When it comes to compliance regulations, the one that seems to strike the
most fear into the hearts of company executives is the Sarbanes-Oxley Act of
Nicknamed Sarbox, and sometimes SOX, the stringent regulation was created to provide
control over corporate governance, disclosure and financial accounting in
the auditing community after the Enron and WorldCom financial scandals led
to billion-dollar losses. The corruption affected financial markets and investor trust.
Gearing up For Sarbox
Each year, publicly traded corporations must submit an assessment of the
effectiveness of their internal financial auditing controls to the
Securities and Exchange Commission (SEC).
Moreover, each company’s external auditors are required to audit and report
on the internal control reports of management, in addition to the company’s
financial statements. Failure to meet reporting criteria can lead to hefty
fines or even jail time.
“The last thing they want to do is become the last Enron and WorldCom,” said
Aberdeen Group research analyst Jim Hurley, who specializes in global
compliance regulations. “It is the No. 1 thing for firms to get their
attestation from their auditors to make sure that they sign off on the
processes and the financials.”
So where does IT factor in the Sarbox issue? At the heart. Public companies must establish a digital accounting
framework that can generate reports that are verifiable with source data.
Source data must remain intact and any revisions must be documented as to
what changed, who changed it, why and when.
This means companies must install gear that ensures data is securely
stored and that a single file may be recalled from a trove of millions.
Deadlines in Place
Aside from the goal to track finances down to the penny, the tricky part of
Sarbox was meeting several deadlines to prove they have the right internal policies or gear in place for each of the many sections of the regulation, with closing dates varying on the size or type of company.
All parts of Sarbox are effective now, with the exception of Section 409.
But the one that every company seems to be especially wary of minding is
Section 404 requires that each annual report from an auditor contains an
“internal control report,” in which a public company’s management is
responsible for setting up and maintaining an internal control and
documentation for financial reporting.
Under Section 404, public companies with a market capitalization over $75
million were required to have their financial reporting frameworks
operational for their first fiscal year-end report after Nov. 15, 2004,
then for all quarterly reports thereafter.
For smaller companies, compliance is required for the first fiscal year-end
financial report, then for all subsequent quarterly financial reports after
July 15, 2005.
To make sure these rules were being followed to the letters and numbers, the
Public Company Accounting Oversight Board (PCAOB) was formed along with
Sarbox in 2002. Known as the “Peek-a-Boo Committee” in auditing circles, the
group is charged with overseeing what the auditors are doing and reviewing
financial statement by public companies.
In addition to the watchdog, there are very stiff civil and criminal
penalties associated with lying about financial statements. CEOs or other
executives who “knowingly” sign off on inaccurate financial statements face
10 years in jail and a $1 million fine. An executive who conspires to sign
off on false statements can receive 20 years and a $5 million fine.
Is it any wonder why Sarbox is a nightmare for businesses required to report
every iota of their accounting duties?
The Sarbox Nightmare?
For some businesses, the nightmare goes on. Companies that are filing Sarbox
compliance reports this year are
experiencing major disruptions, projects delays, and consolidations in IT
operations and planning, Aberdeen’s Hurley said.
The analyst, who recently published a report on the effects of Sarbox, said
only 64 percent of all commercial firms currently have an active Sarbox
compliance program, with 78 percent planning to have one before the end of
One of the reasons companies are finding Sarbox such a burden is that it is
costly. For many mid-tier firms, the cost of complying with Sarbox is as much
as it is for Fortune 2000 firms and is spelling the difference between
profit and loss.
“One senior executive of an industrial parts supplier said that the money
spent on Sarbox in their first year meant the firm reported a loss,” Hurley
said. “Another company in the telecommunications sector reported that its
profits vaporized due to the initial up-front costs related to Sarbox
In another problem, vendors have underestimated the challenge of Sarbox,”
“In early 2004, companies surveyed said their compliance efforts
were restricted to financial applications, and that ‘things are well in
But when these companies were contacted by Aberdeen in December 2004, their
leaders had changed their tunes, telling Hurley that auditors are regularly
testing information controls in data storage, software, networks, security,
transaction-processing systems and desktops.
Perhaps not surprisingly, security-control software is the No. 1 technology
being purchased to assist with Sarbox, Hurley said.
“The audits are finding security controls, processes and reporting
procedures that introduce too much risk, so that the auditor doesn’t trust
the procedures and data enough to sign off on the financial statements,”
These include everything from perimeter defenses and improved network
monitoring, to identity, information and provisioning controls.