The Public Company Accounting Reform and Investor Protection Act of 2002 (also known as the Sarbanes-Oxley Act of 2002) was passed by U.S. lawmakers to reinforce honest and transparent corporate practices in the wake of the various public accounting scandals and corporate failures of the 1990s. The Act, named after U.S. Senator Paul S. Sarbanes and U.S. Congressman Michael G. Oxley, has changed the way public companies do business. Although not specifically covered under the Act, non-public entities are also finding that bankers, investors, and acquisition candidates are now conditioned to expect increased transparency and real-time disclosures, in effect placing a greater accounting and reporting burden on companies that are not legally obligated to comply with this act.
As with any far-reaching legislation of this magnitude, plenty of hype emerged in connection with this law. Even though organizations needed to be compliant in 2004 or 2005 (depending on SEC status), many Sarbanes-Oxley questions and myths still hamper companies nationwide. This article is designed to help companies large and small navigate some of the hype that sometimes blurs the line between fact and fiction.
Separating Truth from Fiction
HYPE: Software applications should be “certified” for Sarbanes-Oxley compliance.
The Sarbanes-Oxley Act of 2002 mandated a number of reforms to enhance corporate responsibility, enhance financial disclosures, and combat corporate and accounting fraud. It created the “Public Company Accounting Oversight Board,” also known as the PCAOB, to oversee the activities of the auditing profession.
There is, however, no software application certification provided under the Act. Nor is there any way to specifically address the internal control issues raised in the Act with software alone. Internal control regulations require an organization to have appropriate controls over its applications, people, and processes so that financial statements can be prepared in accordance with generally accepted accounting principles. In addition, organizations are required to document and follow these procedures.
Well-thought-out applications can help you in your compliance efforts by making information more accessible, more transparent, and by highlighting anomalies. However, you cannot shift the burden of Sarbanes-Oxley compliance to a “piece of software.” Your internal processes, culture, and disclosures are what matter—not which accounting system generates your financial reports and processes your journal entries.
HYPE: Use of a given product guarantees compliance with Sarbanes-Oxley.
No software application can ensure that an organization complies with this or any other internal control legislation. Any system can become non-compliant in the hands of an organization with lax security, undocumented procedures, or improper accounting methods. For example, no system exists today that could catch an erroneous journal entry set up to capitalize expenses. It is up to the personnel in an organization to set standards and then to implement them.
The American Institute of Certified Public Accountants (AICPA) has addressed the importance of management behavior in complying with internal controls in a document titled “Management Override Of Internal Controls: The Achilles’ Heel Of Fraud Prevention”.
HYPE: All U.S. organizations are subject to Sarbanes-Oxley.
The Act applies only to U.S. public companies. It also serves to modify sections of the Securities Act of 1933 and the Securities Exchange Act of 1934 that apply to publicly traded companies.
Although the Act is limited to U.S. public companies, non-publicly traded organizations are finding that they are also being subjected to increased scrutiny. The financial community is beginning to appreciate the value of enhanced transparency, increased management accountability, and timely disclosures.
Organizations outside of the U.S. may also be impacted by this Act if they are affiliates or subsidiaries of U.S. public companies, or if they trade on U.S. public markets.
HYPE: Sarbanes-Oxley mandates a specific approach to information technology control.
Two standards have emerged that many companies are choosing to follow, although neither Sarbanes-Oxley nor the PCAOB (the Public Company Accounting Oversight Board, which was established under the Act) provides detailed guidance on information technology controls.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has defined one set of controls. Another framework is referred to as Control Objectives for Information and Related Technology (COBIT). These templates may well be appropriate for certain organizations, but neither approach has any legal status.
HYPE: The main purpose of Sarbanes-Oxley is to address internal control issues.
Sarbanes-Oxley is designed “…to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.” (Public Law 107-204)
Title I and Title II of the Act address new rules for the accounting community, while Titles III and IV address changes in corporate responsibility and disclosures.
Internal controls are addressed in Section 404 of the Act.
Equally important to financial consumers is Section 409, which mandates “real time issuer disclosure” and states that public companies “shall disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer, in plain English.”
HYPE: All internal controls are covered under the Act.
Section 404 requires a public company to create an internal control report that includes:
- A statement of the “responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting”.
- “An assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.”
HYPE: Auditors are primarily responsible for the internal controls of an organization.
