As you know, the Sarbanes-Oxley Act was signed into law in 2002 to tighten corporate financial reporting protocols. Its overall purpose is to encourage companies to improve their audit requirements and to protect investors by improving the accuracy and reliability of corporate disclosures. Since its implementation, there has been much controversy regarding the efficacy of the improvements themselves, the costs required to implement them, and the actual benefits derived from doing so.
By Lauron Lewis
Over the intervening years, most companies, and probably yours as well, have implemented tighter financial protocols to meet the intent of the legislation. But what if, unfortunately, your company inadvertently made some accounting errors and exposed your company to the kind of scrutiny Sarbanes-Oxley was designed to avoid? Are you confident you have the information protocols in place to ensure that further disclosures beyond your control do not ensue? If you have any doubt to that effect, following are 10 questions you need to ask yourself about Sarbanes-Oxley to ensure you have the necessary protocols and programs in place to avoid such a problem:
- Are my internal controls adequate?
Section 404 describes in detail management’s responsibility for building internal controls around the safeguarding of information assets related to the timely detection of unauthorized acquisition, use, or disposition of an enterprise’s assets that could have a material effect on the financial statements. Hopefully you already have the protocols in place to demonstrate that you have the capabilities to monitor, detect, and record electronic information disclosures. If you are not sure that this is so, you might consider requesting an update from your CFO on the status of your compliance.
- Can these firewalls be broken?
Frequently we hear about information leaks that jeopardize the financial integrity of various institutions. And, unfortunately, methodology for breaching existing firewalls improves as quickly as the latest safeguards are installed. But the more up to date your enterprise is in integrating the latest safeguards, the more likely you are to avoid these setbacks. To assist you in the effort, demand more from technology. New products are available that can monitor electronic disclosure of nonpublic information, specifically the range of communications channels, including http, Simple Mail Transfer Protocol (SMTP), social media, etc. These technologies can monitor, record, and provide alerts on electronic disclosures of all types.
- What are the penalties for leaks?
Unfortunately, once information is leaked, whether it is “nonpublic” or not, it can be used as a catalyst for securities transactions. Such trading, when deemed “insider,” can result in a host of penalties, including exposure to investigations by the U.S. Securities and Exchange Commission (SEC); criminal and civil prosecution; the relinquishment of any profits; dollar penalties up to $1 million or three times the amount of any profits or losses (whichever is greater); and/or prison terms of up to 10 years. Furthermore, the government is quite aggressive in prosecuting egregious insider trading cases involving unduly leaked information.
- If a leak, what actions?
If you are alerted to nonpublic information being inappropriately disclosed on your network, you must rapidly execute a response program to identify the extent of the exposure, assess the effect on the corporation and its customers, and notify all affected parties and stakeholders. Section 409 of Sarbanes-Oxley clearly mandates that companies publicly disclose additional information concerning material changes in the company’s financial condition or operations. The key here is to respond as quickly as possible. While Sarbanes-Oxley contains many reporting requirements, real-time identification of material changes and disclosures (within 48 hours) presents a significant challenge and requires that you have crisis protocols in place in case an exposure should occur. This is an area of concern you should seriously consider discussing with your CFO if you have not already done so.
- Who is personally liable?
The stakes for leadership in regard to Sarbanes-Oxley compliance are high indeed. The CEO and the CFO must certify all financial statements filed with the SEC. The maximum penalty for Securities Exchange Act violations has increased to $5 million for individuals and $25 million for entities, as well as imprisonment of up to 20 years. Section 802 of Sarbanes-Oxley states, “Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any records, documents, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any department or agency of the U.S. … or contemplation of any such matter or case, shall be fined … imprisoned not more than 20 years, or both.”
In tomorrow’s Advisor, learn five more tips about information protocols related to Sarbanes-Oxley.