Sarbanes-Oxley Act 2002 – Intersecting Risk Management with Compliance Management
Jeff Ryall
Recently, Quality Award Partners® Managing Director Jeff Ryall completed an assignment with the Australian arm of an international software development company in the finance & insurance industry. The task was to provide all staff with an understanding of the Sarbanes-Oxley Act 2002, and its implications for the business and product.
What is the Sarbanes-Oxley Act?
The Sarbanes-Oxley Act 2002 (SOX) was introduced within the USA to deal with the fallout of major public company scandals, such as Enron and WorldCom. Underlying this was the failure of institutional public accountability frameworks to identify and expose corrupt practices. The Act was designed to strengthen corporate governance and restore investor confidence in publicly listed companies in the USA. It mandated a rigorous regime of senior management and financial audit accountability.
SOX is wide ranging and establishes new or enhanced standards for all US public company boards, management, and public accounting firms. It also adds corporate board responsibilities and criminal penalties.
The thrust of the SOX requirements is embodied in Section 404 of the Act. This requires a personal signoff of published company accounts by the CEO and CFO. They must confirm that the published accounts are correct. They must also confirm that the internal control systems that underpin the reporting integrity are sound and reliable. The sting in the Act is that company officers carry personal liability for this, and may be subject to jail terms for incorrect or misleading statements. Additionally, auditors are required to attest to and report on management's assessment of control effectiveness.
This compliance requirement has been regarded by some as draconian. Indeed, there have been "regulatory refugees" from the New York Stock Exchange to the London Stock Exchange as a result. On the other hand, some organisations, such as not-for-profits, have seen the benefits in transparency and have voluntarily embraced the Act's requirements.
So how are those requirements to be met?
The only effective way to assure SOX compliance is to establish a comprehensive and appropriate system of internal controls. These need to be developed based on a comprehensive enterprise-wide approach to risk management.
It has to be built into the business - not bolted on.
It needs to cover all processes - from beginning to end.
It needs to impact all levels - from mailroom to boardroom.
Your management system is crucial to achieving this. The ISO 9001 framework is widely regarded as a highly suitable basis for building SOX compliance, because its design is process-based and can cover all aspects of the business.
Additionally, in order to have a robust compliance system that operates effectively, a culture of compliance needs to be developed, nurtured and sustained within every organisation. SOX points to this in a number of places; for example, severe penalties exist for destroying, covering up or failing to reveal necessary information to auditors or other investigators. (The ACCC also emphasises the importance of culture in achieving compliance.)
Risk management and compliance management are not the same, although they do need to operate interdependently within your organisation. Quality Award Partners® Advent ManageR™ risk and compliance software is designed as a practical solution to the fulfilment of compliance obligations and the need for enterprise-wide risk management, and fully supports SOX compliance requirements.
