If you are working with ERP software, management information systems or accounting systems, you might have heard about Sarbanes-Oxley (also called SOX) and that certain companies have to be in compliance with it.
But what does it mean to be SOX compliant? Is it something your company should worry about? Are there benefits or drawbacks to being SOX compliant? How do you make sure that your current ERP system can support SOX?
Sarbanes-Oxley (SOX) is a US federal law enacted on July 30, 2002 as a reaction to a number of major accounting scandals (such as Enron, WorldCom and Tyco International) which cost investors billions of dollars.
The legislation sets standards for all US public companies and for their external accounting firms. The act contains eleven titles, ranging from board responsibilities to criminal penalties.
It is named after its sponsors, US Senator Paul Sarbanes (D-MD) and US Representative Michael G. Oxley (R-OH).
SOX is only mandatory for companies that are publicly traded in the US (this includes foreign issuers registered with the SEC). Privately held companies do not have to be SOX compliant. That does not mean they cannot be, as there are benefits to SOX compliance.
Sometimes shareholders in privately held companies want their company to comply with some or all sections of SOX in order to hold management and its accounting firm to certain standards and ensure that things are run properly.
SOX is a very comprehensive law that has many provisions but there are a few important ones I would like to mention.
Section 302 mandates a set of internal procedures to ensure accurate financial disclosure. In short, the company's signing officers (the CEO and CFO) certify that they are responsible for establishing, maintaining and evaluating the effectiveness of internal controls.
Section 401 mandates that all material off-balance sheet items be disclosed. An off-balance sheet item is an asset or liability that does not show up on the company's balance sheet.
Section 404 is the most contentious aspect of SOX. It requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting. In practice this drives requirements on how the accounting and ERP systems are used and on the flow of data inside them, including who has access to what and why.
Other sections cover criminal penalties for violating SOX and protection of whistleblowers against retaliation.
One of the benefits of SOX is that shareholders can better rely on management's and the auditors' financial reports. The many internal control procedures and the direct liability placed on management help to prevent new accounting scandals like Enron and WorldCom.
Critics contend that SOX is an unnecessary and costly intrusion into corporate management that puts US corporations at a disadvantage relative to foreign corporations, thus driving business out of the US.
Since SOX compliance is primarily about data, analysis and reporting, the IT environment is critical in determining whether you are able to comply.
The following concepts are essential to SOX compliance, and any ERP solution used in a SOX context should address them:
Access to financial information should be limited to those who are authorized to use the system, or the relevant sections of it. This must be in place to prevent unauthorized access and fraud.
Information should only come from a reliable, trusted source: only designated people or groups may post or alter information.
Information is only accepted when it is entered in the correct format. Furthermore, information may only be entered once: duplicate entries are detected and rejected. All information is kept as current as possible.
All transactions should be backed up. Additionally, a log of users, their sessions and their transactions, protected so that the users it records cannot alter it, is ideal for tracking down inconsistencies in the system.
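The four controls above map onto a handful of checks in the posting path of any ledger. The following Python sketch is added here as an illustration; it is not code from Microsoft Dynamics NAV or any other ERP, and the role table, user names, session ids, document references and amounts in it are all constructed. It ties the controls together: a role table decides who may post and who may approve (kept as separate permissions so the two duties can be split), each journal entry is validated for format and balance before it is accepted, the document reference is used to detect and reject duplicates, and every attempt, including denied and rejected ones, is written to a hash-chained audit log that records who did what in which session and that reveals later tampering.

```python
# Hypothetical example, not code from Microsoft Dynamics NAV or any ERP; roles, refs and amounts are constructed.
import hashlib
import json
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# "post" and "approve" are separate permissions so entering and approving a journal can be split.
ROLES = {"alice": {"post"}, "bob": {"approve"}, "dave": {"post", "approve"}}

class ControlViolation(Exception):
    """An access, validation, duplicate or segregation-of-duties check failed."""

def validate_entry(entry):
    # Format check: account, side and a Decimal amount (never float for money) per line; debits == credits.
    try:
        lines = [(ln["account"], ln["side"], Decimal(str(ln["amount"]))) for ln in entry["lines"]]
    except (KeyError, TypeError, InvalidOperation) as exc:
        raise ControlViolation(f"malformed entry: {exc!r}")
    if not lines or any(s not in ("debit", "credit") or a <= 0 for _, s, a in lines):
        raise ControlViolation("each line needs side debit/credit and a positive amount")
    debit, credit = (sum(a for _, s, a in lines if s == side) for side in ("debit", "credit"))
    if debit != credit:
        raise ControlViolation(f"unbalanced entry: debit {debit} != credit {credit}")
    return lines

@dataclass
class Ledger:
    entries: dict = field(default_factory=dict)    # doc_ref -> posted entry
    audit_log: list = field(default_factory=list)  # hash-chained audit records

    def _audit(self, user, session, action, doc_ref, outcome):
        # Each record commits to its predecessor; editing or deleting one later breaks the chain.
        prev = self.audit_log[-1]["hash"] if self.audit_log else "0" * 64
        rec = {"user": user, "session": session, "action": action,
               "doc_ref": doc_ref, "outcome": outcome, "prev": prev}
        rec["hash"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
        self.audit_log.append(rec)

    def _reject(self, user, session, action, doc_ref, outcome, msg):
        self._audit(user, session, action, doc_ref, outcome)  # denials and rejections are logged too
        raise ControlViolation(msg)

    def _require(self, user, session, perm, doc_ref):
        if perm not in ROLES.get(user, set()):
            self._reject(user, session, perm, doc_ref, "denied", f"{user} may not {perm}")

    def post(self, user, session, entry):
        doc_ref = entry.get("doc_ref")
        self._require(user, session, "post", doc_ref)
        if not doc_ref or doc_ref in self.entries:  # duplicate detection
            self._reject(user, session, "post", doc_ref, "duplicate-rejected", f"duplicate {doc_ref!r}")
        try:
            lines = validate_entry(entry)
        except ControlViolation as exc:
            self._reject(user, session, "post", doc_ref, "validation-failed", str(exc))
        self.entries[doc_ref] = {"lines": lines, "posted_by": user, "approved_by": None}
        self._audit(user, session, "post", doc_ref, "ok")

    def approve(self, user, session, doc_ref):
        self._require(user, session, "approve", doc_ref)
        entry = self.entries.get(doc_ref)
        if entry is None or entry["posted_by"] == user:  # unknown document, or approving your own
            self._reject(user, session, "approve", doc_ref, "sod-rejected", f"cannot approve {doc_ref!r}")
        entry["approved_by"] = user
        self._audit(user, session, "approve", doc_ref, "ok")

    def verify_audit_chain(self):
        prev = "0" * 64
        for rec in self.audit_log:
            body = {k: v for k, v in rec.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or expected != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

def attempt(fn, *args):
    try:
        fn(*args)
        return "ok"
    except ControlViolation as exc:
        return f"rejected: {exc}"

def run_demo():
    lg = Ledger()
    good = {"doc_ref": "JE-1", "lines": [{"account": "1000", "side": "debit", "amount": "250.00"},
                                         {"account": "2000", "side": "credit", "amount": "250.00"}]}
    bad = dict(good, doc_ref="JE-9", lines=good["lines"][:1])  # debit with no matching credit
    outcomes = [attempt(lg.post, "alice", "s1", good),                       # ok
                attempt(lg.post, "bob", "s2", good),                         # bob may only approve
                attempt(lg.post, "alice", "s1", good),                       # duplicate JE-1
                attempt(lg.post, "alice", "s1", bad),                        # debits != credits
                attempt(lg.post, "dave", "s3", dict(good, doc_ref="JE-2")),  # ok
                attempt(lg.approve, "dave", "s3", "JE-2"),                   # posted it himself
                attempt(lg.approve, "bob", "s2", "JE-2")]                    # ok
    return lg, outcomes

def chain_after_tamper(lg):
    lg.audit_log[2]["outcome"] = "ok"  # try to hide the duplicate rejection after the fact
    return lg.verify_audit_chain()
```

Call run_demo() to walk through the scenario: the denied post, the duplicate, the unbalanced entry and the self-approval are all rejected, and each rejection leaves its own audit record. chain_after_tamper() then edits one logged outcome and shows that verify_audit_chain() no longer passes, which is the property the last point above asks of the log. In a real deployment the log would additionally be written to storage that the application's own users cannot modify, since a chain only detects tampering; it does not prevent it.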
Microsoft Dynamics NAV can help you become SOX compliant. Please see the attached whitepaper on SOX readiness with Microsoft Dynamics NAV.