In the early 2000s, a series of major corporate scandals destroyed billions of dollars in market capitalization and cost thousands of people their jobs. The failures of top executives left shareholders' stock nearly worthless. Even major bondholders and investors with assets held at Enron, WorldCom, and Tyco lost millions without warning. Accounting executives managed to falsify earnings reported to the SEC, the public, and even their own employees for months. At Enron, with Jeff Skilling at the helm, the deception continued for years. Corporate leaders managed to evade securities regulators undetected for far too long; ultimately, this created a crisis of investor confidence in US markets.
Existing securities law was then strengthened, and legislators created new requirements for auditing, reporting, records retention, customer privacy, and accounting. In 2002, the Sarbanes-Oxley Act (SOX) was enacted, and the newly introduced federal standard for publicly traded companies became known as SOX compliance. Publicly traded companies must now be SOX compliant or risk fines and other penalties.
Challenges of SOX compliance implementation
SOX compliance can present a major challenge for companies for several reasons. At a high level, every compliance measure added to business operations must be measurable, actively managed, and tested annually to make sure it still works. This begins with appointing a Chief Compliance Officer (CCO) or head of compliance.
This individual must be a subject matter expert (SME) in SOX law. The position suits trained corporate attorneys and those with decades of experience in compliance and internal auditing. The CCO is responsible for meeting with other department heads about federal requirements and learning how they currently handle customer data and financial statements, as well as how that information and those documents are managed and retained.
If departmental records retention is inadequate, new electronic storage services must be purchased under the direction of IT. The CCO will also review the customer relationship management (CRM) system to ensure that employee end users can see only the customer data appropriate to their role. If managers can't prevent employees from viewing sensitive customer information where there is no business need, the CRM will need to be upgraded, and that can be costly. Shredding services must also be hired to properly dispose of sensitive personal and financial records.
The responsibilities go on. The CCO will need to be in regular contact with business managers and must complete a yearly compliance program review and certification. The CCO must also have a reliable way to measure employee knowledge of SOX compliance annually. The responsibility is daunting because failure to comply with federal regulations can result in fines and penalties. By law, an executive who knowingly certifies a fraudulent financial statement can even face jail time.
How is Dodd-Frank different from SOX?
The Dodd-Frank Act of 2010 was passed in response to the financial crisis and the Great Recession that began in 2008. Dodd-Frank was written to protect consumers from risky sub-prime mortgage investments and to bring more public transparency to the swaps markets. It also created the powerful Consumer Financial Protection Bureau (CFPB). While SOX was enacted to more tightly regulate publicly traded companies across all industries, Dodd-Frank focuses on financial institutions and the trading of derivatives within financial markets.
Dodd-Frank also requires banks to be more transparent about how they charge fees. Related federal privacy rules (chiefly the Gramm-Leach-Bliley Act) require banks to disclose how consumer personal information will be shared with third-party business partners and to give customers the opportunity to opt out of that sharing and of marketing contact.
While SOX and Dodd-Frank have different implications for different sectors, they can potentially have some overlap, and working with your CCO or an experienced external auditor is the best way to ensure that your company is meeting the requirements of both.
What to look for in a professional auditor
Compliance with the law needs to be not just a standard but a top priority for any company. It is a complicated process, however, and one that requires the leadership of someone with expert knowledge. Hiring an auditing professional who can come onsite and do the heavy lifting for your organization is one of the best ways to become SOX compliant.
These experts are experienced in conducting an independent audit of an existing program, reporting on weaknesses if they find them, and offering clear and achievable paths to compliance. Being proactive in auditing your compliance can prevent costly mistakes that can lead to fines, penalties, or even more serious consequences down the line.
Our audit and assurance team is registered with the Public Company Accounting Oversight Board (PCAOB) and the Canadian Public Accountability Board (CPAB)—and holds a zero percent deficiency rate. We’re here to give you peace of mind, while adding value to your business.