The Sarbanes-Oxley Act came into being in 2002 in response to the inadequacies of corporate governance that were becoming increasingly prevalent. Its introduction was also meant to gain better control while managing and reporting corporate financial information as well as safeguarding the interests of employees and business partners.
While Sarbanes-Oxley does not explicitly cater to business continuity, it does provide a framework for using business continuity to develop a comprehensive controls ecosystem in the organization.
Background
Executives started addressing corporate governance from the late sixties onward when many big corporations came under scrutiny for inefficient management. The topic became less prominent in the following decades as other issues took center stage. For instance,
- The savings & loan crisis, and markets and credit risk in the eighties
- Operational risk and corporate re-engineering in the nineties
- Challenges related to meeting new economy demands and adopting new technologies in the 2000s
A series of incidents around the turn of the century, including accounting irregularities in many big corporations, made it necessary to introduce stringent anti-fraud legislation that squarely addressed corporate misconduct.
Sarbanes-Oxley is an exhaustive compilation of corporate anti-crime laws that targets issues such as altering financial statements, misrepresenting facts to auditors, bullying whistleblowers and so on. The act marked a significant moment in corporate governance history as it gave the CEO autonomous control over governance.
Today, its scope extends beyond just C-suite issues and is a driving factor at the corporate board level. Leadership and management teams are looking to incorporate corporate governance into every aspect of business.
Aligning Business Continuity with Sarbanes-Oxley
Section 404 of the Sarbanes-Oxley Act obliges organizations to gain comprehensive knowledge on all the risks that might hamper their financial reporting framework and then establish controls that impede financial offenses. This is a vital aspect of internal controls in any organization.
Section 404 also mandates that firms filing an annual report include an internal controls report that details the management's efforts towards implementing and managing a comprehensive internal controls framework along with the processes for financial reporting. This internal controls structure and the procedures implemented by the issuer for financial reporting must be evaluated on a yearly basis. As per Section 404, the organization's auditor also has to validate that the management is adhering to the norms outlined by the Public Company Accounting Oversight Board while evaluating the effectiveness of these controls and procedures.
Management personnel can be severely penalized for not adhering to Sarbanes-Oxley norms. In order to stay compliant, companies must invest in an infrastructure that:
- Safeguards vital data and records
- Prevents damage and loss
- Eliminates the possibility of unwarranted alteration or misuse
In order to do this, the company needs to:
- Implement relevant controls
- Conduct risk assessments
- Develop channels and protocols for sharing information
- Monitor the entire system
Companies must align this infrastructure with a structured framework for internal controls such as the Treadway Commission’s COSO. The COSO framework can cater to operations, finance and compliance in areas such as:
- Control Environment – Increasing employee awareness and inculcating the discipline and structure required to foster an environment for governance and control
- Risk Assessment – Detecting and analyzing internal and external risks in order to determine the most feasible strategy for handling them
- Control Activities – Policies and procedures that ensure that the course of action outlined by the management is implemented across the enterprise
- Information & Communication – Ensuring the relevance and timeliness of all information shared so that the entities that depend on it are properly supported
- Monitoring – Ensuring that internal controls satisfactorily provide the organization with an effective framework for implementing corporate governance
All online and manual financial reporting methods must be brought under the management’s radar.
Risk assessment and business impact analysis, crucial components of any business continuity solution, play a vital role while developing the infrastructure outlined in Section 404 of Sarbanes-Oxley. This is followed by establishing the resource requirements based on the RTO and RPO values, and the recovery resources, so that the impact of business disruptions is mitigated in a cost-effective manner.
These requirements are then contrasted with currently available resources to identify insufficiencies in:
- Data – Data that is lost in the time-frame between the last scheduled backup and the moment when a business disruption occurs
- Time – Gaps between the organization's RTO value and the actual time it takes to restore operations to a predefined level of production
- Resources – Insufficiencies detected in existing recovery resources (technical, operational and administrative) based on established requirements
An organization’s internal controls would be hampered when any of these three categories fall short.
Sample Scenario
An organization takes copies of its data every night at midnight. A major business disruption occurs at noon one day and consequently, all newly added data and changes made to existing data since the last backup would be lost and cause inaccuracies. The internal controls framework would need to develop a plan to handle incidents like these.
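The three-way gap analysis (data, time, resources) and the midnight-backup scenario above can be expressed as a small assessment routine. The following is an added example written for this page, not code from the original article or from any product it describes; the system profiles, RPO/RTO targets, drill timings and resource counts are constructed sample values, and the field and function names are the example's own. It goes slightly beyond the scenario by also flagging a backup schedule whose interval can never meet the RPO, regardless of when the disruption happens.

```python
"""Gap analysis of recovery capability against RTO/RPO targets (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class RecoveryProfile:
    """Hypothetical recovery profile for one financially significant system."""
    name: str
    rpo: timedelta                 # maximum tolerable data loss
    rto: timedelta                 # maximum tolerable restoration time
    backup_interval: timedelta     # how often backups are scheduled
    last_backup: datetime          # last completed backup before the event
    measured_restore: timedelta    # restoration time observed in the last drill
    required_resources: dict = field(default_factory=dict)   # kind -> count needed
    available_resources: dict = field(default_factory=dict)  # kind -> count on hand


def data_gap(profile: RecoveryProfile, disruption: datetime) -> timedelta:
    """Data written after the last backup is lost when the disruption hits."""
    return disruption - profile.last_backup


def time_gap(profile: RecoveryProfile) -> timedelta:
    """Positive when the last drill took longer than the RTO allows."""
    return profile.measured_restore - profile.rto


def resource_gap(profile: RecoveryProfile) -> dict:
    """Recovery resources (technical, operational, administrative) that fall short."""
    return {
        kind: needed - profile.available_resources.get(kind, 0)
        for kind, needed in profile.required_resources.items()
        if needed > profile.available_resources.get(kind, 0)
    }


def assess(profile: RecoveryProfile, disruption: datetime) -> dict:
    """Combine the three checks; any flag set to True is a finding for the controls review."""
    lost = data_gap(profile, disruption)
    late = time_gap(profile)
    short = resource_gap(profile)
    findings = {
        "system": profile.name,
        "data_lost": lost,
        "exceeds_rpo": lost > profile.rpo,
        # A backup interval longer than the RPO cannot meet it even on a good day.
        "schedule_exceeds_rpo": profile.backup_interval > profile.rpo,
        "time_gap": late,
        "exceeds_rto": late > timedelta(0),
        "resource_shortfall": short,
    }
    findings["internal_controls_at_risk"] = (
        findings["exceeds_rpo"]
        or findings["schedule_exceeds_rpo"]
        or findings["exceeds_rto"]
        or bool(short)
    )
    return findings


# Constructed sample: nightly backup at midnight, disruption at noon (the page's scenario).
GENERAL_LEDGER = RecoveryProfile(
    name="general-ledger (constructed sample)",
    rpo=timedelta(hours=4),
    rto=timedelta(hours=8),
    backup_interval=timedelta(hours=24),
    last_backup=datetime(2024, 3, 4, 0, 0),
    measured_restore=timedelta(hours=10),
    required_resources={"recovery_site_seats": 20, "db_admins": 2},
    available_resources={"recovery_site_seats": 12, "db_admins": 2},
)

# Constructed sample of a system whose recovery posture meets its targets.
PAYROLL = RecoveryProfile(
    name="payroll (constructed sample)",
    rpo=timedelta(hours=4),
    rto=timedelta(hours=8),
    backup_interval=timedelta(hours=1),
    last_backup=datetime(2024, 3, 4, 11, 0),
    measured_restore=timedelta(hours=6),
    required_resources={"db_admins": 1},
    available_resources={"db_admins": 2},
)

DISRUPTION = datetime(2024, 3, 4, 12, 0)

if __name__ == "__main__":
    for profile in (GENERAL_LEDGER, PAYROLL):
        for key, value in assess(profile, DISRUPTION).items():
            print(f"{key}: {value}")
        print()
```

For the general-ledger sample the routine reports twelve hours of lost data against a four-hour RPO, a two-hour overrun of the RTO, and a shortfall of eight recovery-site seats; the payroll sample produces no findings. Running the same assessment across every system that feeds the financial statements gives the reviewer the evidence the yearly Section 404 evaluation asks for.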
Supply Chain
Businesses today are more interdependent than ever and an organization's internal controls must also include external dependencies if they are to be effective. Processes that involve third party entities such as vendors, suppliers and other contractual partners must also be taken into consideration. Section 404 also mentions that companies must draft contracts and SLAs that give them the jurisdiction to evaluate the effectiveness of their vendor's internal controls if these outsourced processes can directly impact the company's financial statement.
Today, as companies operate with a granular level of visibility over all their supply chains, it has become mandatory for third party entities to maintain documented proof of their disaster preparedness. This, along with Section 404, has helped propel business continuity to the forefront of business criteria across the corporate world. For instance, only recently, a wireless and broadband communications provider with a global presence introduced a new policy that made it necessary for all its vendors to demonstrate disaster preparedness through documented plans.
Reinventing Business Continuity through Sarbanes-Oxley
C-suite executives are viewing the Sarbanes-Oxley Act as an ideal opportunity to reinforce compliance measures. Sarbanes-Oxley for its part is transforming companies’ approach to implementing business continuity solutions. Some of the highlights of this shift in perspective include:
Yearly Evaluation of Business Continuity Plans
Traditionally, business continuity plans have been treated as a routine task with a narrow scope that rarely extended beyond the purview of IT operations. They were handled by middle management and plans were updated only when required. Senior executives seldom got involved. The only exceptions were banks that had to abide by FFIEC rules, where top management was required to assess the plan's development and testing procedures.
Today, companies have policies in place that require a yearly review of business continuity plans that are a lot more detailed in description and exhaustive in coverage. These reviews involve tests, drills and simulation exercises.
Senior Management Involvement
Leadership and management teams are today required to be directly involved in the development and maintenance of internal controls. As a result, business continuity steering committees are becoming more common and are even being insisted upon in firms.
Planning for External Risks
Vulnerabilities in third party operations can severely hamper business operations and executive teams are acutely aware of the need to be prepared for these contingencies.
Insisting on Business Continuity Plans in SLAs
Companies nowadays are a lot more tuned in to the implications of not adopting risk management best practices and tend to partner with vendors who are equally committed to staying resilient. As a result, business continuity specifics have become a standard inclusion in service level agreements.
Increased Financial Support for Business Continuity
Executives today appreciate the gravity of not being able to continue operating after a crisis and are willing to invest in full-fledged business continuity programs.
Conclusion
All public firms, irrespective of industry or sector, must align the evaluation of their internal controls and processes for financial reporting with Sarbanes-Oxley norms. This can be a long and tedious process that companies must plan for well in advance if they are to avoid inaccuracies and meet the yearly deadline set by Sarbanes-Oxley for filing the report.
By adhering to Sarbanes-Oxley rules, organizations have the means to gain new and invaluable insights into their processes and design relevant controls that enhance overall governance.