A SOX control is a rule that prevents and detects errors within a process cycle of financial reporting. These controls fall under the Sarbanes-Oxley Act of 2002 (SOX). SOX is a U.S. federal law requiring all public companies doing business in the United States to comply with the regulation. Plus, Section 302 and Section 404 of SOX can apply to private companies. The law is intended to increase the accuracy and reliability of corporate disclosures in financial statements while protecting investors from corporate fraud. It also increases the responsibility of corporate governance. The bill was introduced following the Enron Corporation, WorldCom, and Tyco International fraud and accounting scandals in the early 2000s.
SOX compliance requires that these companies document, test, maintain and review controls over financial reporting. These internal controls are processes to either prevent or detect problems while meeting objectives. They are applied and reviewed for all cycles leading to financial reporting or financial results in a business. To prevent noncompliance, internal auditors perform a compliance audit on a routine basis.
SOX controls are the safeguards over the designated activities within a financial reporting process cycle. They are designed to help each overarching business process achieve its objectives. Their purpose is to prevent and detect errors that would cause deficiencies in the process itself. To ensure the consistent integrity of audits completed by accounting firms or by an external auditor, Congress created a nonprofit called The Public Company Accounting Oversight Board (PCAOB).
The majority of U.S. public companies have adopted the internal controls framework published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. When creating a system of internal controls for processes resulting in financial data, it is helpful to refer to the COSO Framework, designating the five types of internal control. These include control environment, risk assessment, control activities, information and communication, and monitoring.
SOX is a complex law with 11 sections, each delineating mandates including oversight, auditor independence, and corporate responsibility. Three of its key provisions are commonly referred to by their section numbers:
- Section 302 requires senior corporate officers personally certify the company’s financial reports are in compliance with SEC disclosure requirements and that they have adequate internal controls in place for public disclosure.
- Section 404 pertains to the establishment of internal controls and reporting methods to ensure the adequacy of those controls.
- Section 802 contains the three rules that affect recordkeeping dealing with destruction and falsification of records, defining the retention period for storing records and specifying which business records companies must store. And the applies to electronic communications as well.
SOX also requires controls for third-party contractors such as payroll processors, mandating them to provide assurance reports demonstrating compliance for their systems as well.
Examples of a company’s internal controls include:
- Sign-offs on financial disclosures being submitted to the Securities and Exchange Commission (SEC) by an executive officer, such as a CEO or CFO.
- Key steps in the hiring process such as approval by the hiring manager and HR showing that the candidate met all requirements.
- Approval requirements for access to the payroll processing system.
- Multiple sign-offs required when checks are being generated to prevent embezzling.
- Segregation of duties within the financial reporting process activities.