Conducting internal audits is an essential and legally required component of a company’s compliance obligations under the Sarbanes-Oxley Act. As the last step in a successful compliance setup, internal audits can ensure that your compliance protocols are working the way they are supposed to work and insulating your company from potential legal liability and scrutiny.
The internal auditing team at Corporate Investigation Consulting has helped numerous publicly traded corporations and accounting firms come into not just strict compliance with the Sarbanes-Oxley Act, but also efficient compliance that does not needlessly sap the company’s resources in its compliance efforts.
The Sarbanes-Oxley Act
The Sarbanes-Oxley Act, sometimes referred to as Sarbox or SOX, is a federal law that was passed in reaction to the Enron scandal.
In that scandal, as well as other scandals like it, Enron and its accounting firm, Arthur Andersen, used fraudulent accounting methods to hide the extent of its financial liabilities. This let the company continue to solicit confident investments with healthy financial reports, even though it was drowning in debt. When the debt finally proved to be too much, Enron declared bankruptcy in an announcement that shocked the business world, which had been led to believe that it was still extremely profitable. The loss in value left shareholders with billions of dollars in securities of the company that had become worthless nearly overnight.
The Sarbanes-Oxley Act was meant to protect consumers and investors by keeping this type of scandal from happening again. It passed with extremely little dissent in Congress and was signed into law in 2002 by President George W. Bush.
The Act focuses on the role of the auditors who failed to detect, or who actively enabled, accounting fraud that was meant to hide a company’s value. It also empowers the U.S. Securities and Exchange Commission (SEC) to promulgate further rules to enforce the law.
Among the most important aspects of the Sarbanes-Oxley Act is the requirement that all publicly traded corporations in the U.S. have internal controls that ensure their financial records are reliable, and that they audit those records and controls at least annually.
Covered Companies Must Have Internal Controls
Section 404 of the Sarbanes-Oxley Act (15 U.S.C. § 7262) requires all covered corporations to create and implement internal controls to find and to prevent errors and falsifications in the company’s financial records. While each corporation may create its own set of internal controls that is best tailored to its needs and circumstances, they generally have to include:
- Direct responsibility of the corporation’s senior management, typically the CEO or CFO, over any financial report that gets filed with the SEC and over the success of the internal controls themselves
- Ongoing compliance requirements for the corporation to meet
- A data security policy to protect the use and storage of financial information
These controls then need to be audited regularly by external auditors who are sufficiently independent from the company.
The Goals of a Sarbanes-Oxley Internal Audit
The bulk of a Sarbanes-Oxley internal audit focuses on the internal controls that are meant to ensure the accuracy of the company’s financial information and prevent errors and fraud from infiltrating it. These audits include the cybersecurity and network systems that handle the company’s financial information. This includes reviewing:
- Information technology (IT) security
- Data backup
- Access controls
- Change management
Problems on any of these fronts can alter the financial statements that the corporation produces and distributes to its shareholders and to potential investors. Because incorrect financial statements can harm investors and the public, the Sarbanes-Oxley Act makes senior management within the corporation directly responsible for the contents of those statements. They can be held civilly or potentially even criminally liable for errors or fraud in them. Conducting an internal audit can avoid this outcome.
Penalties of Noncompliance
Auditing a corporation’s internal controls for producing a reliable financial statement or report is crucial, not just for the Sarbanes-Oxley Act, but for the company’s continued upstanding reputation. Public corporations that release suspicious statements about the health of the company’s finances can draw increased scrutiny and raise the eyebrows of both regulators and the investing public, undermining the company’s financial success and ability to raise funding. With such massive accounting scandals in the recent past that have cost investors billions of dollars, expectations are high.
With the Sarbanes-Oxley Act, though, not meeting those expectations also runs afoul of the law and can lead to substantial penalties. Because SOX makes high-level executives personally responsible for the veracity of their corporation’s financial reports, it can also lead to prison time. If an executive knowingly certifies a financial report that does not live up to the standards required under the Sarbanes-Oxley Act, they can face up to a million dollars in fines and a decade in federal prison.
