The Sarbanes Oxley Act was enacted to impose tighter controls and stricter regulations on companies' internal controls. Under Sarbanes Oxley compliance, companies with a market capitalization of more than $75 million need to file their financial reports by June 15th. This date was later amended to 15th November. All other companies need to file their financial returns for any fiscal year by 15th July.
Sarbanes Oxley compliance with section 302 requires the CEO or CFO to certify the accuracy of the company's annual or quarterly financial reports. Any inaccurate or falsified facts are subject to penalty under law. This section also requires the CEO or CFO to establish and maintain internal controls. It also makes them eligible to evaluate these controls and measure their effectiveness. As per Sarbanes Oxley compliance, a CEO or a CFO is eligible to report any deficiency in the design and operation of internal controls. They can report any fraud and rectify any errors in the system of internal controls.
Sarbanes Oxley compliance with section 404 requires the company's annual report to carry a report on the company's internal controls. As per Sarbanes Oxley compliance, this report should state the role of management in establishing and maintaining total internal controls in the financial system of the company.
IT companies are also required to be in Sarbanes Oxley compliance while filing their financial reports for any fiscal year. An IT person with a business perspective can spearhead the compliance effort of any IT project. In the case of IT companies, the internal controls need to be broken up into two categories: general controls and application controls. As per Sarbanes Oxley compliance, an IT company is required to evaluate the system processes that end up affecting key controls over financial reporting.
A good way to implement Sarbanes Oxley compliance is to begin with simple and normal Sarbanes Oxley compliance controls. Then one should work backwards to determine the systems and processes that need to be documented in the financial report.
In the case of companies where the work is outsourced, Sarbanes Oxley compliance needs to be documented differently. This is because the total work is done by an external agency. It is especially important because an external agency would never give any document or certificate such as a SAS70 Type II or similar report. In such a case the company is required to document the whole outsourced process as if it had been done internally, and to state all the internal controls and regulations applied to that outsourced process.
In some cases it is suggested that, as per Sarbanes Oxley compliance, the IT department is required to hold the keys to maintaining logs, usernames and passwords for the financial controls. This is not mandatory for all companies. Usually the IT department is required to create the roles, and the finance department directs who holds the keys to those roles. But sometimes it is risky to implement such a practice. This is because if the IT department both reviews the logs and holds the key to manage them, it might be possible that some important records would be deleted. Thus in such a case Sarbanes Oxley compliance states that the usernames, passwords and so on should be with the IT department, and the finance department should have the last word on them.