessment made by an independent auditor. 

Get Expert Help for Your Organisation’s SOX Compliance 

If your company's SOX audit is coming up and you are unsure how to prepare for it, approach TRC Corporate Consulting.

We at TRC Corporate Consulting provide expert advice and assistance on SOX, the SOX compliance requirements, and the audit process. To find out more, please contact our team.