The Sarbanes-Oxley Act of 2002 is a US federal law enacted on July 30th, 2002. Commonly known as SOX, it was passed in response to corporate scandals that put investors at risk through misrepresented financial reporting. The main aim of the act is to restore investor confidence and trust by holding public company executives accountable for the reliability of their financial statements.
Drafted by U.S. Senator Paul Sarbanes and U.S. Representative Michael Oxley, the act has 11 sections; we’ll focus only on one, Section 404. It has two parts: Section 404a, which all public companies must adhere to, and Section 404b, which applies only to companies whose public float is $75 million or more. Section 404b applies in addition to 404a.
404a requires an additional report in the annual report. This additional report details the effectiveness of the company’s internal controls over financial reporting (ICFR). Compliance entails these requirements:
- An annual assessment by a competent and objective party. This party is distinct from the external auditor, and the assessment is not a once-and-done activity.
- Management must establish and document internal controls over financial reporting, including the systems and applications used to generate financial reports. This is where technology supports compliance: protecting the data through application access control, data encryption, segregation of duties, and transaction monitoring with audit trails, and implementing solutions that provide workflow automation and risk assessment analysis and reporting.
- The established internal controls must be evaluated to prove that they are in place and functioning as expected. Technology also supports this step, since tests can be run on the actual systems and applications, with the test procedures and outcomes captured. Technology can further streamline the process by making it easy to build, run and extract reports.
- Finally, there is the attestation by executive management, specifically the CEO and CFO, that all controls are in place and have been tested as working. This also meets the requirement of Section 302 of the act, which I’ll discuss in a later article. Data captured as part of the 404a evaluation can be reliably referred to by the executives in the attestation effort.
404b requires that the business work with a registered public accounting firm (external auditor) to attest to and report on the effectiveness of the internal controls over financial reporting. Technology teams can support the accounting team by making it quick and easy to request data or reports, with a fast turnaround.
In summary, implementing SOX-compliant technology solutions is both important and achievable. It increases efficiency in the evaluation of internal controls and, overall, ensures that data is accurate, with easy-to-run user reports to support attestation and audits.