Yesterday’s Advisor presented the first five tips about information protocols related to Sarbanes-Oxley; today’s issue presents the final five:
By Lauron Lewis
- Is there a compliance “reach back”?
Yes, there is, and it comes in two parts: the date of discovery and the date of the violation. Section 804 of the Sarbanes-Oxley Act extends the statute of limitations in private securities fraud actions to the earlier of 2 years after the discovery of the facts constituting the violation or 5 years from the violation.
- Is there an effective preemptive strategy?
Clearly it is better to take an offensive, action-oriented perspective regarding compliance with Sarbanes-Oxley rather than a defensive stance. Deploy strategies that provide you with the evidentiary support you need when things go wrong. You may already have these in place; if not, this is another good conversation to have with your CFO. Today there is an abundance of network security appliance choices designed to capture and record all electronic communications, and these can provide forensic capabilities with automated reporting that corresponds to compliance needs. These solutions must be deployed within an overarching compliance strategy that aligns with the business to continuously identify and monitor risks; establish effective internal controls; test the validity of the controls; support CEO and CFO certifications; conduct third-party audits; and monitor for changes in risks, controls, and compliance needs. Many of these can be acquired with the option for automatic upgrades as needed.
- Are compliance standards tightening?
Since the introduction of the Public Company Accounting Oversight Board (PCAOB) as part of the Sarbanes-Oxley Act, compliance standards have tightened in a variety of areas. Since that time, the PCAOB has periodically issued rigorous compliance auditing standards, with the last one, Standard 18, having been issued in June 2014. It was issued to strengthen auditor performance requirements in three critical areas of the audit: (1) related party transactions, (2) significant unusual transactions, and (3) a company’s financial relationships and transactions with its executive officers.
Standard 2, issued in 2004, originally covered audits of internal control over financial reporting conducted with an audit of financial statements. Since then, several standards, especially Standards 5 and 11, have also addressed this area.
- Is it possible to totally prevent leaks?
Not now, and probably never. The risk of imprudent leaks occurring is one that can be minimized but never eliminated. It is important to have the most rigorous reporting controls possible in place, and to review and update those protocols frequently and on a timely basis. If a breach does occur and your enterprise is investigated, the most important thing you can do is to establish that you had the best possible controls in place and that you consistently pursued a course of due diligence.
- What happens if I am investigated?
Compliance programs should be designed to detect the particular types of operational risks most likely to occur in a corporation’s lines of business. The bottom line is that management must be able to answer two fundamental questions: (1) Is the corporation’s compliance program well-designed? (2) Did you do everything possible to make it as breachproof as you could, given commonly available procedures and protocols? If you can answer these questions positively, you have a good case.