Last in a series.
Under the Sarbanes-Oxley Act (SOX) of 2002, public companies are required to not only disclose the data in their accounting books, they also have to show how they arrived at those numbers in
But who will be watching to see if companies comply in the wake of the scandals surrounding the likes of Enron and WorldCom, whose cooked books resulted in millions in investor losses?
The true enforcers of SOX
The Public Company Accounting Oversight Board, under the jurisdiction of the U.S. Securities
"Companies are required to do their own assessment, [and then an] auditor has to assess the assessment of the infrastructure," said John Nester, a spokesman for the SEC. "They have to assess how it works. That's what our people will be looking at -- the auditor's assessment of that assessment. We won't be making the judgment calls."
If problems are found, a publicly traded company is responsible for disclosing them and fixing them. "They are supposed to do it by law," said Alex Bakman, CEO of Ecora Software Corp., in Portsmouth, N.H. Lack of compliance with it results in not only company liability, but personal liability as well, including criminal actions against chief executive officers and chief financial officers. "The SEC is not messing around," he said. "This thing has teeth."
Critical sections of the law
There are two sections in Sarbanes-Oxley that IT administrators need to pay close attention to: Section 302 and Section 404. Section 302 puts responsibility for creating accurate
"If you said, 'I got freeware off the Internet and that's our IT system, and it seems to work, and we've tested it and it works,' you've satisfied the law's requirement," Nester said. "The law doesn't say what you have to invest [in]. It says that you have to assess what it is that you use in IT and report to the extent that it works."
Companies with revenues of more than $70 million for 2004 are required to file their annual reports, including SOX Section 404 reports, with the SEC 75 days after the end of the fiscal year. Late last year, companies with revenues of less than $70 million were given a 75-day extension for filing Section 404 reports.