In this excerpt from Chapter 1 of Sarbanes-Oxley for Dummies, author Jill Gilbert Welytok demystifies four common myths about SOX.
Myth #1: Auditors can't provide tax services
SOX doesn't carry the separation of the services accountants can provide to companies to absurd extremes. For example, in passing SOX, Congress recognized that in many cases it's practical and cost-efficient for audit firms to prepare tax returns. Although SOX precludes auditors from providing certain services to their clients to prevent Enron-type conflicts of interest, the legislation doesn't ban tax preparation services outright. Rather, the company's audit committee is charged with the responsibility of determining who provides tax services.
However, some caveats must be considered in each case; for example, SOX's ban on software consulting may sound a death knell for audit firms that sell tax software to their audit clients and provide consulting services to support it.
Myth #2: Internal control means data security
Internal control refers to financial controls that impact financial statements, not data security. SOX doesn't specifically spell out any data security requirements for companies. Other legislation, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), has rules about data security, but SOX is silent on things like password protection and encryption standards. This myth likely results (at least in part) from SOX's emphasis on internal control, which is a term sometimes used by information technology professionals. The one place security does enter the picture is indirectly: in practice, auditors treat the IT general controls over the systems that produce the financial statements (who can change an application or its data, and how changes are approved) as part of the internal control being assessed, because a failure there undermines the financial controls that sit on top of them.
Myth #3: The company isn't responsible for functions it outsources
Not true. Under SOX Section 404, it doesn't matter whether you outsource a system, process, or control or handle it internally -- if it impacts the financial statements, the reporting company is on the line. This means you may have to directly test the controls at your outside service providers. Or, in some circumstances, you may be able to get a special type of report called an SAS 70 (type 2) from the service provider; this report documents the effectiveness of the provider's internal controls. (For more on the SAS 70 report, flip to Chapter 13.)
Myth #4: My company met the deadline for Section 404 first-year compliance. We're home free!
Sorry, 404 certification is an annual event. And when it comes to Section 404
compliance, a corporation is never "done." Compliance is a continual and
ongoing process. Your systems must evolve as the company evolves, and so
must the tests that are performed on those systems.
This was first published in January 2008
