By Will Sturgeon, 10 June 2004 11:35
The Sarbanes-Oxley Act - what on earth is that?
It's the name of a piece of US compliance legislation, with global implications, which was signed off in 2002 and is soon to 'go live' with the intention of preventing financial malpractice and accounting scandals such as the Enron debacle. It's becoming known as SOX or SarbOx or SOA.
In fact, anything BUT 'the Sarbanes-Oxley Act', right? I can see why...
Indeed. The Sarbanes-Oxley Act is a bit of a mouthful, though it could be worse. It's also known as the Public Company Accounting Reform and Investor Protection Act. The shorter moniker comes from the names of Senator Paul Sarbanes and Representative Michael Oxley who are credited as the main architects of the Act.
And when is this all going to happen?
The straightforward answer is 15 November, 2004. That is the date on which the Act comes into effect. But in truth companies should have been working on their compliance issues for quite some time. This isn't just a case of flicking a switch at 10 minutes to midnight on 14 November.
So they should be looking at this now?
Companies should have started looking at their SOX issues some time ago - but many are still just waking up to the challenge. According to Margaret Brooks, director of strategic business development and SOX specialist at Computer Associates, finance departments 'get it' but "a lot of CIOs don't know what's going to hit them".
That's a bit harsh isn't it?
Well, one anonymous US CIO certainly concurred. "I feel like a bad storm's coming and I don't know what it is or when it's going to hit," he said at a recent industry event. It's certainly fair to state that it's an issue which relies heavily on IT and that sense of panic is not unique. Many companies are now aware of the spectre of SOX hanging over them without having a handle on what it is and what they have to do to ensure 'compliance'.
So in a nutshell, what does it all involve?
The Act covers a whole range of governance issues - many covering the types of trade that are allowed within a company, with an emphasis upon keeping everything above board. For example, the Act forbids personal loans to officers and directors. Disgraced former WorldCom boss Bernie Ebbers had taken considerable loans from his company shortly before it became the next corporate scandal to rock the US, post-Enron. Other measures regulate the responsibilities of audit committees sent in to check the health of companies' compliance. The Act also offers protection to 'whistleblowers' (for more specific details, see the links at the bottom of this article).
While much of this is common sense and achievable, the actual challenge of SOX is ensuring it is observed and that compliance can be demonstrated and accurately monitored and reported. The most common area of focus is the archiving of all communications and the creation of transparent and auditable systems for recording transactions, dealings and any kind of business correspondence. This should mean traders can't contact one another, or analysts, 'on the sly' and deals can't be 'lost in the muddy waters of business'. Applications such as IM are also being singled out as areas that need to be secured and made clearly accountable.
Kailash Ambwani, CEO of secure IM provider FaceTime, believes IM is "mission critical" to most major financial institutions but he said: "These guys don't have in place the necessary security, accountability, logging or archiving to make those IM sessions compliant."
That is something that will have to change by 15 November.
So every file, every email, every IM, every phone call is going to have to be recorded?
That's been a lot of people's gut reaction, according to Mark Ellis, CA's director of storage and information management, but it's not quite so extreme. Many companies simply assume that as long as they record everything they will be compliant with that aspect of SOX - which is true, if a little naïve about the storage and logistics implications of such thoroughness. Ellis describes this reaction as being "like a rabbit caught in the headlights" and explained that "people need to know what they must keep".
"Legal compliance is not about what you need to keep, it's about knowing what you can delete," he said, imploring companies to find out more about the complicated legislation.
And how can they do that?
Most companies are having to work with accredited auditors and consultants to ensure they have 'ticked all the right boxes'. In the US, Ernst & Young and PwC account for about a fifth of this market each, with KPMG and Deloitte and Touche accounting for about 13 per cent each. A successful filing from these companies is priceless for the companies affected by SOX.
How so?
These firms are there to test compliance and search for 'material weaknesses' - flaws that would fail the SOX test - and there is a lot of shareholder trust to be gained from filing for SOX compliance. To date 5,685 firms have filed, which makes for 5,685 happy sets of shareholders.
Even if nothing bad ever happens, companies cannot afford to be remiss with their compliance. Non-compliance with SOX will probably mean heavy fines - which as yet have not been outlined or defined - and a serious loss of shareholder trust and brand value. After all, nobody wants to think their stocks might become the next Enron shares. Large financial institutions will probably be able to pay any fines with pocket change but loss of face and the ensuing PR disaster of public 'naming and shaming' could be colossal.
Quite. So compliant companies will be 100 per cent safe from that kind of corporate scandal?
Of course not. There's no such thing as 100 per cent safe, but companies need to be able to demonstrate that they have shown due diligence. They may never be able to protect themselves against the actions of a rogue trader who goes offline, but they will be able to prove they did everything they could to cover their backs and hit their compliance targets.
So will everybody go for this and 'sign up'?
