| Sarbanes Oxley act had been levied for tighter | | | | required to evaluate the systems processes that end |
| controls and stricter regulations for company's internal | | | | up effecting key controls over financial reporting. |
| controls. According to the Sarbanes Oxley compliance | | | | A good idea to implement Sarbanes Oxley compliance |
| companies with market capitalization of more than $75 | | | | is to begin with simple and normal Sarbanes Oxley |
| million need to file their financial reports by the June | | | | compliance controls. Then one should work backwards |
| 15th. This date was alter amended up to 15th | | | | to determine the systems and processes that need to |
| November. All other companies need to files their | | | | be documented in the financial report. |
| financial return for any fiscal year by 15th July. | | | | In case of companies where the work is outsourced |
| Sarbanes Oxley compliance with section 302 requires | | | | the Sarbanes Oxley compliance needs to be |
| any CEO or CFO to certify the accuracy of annual or | | | | documented in differently. This is because the total |
| quarterly financial reports for the company. Any | | | | work is done by an external agency. This is also |
| inaccurate or falsified facts are subject to penalty | | | | especially important because any external agency |
| under law. This section also makes a CEO or CFO to | | | | would never give any document or certificate like |
| establish and maintain internal controls. It also makes | | | | SAS70 Type II or similar report. In such a case the |
| them eligible to evaluate these controls and measure | | | | company is required to document the whole process |
| their effectiveness. As per Sarbanes Oxley | | | | that has been outsourced as if the whole process has |
| compliance, a CEO or a CFO is eligible to report any | | | | been done internally and state all the internal controls |
| deficiency in the design and operations of internal | | | | and regulation applied on that process which has been |
| controls. They can report any fraud and rectify any | | | | outsourced. |
| errors in the system of internal controls. | | | | In some cases it is suggested that as per Sarbanes |
| Sarbanes Oxley compliance with section 404 requires | | | | Oxley compliance that the IT department is required to |
| the company's annual report to carry a report on | | | | hold the keys to maintaining logs, usernames and |
| internal controls of the company. This report on internal | | | | passwords for the financial controls. This is not |
| controls as per the Sarbanes Oxley compliance should | | | | mandatory for all companies. Usually an IT department |
| state the role of management in maintaining and | | | | is required to create the roles and finance department |
| establishing total internal controls in the financial system | | | | directs as to who would hold the keys to those roles |
| of the company. | | | | specified. But some times it is risky to implement such |
| In case of IT companies, they are also required to be | | | | a practice. This is because if the IT department |
| in Sarbanes Oxley compliance while filing their financial | | | | reviews the logs and holds the key to manage them it |
| reports for any fiscal year. An IT person with business | | | | might be possible that some important records would |
| perspective can spearhead the compliance effort of | | | | be deleted. Thus in such a case the Sarbanes Oxley |
| any IT project. IN case of IT companies the internal | | | | compliance states that the usernames and passwords |
| controls need to be broken up in to two categories of | | | | etc should be with the IT department and finance |
| general controls and applications controls. As per the | | | | department should have the last word on the same. |
| Sarbanes Oxley compliance for an IT company it is | | | | |