
US Corporate Governance

Corporate Governance in the US is a complex subject, the roots of which go back to the 19th Century.


The one book that provides a clear and straightforward description of the corporate governance regime in the US, from its early days through to the most recent review of SOX, and that is also the most comprehensive introductory text available for this subject, is:

Corporate Governance: A Practical Guide to the Legal Frameworks and International Codes of Practice

Sarbanes Oxley

The Sarbanes-Oxley Act of 2002 (SOX), introduced in the United States of America in the aftermath of Enron, has fundamental governance implications for listed American companies, their foreign subsidiaries and foreign companies that have US listings. It applies to all Securities and Exchange Commission (SEC) registered organizations, irrespective of where their trading activities are geographically based. SOX is different from the UK's Combined Code, and from codes of corporate governance adopted elsewhere in the OECD, in that compliance is mandatory, rather than ‘comply or explain’. This aspect, combined with significant potential sanctions for individual directors, is driving SOX compliance requirements through the supply chain.


While the Act lays down detailed requirements for the governance of organizations, the three highest profile and most critical sections, which were implemented in phases, are 302, 404 and 409.

Sarbanes Oxley Act Sections 302, 404, 409

Section 302

Required:

· Quarterly certification of financial reports
· Disclosure of all known control deficiencies
· Disclose acts of fraud

Responsible:

• CEO
• CFO

Section 404

Required:

· Management annually certify internal controls
· Independent accountant must attest report
· Quarterly change reviews
· Monitor operational risks

Responsible:

• Management
• Independent auditor

Section 409

Required:

· Material event reporting
· ‘Real-time’ implications – 4 business days for report to be filed

Responsible:

• Management
• Independent auditor

The SEC, which is responsible for implementation of SOX, has relevant information available at www.sec.gov/spotlight/sarbanes-oxley.htm, and the Sarbanes-Oxley web site itself is at http://www.sarbanes-oxley.com/

Internal controls and audit

Under SOX, management is required to certify the company’s financial reports and both management and an independent accountant are required to certify the organization’s internal controls. In almost every organization, financial reporting depends on the IT infrastructure, whether it is for the rendering of an invoice, the effective operation of an ERP system, or an integrated, organization-wide management information and control system.  Unless appropriate internal controls are built into this infrastructure, management will not be able to make the required certification.


The SEC has mandated US companies to use a recognized internal control framework that has been established by an organization that developed the framework through a due process, including inviting public comment. One widely used framework is known as the COSO framework or, to give it its own title, the ‘Internal Control – Integrated Framework’, which contains the recommendations of the Committee of Sponsoring Organizations of the Treadway Commission (www.coso.org). A small business version of the framework is also available.


The COSO sponsoring organizations included the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants and the American Accounting Association. The PCAOB (Public Company Accounting Oversight Board, at www.pcaobus.org, created under SOX to oversee the activity of the auditors of public companies in the United States) expects the majority of public companies to adopt the COSO framework, and its Auditing Standard No 2, dealing with the audit of internal control over financial reporting, assumes that the COSO framework (or one substantially like it) will have been adopted.

IT Governance

While IT governance is an overall response to the requirements of SOX, SOX compliance should not be isolated from other compliance activity. Emerging best practice recognizes that those organizations that build compliance into their processes, rather than bolting it on afterwards, tend to get more cost-effective, business-orientated results from their SOX projects. CobiT is one methodology that meets the PCAOB requirements; deployed within the Calder-Moir IT Governance framework, it can be a significant part of a total IT governance response to the requirements of Sarbanes Oxley. A webinar on how to leverage best practice frameworks to simplify SOX compliance is also available.

SOX Resources

Through this site, you can access the most useful SOX resources in the world. Our online shop contains key guides and toolkits for Sarbanes Oxley compliance, the most important of which are:

  1. Sarbanes Oxley Section 404 Compliance Tips for IT Managers
  2. Sarbanes Oxley: a Practical Guide to Implementation Challenges and Global Response
  3. Manager's Guide to the Sarbanes Oxley Act

In addition, the Sarbanes Oxley Section 404 Implementation Toolkit, Second Edition is an enormously valuable resource, while Sarbanes Oxley for Dummies, Second Edition is an outstanding starting point for the newcomer.


CobiT is widely used as part of the SOX compliance strategy.


Information security is also a fundamental component of a SOX general control environment, and the ISO27001 ISMS Toolkit is the most cost-effective way of implementing this core control, often integrated into a CobiT environment. We also have a specific North American ISO27001 Information Security Site.


Training is also an essential part of Sarbanes Oxley compliance, and SOX e-learning courses are a cost-effective method of achieving staff compliance.  

© 2003 - 2008 IT Governance Ltd.