Sarbanes-Oxley Frequently Asked Questions
What was the impetus behind the Sarbanes-Oxley Act?
The US Sarbanes-Oxley Act was passed in the wake of a myriad of corporate scandals that broke as a result of skewed reporting of selected financial transactions. Companies such as Enron, WorldCom and Tyco covered up or misrepresented a variety of questionable transactions, resulting in huge losses to stakeholders and a crisis in investor confidence. The legislation had been in the mind of US Senator Paul S. Sarbanes for some time, prompted by the failure at Enron. It languished in the face of strong opposition until the WorldCom debacle made it politically imperative for the US government to take action.
How is the Act intended to address the problem?
Sarbanes-Oxley aims to enhance corporate governance through measures that strengthen internal checks and balances and, ultimately, corporate accountability. The Act is intended to address the problems that generated it by instituting new levels of control and sign-off designed to ensure that financial reporting provides full disclosure and that corporate governance is transacted with full transparency. Generally speaking, three areas are of special concern to those involved in internal and IT audit and control. Section 302 requires the CEO and CFO to personally sign off on the appropriateness of the firm’s financial statements. Section 404 covers attestation of financial reporting controls. Section 409 calls for more frequent reporting.
Is the Act of concern to US companies only?
No, there are potential international implications as well. In fact, among the many factors that must be considered in complying with Sarbanes-Oxley, some will uniquely impact international organizations. Specifically, global organizations, or non-US-based companies that are required to comply with Sarbanes-Oxley, need to examine their IT operations and determine if they are significant to the organization as a whole. Significant business units can include financial business units or IT business units. The assessment of whether an IT business unit is significant can be impacted by the materiality of transactions processed by the IT business unit, the potential impact on financial reporting if an IT business unit fails and other qualitative risk factors. The issue is that there are financial materiality and significant risk considerations, quantitative and qualitative, and both aspects provide focus.
Examples of international IT assessment considerations include:
- Where the financial business units within a country are not significant individually, but IT processing occurs in a central location, the IT business unit may be significant, e.g., a US multinational’s British financial business units that are not individually significant (although they would be significant on a consolidated basis), with most financial reporting IT processing performed by a single IT business unit
- Where the financial business unit is not significant in a particular country, but the local IT business unit is responsible for regional IT processing, e.g., an IT business unit in Singapore that is responsible for IT processing throughout Asia and the Pacific
- Where there is no financial business unit in a particular country, but US-based IT responsibilities have been outsourced to that country, e.g., a US insurance company that outsources IT processing and maintenance to an IT business unit based in India
What effect does the Act have on the IT profession and/or ISACA members?
IT professionals, especially those in executive positions, need to become well versed in internal control theory and practice to meet the requirements of the Act. CIOs must take on the challenges of (1) enhancing their knowledge of internal control, (2) understanding their company’s overall Sarbanes-Oxley compliance plan, (3) developing a compliance plan that specifically addresses IT controls, and (4) integrating this plan into the overall Sarbanes-Oxley compliance plan.
The Act sections of greatest concern to IT professionals are sections 404 and 409. Section 404 reads as follows:
Management Assessment of Internal Controls
a. RULES REQUIRED—The Commission shall prescribe rules requiring each annual report required by section 13 of the Securities Exchange Act of 1934 (15 U.S.C. 78m) to contain an internal control report, which shall:
1. State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
2. Contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
b. INTERNAL CONTROL EVALUATION AND REPORTING—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
Section 409 reads as follows:
Real-time Issuer Disclosures
1. REAL-TIME ISSUER DISCLOSURES—Each issuer reporting under section 13(a) or 15(d) shall disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer, in plain English, which may include trend and qualitative information and graphic presentations, as the Commission determines, by rule, is necessary or useful for the protection of investors and in the public interest.
This section is currently interpreted as a mandate for the SEC to require faster reporting on several of its forms.
What do ISACA members need to know and know how to do?
Sarbanes-Oxley makes corporate executives explicitly responsible for establishing, evaluating and monitoring the effectiveness of internal control over financial reporting. For most organizations, the role of information technology will be crucial to achieving this objective. Whether through a unified enterprise resource planning system or a disparate collection of operational and financial management software applications, IT is the foundation of an effective system of internal control over financial reporting.
Therefore, ISACA members must be expert in establishing, maintaining and monitoring an effective system of internal control. With the passing of the Act and the subsequent interpretations and discussions of the Act by the Public Company Accounting Oversight Board (PCAOB), the Internal Control—Integrated Framework by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is becoming the de facto international control framework for financial reporting. Additionally, the implementation of IT corporate governance for US Securities and Exchange Commission (SEC) registrants may one day be mandatory.
In addition to mastery of COSO, ISACA members should hone their expertise in Control Objectives for Information and related Technology (COBIT). Although COBIT was originally viewed primarily as an IT assurance tool, with subsequent releases, the development of the Management Guidelines and implementation in thousands of organizations worldwide, COBIT has become an internationally recognized IT governance and control framework. Other standards, such as ISO 17799, address specific aspects of IT control (e.g., security), and other best practice guidelines (e.g., ITIL) focus on service management. However, these other standards were not designed to be part of an integrated approach to IT management and control. Sarbanes-Oxley provides the impetus to develop an IT financial reporting controls framework that links COSO financial reporting objectives to existing IT management and control frameworks.
How is ISACA addressing these needs?
ISACA is addressing these needs through a variety of education programs, original research, Journal articles, general informational outreach efforts and attempts to become involved in the PCAOB process. A full report on ISACA’s efforts relative to Sarbanes-Oxley.