The Sarbanes-Oxley Act makes corporate executives responsible for “establishing and maintaining internal controls” (Sections 302 and 404). In addition, officers are required to “evaluate the effectiveness” of these controls. The Act further imposes financial penalties on certain officers for financial statement restatements resulting from an officer’s failure to comply.
Impact of Sarbanes-Oxley
There are various sections that might involve your business management software, such as Section 302 (corporate responsibility for financial reports) and Section 409 (real time issuer disclosures). However, in order to meet these responsibilities, a company must be confident that its internal processes are capable of producing the appropriate information in the first place.
Section 404 relates to the “management assessment of internal controls” and relates most directly to systems like Sage 100 ERP (formerly MAS90/200), Deltek Vision, and NetSuite. Specifically, Section 404 makes management responsible for “establishing and maintaining an adequate internal control structure and procedures for financial reporting” as well as assessing the “effectiveness of the internal control structure and procedures.”
To comply with Section 404, a company will need to approach internal processes from both an IT systems perspective and an operational perspective. For example, if many users share the same login ID and password, there is no way to determine exactly who accessed the system or made a given entry at a given time, however good the software might be. Despite the need for extensive operational review, a strong business management system will significantly streamline compliance with Sarbanes-Oxley.
One area that many companies find problematic is fragmented and incompatible internal systems. For example, a manufacturer that uses one application for manufacturing operations and another for accounting may find itself exposed to potential control issues, because significant manual re-entry is usually needed to pass data (such as inventory valuation) from the operational system to the accounting system. Any lapse in this area will expose an organization to the risk of material inaccuracies.
Manufacturers are not the only type of organization at risk from disparate systems, of course.
Project-based organizations that use Excel for tracking project performance are at risk of accounting incorrectly for partially completed projects. Distributors must ensure their inventory levels are recorded accurately so that the accounts reflect the correct stock valuations. In every case, an integrated system reduces the likelihood of accounting misrepresentation.
The ERP products carried by BCS ProSoft offer seamless integration between the inventory and/or project management system, operations, and the accounting system. As long as the security features recommended by your BCS ProSoft Project Manager have been implemented appropriately, there is very limited scope for information to be lost between modules of your system.
Security by Design
The security features of a business management system are critical to a company’s ability to be compliant with Sarbanes-Oxley. The products we represent offer powerful and highly granular security features that restrict functions and reports to only authorized personnel. Indeed, menus, desktops, and even task screens are customizable so that staff members only see the specific applications (and data entry fields) for which they are authorized.
Security profiles can also restrict users to read-only access where certain people should not be allowed to make updates. Furthermore, security profiles can be managed by role in each of the systems we sell, making it harder for a user to be accidentally given an over-generous security profile.
It is also important to test whether the business application database can be accessed through tools other than the application client. With Microsoft Access (and similar applications) now widely available, a malicious employee should not be able to use their login information to reach unauthorized data “through the back door”, bypassing the restrictions the application enforces.
Reporting and Inquiry
Larger organizations often have multiple legal entities, with consolidated reporting being a major challenge. If each entity uses different business management systems, ensuring reporting consistency when preparing the consolidated financials can be nearly impossible. If all companies are using the same product, consolidated reporting becomes less challenging even if each entity retains distinct conventions, such as GL account structure. Many modern enterprise resource planning (ERP) systems (including those we support) have reporting tools that allow consolidated reports to be created more easily, reducing the chances of error.
In addition, when questions arise regarding particular transactions, the ability to follow that transaction through the system can be critical. BCS ProSoft’s products facilitate the viewing of the underlying documents for any GL transaction, and similarly the related documents to those transactions. This allows questions regarding a transaction in the system to be quickly answered by “navigating” through the chain of related documents and transactions.
Finally, for some situations, it may be useful to store inbound documents (such as POs and incoming invoices) as images. This facilitates rapid retrieval and reduces physical storage costs. With the cost of electronic storage systems falling rapidly, document imaging is now very cost effective for many organizations. Our ERP publishers (Sage Software, Deltek, and NetSuite) work closely with vendors of document imaging and retrieval systems to provide this valuable add-on functionality to their products.
Sarbanes-Oxley compliance is about managing your internal processes for reporting, auditing, and disclosure. While no software application will make you compliant, the right business management application can work in conjunction with your internal policies, compliance programs, and other technology investments to increase the transparency of financial events, ensure distribution of critical information in a timely manner, and provide the peace of mind you need on matters of security and access.
For additional details about complying with the Sarbanes-Oxley Act of 2002, or any other financial and accounting matters, consult your financial advisor.