If you work for a publicly traded US company, chances are you’re pretty
familiar with the Sarbanes-Oxley Act (SOX). As a result of SOX, CEOs and CFOs
have for the first time personally attested to the validity of financial statements,
exposing themselves to criminal prosecution. This was a landmark event, refocusing
executives on “minding the mint” and raising the visibility of accounting
across organizations.

What you may just be realizing is that confirming financial statements was
merely the first step in a series of evolutionary guidelines the act comprises.
What was once viewed as an accounting-only law is now being driven to all parts
of the organization. CIOs are increasingly involved as financial data guidelines
are escalating in importance and solutions are sought to support auditable
processes.

To determine your SOX readiness, consider these questions from the CEO/CFO
perspective:

  • Would I be willing to put my neck on the line that all of the material
    accounts and transactions are documented accurately and completely?
  • Am I confident that all material accounts and operations have adequate
    and tested internal controls? Would a review of these tests satisfy an auditor?
  • Do I believe a consistent rigor is applied across the enterprise to enforce
    internal controls and assure adequacy for material operations?
  • Can I be sure that documents required to support legal inquiries are
    retained as needed to meet regulatory requirements?

If you answered no to any of these questions, chances are you’ll need
to pull up your SOX.

Although the act has a number of sections, we believe that those with the
most near-term impact are shown in Figure 1.

A SOX Action Plan

Obviously, these SOX requirements will have a pervasive impact on your organization.
No surprise here because the goal of SOX is to reach across the organization
creating a pervasively ethical corporate environment and appropriate business
behaviors. Given this broad goal, what can be done to make this a reality?

Since the required assertions are made at the executive level, a top-down approach
offers the greatest promise that executives will be satisfied with the methodology
behind the control assertions they must make. To align with executive
needs, this top-down approach is best driven by a representative from the CFO’s
office or another senior resource charged specifically as a SOX program compliance
officer (see Table 1).


Planning

Planning is critical given the regulatory guidelines and time frames involved.
Assigning a goal-oriented compliance program manager helps drive compliance
activities within the organization. Frequently, outside support will be required
to help the program manager get up to speed and develop the materials to communicate
and train the staff. Since there are inherent conflicts between the external
auditor used by the firm and the SOX compliance process, companies typically
engage consulting firms with strong change management practices to drive the
change. In cases where particular issues of the Financial Accounting Standards
Board or generally accepted accounting principles apply, other audit firms
are also frequently engaged to provide deep technical expertise.

Technology

A number of vendor software solutions exist to support a centralized compliance
capability. Most solutions focus on a component of compliance (e.g., 404 or
802). However, a few bridge the gap. Some solutions have the added feature
of predefined control templates that help to expedite documenting controls
and increase overall SOX efficiency.

However, it’s important to note that software alone isn’t the answer.
With culture change and creation of a pervasively ethical business environment
as a goal, the project must be managed top-down to drive change in the organization.

Some Good News

The vision and direction provided by SOX hold the promise of simplified
accounting processes, enhanced technical capabilities, and ultimately increased
investor confidence in the coming years. Companies, now recognizing the SOX
work in front of them, are using it to drive process and organizational changes,
breaking through entrenched resistance and looking for opportunities to recast
the financial reporting landscape. In fact, over the next few years, a significant
portion of financial systems investments will be driven solely by SOX compliance
needs.

SOX is looming as a major “to do” for 2004. Many companies, still
in the (404, 802) awareness stage, are unclear on the full scope of actions
required. Given the possibility of civil and criminal charges, as well as the
almost certain impact to share values if initiatives fall short, it’s
clearly time to get the compliance house in order. Key actions include:

  • Defining a compliance program management role;
  • Creating a SOX plan to meet requirement deadlines;
  • Determining what technologies will be employed to document and report
    activities;
  • Working top-down to define controls and objectives; and
  • Monitoring compliance testing to verify the program is on track.

A critical point is that SOX is pervasive; it changes the way business is
conducted. As a result, SOX requires a hands-on effort and senior management
commitment. Chances are that there is still time to comply with requirements,
but the clock is ticking. For section 404 in particular, compliance can be
no later than the end of the third quarter of 2004, and it could be much earlier
depending upon your fiscal year.

How do you get started? Take the initial step to get a compliance office
up and running and identify your SOX reporting milestones. Hitting these
milestones is critical. Remember, with SOX, there are no second chances.