Sarbanes-Oxley cheat sheet

The clock's ticking for companies to get up to speed on compliance with the new financial accounting rules. Here's all you need to know about the law.

The Sarbanes-Oxley Act--what on earth is that?
It's the name of a piece of U.S. compliance legislation, with global implications, which was signed off in 2002. A key section, Section 404, went live on Nov. 15. It's designed to prevent financial malpractice and accounting scandals such as the Enron debacle. It's becoming known as SOX or SarbOx or SOA.

In fact, anything but 'the Sarbanes-Oxley Act'? I can see why...
Indeed. The Sarbanes-Oxley Act is a bit of a mouthful, though it could be worse. It's also known as the Public Company Accounting Reform and Investor Protection Act. The shorter moniker comes from the names of Sen. Paul Sarbanes, a Democrat from Maryland, and Rep. Michael Oxley, R-Ohio, who are credited as the main architects of the Act.

And when is this all going to happen?
The straightforward answer was Nov. 15, 2004. That is the date on which a key section of the Act came into effect. But in truth, companies should have been working on their compliance issues for quite some time. This isn't just a case of flicking a switch at 10 minutes to midnight on Nov. 14.

So they should be looking at this now?
Companies should have started looking at their SOX issues some time ago, but many are still just waking up to the challenge. Margaret Brooks, director of strategic business development and SOX specialist at Computer Associates, said finance departments "get it" but "a lot of CIOs don't know what's going to hit them."

That's a bit harsh isn't it?
Well, one American chief information officer who preferred to remain anonymous certainly concurred. "I feel like a bad storm's coming, and I don't know what it is or when it's going to hit," the CIO said at a recent industry event. It's certainly fair to state that it's an issue that relies heavily on information technology and that his sense of panic is not unique. Many companies are now aware of the specter of SOX hanging over them without having a handle on what it is and what they have to do to ensure compliance.

So in a nutshell, what does it all involve?
The Act covers a whole range of governance issues, many covering the types of trade that are allowed within a company, with an emphasis upon keeping everything above board. For example, the Act forbids personal loans to officers and directors. Former WorldCom boss Bernie Ebbers had taken considerable loans from his company shortly before it became the center of a corporate scandal. Other measures regulate the responsibilities of audit committees sent in to check the health of companies' compliance. The Act also offers protection to whistleblowers. (For more specific details, see the links at the bottom of this article).

While much of this is common sense and achievable, the actual challenge of SOX is ensuring it is observed and that compliance can be demonstrated and accurately monitored and reported. The most common area of focus is the archiving of all communications and the creation of transparent and auditable systems for recording transactions, dealings and any kind of business correspondence. This should mean traders can't contact one another or analysts on the quiet, and deals can't be lost in the muddy waters of business. Applications such as instant messaging are also being singled out as areas that need to be secured and made clearly accountable.

Kailash Ambwani, CEO of secure instant messaging software provider FaceTime, believes instant messaging is "mission critical" to most major financial institutions. He said: "These guys don't have in place the necessary security, accountability, logging or archiving to make those IM sessions compliant."

So every file, every e-mail, every IM, every phone call is going to have to be recorded?
That's been a lot of people's gut reaction, according to Mark Ellis, Computer Associates' director of storage and information management. But it's not quite that extreme. Many companies just assume that as long as they record that data, they will be compliant with that aspect of SOX--which is true, if a little na?ve regarding the storage and logistics implications of such thoroughness. Ellis describes this reaction as being "like a rabbit caught in the headlights" and explained that "people need to know what they must keep."

"Legal compliance is not about what you need to keep, it's about knowing what you can delete," he said, imploring companies to find out more about the complicated legislation.

And how can they do that?
Most companies are having to work with accredited auditors and consultants to ensure they have checked all the right boxes. In the United States, Ernst & Young and PricewaterhouseCoopers account for about a fifth of this market each, with KPMG and Deloitte and Touche accounting for about 13 per cent each. A successful filing from these companies is priceless for the companies affected by SOX.

How so?
These firms are there to test compliance and search for material weaknesses--flaws that would fail the SOX test--and there is a lot of shareholder trust to be gained from filing for SOX compliance. To date 5,685 companies have filed, which makes for 5,685 happy sets of shareholders.

Even if nothing bad ever happens, companies cannot afford to be remiss with their compliance. Noncompliance with SOX will probably mean heavy fines--which as yet have not been outlined or defined--and a serious loss of shareholder trust and brand value. After all, nobody wants to think their stocks might become the next Enron shares. Large financial institutions will probably be able to pay any fines with pocket change but the loss of face and the ensuing PR disaster of public naming and shaming could be colossal.

Quite. So compliant companies will be 100 percent safe from that kind of corporate scandal?
Of course not. There's no such thing as 100 per cent safe, but companies need to be able to demonstrate that they have shown due diligence. They may never be able to protect themselves against the actions of a rogue trader who goes offline, but they will be able to demonstrably prove they did everything they could to cover their backs and hit their compliance targets.

So will everybody go for this and sign up?
They have to really, but it may require a cattle-prod approach, if only because it may be the only way to force the issue.

Staff from Silicon.com reported from London.

For more information about Sarbanes-Oxley, see:
Securities and Exchange Commission
Sarbanes-Oxley.com
Deloitte and Touche
PricewaterhouseCoopers
KPMG