The New Best Practice for Corporate Governance
The Sarbanes-Oxley Act (SOX) was passed by Congress and signed into law in July 2002. It was designed to protect investors by improving the accuracy and reliability of company financial disclosures. Consequently, SOX imposed major changes in corporate governance, financial reporting and auditing practices, while creating new financial oversight functions. Regardless of the level of security controls in place, failing to perform best-practice due diligence up front and on an ongoing basis results in non-compliance. In addition, audits and risk assessments are of little value without processes for continuous improvement.
More specifically, SOX compliance requires public companies to validate the accuracy and integrity of their financial management. In addition, companies must ensure that the processes and documentation required for financial reporting and disclosure compliance are rigorous, must establish procedures for meeting their reporting obligations, and must address internal and external evaluations of the effectiveness of their controls over these financial processes. The U.S. Securities and Exchange Commission (SEC) has stepped up its monitoring and enforcement in this area to ensure that the accounting scandals and corporate malfeasance that became more prevalent in the last decade are not repeated. The “Select SEC and Market Data – Fiscal 2007” report issued by the SEC listed over 200 enforcement cases, representing about one-third of its case load, based primarily on issuer reporting and disclosure noncompliance.
The "Public Company Only" Myth
There is a common myth propagated through the industry that SOX only impacts public companies. While it is true that SOX targets all U.S. public companies, it also impacts small and mid-sized businesses (SMBs), including those that are privately owned. For instance, smaller companies are affected by the law's provisions regarding document retention, criminal fraud and the Employee Retirement Income Security Act (ERISA). Furthermore, SOX requirements will concern any private company seeking venture capital funding, applying for commercial loans, planning an IPO, anticipating being acquired and/or doing business with a public company. Smaller companies should also be alert to the passage of new state rules that mirror or piggyback on SOX.
The SOX Compliance Framework
The role of information technology in SOX compliance is to support enterprise compliance with the key sections of SOX and to ensure that business support systems have the proper security, change management, records management and other controls needed to facilitate compliance. Complying with a regulation as comprehensive as SOX requires a multi-dimensional, focused strategy to achieve the desired results. SOX compliance teams today understand the requirements that serve as the foundation of a compliance framework. Most of the technology components already exist in many companies; however, these components must be integrated to automate processes and increase visibility, which is what produces greater compliance intelligence.
Process oversight and documentation are facilitated through the deployment of enterprise compliance process control systems coupled with compliance intelligence technologies. Compliance intelligence is the integration of business intelligence systems with compliance process control systems that empower management to view aggregated compliance information upon demand.
SOX Best Practices
The new SOX provisions should be treated as a new best-practice standard for corporate governance. Although not required by law to comply, smaller companies will see substantial benefits from implementing SOX compliance best practices. There is no silver bullet for SOX compliance: Sections 302 and 404 require a combination of policy and procedure coupled with advanced technology to ensure compliance. The following best practices will help you navigate the maze of solution offerings available.
- View SOX compliance as a strategic initiative, not a "one-off" compliance project. SOX regulations involve multiple business units and require a comprehensive approach to ensure compliance. Current best practice is to address SOX as an integrated project.
- View SOX compliance in the broader context of GRC. The trend in the market is not only to meet the requirements of the rules implementing SOX, but to optimize an enterprise's ability to proactively mitigate issues efficiently, in accordance with a risk-based approach. Therefore, governance, risk management and compliance (GRC) are now coming under one umbrella. Because compliance is intrinsically linked to enterprise risk management and governance, an effective "compliance" solution must incorporate each of these areas. In fact, all three areas must be present in order to sustain an improvement framework within a company over time.
- Re-evaluate your strategy in a risk-based context. In accordance with recent SEC interpretive guidance (Commission Guidance Regarding Management's Report on Internal Control Over Financial Reporting, June 2007), using a risk-based approach to evaluate the effectiveness of internal controls over financial reporting is a key strategy for providing the "reasonable assurance" required by regulators while optimizing efficiency.
- Develop a SOX roadmap for compliance. Prior to deploying any new technology, conduct a risk assessment to determine your organization's maturity level with respect to SOX. Some controls may already be in place, supported by existing technology, processes and procedures. It is best practice to develop a SOX roadmap for compliance before buying anything new.
- Establish an electronic records management system. Electronic records management is essential to SOX compliance. It is recommended best practice to establish an effective records management and retention program to ensure the authenticity and integrity of all corporate records.
- Assess the ability of your company's existing technology systems to support SOX policies and processes. Most of the technology required for SOX already exists within your organization. However, some technologies, such as electronic records management and compliance process control, can help accelerate and fulfill the requirements stipulated by the rule. It is best practice to assess the existing technology and begin filling in technology gaps as appropriate to your goals.
- Establish effective training programs. It is recommended best practice to implement ongoing training and competency management to ensure that all relevant staff are informed about SOX processes, reporting requirements and the supporting technology.