Please download any of our support files:
RCR Suite Brochure
IPTAP Data Sheet
IPTAP Installation Guide
IPTAP Installation Guide (Arabic)
IPTAP Mapping of Targets Guide
IPTAP Mapping of Targets Guide (Arabic)
nORM Data Sheet
nORM Brochure 4.1 Arabic
nORM User Guide 4.1 English
PAE Data Sheet
PAE User Guide 1.1 English
Software Licence Agreement SLA Terms
Schedule to Licence Agreement
Regulations
Sarbanes Oxley
Basel II Accord
Solvency II
Standards
ISO31000 (NEW)
ISO/IEC 27002
AS/NZS4360
AS/NZS3931
Business Continuity
BS 25777:2008
BS25999
BS ISO/IEC 27002:2005, BS 7799-1:2005, BS ISO/IEC 17799:2005
The Sarbanes-Oxley Act of 2002 is a United States federal law signed into law on July 30, 2002 in response to a number of major corporate accounting scandals. The legislation comprises 11 titles and is wide-ranging, establishing new or enhanced standards for all U.S. public company boards, management, and public accounting firms.
The Act established a new quasi-public agency, the Public Company Accounting Oversight Board (PCAOB), which is charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. The Act also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure.
Key Provisions
SOX Section 302: Internal Control Certifications
Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. Company officers must certify that they are “responsible for establishing and maintaining internal controls” and “have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared.” The officers must “have evaluated the effectiveness of the company’s internal controls as of a date within 90 days prior to the report” and “have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.”
Additionally, under Section 404 of the Act, management is required to produce an “internal control report” as part of each annual Exchange Act report. The report must affirm “the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.” The report must also “contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.”
External auditors are required to issue an opinion on whether effective internal control over financial reporting was maintained in all material respects by management. This is in addition to the financial statement opinion regarding the accuracy of the financial statements.
SOX Section 404: Assessment of Internal Control
Section 404 requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICFR). Both management and the external auditor are responsible for performing their assessment in the context of a top-down risk assessment, which requires management to base both the scope of its assessment and evidence gathered on risk.
SOX 404: Information Technology
The financial reporting processes of many companies depend to some extent on IT systems. Thus, information technology controls that specifically address financial risks fall within the scope of a SOX 404 assessment. Chief information officers are typically responsible for the IT organization, and IT personnel may be directly involved in SOX compliance efforts.
The SOX 404 guidance requires the use of an internal control framework. The IT Governance Institute's "COBIT: Control Objectives of Information and Related Technology" is used by many companies as a framework supporting IT SOX 404 efforts. However, certain aspects of COBIT are outside the boundaries of Sarbanes-Oxley regulation.