
Sarbanes-Oxley's Men in Black

You might be surprised about who's really in charge of making sure that publicly traded companies are complying with the Sarbanes-Oxley Act and other regulations that affect IT.

Last in a series.

Under the Sarbanes-Oxley Act (SOX) of 2002, public companies are required to not only disclose the data in their accounting books, they also have to show how they arrived at those numbers in the first place.

But who will be watching to see if companies comply in the wake of the scandals surrounding the likes of Enron and WorldCom, whose cooked books resulted in millions in investor losses?

The true enforcers of SOX

The Public Company Accounting Oversight Board, under the jurisdiction of the U.S. Securities and Exchange Commission, has the ultimate say over whether a company has met Sarbanes-Oxley's reporting requirements. But it is independent auditors from public accounting firms that will tell the SEC which companies comply and which don't.

"Companies are required to do their own assessment, [and then an] auditor has to assess the assessment of the infrastructure," said John Nester, a spokesman for the SEC. "They have to assess how it works. That's what our people will be looking at -- the auditor's assessment of that assessment. We won't be making the judgment calls."

If problems are found, a publicly traded company is responsible for disclosing them and fixing them. "They are supposed to do it by law," said Alex Bakman, CEO of Ecora Software Corp., in Portsmouth, N.H. Noncompliance exposes not only the company to liability but its officers as well, including criminal action against chief executive officers and chief financial officers. "The SEC is not messing around," he said. "This thing has teeth."

Critical sections of the law

There are two sections in Sarbanes-Oxley that IT administrators need to pay close attention to: Section 302 and Section 404. Section 302 puts responsibility for creating accurate financial reports on the CEO and CFO of a public corporation. Section 404 requires companies to assess their internal controls.

"If you said, 'I got freeware off the Internet and that's our IT system, and it seems to work, and we've tested it and it works,' you've satisfied the law's requirement," Nester said. "The law doesn't say what you have to invest [in]. It says that you have to assess what it is that you use in IT and report to the extent that it works."

Companies with revenues of more than $70 million for 2004 are required to file their annual reports, including SOX Section 404 reports, with the SEC within 75 days of the end of the fiscal year. Late last year, companies with revenues of less than $70 million were given a 75-day extension for filing Section 404 reports.
