SOX Compliance Checklists

In this article

• What is the Sarbanes-Oxley Act?
• What is SOX Internal Control?
• SOX Compliance in 2020
• What are the Requirements for a SOX Audit?
• What is the Difference Between SOX and J-SOX?
• What is SOX Procedure?
• What are SOX Compliance Requirements?
• How to Use the SOX Compliance Checklist
• Digital Solution to Proactively Ensure SOX Compliance
• Featured SOX Compliance Checklists

What is the Sarbanes-Oxley Act?

The Sarbanes-Oxley Act of 2002, also known as the “Public Company Accounting Reform and Investor Protection Act” in the Senate and the “Corporate and Auditing Accountability and Responsibility Act” in the House of Representatives, was named after its sponsors, Sen. Paul Sarbanes (D-Md) and Rep. Michael Oxley (R-Ohio). The U.S. Congress passed SOX due to the accounting scandals at Enron, WorldCom, and Arthur Andersen, among others.

The U.S. SEC enforces SOX to prevent deceptive business conduct such as keeping huge debts off balance sheets, underreporting line costs by capitalizing rather than expensing, and inflating revenues with fake accounting entries that eventually lead to millions of dollars in fines and criminal conviction.

What is SOX Internal Control?

Under SOX Section 404, each annual financial report must include an internal control report, stating that the management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting. Every internal control report should also contain the management’s assessment of the effectiveness of the aforementioned structure and procedures and disclosure of security safeguards, breaches, and failures, attested to, and reported on by registered external auditors.

SOX Compliance in 2020

The SEC’s final rule that would exempt more categories of companies from auditor attestation of management’s financials has been effective since April 27, 2020. Adopting amendments has been decided upon to reduce compliance burdens for companies, especially for the most complicated, contested, and expensive to implement—SOX Section 404: Management Assessment of Internal Controls.

This change means certain low-revenue companies can file their managements’ effectiveness assessment in the internal control over financial reporting, or ICFR, without any independent auditor attestation. The SEC estimated that 539 companies would be exempted, saving compliance costs, and possibly encouraging more businesses to go public.

However, investors are also likely to price the loss of the internal controls audit attestation in their equity risk premium, making them buy stocks at higher discount rates because of the increased risk of potentially weak internal controls. Ultimately, SOX 404 compliance can be summed up from a previous SEC press release:

“Congress never intended that the 404 process should become inflexible, burdensome, and wasteful. The objective of Section 404 is to provide meaningful disclosure to investors about the effectiveness of a company’s internal controls systems, without creating unnecessary compliance burdens or wasting shareholder resources.”

What are the Requirements for a SOX Audit?

The audit entails reviewing controls, policies, and the procedures of a 404 audit. It will also look into the staff, their duties and job description, and if they have received relevant training to safely access financial information. According to sections 302, 404, and 409 of the Sarbanes Oxley Act, the following conditions are required to be monitored, logged, and audited:

• Internal controls
• Network activity
• Database activity
• Login activity
• Account activity
• User activity
• Information access

Failing a SOX compliance audit can result in fines and significant penalties that can damage the organization’s reputation.

What is the Difference Between SOX and J-SOX?

J-SOX is the Japanese equivalent of the Sarbanes Oxley Act of the US. Both SOX and J-SOX regulations aim to evaluate internal control systems related to financial reporting. While there are similarities in their standards and requirements, both have their differences. Among those are the internal control framework, evaluation approach, the scope of entities, the scope of the process, etc.

What is SOX Procedure?

All entities subject to SOX should provide IFCR according to Section 404, while some smaller reporting companies’ management effectiveness assessments in the IFCR can be submitted without external auditor attestation according to the SEC’s final rule. Private companies preparing for their initial public offering (IPO) should also comply with the Sarbanes-Oxley Act.

Moreover, the U.S. SEC Division of Corporate Finance undertakes some level of review of each reporting company at least once every three years and reviews a significant number of companies more frequently.

What are SOX Compliance Requirements?

Since SOX compliance is crucial to keeping your company afloat, here are the other Sarbanes-Oxley sections you should focus on:

SOX Section 302: Corporate Responsibility for Financial Reports

A company’s Chief Executive Officer, or CEO, and Chief Financial Officer, or CFO, are directly responsible for the accurate documentation and certification of all financial reports submitted to the SEC. Setting up audit committees, compensation committees, and disclosure committees composed of board members and getting good legal counsel can help reinforce internal controls and limit corporate liability.

Since SOX Section 302 is intended to safeguard against faulty financial reporting, make sure your verifiable security controls that prevent data tampering, establish timelines, and track data access are operational, periodically reviewed for effectiveness, and capable of detecting security breaches.

SOX Section 401: Disclosures in Periodic Reports

All of the company’s financial statements in periodic reports should be made with all material off-balance sheet liabilities, obligations, or transactions, audited by a registered public accounting firm, and published to the public.

SOX Section 409: Real Time Issuer Disclosures

Any changes in a company’s financial condition or operations should be reported on an almost real-time basis using trend and qualitative information and graphic presentations to protect investors and public interest.

SOX Section 802: Criminal Penalties for Altering Documents

Penalties of up to 20 years imprisonment await anyone who alters, destroys, mutilates, conceals, covers up, or falsifies any record, document, or tangible object with the intent to influence, obstruct, or impede a legal investigation. Any auditor who fails to maintain review papers for a period of 5 years shall be fined and/or imprisoned for not more than 10 years.

SOX Section 906: Corporate Responsibility for Financial Reports

All of the company’s financial statements in periodic reports should be certified by the CEO and CFO with a written statement, on top of the one required by Section 302, that they fully comply with the requirements and that information contained in them fairly presents the financial condition and results of the company’s operations.

How to Use the SOX Compliance Checklist

Since SOX compliance is essential for publicly-traded companies, it is important that an organization has a standardized approach when it comes to tracking its very own conformance. A SOX compliance checklist enables businesses to list down their points of compliance and avoid missing critical areas that can result in non-conformance to the act. Using this in a highly-intuitive platform, however, raises its documentation, accuracy, and speed.

Steps to Using the SOX Compliance Checklist

An effective SOX compliance follows these steps:

• Establish relevant roles from the management team – Specify who will be conducting the SOX audits or inspections to ensure a smooth internal implementation of the act.
• Identify areas for compliance – Tailor your checklist to meet the requirements of SOX compliance. Use this as a well-founded basis to ask the right questions and determine critical points for the approach to ensuring and maintaining compliance.
• Determine if key controls work – Analyze if currently implemented systems work by choosing between Yes, No, or N/A, organizations can even customize their own set of answers.
• Recognize potential areas of non-compliance – Using this document, the management team can proactively spot incidents of non-conformance and assess how they can be improved and avoided moving forward.
• Input additional comments – Add any recommendations, suggestions, or comments to further reinforce the organization’s approach to SOX compliance, before signing off.