They have to really but it may require a cattle-prod approach - if only because it may be the only way to force the issue. One expert added: "The first major fine that lands on a 'high street' name will galvanise people into action."
And when might that happen?
Some time after 15 November. Watch this space...
For more information about Sarbanes-Oxley, see:
Securities and Exchange Commission
Sarbanes-Oxley.com
Deloitte and Touche
PricewaterhouseCoopers
KPMG
Comments
There are 14 comments.
1. anonymous
Your article is incorrect. The SOX Act became effective in 2002. Only Section 404 is effective November 15th. Section 302 also deals with internal control and has been in effect since August, 2002.
(Ed note. You are right - and the first section of the Cheat Sheet acknowledges the 2002 date.)
2. anonymous
I do not know of any companies who have met SOX 404 requirements and filed a report with the auditor's opinion. Where can I find the list of the 5,600 companies that have happy shareholders?
3. Marc W.
I am and have been very intrigued by this topic because I own a data disaster recovery company that is working with the Federal compliancies and issues pertaining to HIPAA and Sarbanes Oxley issues.
The compliancies, as written, seem open to interpretation and are, at the very least, vague. I suspect that companies will go overboard in what they comply with just to be or stay out of harm's way regarding penalties and constant review by the governing body of auditors.
No entity that is forced to comply is going to be happy with the nature of compliancy, but there are easy measures to ensure total compliancy without breaking the bank. The art of the game is to do the due diligence needed to get you past the auditors.
Marc
4. Rick Barry
Can the author/Eds tell us simply: what organizations are covered under SOX? I understand that it is limited to private sector companies only. But is it limited to only those trading in financial transactions, or does it cover all publicly owned companies listed on the US stock exchanges or doing business in the US? I've followed the links but can't seem to get this basic information and it isn't covered in Sturgeon's otherwise excellent article. Thanks.
(Ed note. Rick, apologies if that point hasn't been made clear - perhaps the wrong assumption has been that by now companies who are affected will all know, and our 'cheat sheets' really are only intended to serve as a basic overview. Essentially, as you'll note the cheat sheet refers to the full name of SOX as the 'public company accounting reform and investor protection act'. This means it applies to all publicly traded companies, registered public accounting firms and companies in the process of registering securities.)
5. anonymous
Can someone please tell me when the UK companies have to comply by; by this I mean the ones owned by or trading to the USA... I can't seem to find an exact date anywhere!
(Ed note. It's in the third paragraph. Have another look - go on, you know you want to. That's as close to an exact date as you'll get.)
6. G Greenham
There are several sections with different effective dates. However, I'd believe the short answer, for Section 404, is: Foreign Private Issuers (not accelerated filers, but with market cap > $75m USD) require that the first annual report after July 15, 2005 will require an assertion from management about its internal control et al and have the external auditor express an opinion about that statement in its audit of the company's financial statements.
7. anonymous
After the Oliver North case, companies in US have tended to implement email deletion policies. Now they are going to have to change those deletion routines into archiving ones.
Although Dilbert recently mocked the practice, some investment in Ethics awareness for these companies and their employees would not go amiss.
8. anonymous
Hi, I work for a UK-based limited company, which is owned by a UK Plc. We sell to the US; can someone tell me if we should be doing something about SOX ourselves, or our parent company?
thanks from 'confused of south coast'
(Ed note. At the moment SOX relates to companies listed in the US. If your parent company is listed on any US markets there is a strong likelihood that aspects of SOX may impact your business practices, and it is worth looking into the matter. The US deadline has been extended for companies based 'overseas'.)
9. anonymous
Hi, I work for a UK-based limited company, which is owned by a UK Plc. We sell to the US; can someone tell me if we should be doing something about SOX ourselves, or our parent company?
thanks from 'confused of south coast'
10. anonymous
Hi Confused... :)
SOX is US legislation, a little like FDA (Food and Drug Administration) and, as far as I'm aware, SOX only applies to companies which are stated with the US SEC (Securities and Exchange Commission), or where you are providing a service to a US company which relies on your results to feed into their published results.
So net, if you're not owned by a Yankee company or reporting results into a US company as a supplier, you're ok... Though, someone please tell me if I'm wrong here...
Just give it a couple of years though, and the UK is bound to follow suit on legislation...
11. anonymous
You're reporting to a US company?? You need to be compliant today in essence.. Check with your external auditor, and also you can use your company's financial year end as another indicator... ie, P&G files end March for SOX, so I have until then.... oh the joys of yet another bit of US legislation..
12. anonymous
I work for a large telecoms company; do SOX controls drill down to ensuring that the company has accurate equipment and asset records?
13. anonymous
If you are not a brokerage or financial institution but you are a publicly traded company, does Sarbanes-Oxley require that instant message logging be performed and the messages themselves retained for any period of time?
14. anonymous
Does Sarbanes-Oxley affect European countries or multinational companies active in the USA?