Frequently Asked Questions About SOX Compliance, Internal Auditing, and Corporate Investigation Consultants
Can I Conduct a SOX Audit In-House?
No. The Sarbanes-Oxley Act, in 15 U.S.C. § 7233(b), requires auditors to be independent of the company that they are auditing. The law forbids auditors or auditing firms from preparing or issuing an audit report about a corporation if they have any of the connections with that company listed in 15 U.S.C. § 78j-1(g) through (l). These include connections such as:
- The corporation’s CEO, CFO, controller, or equivalent was employed by the auditing firm, and
- The auditing firm provides the corporation with other services, such as actuarial, internal audit outsourcing, bookkeeping, legal, or investment banking services.
Barring these and other, similar connections is meant to get as many fresh and independent eyes as possible on the corporation’s financial documents.
What Companies Need to Conduct SOX Internal Audits?
The Sarbanes-Oxley Act does not apply to all companies, particularly with regard to its auditing requirements. In fact, it only applies to a limited set of organizations, mainly large-scale corporations that fall under one of the following four categories:
- Publicly traded companies that are based in the United States, including their wholly-owned subsidiaries
- Publicly traded foreign companies that do business in the U.S.
- Private companies that are preparing for an initial public offering, or IPO
- Accounting firms of other covered parties
Other provisions of the Sarbanes-Oxley Act may have wider applications, though.
What Organizations are Involved in Sarbanes-Oxley Act Compliance?
Because the Sarbanes-Oxley Act is so complex and the compliance mechanisms so nuanced, several organizations are involved in implementing and explaining the requirements and ensuring that companies can meet them.
One of the most important is the Public Company Accounting Oversight Board, or PCAOB. This non-profit corporation was established by the Sarbanes-Oxley Act to independently oversee SOX audits. It also has the responsibility of training Sarbanes-Oxley auditors and establishing best auditing practices.
Another important organization to be aware of is the Committee of Sponsoring Organizations, or COSO. This organization maintains an ongoing and frequently updated database of recommendations for internal controls that comply with SOX’s requirements. These recommendations interplay with the PCAOB’s role in setting auditing standards and training auditors to perform effective Sarbanes-Oxley audits.
What Role Does Internal Auditing Play in SOX Compliance?
Internal auditing is just one of the facets of a strong compliance mechanism.
First, companies need to perform a gap analysis to review their current compliance protocols, compare them to the requirements of the Sarbanes-Oxley Act, and note any gaps between them. Those gaps are where the company is falling short and where their compliance efforts need to be concentrated.
Second, the company and its compliance team need to establish a plan that will fill those compliance gaps in the most efficient way possible. This entails satisfying the Sarbanes-Oxley Act’s requirements without needlessly spending money or time on excessive or extraneous compliance measures.
It is only after executing on that plan that internal auditing becomes a part of the compliance mechanism. By auditing the scheme that was developed and implemented, you can determine whether it is performing the way it should, or whether it needs to be tweaked or altered to be made more efficient or improved so that it successfully covers the compliance gaps that were identified.
The Sarbanes-Oxley Auditors at Corporate Investigation Consulting
Coming into compliance with all of the legal requirements of the Sarbanes-Oxley Act is a daunting task. Hiring an auditing team that understands the ins and outs of the law can be tricky. Numerous firms say that they know how to perform internal audits that satisfy the Sarbanes-Oxley Act, but not all of them can live up to their claims.
The internal auditing team at Corporate Investigation Consulting, however, is made up of numerous investigators and agents who have spent years within the SEC and other major federal law enforcement agencies, including the Federal Bureau of Investigation (FBI) and the U.S. Department of Justice (DOJ). We know how companies can best comply with the Sarbanes-Oxley Act because we have helped prosecutors investigate and pursue cases of alleged noncompliance.
Call our auditing firm at (866) 352-9324 or contact us online to get started on your situation.