SOX Best Practices


Best-Practices Compliance

Though we can point to few mature compliance efforts, a consensus is emerging about what will make the most sense going forward. Companies will want to:

Define a compliance process that can be replicated. In this era of heightened wide-ranging corporate scrutiny and regulation, IT execs, working in conjunction with their counterparts in audit, finance and legal departments, can establish defined processes and procedures for complying with any regulations that come down the pipe. Roy Sanford, vice president of marketing and alliances for the Centera Storage division at EMC Corp., notes, "The companies that are furthest along are looking at compliance overall in their industry, not just at SOX, and are applying a definitive set of policies and procedures to address all of the regulations they need to comply with." Be sure to include provisions for ongoing management and maintenance.

Set up a monitoring system. Part of this process must involve monitoring others in your industry. By working together, companies within an industry can mitigate risks and liabilities. It also means dedicating IT resources to monitoring the regulatory landscape. Rather than wait for finance and legal to drop compliance-related tasks in your lap, anticipate them and be prepared.

Align with legal and audit. Technology executives need to be joined at the hip with their legal team, especially when it comes to issues such as document retention. John Connor believes that, "The ability to generate and recover documents is increasingly important. Time frames are compressed. From a legal standpoint…retaining documents and producing them in legal proceedings is very IT intensive." In short, says Connor, "A good document retention policy can't be [created] by lawyers in a vacuum." The same is true with the audit team. Check with auditors before re-engineering processes or buying any new technology in order to determine exactly what will be required for compliance.

Consolidate systems and processes, and centralize control. Start by rationalizing the raft of budgeting and planning systems, ERP systems, business intelligence systems, and customized reports that currently feed into the general ledger or other key financial reports. Most banks, driven by increased regulations, have now moved to a central repository for data. Companies in other industries would do well to follow suit.

Begin now to assess existing IT infrastructure for its ability to quickly report material changes in company operations and financial reporting. Section 409 looms on the horizon and may prove the most difficult of all of SOX's provisions to comply with.

There's no shortage of corporate executives gnashing their teeth about the time and expense required to comply with SOX with no perceived benefit to the business. John Connor has a more sanguine view: "[SOX] will have a salutary effect in capital markets and in how companies are perceived and, therefore, in their ability to raise capital. If [a company] is more transparent and reliable in its reporting practices, it only helps them in the capital markets—equities will be more accurately priced in the marketplace."

In the end, SOX compliance, like death and taxes, isn't going away. By staking out a leadership position, mapping out a plan and tackling compliance one section and one process at a time, CIOs can mitigate their own personal risk and get their companies to compliance, whether by brass tacks or by best practices.

SIDEBAR Sarbanes-Oxley Backgrounder

The Sarbanes-Oxley Act of 2002 was written to improve financial transparency to increase (or restore) investor confidence while reducing fraud and conflicts of interest. The provisions of the law variously apply to publicly traded companies, privately held companies with public debt, and accounting firms. The law is comprised of 11 parts (or "Titles") and 66 Sections. While certain sections required compliance immediately (when the law was passed in June, 2002), others set a future date for compliance and still others have no set compliance date as yet.

Those Sections with the most direct impact on IT operations include:

Section 103—Corporations must retain records for seven years. (In effect now.)

Section 201—Firms that audit company books may no longer provide IT-related services. (In effect now.)

Section 301—Corporations need to create a way for the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters. (Effective date not yet set.)

Section 302—Corporate officers must attest to the accuracy and timeliness of data, a thorough understanding of the processes that create the data, and sufficiently detailed data. (In effect now.)

Section 401—Issuers must report accurately, must disclose material off-balance-sheet liabilities, obligations or transactions. (In effect now.)

Section 404—Corporate management must annually certify the accuracy and integrity of internal financial control processes, and auditors must attest to that certification. Auditors are still awaiting detailed standards from the Public Company Accounting Oversight Board (PCAOB) regarding which controls must be tested and how, although the SEC has confined the scope of the law to core financial processes. (Effective with the first annual report filed following June 2004 (for large companies) and April 2005 (for companies with a market cap under $75 million).)


