Thursday, August 5, 2010

How to move a company to SOX Compliance?

Hi All,


In this post, I'll share some basic requirements a company should consider when pursuing SOX compliance.

Please share any other tips you have.

Step 1: Embedding compliance firmly in ongoing operations will require:

• an organizational structure with clear accountability,
• an efficient operating structure, and
• an enabling technology structure.

Step 2: First-year Section 404 compliance is all about project management, with companies organizing teams to:

• Identify significant business units, financial statement accounts and related processes
• Update or create process-flow documentation
• Assess risks related to financial reporting and identify control activities in place to address those risks
• Validate processes and controls via walkthroughs or other means
• Develop and execute test plans
• Evaluate test results and remediate design and/or operating control deficiencies where necessary

Step 3: A company that has completed this successfully will now have the following in place:

• basic documentation,
• key controls identified,
• test plans developed, and
• most importantly, a list of control issues that need remediation.

Step 4: Establish a mechanism that both confirms the evaluation of DC&P (Disclosure Controls & Procedures) on a quarterly basis to support the Section 302 certification, and provides for the periodic testing of controls over financial reporting for the annual Section 404 assertion. (Under Section 404, management demonstrates through testing that internal control over financial reporting operates effectively as of year-end. Under Section 302, management certifies that it has evaluated its DC&P as of quarter-end. Section 302 also requires management to report material changes to its internal control over financial reporting.) Given the level of regulatory oversight, this is a decision that should not be taken lightly. The alternatives are:

• Testing is not specifically prescribed for Section 302 compliance, but one option is to execute test plans throughout the year. This allows timely recognition of control issues, remediation and retesting where needed, and keeps the control evaluation current for year-end. Through testing, management gains comfort over quarterly reporting while at the same time completing the work required for the year-end assertion.
• Test quarterly for higher-risk processes and controls, supplemented by self-assessments for the other processes.
• Rely solely on a self-assessment process for quarterly reporting, with no reliance on testing for the evaluation of DC&P.

Complicating the choice among these alternatives are the nature and frequency of the control activities performed, which can dictate the timing and extent of testing. The choice ultimately depends on management's comfort with each alternative. Fundamentally, the chosen approach must enable the identification of material changes in internal control over financial reporting and provide reasonable assurance that controls over financial reporting are effective at quarter-end, as well as at the end of each fiscal

Step 5: Several elements must be considered in developing a compliance process that is responsible, cost-efficient and effective. These can be classified into three major categories:

• An accountability structure that ensures the appropriate level of oversight and process ownership and drives the right attitude throughout the business.
• An operating structure that facilitates cost-effective and streamlined processes for executing the Sarbanes-Oxley requirements.
• A technology support structure that supports the efficiency and effectiveness of the compliance processes.

Step 6: Accountability Structure

The accountability structure needs to:
• Define ownership of the design and operation of controls within the organization.
• Create the appropriate tone at the top to reinforce delegation without allowing abdication.
• Define appropriate organizational roles and responsibilities.
• Communicate what people are supposed to do, and
• Reinforce accountability to ensure that they do it.