What is the Sarbanes-Oxley Act?
An Act passed in July 2002 by US congress to restore investor confidence after the high profile bankruptcies such as Enron that brought CEO’s, CFO’s and Auditors under heavy scrutiny. The Act applies to certain US and foreign companies registered at the SEC (including banks). For a while it was felt that this would only apply to companies in the USA but after the Parmalat fiasco there is now pressure to adopt similar legislation in Europe so it may well be that companies not yet affected will be soon. Sarbanes-Oxley is the single most important piece of legislation affecting corporate governance, financial disclosure and the practice of accounting since the US securities laws of the early 1930s. It is designed to reduce fraud and conflicts of interest, while increasing financial transparency and public confidence in the market. Sarbanes-Oxley is an Act with teeth, bringing with it the threat of fines and imprisonment for senior executives whose organisations are found to be non-compliant. The most significant aspect of the act is Section 404.
Section 404
Section 404 requires each annual report to contain an “internal control report” that:
- States the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
- Contains an assessment, as at the year end, of the effectiveness of the internal control structure and procedures for financial reporting.
Section 404 is by far the most significant part of the Act as compliance involves extensive process documentation and control testing and the external auditors must attest to and report on management’s process and assessment. The auditors review must be in accordance with standards issued or adopted by the newly formed Public Company Accounting Oversight Board (PCAOB). Affected companies must comply for the year end 31 December 2005. An affected company must demonstrate that transactions are captured accurately and controls over financial reporting are effective. Section 404 has focus on significant processes and information systems that underpin the financial reporting of Group numbers. Management must document significant processes and controls and test all controls that are deemed significant to financial reporting and report on its evaluation in the financial statements. External auditors must follow PCAOB’s Auditing Standard No. 2 on how to test the management’s assertion and assess whether effective controls are in place and file an attestation report with the SEC.
Who is impacted?
Under Section 404 virtually everyone in a bank is considered part of the financial reporting infrastructure! Section 404 impacts business areas as well as Finance as virtually all of the information included in financial statements originates in the business. For example the integrity of interest income depends upon controls that are in place for initiation and authorisation of a loan, through to collection of interest income, entries in to the General Ledger and reporting in the financial statements. The standard required for compliance is very high and will require a bank to provide detailed documentation and provide evidence that procedures are understood and risks are controlled and managed. The challenge is greater in very large, diverse banks like UK Clearing Bank groups. Many of the processes are not owned entirely by discrete business units and relationships/hand offs between business units and external parties must be understood and built in to the documentation so that ownership and responsibility is clearly defined. For more on how accounting works in Banks see our report on Accounting in Banks.
Specifically what is the impact on IT managers of SOX?
One of the key audiences for the How Banks Work website are IT project managers and their strategy folk. It would appear there are two impacts:
1. One Time; there is an initial one off description of lots of processes so that they are understandable by the auditors. Examples might be human related such as
- Change control processes and their key measures/control points
Or systems related
- Interest calculation and posting algorithms.
This will distract a lot of staff from delivering change to describe the status quo in both AD and Operations.
2. Ongoing; every year there will be an exercise driven by both internal and external auditors of sampling key controls from key processes and analysing whether these controls are effective.
IT, particularly in banks, will be one of the most affected areas by SOX during 2005.