Solving the Sarbanes-Oxley Riddle
The intent of the Sarbanes-Oxley Act of 2002 was simple: to guarantee that the information we rely on to make investment decisions is trustworthy and complete. The actual implementation, however, has proven to be anything but simple. The Sarbanes-Oxley Act (SOX) includes eleven Titles, comprising sixty-six Sections, spanning from the establishment of new auditing oversight committees to new levels of auditor independence, specific attestation requirements for CEOs and CFOs, and criminal penalties for non-compliance. Meeting SOX compliance is a complex task for IT professionals as well as senior management.
Within SOX, Section 404 is one of the shortest and broadest-reaching statutes ever brought to bear on American business. It outlines management’s responsibility “for establishing and maintaining an adequate internal control structure and procedures for financial reporting” and for certifying the “effectiveness of the internal control structure and procedures.”
While the focus of SOX compliance and auditing is on top-tier management, the real impact is being felt lower down the totem pole of organizations. Since SOX does not provide specific “best practices” for the implementation of its requirements, departmental managers and individuals responsible for specific operations are forced to define compliance and implement systems and procedures.
Corporate personnel and consultants spend long hours deciding how to satisfy Sarbanes-Oxley Section 404. One estimate states that in 2004 the average Fortune 500 organization spent 100,000 person hours on SOX compliance activities.
The current challenge of SOX compliance is, first, to create controls that ensure compliance, and then to establish practices for monitoring and adapting these controls to changing business realities. Organizations that most efficiently accomplish these tasks will minimize the risk to their senior executives and corporate image while gaining insight into business processes, potentially gaining sustainable competitive advantage as a result.
SOX Section 404: Management Assessment of Internal Controls
SOX Compliance Section 404 is one of the broadest-reaching statutes within the legislation. It is also one of the most disputed. Sarbanes-Oxley Section 404 outlines management’s responsibility “for establishing and maintaining an adequate internal control structure and procedures for financial reporting” and for certifying the “effectiveness of the internal control structure and procedures.” SOX Section 404 demands that companies (a) evaluate the adequacy of internal controls as they relate to financial reporting, (b) institute new controls as necessary, and (c) perform and report an assessment of these controls on an annual basis. Section 404 says, "Management must ensure that appropriate internal controls for financial reporting are in place."
SOX Compliance Section 404 requires that corporations immediately institute internal controls to protect the integrity of financial data (and, by implication, all systems that access that data) and demonstrate that appropriate controls are in place. Any shortcomings in these controls must also be reported. Registered external auditors must attest to the accuracy of the company management’s assertion that internal accounting controls are in place, operational and effective.
Log Fidelity’s log management and data security solution
The LogClarity® Suite is the choice of security administrators worldwide who want to increase security by monitoring all database activity, including customer private data, increase log retention, and utilize the most accurate SOX Compliance forensics and reporting solution available today!

