The issue of compliance with SOX is one keenly felt by public companies. However, both public and private companies must prepare future-looking documents in the form of long-term projections as well as short-term budgets. Consequently, privately held companies would do well to consider the requirements of SOX and make sure they could meet the requirements as well. This could be a significant issue with potential investors.

Sections 302 and 404 of the Sarbanes-Oxley Act of 2002 specifically require public companies to establish, implement, and evaluate their internal controls for purposes of financial statement reporting and operational integrity. While this is not the place for an in-depth treatment of the requirements of compliance with SOX, the following brief summary of some compliance issues will serve as a background to help identify how we, and our tools, can help. They apply equally well as guidelines for public and private companies.

Internal Controls

The internal controls referred to above generally consist of five interrelated components:

1. Control environment
2. Risk assessment
3. Control activities
4. Information and communications
5. Monitoring

Control Environment

This component sets the tone of the entire organization. Management and organizational integrity influences the control culture and awareness of every person in the company. As the foundation for all other components of internal control, the control environment provides the discipline and structure for ethics, oversight, and management accountability.

Key control environment factors include:

• Integrity and ethical values
• Commitment to competence
• Participation by the board of directors or audit committee
• Management's philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resource policies and practices

Risk Assessment

This component is the process of identifying and analyzing both internal and external risks and threats to achieving the company's goals and objectives. Risk assessment can be performed either on the level of the whole organization or on the level of specific applications or transactions. Processes for both organization-level and application-level risk assessment form the basis of determining how to manage risk. Some of these risks are:

• Changes in operating environment
• New technology
• New or revamped information systems
• New personnel
• Rapid growth
• New lines, products, or activities
• Corporate restructurings
• Foreign operations
• Accounting pronouncements

Control Activities

This component consists of the specific policies and procedures that help ensure that management's directives are carried out. They can pertain to both entity-wide and application-level controls for different organizational, functional, and systems activities, as summarized below:

• Preventative, detective, and corrective controls
• Organization
• Segregation—separation of duties
• Hiring, duties, training, and supervision—performance reviews
• Systems
• Design and configuration
• Physical controls
• Logical controls—access and authorization
• Internal controls—document order, internal checks and balances

Knowledge about the presence or absence of control activities, obtained from gaining an understanding of the internal controls, can help management determine where to devote additional attention. Common types of controls management may wish to note or observe during the course of planning and evaluation should include:

• Policies and procedures
• Organization and budget information
• Plans and needs analysis
• Project management status reports
• System access controls
• Session processing controls
• Record control numbering and document validation and matching
• Account and ledger reconciliation
• Testing procedures and training programs
• Disaster back-up and recovery plans

Information and Communication

This component includes the identification, capture, and exchange of information in a form and time frame that enables people to carry out their responsibilities. It can incorporate methods to record, process, summarize, and report transactions, events, and conditions, in order to maintain accountability for each respective control activity.

Communication can include not only a direct and systematic reporting process through the various chains and lines of command, but a means of providing an understanding of individual roles and responsibilities as well. Promoting this type of awareness can complement specific means of measuring and managing performance data, such as benchmark metrics, to achieve organization-wide objectives.

Monitoring

This component is a process that assesses the quality of the internal control process over time. Detection and timeliness of response are two key factors in maintaining and monitoring a system of internal controls. It is management's responsibility to establish and maintain controls to ensure that they operate as intended or are modified as appropriate.

Assessing the quality of internal controls involves a continuous process of evaluating the design and operation of controls on a timely basis and taking necessary corrective action as required. This process can take place as part of ongoing activities or as separate testing, and can result from such similar, parallel functions as internal audits or from the demands of external sources such as stakeholders or other parties.

Early analysis, including identification and resolution of problems, can develop either as an iterative process or develop into more formal procedures. Integration and coordination between different levels of management and functional areas should support firm violation enforcement provisions. These can include disciplinary and corrective actions to help reinforce enterprise codes of practice throughout the organization.

The Role of Our Tools and Services

Our tools and our other products and services provide an effective means of accomplishing the tasks of complying with SOX. They address the needs in all of the Internal Control processes described above as well as providing an effective methodology and support mechanism for management. Contact us to get more information.