If you haven't already encountered Sarbanes-Oxley in your current or most recent job, chances are you will encounter it while interviewing for your next position. Having at least a basic understanding of the SOX Act will give you a basis for participating in a conversation about it.
If you don't have experience with SOX but the company you're interviewing with is implementing an initiative concerning it, you don't want to lie and say you have worked with it personally. But having an understanding can enable you to listen to their SOX activities and comment on how your experience in other areas may be relevant to their objectives.
What SOX Is
The Sarbanes-Oxley Act comprises many complex provisions, but the most relevant sections are Section 302 and Section 404. Section 302 mandates that CEOs and CFOs, independent auditors and audit committees personally certify financial statements and filings as well as affirm responsibility for establishing and enforcing disclosure controls and procedures at all levels of their corporation. Section 404 requires annual evaluation of internal controls and procedures for financial reporting. All public companies, whether small or large, must comply.
According to Forbes, a survey of 217 public companies estimated that SOX compliance required an additional 26,000 man-hours and approximately $4.3 million, and that was just to comply with Section 404. That breaks down to about $91,000 per company.
While it provides better controls and more stringent security so that companies will avoid Enron-like fiascos, the Sarbanes-Oxley Act is becoming one of the most dreaded terms in the corporate world today.
One of the largest impacts on companies from complying with SOX requirements has been financial. When it is time for a SOX audit, companies must ramp up their internal temporary staffing as well as hire an external audit firm to assist in the onerous task of meeting all the requirements. The costs for the additional staff and the external consulting firm can add up rapidly, and many smaller public companies can barely afford this.
What does that mean for you?
Depending on what part of the organization you work for, you may or may not be involved in the SOX audit process. The finance department is one of the heaviest hit in terms of demands on time and resources to provide all the necessary information for the audit.
When SOX was initially passed into law, all public companies, and specifically the Finance departments of those companies, were tasked with the daunting chore of identifying all areas of the company, specifically transactional areas, that might be at risk for embezzlement or fraud. They then had to put controls in place to show that they were mitigating the risk.
Each successive year, the Finance department is tasked with proving that they have continued to abide by the guidelines they created to comply with SOX.
If you are in the IT department, you are tasked with proving to the SOX auditors that all systems being used by the company allow for security measures and access controls that reinforce the protection against the risks identified by Finance. This includes ensuring that users cannot approve their own purchase requisitions, establishing a standard approval hierarchy and ensuring job roles do not overlap.
Most other departments within an organization are not tasked with assisting the auditors during the audit. Some peripheral departments, such as sales, inventory and engineering, may get involved, but in general the lion's share falls on Finance, with the rest falling to IT.
While none of the tasks assigned during a SOX audit are difficult, they are time-consuming and take you away from your regular duties. So, moving forward and looking towards your next audit, just look at it as a time-consuming endeavor that protects you and your company from becoming the next Enron.