Sarbanes-Oxley Summary for IT Professionals & Projects
I am often asked by customers about SOX compliance and how DBSync replication and integration address the requirements of the SOX regulations.
The key sections for IT managers to look at are Sections 302, 404, and 1102, and Title IX.
I would like to draw the attention of IT managers to Section 404, which requires internal controls to be in place across their CRM, ERP, and SCM systems, along with document archiving requirements and the ability to find and recover documents and records for a seven-year period. When cloud and on-premise applications are used to implement CRM, ERP, and SCM, it becomes important to have controls in place so that front-end sales activity is reflected in and communicated to the supply chain, and vice versa.
Although the entire Act is too large to cover here, there are some key regulations implementing the critical sections of Sarbanes-Oxley that IT executives and managers alike need to be aware of:
Section 101: Public Company Accounting Oversight Board (PCAOB) Membership.
The board shall consist of five full-time members (two CPAs and three non-CPAs) who are all financially literate. No member of the board may be receiving payment or sharing in the profit of any public accounting firm other than retirement benefits or other fixed payments. The chair may not have practiced as a CPA within the previous five years.
Section 103: PCAOB’s Duties.
The board is responsible for:
● Setting the budget and managing its operations.
● Establishing “auditing, quality control, ethics, independence, and other standards relating to the preparation of audit reports for issuers.”
● Registering and inspecting accounting firms.
● Investigating irregularities and imposing appropriate sanctions.
● Enforcing compliance with the Act and other laws or standards relating to the preparation and issuance of audit reports.
● Performing other duties as required.
The board must adopt an audit standard to implement the internal control review required by Section 404.
Section 105: PCAOB Investigations.
Information received or prepared by the PCAOB shall be “confidential and privileged as an evidentiary matter (and shall not be subject to civil discovery or other legal processes) in any proceeding in any Federal or State court or administrative agency, unless and until presented in connection with a public proceeding or [otherwise] released.” No sanctions report will be made available to the public unless and until stays pending appeal have been lifted.
Section 107(d): PCAOB Sanctions.
The SEC has the right to require the board to carry out additional responsibilities, such as keeping certain records, and it can inspect the board as necessary.
Section 107(c): Review of Disciplinary Action Taken by the PCAOB.
The SEC can change, cancel, reduce, or increase sanctions applied by the board.
Section 108: Accounting Standards.
The SEC recognizes GAAP and all the principles therein, and any new procedures must adhere to the GAAP principles.
Section 201: Prohibited Activities of Professional Service Providers.
The firm that supplies auditing services to a client cannot provide to the audit client: bookkeeping or other accounting record services; financial information systems design and implementation; appraisal or valuation services; actuarial services; internal audit outsourcing services; management functions or human resources; brokerage, investment adviser, or investment banking services; legal services; or any other service that the board determines, by regulation, is impermissible.
Section 206: Conflict of Interest.
The CEO, controller, CFO, and so on cannot have worked for the company’s external audit firm in the year preceding the audit.
Section 301: Public Company Audit Committees.
The audit committee is to be made up of board members who are guaranteed to be independent and free of interests that conflict with those of the corporation.
Section 302: Certification.
CEOs and CFOs must certify in each reporting period that the information presented is accurate and fairly represents the financial position of the company and operational results. Certifying officers will face penalties for false certification of $1 million and/or up to 10 years’ imprisonment for a “knowing” violation and $5 million and/or up to 20 years’ imprisonment for a “willing” violation.
Section 304: Forfeiture of Certain Bonuses and Profits.
If an issuer is required to prepare an accounting restatement because of material noncompliance, resulting from misconduct, with any financial reporting requirement under the securities laws, the CEO and CFO of the issuer shall reimburse the issuer for (a) any bonus or other incentive-based or equity-based compensation received from the issuer during the 12-month period following the first public issuance or filing with the SEC (whichever occurs first) of the financial document embodying that financial reporting requirement, and (b) any profits realized from the sale of securities of the issuer during that 12-month period.
Section 306: Blackout Periods.
Officers, directors, and other insiders may not purchase or sell stock during blackout periods.
Section 401(a): Disclosures in Periodic Reports.
All financial reports are to be prepared according to GAAP and shall “reflect all material correcting adjustments . . . that have been identified by a registered accounting firm.”
Section 401(c): Off-Balance Sheet Disclosures.
The SEC shall study off-balance sheet disclosures to determine the extent of the transaction and whether GAAP rules were applied such that the transactions are transparent to investors.
Section 402: Prohibition of Personal Loans to Executives.
No public company, except consumer credit institutions, may make or renew a loan of a personal nature to its executive officers or directors. A credit company may issue consumer loans and credit cards to its directors and executive officers if it does so in the ordinary course of business on the same terms and conditions offered to the general public.
Section 403: Disclosures of Insider Trades.
Directors, officers, and 10-percent owners must report insider trades within two business days of the transaction.
Section 404: Internal Controls.
Management must state their responsibility in establishing, maintaining, and analyzing the internal control structure, and must assess the effectiveness of such processes.
Section 406: Codes of Ethics.
A corporation is required to have a code of ethics that addresses financial data and record integrity. If a corporation does not have a code of ethics it must justify its position.
Section 407: Financial Expert.
At least one member of the audit committee must be a “financial expert,” a person who has education and experience as a public accountant, auditor, principal financial officer, controller, or principal accounting officer.
Section 409: Real-Time Disclosure.
Issuers must disclose information on material changes in the financial condition or operations of the issuer on a rapid and current basis.
Title VIII: Corporate and Criminal Fraud:
● It is a felony to “knowingly” obstruct a federal investigation by tampering with documents or other such actions.
● Auditors are required to maintain records for five years.
Section 806: Whistleblower Protection.
Employees are given “whistleblower protection” that prohibits the employer from taking retaliatory action against employees who disclose information relevant to a fraud claim.
Title IX: White-Collar Crime:
● Maximum imprisonment for mail and wire fraud is increased from five to ten years.
● Tampering with a record or otherwise obstructing a proceeding is a crime.
● A CEO or CFO who knowingly or willfully certifies financial reports that are misleading faces a fine of up to $5 million and/or imprisonment of up to 20 years.
Section 1102: Tampering with a Record.
It is a crime to alter, destroy, or conceal any document with the intent to obstruct an official proceeding; the penalty is up to 20 years in prison and a fine.
Section 1105: Prohibited Board Members.
A person who has committed securities fraud may be prohibited by the SEC from serving as a board member.