The Sarbanes-Oxley Act of 2002 (SOX) is legislation passed by the U.S. Congress to protect shareholders from accounting errors and fraudulent practices. SOX includes the following key Sections:
- Section 302 – Corporate Responsibility for Financial Reports
- Section 303 – Improper influence on the conduct of audits
- Section 401 – Disclosures in Periodic Reports
- Section 404 – Management Assessment of Internal Controls
- Section 409 – Real-Time Issuer Disclosures
- Section 802 – Criminal penalties for Altering Documents
- Section 906 – Criminal penalties for CEO/CFO financial statement certification
- Section 1107 – Criminal penalties for retaliation against whistleblowers
Sarbanes-Oxley impacts public companies, privately held companies raising capital in the public sector, and companies in the process of going public. Section 404 of the Sarbanes-Oxley Act is particularly challenging to companies due to its many requirements with respect to internal controls over financial reporting. SSC specializes in the implementation and ongoing support of SOX programs that align with the Public Company Accounting Oversight Board (PCAOB) standards and guidelines. We apply a risk-based, top-down approach that drives both efficiency and effectiveness into the program.
Detailed Approach to SOX Compliance
Our dedicated IT, financial, and operational audit professionals have experience working with a wide variety of industries of all sizes. We partner with you to assist your company in implementing and maintaining a comprehensive SOX program. Our SOX approach includes evaluating the design and testing the operating effectiveness of controls.
During our review of the design of the controls, we will take a top-down, risk-based approach to ensure that your organization has identified the significant risks of material misstatement and has put in place the proper key controls to adequately mitigate these risks. We will work collaboratively with management to ensure that the key SOX controls identified are adequate for this objective. Once we are certain that we have identified the adequate key controls, we will then work with management and perform walkthroughs of these key controls. We will document tests of one and work to understand the processes that management has put in place to mitigate the noted risks.
After we have gained a sufficient understanding of the design of the key SOX controls, we will work with management to plan and execute our tests of operating effectiveness for the key SOX controls. Our testing will be designed to be comprehensive in nature, and we will select sample sizes as appropriate based on the frequency of the controls in place. We will work collaboratively with management to obtain the evidence necessary to form our opinions and conclusions surrounding the operating effectiveness of the key controls. Our testing will conclude with a report that we will generate for management that outlines the results of our testing of the design and operating effectiveness, along with recommendations to improve the control structure.