Sarbanes-Oxley is legislation passed by the United States Congress that requires publicly held companies to undergo strict audits on financial information and internal controls. These audits, known as SOX audits, are quite common and do not necessarily mean a company is incorrect in its accounting processes. The audit gives investors and other stakeholders information on how well the company maintains general accounting standards and has adequate management controls over business and financial information.
The SOX audit will start with a meeting between auditors and company management. During this meeting, the auditors will discuss the scope, length, purpose and expected results of the review process. Publicly held companies have some allowances when hiring an auditor for the SOX audit process. However, the accounting firm conducting the audit must be registered with government or accounting oversight agencies. This assures the public that auditors conducting the fieldwork and review have the education and training necessary to conduct the audit. SOX auditors must also be separate from the company’s regular auditors. If the same auditors conduct both audits, this can be a conflict of interest.
A SOX audit tests for variances and misstatements in a company’s financial information, and for the strength of internal controls and governance in the accounting department. When testing for variances and misstatements, auditors will review documents prepared by the company. Auditors may also recalculate the financial paperwork and compare the preparation instructions to standard accounting principles. While some variances are typically acceptable, variances or misstatements that exceed five percent are generally seen as significant.
Internal control reviews test which employees are responsible for certain activities, how many similar tasks one individual completes, which manager oversees various employees, who has access to the accounting software and what defaults are in place to discover errors in the accounting software. The SOX audit will focus heavily on internal controls, as these are the procedures specifically meant to limit errors and prohibit fraudulent activities relating to the company’s financial information.
The SOX audit will not generally provide a company’s management with corrective actions necessary to resolve accounting issues. While some guidance is certainly necessary, SOX auditors will quickly blur their independence by offering too many corrective actions, as this enters the field of consultation services. Under SOX laws, auditors cannot offer consulting services to their audit clients, as this will result in multiple accounting services offered through one accounting firm.
Failing a SOX audit will often result in a required remedial audit. Most auditors will score the audit on a 100-point scale, with anything less than 70 points resulting in a scheduled re-audit. The remedial audit will test the areas that the company failed during the initial audit and will ensure the company’s corrections are effective and will continue in perpetuity to safeguard the company’s information.