The Sarbanes-Oxley Act’s compliance requirements for publicly listed companies have been around for a while, yet many organizations still struggle to fully comply. Most companies either underestimate or simply do not realize the magnitude of the task at hand, particularly with Section 404 of the Sarbanes-Oxley Act (SOX). Compliance with Section 404 needs proper planning in advance, along with well-documented processes, evaluation procedures, detailed allocation of resources and strict testing measures to ensure quality control.
A primary segment of Section 404 compliance is the audit of internal controls. Once a year, listed companies must hire an independent auditor, to avoid any conflict of interest, to conduct a SOX audit of the company’s internal controls. The independent auditors then inspect the financial statements to confirm accuracy and/or flag any major discrepancy. It is at this step in the compliance assessment process that most companies falter. Here are 3 major internal control challenges that listed companies’ management must address to fully comply with Section 404:
Inadequate Internal Control Management Program: Section 404 encompasses financial reports from all business units of the company. Management must realise this and allocate adequate resources and personnel to address it. Section 404 compliance is not restricted to just one department; rather, it requires synchronization of financial statements from all divisions and functions of the business. Hence, management must assign specific responsibilities to members of each business unit to work on Section 404 compliance as a joint effort.
Predictable Year-round Processes: A SOX audit happens once every year. However, many companies fail to have predictable year-round processes in place to facilitate the SOX audit. This leads to them starting the audit support and documentation process every year. Management can put predictable year-round processes in place so that SOX audits proceed smoothly. This will also help them understand the internal controls audit process and what is required to become compliant.
Allocation of Human Resources: Having the right people in the right job may sound cliché; however, it holds true particularly when it comes to compliance with Section 404. A detailed human resource plan must be developed in accordance with the skill-set requirements for handling SOX compliance audits. Resources must be hired, trained, developed and effectively positioned to become internal control specialists. As the SOX audit is a year-round process, these resources can enhance compliance competencies to develop an effective internal controls audit process, so that when an independent auditor comes in, they get the required documentation and statements in a timely and effective manner.
CompCiti is a New York-based IT compliance and auditing specialist company that has been helping businesses with SOX Section 404 compliance for over a decade. CompCiti IT Security Auditors help businesses comply with SOX requirements and avoid the risks and penalties by reviewing:
- IT security policies
- Access Controls
- Data Backups
- Change Management process