Sarbanes-Oxley's Men in Black

You might be surprised about who's really in charge of making sure that publicly traded companies are complying with the Sarbanes-Oxley Act and other regulations that affect IT.

Last in a series.

Under the Sarbanes-Oxley Act (SOX) of 2002, public companies are required not only to disclose the data in their accounting books but also to show how they arrived at those numbers in the first place.

But who will be watching to see if companies comply in the wake of the scandals surrounding the likes of Enron and WorldCom, whose cooked books resulted in millions in investor losses?

The true enforcers of SOX

The Public Company Accounting Oversight Board, under the jurisdiction of the U.S. Securities and Exchange Commission, has the ultimate say over whether a company has met Sarbanes-Oxley's reporting requirements. But it is independent auditors from public accounting firms that will tell the SEC which companies comply and which don't.

"Companies are required to do their own assessment, [and then an] auditor has to assess the assessment of the infrastructure," said John Nester, a spokesman for the SEC. "They have to assess how it works. That's what our people will be looking at -- the auditor's assessment of that assessment. We won't be making the judgment calls."

If problems are found, a publicly traded company is responsible for disclosing and fixing them. "They are supposed to do it by law," said Alex Bakman, CEO of Ecora Software Corp., in Portsmouth, N.H. Failure to comply with the law results not only in company liability but in personal liability as well, including criminal actions against chief executive officers and chief financial officers. "The SEC is not messing around," he said. "This thing has teeth."

Critical sections of the law

There are two sections in Sarbanes-Oxley that IT administrators need to pay close attention to: Section 302 and Section 404. Section 302 puts responsibility for creating accurate financial reports on the CEO and CFO of a public corporation. Section 404 requires companies to assess their internal controls.

"If you said, 'I got freeware off the Internet and that's our IT system, and it seems to work, and we've tested it and it works,' you've satisfied the law's requirement," Nester said. "The law doesn't say what you have to invest [in]. It says that you have to assess what it is that you use in IT and report to the extent that it works."

Companies with revenues of more than $70 million for 2004 are required to file their annual reports, including SOX Section 404 reports, with the SEC 75 days after the end of the fiscal year. Late last year, companies with revenues of less than $70 million were given a 75-day extension for filing Section 404 reports.
