In this excerpt from Chapter 1 of Sarbanes-Oxley for Dummies, author Jill Gilbert Welytok demystifies four common myths about SOX.
Although SOX costs corporations billions of dollars and diverts massive resources from production and profit-generating activities, it's not all bad. In fact, there are things it doesn't require; this section puts to rest four common SOX myths.
Myth #1: Auditors can't provide tax services
SOX doesn't segregate to absurd extremes the services accountants can provide to companies. For example, in passing SOX, Congress recognized that in many cases it's practical and cost-efficient for audit firms to prepare tax returns. Although SOX precludes auditors from providing certain services to their clients to prevent Enron-type conflicts of interest, the legislation doesn't ban tax preparation services outright. Rather, the company's audit committee is charged with the responsibility of determining who provides tax services. However, some caveats must be considered in each case; for example, SOX's ban on software consulting may sound a death knell for audit firms that sell tax software to their audit clients and provide consulting services to support it.
Myth #2: Internal control means data security
Internal control refers to financial controls that impact financial statements, not data security. SOX doesn't specifically spell out any data security requirements for companies. Other legislation, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), has rules about data security, but SOX is silent on things like password protection and encryption standards. This myth likely results (at least in part) from SOX's emphasis on internal control, which is a term sometimes used by information technology professionals.
Myth #3: The company isn't responsible for functions it outsources
Not true. Under SOX Section 404, it doesn't matter whether you outsource a system, process, or control or handle it internally -- if it impacts the financial statements, the reporting company is on the line. This means you may have to directly test the controls at your outside service providers. Or, in some circumstances, you may be able to get a special type of report called an SAS 70 (type 2) from the service provider; this report documents the effectiveness of the provider's internal controls. (For more on the SAS 70 report, flip to Chapter 13.)
Myth #4: My company met the deadline for Section 404 first-year compliance. We're home free!
Sorry, 404 certification is an annual event. And when it comes to Section 404 compliance, a corporation is never "done." Compliance is a continual and ongoing process. Your systems must evolve as the company evolves, and so must the tests that are performed on those systems.
Read the rest of Chapter 1 from Sarbanes-Oxley for Dummies