The documentation required for SOX compliance are highlighted in sections 302, 401, 404, 409, 802, and 906 of the Act. As per Section 302, the principal executive officer(s) and the principal finance officer(s) are required to certify any annual or quarterly report that is submitted to the securities exchange Commission (SEC). This is indicative of the signing officer having reviewed the document to ascertain that they represent a true, fair, and complete nature of the financial statements. In addition, disclosures pertaining to materiality are to be made on all pro forma statements as per the requirements of Section 401 (SEC)
Further, Sections 404 and 409 calls for management to provide an assessment of an organization’s internal controls to which an auditor is required to attest to as well as provide disclosures by its issuers on securities listed on national security exchanges (U.S. House of Representatives). It is in the same gist that section 802 require for accountants to retain a client’s working papers and documents containing data that was used towards drawing conclusions, opinions, analysis and financial data for a period of seven years (SEC). Section 906 requires the chief executive or finance officer to submit a written statement indicating that the financial statements have met the requirements of the securities exchange act and that the statements are a fair presentation of all conditions and outcomes of the organization (SEC).
It is important for accountants involved with Sox compliance to understand both the manual and automated work process and systems used internally since they play a huge role in ensuring that the organization complies with laws and regulations. To this end, by understanding both the aforementioned workflows, an accountant is able to ensure that control environment, risk assessment, control activities, information and communication, and monitoring (Federal Deposit Insurance Corporation) are effective as a means of ensuring the internal controls set by management are met.
The (American Institute of CPAs)defines deficiency as a shortcoming in the design or operation of a control that limits both management and employees to prevent, detect or correct misstatements in a timely fashion within their work roles and responsibilities. Froom this, a significant deficiency is defined as either singular or combined deficiencies that exist in internal control as regards organization’s financial statements that lead to a material misstatement that requires attention from n organizations management. This differs from material weakness which refers to a deficiency or combination of deficiencies in internal controls that have a high possibility of averting the prevention, detection and or correcting material misstatements thereof (American Institute of CPAs)
The reporting requirements for significant deficiencies, management is not under any obligation to publicly disclose such a deficiency. However, where a significant deficiency or a combination of significant deficiencies indicate a material weakness, management is under obligation to disclose the nature of the deficiency. In addition, management should also disclose material changes in its internal and disclosure controls where significant deficiencies are noted. To this end, management has the discretion to discuss the nature of the change so that the disclosure does not mislead users of financial statements (Office of the Chief Accountant)
As concerns material weakness, (SEC) indicates that management has to disclose any material weaknesses that have been identified and as such, cannot conclude that the internal control over financial reporting is effective. Further, the accounting firm is required to present an attestation on management’s analysis of its internal control in light of its financial reporting.