SOX is in a way the mother of all internal control regulations. Although not the first internal control regulation by a long way, it is the one that has had the greatest impact in terms of its magnitude and its (global) area of application. Enacted in 2002 by the US Congress, it eventually led to the coining of the term Governance, Risk & Compliance, or GRC. OCEG has come up with one of the most widely used definitions, which is referenced in an article of Norman Marks. Given the breadth of "GRC", it is by no means an exaggeration that the ARIS Platform is a particularly good choice to tackle and integrate the various requirements, ranging from Governance to Strategy and Business Performance to Risk Management, Compliance, IT, down to Quality Management, to name just a few.
SOX resulted from a number of corporate accounting scandals, for example Enron, which hid its debts and losses in so-called special purpose entities (SPEs) that it controlled, thereby not reporting them in its own financial statements.
When referring to SOX, what is typically meant is one section of the entire legal text, which is Section 404. Entitled "Management Assessment of Internal Controls", it lays out more stringent requirements for an organization's management to produce internal evidence as to the correctness of its own financial reporting. The aim is to enable financial analysts to more accurately assess stock valuations, thereby giving investors and the informed public better guidance regarding the safety of their investments.
The PCAOB is a non-profit corporation created by the Sarbanes-Oxley Act to oversee the auditors of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, fair, and independent audit reports. The PCAOB governs SOX compliance via its Auditing Standard No. 5 (An Audit of Internal Control over Financial Reporting That Is Integrated with An Audit of Financial Statements), which supersedes Auditing Standard No. 2. The standard can be freely downloaded (www.pcaobus.org) and provides guidance along the lines of Audit Planning, Top-Down Approach, Entity-Level Controls, Control Testing, Evaluating Deficiencies, and Reporting on Internal Control.
SOX does not apply to privately held companies, only to publicly traded ones. Not a few companies, however, chose to voluntarily undergo an effort to become SOX compliant, for the perceived benefits such as enhanced corporate transparency, lower borrowing costs, increase in share price, more reliable financial statements, and improved investor confidence.
Offshoots of SOX include OMB-A 123 (for US federal agencies), Model Audit Rule / Annual Financial Reporting Model Regulation (for US insurers), SAS 70 (for service organizations), Bill 198 (in Canada), J-SOX (Japanese equivalent of SOX), the German Corporate Governance Code, CLERP 9 (Australian corporate reporting), the Loi de Sécurité Financière (French equivalent of SOX), L262/2005 (Italian equivalent of Sarbanes-Oxley Act for financial services institutions), and the King Report (South African corporate governance code). These regulations share great similarity with the original SOX requirements, thereby making it possible to apply a common approach and methodology to all of them.
Additional links:
- all articles of the #LoungeTalk series
- www.grc-lounge.com
- GRC discussion group at ARIS Community
- Governance, Risk, and Compliance category
