Regulatory compliance has always been an integral cost of running a business. Most market sectors, from healthcare and financial services to industrial manufacturing, are subject to compliance and regulation by legislation and statute laws that impose demands on how they should conduct business and clearly state the penalties for non-compliance.
SOX compliance is an important tool for US companies implementing good financial reporting and corporate governance. But why is a piece of US legislation also important to UK businesses? E RADAR's Will Roebuck discusses the issues.
SOX, or the Sarbanes Oxley Act 2002 (text) was introduced by US Congress following the high profile collapse of US corporate giants Enron and WorldCom. Both organisations had massively overstated their profits because of corruption within the boardroom.
In the case of Enron, 20,000 jobs were lost worldwide as a result of the collapse. The new SOX Act, named after its main architects Senator Paul Sarbanes and Representative Michael Oxley, introduced major changes to the regulation of corporate financial practices and corporate governance for organisations listed in the US.
The emergence of SOX compliance and other regulations such as HIPAA, the Gramm-Leach-Bliley Act and the Patriot Act has moved governance, risk and compliance to the forefront for businesses both in the US and worldwide. This new regulatory environment is onerous to all businesses regardless of geography, as many do not have the infrastructure in place to handle the costs of complying.
UK banking and capital markets face similar levels of Sarbanes-Oxley-style regulation with the emergence of the Basel III Accord and Solvency II in Europe.
SOX compliance and UK businesses
SOX compliance is also important to UK businesses with US listings. With business systems between legal entities increasingly interconnected online, boardroom directors also have a responsibility to ensure that IT systems follow SOX compliance rules, so that accounting and audit reporting remain transparent. If your business is a subsidiary of a US-listed company based in another country, it will need to adopt SOX compliance.
Sarbanes-Oxley now places the responsibility and accountability for tracking information on all day-to-day activities that have an impact upon financial performance very clearly upon the shoulders of the management teams of those businesses, with teeth that do bite – the CEO and CFO can be fined up to £3 million, go to prison for up to 20 years, or both.
The UK has also strengthened its own governance laws to tighten reporting requirements under both the Companies (Audit, Investigations & Community Enterprise) Act 2004 and Companies Act 2006. The European Union is also introducing a system which aims to increase transparency and confidence in corporate governance, enhancing the protection of investors, employees and the public against corporate cheating, fraud and mismanagement.
Main provisions of SOX Act
Section 302 - Corporate Responsibility for Financial Reports
Periodic statutory financial reports require certifications that:
- The signing officers have reviewed the report
- The report does not contain any material untrue statements or material omissions and is not misleading;
- The financial statements and related information fairly present the financial condition and the results in all material respects;
- The signing officers are responsible for internal controls and have evaluated these internal controls within the previous ninety days and have reported on their findings;
- A list of all deficiencies in the internal controls and information on any fraud involving employees who take part in internal activities;
- Any significant changes in internal controls or related factors that could have a negative impact on the internal controls.
Organizations cannot attempt to avoid these requirements by reincorporating their activities or transferring their activities outside of the United States.
Section 401 - Disclosures in periodic reports
- Financial statements published in periodic reports must be accurate and presented in a manner that does not contain incorrect statements or omit to state material information. They must also include all material off-balance sheet liabilities, obligations or transactions.
Section 404 - Management assessment of internal controls
The scope and adequacy of the internal control structure and procedures for financial reporting must be published in annual reports. This statement shall also assess the effectiveness of such internal controls and procedures.
The registered accounting firm shall, in the same report, attest to and report on the assessment of the effectiveness of the internal control structure and procedures for financial reporting. The assessment should:
- Assess both the design and operating effectiveness of selected internal controls related to significant accounts and relevant assertions, in the context of material misstatement risks;
- Understand the flow of transactions, including IT aspects, sufficiently to identify points at which a misstatement could arise;
- Evaluate company-level (entity-level) controls, which correspond to the components of the COSO framework;
- Perform a fraud risk assessment;
- Evaluate controls designed to prevent or detect fraud, including management override of controls;
- Evaluate controls over the period-end financial reporting process;
- Scale the assessment based on the size and complexity of the company;
- Rely on management's work based on factors such as competency, objectivity, and risk;
- Conclude on the adequacy of internal control over financial reporting.
Section 409 - Real-time issuer disclosures
Information on material changes in financial condition or operations must be disclosed to the public on an urgent basis. These disclosures must be presented in terms that are easy to understand and supported by trend and qualitative information and graphic presentations, as appropriate.
Section 802 - Criminal penalties for altering documents
Penalties of fines and/or up to 20 years imprisonment can be imposed for altering, destroying, mutilating, concealing or falsifying records, documents or tangible objects with the intent to obstruct, impede or influence a legal investigation. Section 802 also imposes penalties of fines and/or imprisonment of up to 10 years on any accountant who knowingly and wilfully violates the requirement to maintain all audit or review papers for a period of 5 years.
Section 906 - Corporate responsibility for financial reports
- The Chief Executive has responsibility for submitting written statements along with the periodic financial reports. The written statements are intended to certify that the reports "fairly presents in all material respects, the financial condition and results of operations of the issuer."
- Chief executives who submit reports which do not follow SOX compliance rules can be fined up to $1 million or imprisoned for not more than 10 years, or both. Chief executives who wilfully submit such statements are subject to possible fines of up to $5 million and imprisonment of no more than 20 years, or both.
Section 1107 - Retaliation against whistleblowers
- You cannot retaliate against whistleblowers who provide law enforcement with true information relating to a SOX investigation. This includes any interference with the lawful employment or livelihood of any such person. Penalties include a fine or imprisonment of up to 10 years, or both.
Supervision and enforcement
For further information on SOX IT Compliance, please visit the US Securities and Exchange Commission (SEC) website.
Sarbanes Oxley (SOX) Act 2002 (text)