Compliance with the Sarbanes-Oxley Act (SOX)

 
Promulgated in 2002, the Sarbanes-Oxley Act arose from a number of financial scandals in the United States and responded to the need to establish rules for public companies mainly with regard to issuing financial information.
 
All public companies listed on the US stock exchange are bound by the act, including their subsidiaries in other countries.
 
The act establishes that company management must set up and maintain an internal control structure based on the COSO model issued by the Committee of Sponsoring Organisations of the Treadway Commission. This private organisation was set up in the United States in 1985 to promote the National Commission on Fraudulent Financial Reporting, a private body that studies factors that may result in fraudulent financial reports and makes recommendations to public companies and their independent auditors, and to the Securities and Exchange Commission (SEC) and other regulatory bodies and educational institutions. This internal control structure is complemented with the Control Objectives for Information and Related Technology (COBIT) model, a specific and detailed internal control model that links control requirements, technical aspects of information systems and business risks.
 
The COSO internal control model is highly holistic, which makes its interpretation and implementation a real challenge and creates a risk in these processes. SOX establishes that internal control structures should be assessed on an ongoing basis and that administrators and senior executives should make a legal statement to the effect that an evaluation has been made and improvements implemented. The COBIT model covers 44 aspects, twelve of which are considered necessary in order to comply with SOX.
 
At the same time, the US Public Company Accounting Oversight Board, a body set up under the SOX Act to ensure compliance with the act, issued the Auditing Standard, which includes specific rules and standards for external auditors and establishes that senior management has to make a statement regarding audits.
 
In practical terms, compliance with the SOX Act largely involves: documenting the general control environment and the specific control tasks related to issuing financial information (processes, critical controls, policies, procedures, etc.); a commitment to maintaining a proper internal control structure; an ongoing and recurring evaluation of the operation of critical controls (testing), including evidence that the evaluation has been carried out; and the determination, development and ongoing implementation of the improvements detected (correction plan).
 
Our know-how in this area and our specialisation enable us to provide a comprehensive service or a service in stages, based on the needs of each particular customer. The following are some of the services we can provide with regard to complying with the SOX Act:
  

  • Diagnosing implementation of compliance with the COSO and COBIT models, the Auditing Standard and the SOX Act.
  • Identifying, developing and implementing compliance.
  • Testing operating controls.
  • Preparing the correction plan and putting it into action.