Sarbanes-Oxley (SOX) Detailed Analysis

Sarbanes-Oxley (SOX) is a federal law that aims to ensure accurate information is provided to investors. To understand how to comply with SOX, we have to drill through multiple layers:
  • The Federal Law (SOX)
  • The SEC regulation
  • The compliance framework
  • Practical Oracle database auditing
This article shows our analysis of SOX and the different layers from the federal law to practical requirements as they relate to Oracle database auditing.
The Regulation

The Securities and Exchange Commission (SEC) is responsible for enforcing SOX. As such, its regulations add detail about how the law is to be implemented.
Title 17 of the Code of Federal Regulations covers Commodity and Securities Exchanges; Chapter II covers the Securities and Exchange Commission.
Part 229, Item 308 deals with internal controls:
§229.308 (Item 308) Internal control over financial reporting.
(a) Management’s annual report on internal control over financial reporting.
Provide a report of management on the registrant’s internal control over financial reporting... that contains:
(1) A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the registrant;
(2) A statement identifying the framework used by management to evaluate the effectiveness of the registrant’s internal control...
(3) Management’s assessment of the effectiveness of the registrant’s internal control... This discussion must include disclosure of any material weakness... identified by management. Management is not permitted to conclude that the registrant’s internal control... is effective if there are one or more material weaknesses...
(4) ...
(b) Attestation report of the registered public accounting firm...
(c) Changes in internal control over financial reporting...
Instructions to Item 308:
1. ...
2. The registrant must maintain evidential matter, including documentation, to provide reasonable support for management’s assessment of the effectiveness of the registrant’s internal control over financial reporting.
Going into more detail about the controls:
§240.13a–15 Controls and procedures.
(a) Every issuer... must maintain disclosure controls and procedures...
(b) Each such issuer’s management must evaluate... the effectiveness of the issuer’s disclosure controls and procedures...
(1) ...
(2) ... within the 90-day period prior to the filing date of each report...
(c) The management... must evaluate... the effectiveness... of the issuer’s internal control over financial reporting. The framework on which management’s evaluation of the issuer’s internal control over financial reporting is based must be a suitable, recognized control framework...
(d) The management... must evaluate... any change in the issuer’s internal control...
(e) ...the term disclosure controls and procedures means controls and other procedures of an issuer that are designed to ensure that information required to be disclosed... is recorded, processed, summarized and reported, within the time periods specified in the Commission’s rules and forms.
Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed... is accumulated and communicated to the issuer’s management... to allow timely decisions regarding required disclosure.
(f) The term internal control over financial reporting is defined as a process... to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements... and includes those policies and procedures that:
(1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;
(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements..., and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and
(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer’s assets that could have a material effect on the financial statements.

The Regulation in a Nutshell

There are two kinds of controls:
  • Disclosure Controls – ensure that all relevant financial information is processed correctly and in a timely manner.
  • Internal Controls – ensure that the financial information is reliable.
The Internal Controls must:
  • Be based on a suitable, recognized control framework (e.g. CobiT)
  • Include prevention and timely detection of unauthorized changes to the issuer's records and assets
The financial reports must include:
  • An attestation report from a registered public accounting firm
  • Identification of the framework used for internal controls
  • Management's assessment of the effectiveness of the internal controls
  • Material weaknesses in the internal controls
  • Changes made to the internal controls
Additionally, the company must maintain evidence to support the effectiveness of the controls.
Next we need to drill into the internal controls.