The Sarbanes-Oxley Act of 2002, commonly known as SOX, was written to reduce accounting fraud and protect investors in publicly-held US companies. It requires stringent monitoring and reporting of financial activity to hold companies accountable and reduce misleading, omitted and fraudulent financial statements.
While SOX compliance can be complex, remembering these four simple steps will put your company on the right track.
Boost compliance with just one tool.
Case management software provides all the information you need to identify trends and areas of risk, reducing the chance of a SOX compliance lapse. Learn how in our free eBook.
1. Assess Your Internal Auditing Systems
As part of your yearly SOX compliance audit, the auditor will check your financial software and systems for four key controls.
- Access: How easily can someone access your company's financial data? Assess both your physical controls (e.g. locks on doors and cabinets, keypads, badges, biometrics) and electronic ones (login credentials, access and permissions for employees). SOX requires that employees have the least access possible to complete their job tasks, so be sure to change your policies and procedures to match this.
- Security: How do you ensure the security of your financial data? What controls do you have in place to prevent breaches and to address the problem if a breach occurs?
- Data Backup: What backup procedures and systems do you have in place for your financial data? Remember to audit your off-site data centers to ensure they are SOX compliant.
- Change Management: How do you ensure that changes made to your systems are secure? For example, what controls do you have in place to keep data secure when you add a new user, install new software and make changes to databases that contain financial information?
Make sure that your systems are functional and consistent for each of these controls. In addition, keep them up to date with best practices to not only stay compliant with SOX, but to protect your company and customers, too.
RELATED: 5 Internal Audit Red Flags That Should Trigger a Fraud Investigation
2. Conduct Annual Audits
As mentioned above, a major aspect of SOX compliance is the annual audit. In order to avoid potential conflicts of interest, this audit must be completed separately of other audits and completed by an independent auditor.
The main purpose of this audit is to see how your organization handles finances. Are you recording and reporting your finances accurately? What do you do to ensure your financial data is secure?
The auditor will check your company's financial statements from the previous year against your systems to ensure no information has been omitted or falsified. They'll also check your system controls, as described above. Finally, they might interview employees to double-check that everyday controls and processes are SOX compliant. It's important to ensure your employees are knowledgeable about your policies and procedures as well as where they can be found if they need to reference them.
3. Disclose Financial Changes ASAP
Per Section 409 (Real Time Issuer Disclosures) of the Act, companies must disclose financial changes to the public "on a rapid and current basis." The aim of this requirement is to protect the financial interests of investors and the public.
In other words, any time that your organization's financial situation or operations change, you need to issue a public statement ASAP. Disclosures must be "in plain English" and include "trend and qualitative information and graphic presentations" if the SEC deems them necessary.
If you're not sure what types of changes require disclosure or how quickly you need to issue a statement, consult with a lawyer or other SOX compliance expert.
RELATED: A Practical Guide to Whistleblower Protections in 2020
4. Keep Good Records
Finally, make sure that your company's financial information is well-documented. Records should be up to date, accurate, and thorough.
SOX compliance requires companies to submit financial reports to the SEC, signed off by the CEO and CFO (or equivalents). These signatures are to confirm that the contents of the report are accurate and complete. If information is left out of reports as a result of poor documentation, your company could be hit with non-compliance fines.
Most importantly, limit the number of employees who work with financial data and establish checks and balances. Anyone found to have altered, destroyed or falsified a report to the SEC in order to impede their work can be fined, face a prison sentence up to 20 years, or both.
Following these four steps helps protect your company from financial fraud and data breaches. Not only will these measures ensure you're SOX compliant, but you'll also boost your reputation as an honest company and protect your bottom line.