When was SOX signed into law?
That lack of attention left the company susceptible to unenforceable contract provisions, miscalculated rent escalations, and unexecuted underlying agreements. After disciplining the negligent parties, the company instituted far more rigorous cross-checks of contracts and leases.

Not long ago, board seats were considered by some to be plum assignments, bringing stature and financial rewards but requiring only limited effort.
Today, by contrast, directors face increased legal liability for inattention and, thus, a heavier workload. If not, the company must say so. It should come as no surprise, then, that board membership has changed substantially.
It appears that both recruits and veterans are taking their new responsibilities very seriously, as evidenced by longer and more frequent committee meetings and the more pointed questions members pose.

Besanko explains that before Sarbanes-Oxley, many companies used the same Big Four accounting firm for both auditing and consulting, often with the preponderance of fees going to consultants.
While SEC rules forbid independent auditors from assisting in the design of internal financial information systems, other types of consulting services are permissible.

Two approaches to Sarbanes-Oxley predominate. Some executives dutifully meet SOX requirements, but at minimum cost and using the fewest possible resources. Others leverage the resources spent on compliance to obtain a return on their investment.
One area of convergence was employee record keeping. Various laws and regulations govern the handling of these records: financial information is protected under Sarbanes-Oxley, health benefits under HIPAA, and Social Security numbers and other personal information under various federal and state privacy statutes. In response, functions such as IT and HR adopted a single set of controls that determined each employee's level of access to the computer systems.
An example of this consolidation was a single log-on for benefits, payroll, and other data. RSA Security adopted a similar convergence approach for its International Organization for Standardization (ISO) certification project. ISO itself is a Geneva-based nongovernmental organization whose members are national standards bodies; it publishes the standards against which companies are certified.
ISO sets standards for quality management and quality assurance in such areas as production processes, record keeping, equipment maintenance, employee training, and customer relations. Both the ISO team and the SOX team were charged with documenting dozens of business processes and determining how efficiently they were designed and operated. The ISO team, for example, examined the processes established to ensure that only high-quality, fully debugged software reached the marketplace, while the SOX team scrutinized the account reconciliation process.
When Parsons examined a detailed flowchart of the revenue cycle that his SOX team had prepared, it occurred to him that the ISO team was mapping exactly the same process. "So we drove what were completely parallel ISO and SOX processes into one converged process map and operational approach," he says. The benefits have gone beyond cost savings. Instead of tying up so many employees in the revenue-draining chores of compliance and certification, RSA Security rededicated some of them to operational improvements, such as streamlining the customer order process and expanding supply chain capabilities.
The work of identifying and addressing inconsistencies across operating units and locations can be substantial, but so can the yield. Consider the case of a large clothing manufacturer that operates retail outlets nationwide under several well-known brand names. We started with accounts receivable and learned that each division of the company imposed different due and dunning dates, late fees, and interest rates on customers.
If the divisions had been independent companies, these inconsistencies would have been innocuous, but each of these units fed its financial data into consolidated financial statements, and these nonstandardized processes made a mess of the aged-receivable and bad-debt accounts.
An analogous situation existed at Sunoco. This consistency, Hofmann says, reduces the chance of error in data entry and consolidation. Having to rebill customers to correct invoicing mistakes can have a cascading effect on operations: every invoicing discrepancy, whether caught internally or flagged by a customer, must be investigated and reconciled, and the invoice must then be canceled, redone, and redelivered.
As a consequence, the cash flow cycle is interrupted, and customer relations may become strained. At Sunoco, creating a single, standardized form for every type of product reduced these problems to a minimum. The potential benefits of standardization also caught the attention of executives at Kimberly-Clark, the consumer products manufacturer. The process for reviewing the entries was also fragmented, with some reviews conducted by people not senior enough.
Data are now more consistent and reliable, and fewer employees and man-hours are required to accomplish the same task, he says.
To guard against these types of errors, Manpower standardized its change-management process for software development. Any code alteration is now subjected to a series of reviews, tests, analyses, and approvals before going live. A regression test is introduced near the end of the development process to validate the new code. During the test, technicians operate two machines concurrently, one running the old code and the other the new.
The same data are fed into each, and the outputs are compared in order to identify coding errors. Such a parallel run has a precise scope: it flags every input on which the new code disagrees with the old, so a defect present in both versions goes unnoticed, and any intended change in behavior shows up as a discrepancy that must be explained rather than simply accepted. Besides averting financial losses, standardizing the software coding process also helps streamline the development cycle. For a company that develops global software applications for its business units, development and support costs can be cut substantially. Further benefits accrue when internal and external auditors come knocking, since standardized processes can be evaluated more quickly and thus more cheaply.
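The old-versus-new parallel run described above is a differential regression test. What follows is an added example written for this page, not Manpower's tooling: two hypothetical implementations of a late-fee rule (the kind of receivables calculation discussed earlier on the page) are run over the same constructed batch of invoices, and every disagreement is reported, including the case where one version raises an exception while the other returns a value. The fee rules, the `Invoice` type, and the sample batch are all assumptions made for illustration.

```python
"""Added example: a differential regression harness in the spirit of the
parallel old/new run described above. Both fee rules and the invoice batch are
hypothetical, constructed for illustration; none of this is Manpower's code."""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_EVEN, ROUND_HALF_UP
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Invoice:
    amount: Decimal      # invoice total
    days_overdue: int    # negative means the invoice is not yet due


def late_fee_old(inv: Invoice) -> Decimal:
    """Hypothetical rule currently in production: 10-day grace period, then
    1.5% of the invoice per started 30-day period, rounded half-up to the cent."""
    if inv.days_overdue <= 10:
        return Decimal("0.00")
    periods = (inv.days_overdue - 10 + 29) // 30           # ceiling division
    fee = inv.amount * Decimal("0.015") * periods
    return fee.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def late_fee_new(inv: Invoice) -> Decimal:
    """Hypothetical refactored rule. Two changes slipped in that unit tests
    written against the new code alone would never question: banker's rounding
    instead of half-up, and an exception for invoices that are not yet due."""
    if inv.days_overdue < 0:
        raise ValueError("invoice is not yet due")
    if inv.days_overdue <= 10:
        return Decimal("0.00")
    periods = -((10 - inv.days_overdue) // 30)            # ceiling division, written differently
    fee = inv.amount * Decimal("0.015") * periods
    return fee.quantize(Decimal("0.01"), rounding=ROUND_HALF_EVEN)


@dataclass(frozen=True)
class Outcome:
    """What one implementation did with one input: a value or an error string."""
    value: Optional[Decimal] = None
    error: Optional[str] = None


def capture(fn: Callable[[Invoice], Decimal], inv: Invoice) -> Outcome:
    """Run one implementation and record its result or its exception, so that
    'old returned a value but new raised' counts as a difference too."""
    try:
        return Outcome(value=fn(inv))
    except Exception as exc:
        return Outcome(error=f"{type(exc).__name__}: {exc}")


@dataclass(frozen=True)
class Mismatch:
    inv: Invoice
    old: Outcome
    new: Outcome


def differential_test(old_fn: Callable[[Invoice], Decimal],
                      new_fn: Callable[[Invoice], Decimal],
                      invoices: Iterable[Invoice]) -> List[Mismatch]:
    """Feed identical inputs to both implementations and return every input on
    which they disagree. An empty list means the new code reproduced the old
    behaviour on this batch; it does not prove the old behaviour was correct."""
    mismatches: List[Mismatch] = []
    for inv in invoices:
        old, new = capture(old_fn, inv), capture(new_fn, inv)
        if old != new:
            mismatches.append(Mismatch(inv, old, new))
    return mismatches


# Constructed sample batch; in practice this would be a copy of a real day's
# receivables feed, replayed against both versions.
SAMPLE_BATCH = [
    Invoice(Decimal("100.00"), 0),
    Invoice(Decimal("250.00"), 10),     # last day of the grace period
    Invoice(Decimal("250.00"), 11),     # first chargeable day
    Invoice(Decimal("123.00"), 20),     # raw fee 1.845: half-up 1.85, half-even 1.84
    Invoice(Decimal("500.00"), -3),     # old: 0.00, new: ValueError
]


def run_sample() -> List[Mismatch]:
    return differential_test(late_fee_old, late_fee_new, SAMPLE_BATCH)


if __name__ == "__main__":
    for m in run_sample():
        print(f"{m.inv}: old={m.old} new={m.new}")
```

Run against the sample batch, the harness reports two of the five invoices: the rounding change on the 123.00 invoice and the new exception on the not-yet-due invoice. Neither is necessarily a bug, which is the point of the caveat above: each flagged difference has to be classified as an intended change or a defect before the new code is approved, and the batch should be large and varied enough (boundary days, half-cent fees, credit balances) to exercise the paths where the two versions can diverge.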
Some tasks are inherently complex—designing computer chips, tracking weather patterns, mapping the human genome. Others are needlessly so. Over a ten-year period, the company had acquired more than competitors and complementary businesses. It acquired another 50 companies indirectly when it purchased its largest competitor, Pierce Leahy, which had just completed an acquisition spree of its own. Simplification was always the game plan at Iron Mountain, says John F. Kenny, Jr.
Each acquired company came with its own organizational chart; Iron Mountain integrated and streamlined the reporting structure. Each acquisition brought its own accounting practices; Iron Mountain centralized all accounting activities. Many of the companies calculated taxes by hand or on spreadsheets; Iron Mountain automated tax estimation and payments.

Section , codified 15 U. Section —, codified 15 U. In , the U. Section , codified 18 U. It also requires management to submit an end-of-the-year assessment on the effectiveness of the internal control structure. Particularly in response to the Enron accounting scandal, Congress sought to regulate certain types of public disclosures used to cover losses. Section amended 15 U.

Sarbanes-Oxley Act Origins

The late s were a wild time in corporate finance.
Companies that must comply with the Sarbanes-Oxley Act include US publicly traded companies of any size (a few provisions, such as the auditor's attestation of internal controls under Section 404(b), are relaxed for the smallest filers). The act is organized into eleven titles.

Title I: Public Company Accounting Oversight Board. The act created the PCAOB, which is responsible for setting the standards and rules for audits of public companies, as well as for monitoring and enforcing compliance with the law.

Title II: Auditor Independence. This title includes regulations intended to ensure that auditors are truly independent. The audit firm is prohibited from providing a list of specified non-audit services (bookkeeping, design and implementation of financial information systems, internal-audit outsourcing, and others) to the company it audits, and any other non-audit work must be pre-approved by the company's audit committee.

Title III: Corporate Responsibility. Corporate executives are individually and personally responsible for seeing that the company complies with SOX; the CEO and CFO must certify each periodic financial report. Failure to comply can bring personal penalties, not just penalties on the business.

Title IV: Enhanced Financial Disclosures. This title added many new mandatory financial disclosures that public companies must make, including disclosures of insider trading and of off-balance-sheet transactions.

Title V: Analyst Conflicts of Interest. This title was intended to boost investor confidence in securities analysts.

Title VI: Commission Resources and Authority. This title is not particularly relevant to companies concerned about compliance; it gives the SEC authority to remove people from positions such as broker or dealer under certain circumstances.

Title VIII: Corporate and Criminal Fraud Accountability. Specifies that anyone with a role in defrauding shareholders of public companies can be subject to fines and prison. Also makes it illegal to alter, conceal, or destroy records that could be relevant in an investigation.

Title IX: White-Collar Crime Penalty Enhancements. This title is focused on increasing penalties for white-collar crime.

Title X: Corporate Tax Returns. Expresses the sense of the Senate that the company's CEO should sign the corporate tax return, and therefore stand behind any misstatements to the IRS.

Title XI: Corporate Fraud Accountability. This title includes definitions of behavior that would constitute fraud, along with sentencing guidelines and penalties.

Here are some suggested steps in getting on the road to SOX compliance:

Develop a plan. Be very clear about the timeline of what information must be reported when.
Set both short-term goals, for the current fiscal year, and long-term goals.

Select one or more frameworks to support SOX compliance. Several organizations have developed frameworks and models that companies can use in developing their SOX internal controls and compliance plan. COSO (the Committee of Sponsoring Organizations of the Treadway Commission) was established by five accounting and financial industry organizations to help companies improve their performance through better internal controls and risk management.

Conduct a risk assessment. Identify where in the financial reporting process a material error or fraud is most likely; those potential problem areas should be addressed as the company develops its compliance plan.

Assess entity-level controls. What controls are in place in different locations or divisions?

Document existing processes. Controls for the processes that could help protect against fraud or other financial risks should be specified.

Assess IT controls. Most companies focus on protecting the IT infrastructure from outside threats such as hackers, but what SOX cares about is whether the systems that produce the financial numbers can be trusted: who can access and change financial records, how changes to the applications that produce them are reviewed and approved before going live, and whether those actions are logged. The Manpower change-management process and the single set of access controls described earlier are examples of exactly these controls.

Identify and evaluate any third-party providers. Many companies outsource different financial reporting processes. You have to make certain that any vendors also have adequate controls in place to protect the integrity of your financial information. Vendors are often evaluated on the basis of Service Organization Control (SOC) reports prepared by independent accounting firms. For financial reporting the relevant report is the SOC 1, and a Type II report, which tests that the controls operated over a period, says more than a Type I, which only describes their design at a point in time. If no SOC report is available, you will need to dedicate resources to evaluating the vendor yourself.

Test the internal controls.