Sunday, May 13, 2018

Fundamental Governance Concepts and Sarbanes-Oxley Rules

Enterprise IT Governance
The term enterprise IT governance is not new, but it is a concept that has meant different things to different people. As a response to ongoing cycles of business frauds and failures, particularly in the latter decades of the past century, there has been an increased emphasis on embellishing enterprise codes of conduct and establishing what are called corporate ethics departments. Strong enterprise governance emphasized general operations, with little emphasis on IT systems and operations.

Sarbanes-Oxley Act
The Sarbanes-Oxley Act (SOx) is a U.S. law enacted in 2002 to improve public company financial reporting, audit, and enterprise governance processes. It first had a major impact on businesses in the United States and is now recognized worldwide. Although SOx’s auditing and internal control rules have directly changed many external auditor and IT financial practices, SOx has also had a major impact on IT governance. A general understanding of SOx, with an emphasis on its Section 404 internal accounting control rules, is a key knowledge requirement for all senior managers.

Sarbanes-Oxley Act Key IT Governance Elements
The official name of SOx is the Public Accounting Reform and Investor Protection Act. It became law in 2002, with most of the final detailed rules and regulations. Because its title is a bit long, it is mostly referred to as SOx, SOX, or Sarbox. SOx introduced a series of totally changed processes for external auditing and gave new governance responsibilities to senior executives and board members. SOx established the Public Company Accounting Oversight Board (PCAOB), a rule-setting authority under the Securities and Exchange Commission (SEC) that issues financial auditing standards and monitors external auditor governance.

SOx Key Provisions Summary

Exhibit 2.1 summarizes the major titles or sections of SOx Titles I and IV. Our intent is not to describe all sections of SOx or to reproduce the full text of this legislation – it can be found on the Web – but to highlight portions of the law that are most significant to interested business professionals.

SOx Title I: Public Company Accounting Oversight Board
SOx introduced significant new rules for external auditors. Prior to SOx, the American Institute of Certified Public Accountants (AICPA) had guidance-setting responsibility for all external auditors and their public accounting firms through its overall responsibility for the Certified Public Accountant (CPA) certification. While state boards of accountancy actually licensed CPAs, the AICPA previously had overall responsibility for the profession. External audit standards were also set by the AICPA’s Auditing Standards Board (ASB). Although basic standards, called generally accepted auditing standards (GAAS), have been in place over the years, newer auditing standards were released as numbered Statements on Auditing Standards (SASs). Much of GAAS was just good auditing practice, such as the requirement that accounting transactions be backed by appropriate documentation, while the SASs covered specific areas requiring better definition.

SOx Title I External Audit Process rules:
• PCAOB administration and public accounting firm registration.
• Auditing, quality control, and independence standards.
• Audit workpapers retention.
• Scope of internal control testing.

SOx Title IV: Enhanced Financial Disclosures and Section 404
SOx Title IV is designed to correct some financial reporting disclosure problems, to tighten up conflict-of-interest rules for corporate officers and directors, to mandate a management assessment of internal controls, to require senior officer codes of conduct, and to address other matters. The most significant nugget for most senior managers is Section 404 on Management’s Assessment of Internal Controls. SOx requires that all annual 10-K reports contain an internal controls report stating management’s responsibility for establishing and maintaining an adequate system of internal controls, as well as management’s assessment, as of the fiscal year ending date, of the effectiveness of those installed internal control procedures.
