The Sarbanes-Oxley Act kicked off a new era in corporate governance. Four key sections in the Act are:
- Section 302 - Officers must certify annual or quarterly reports to the SEC or be subject to the penalties defined in Section 906.
- Section 404 - Management assessment of the internal controls process.
- Section 409 - Real-time issue disclosure.
- Section 802 - Criminal penalties for altering documents.
Section 404 places emphasis on the quality of the financial reporting process. The rules are based on the definition of internal control developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which is summarized in terms of three objectives:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
To achieve this, COSO offered an internal control framework, endorsed by the SEC, consisting of five interrelated components:
- Control activities that encompass the policies and procedures of control
- Risk assessment
- Information and communication about relevant internal and external events
- Monitoring to assess quality through ongoing activities and evaluations
- Control environment to set the tone and provide a foundation
From a technology perspective, the software application business processes that are likely to be particularly relevant to Section 404 include:
- Data submission, financial consolidation and financial statement generation
- Purchase requisition to vendor payment
- Sales order to customer remittance
- Asset acquisition to disposal/write-off
- Project initiation to revenue recognition
- Intercompany processing
- Currency translation
For each of these processes, the control issues revolve around:
- The source of the data for the information presented in reports
- Who entered, changed or approved the data
- The processing the information has gone through to reach the report
- What roles people have in this process
- How exceptions are highlighted in the report information
- How well the process is secured against tampering