Regulatory Compliance and Governance
Regulations are guidelines that help in giving directions and restrictions regarding a particular issue of concern. The Sarbanes-Oxley Act (SOX) was enacted in 2002 to guard against fraud and scandals that arise from manipulation of records by company management, directors and other top officials of an organization (Financial Executives Research Foundation, 2003). Further, it guards against the involvement of external auditors in the process of manipulation of information and compromise (Financial Executives Research Foundation, 2003). SOX is named after Senator Paul Sarbanes and Representative Michael Oxley, who were responsible for drafting and proposing the law. The law outlines the responsibilities of managers in the process of financial control and evaluation. Additionally, it describes criminal penalty to be applied if managers go against SOX (Financial Executives Research Foundation, 2003).
Section 302 of SOX commonly referred to as disclosure control requires that managers sign giving accurate and transparent financial reporting and implement effective internal structures of financial controls. Additionally, it requires that managers must report on the effectiveness of the control structures ninety days before the day of company report release. Section 401 also known as disclosure in the periodic report reinforces Section 302 by further defining extra roles of the management.
Illustratively, it requires that managers declare off-balance sheet items and instruments used together with the extent of their application (Howell & Ray, 2015). Section 404 of SOX known as the assessment of internal controls, mandates managers to disclose transparently the effectiveness and applicability of internal financial controls and checks implemented in the company (Menzies, 2004). Further, it requires that external auditors give their assessment of the internal controls. Section 802 of SOX gives the criminal penalty to serve managers and any other person who gives false or misguiding information with the aim of influencing or obstructing an investigation. It states that the individual will be fined according to the acts or receive an imprisonment term of not more than twenty years or both (Howell & Ray, 2015).
SOX is important in protecting investor, shareholders and the government against frauds resulting from manipulation of information in a bid to influence an investigation. Further, it outlines the duties of managers and requires them to take up responsibilities for any misguided information they give.
Successful Compliance Program
Previous studies have confirmed that SOX subjects companies to challenges, especially during the first year of implementation and putting structures in position so as to comply with the outlines framework. In most cases, SOX comes with a new set of standards, defines corporate responsibility and further calling upon the executive management to confirm the functionality of the internal controls within the organization. There must be a good roadmap defining the entire necessary steps, or less companies may find themselves lost and implementing unnecessary detours during their business activities. The following steps will help the organization come up with a straight forward, effective and more efficient framework for realizing a successful SOX compliance:
- Starting the Project
The senior management must come together and set the appropriate tone, prove that they are committed to the project and further emphasize on the relevance of the internal controls. The organization must identify the individual owning the project, and in most cases a compliance officer, who will be responsible for managing the project. The compliance officer will be expected to monitor the project on a daily basis, with the management coming on board to ensure that the entire personnel are meeting their responsibilities.
- Risk Assessment and Scoping
The organization must lay out a project plan prior, since this will see the entire process running smoothly. The project plan should comprise of risk assessment (RA), scope evaluation (SE), testing timeline (TT) and compliance testing coordination (CTC). The risk-based approach will create room for the auditors to completely focus on relevant controls and analyzing the identified financial risks. The SE will entail assessing the nature, timing as well as the level of testing that have to be undertaken.
- Documenting Internal Controls
It is important for the organization to pinpoint on some of the risks that may be encountered in the respective business levels. In doing so, they should only identify some of the risks that are believed to have material impacts on the financial statements, hence coming up with mitigation measures. The documentation of the internal controls paves way for identifying the possible risks that may not be mitigated through the formalized process.
- Compliance Testing
The entire document controls must be subjected to evaluation to check on their effective operation. Some of the testing process may encompass inquiry, observation, examination and other appropriate performance procedures to ensure proper functioning of the controls.
- Evaluation Process
In each financial year, the management has to subject the entire exceptions to evaluation and further group them into two classes: control deficiencies (CD) and material weaknesses (MW), all which must be reported to the management board.
Howell, J., & Ray, T. (2015). What the PCAOB’s inspection results mean for your company: many audit and control failures can be attributed to failures of documentation by the public company. Financial Executive, 31(1), 26-30.
Financial Executives Research Foundation. (2003). Sarbanes-Oxley Act of 2002: Financial executive checklist.