What is the Sarbanes-Oxley Act and how does AD auditing help with compliance?
The Sarbanes-Oxley Act of 2002 is one of the most consequential sets of mandates involving business ethics, and it applies to all publicly traded companies in the US, including subsidiaries of foreign companies.
Going back to 2001, a number of irregularities associated with a large publicly traded company called Enron began to raise public suspicion. Enron was widely regarded as a well-established, financially sound company due to its consistency during times of economic turbulence. Yet public conjecture surrounding claims that Enron was “cooking the books” sent its blue-chip stock tumbling. It emerged that the management team was trying to cover up losses from the previous years by fiddling the figures on its financial statements.
This turn of events prompted investors to start taking a closer look at the financial records of many other corporations. It turned out that many large companies, such as Arthur Andersen, Global Crossing, ImClone Systems Inc, Adelphia and WorldCom, were engaged in the same sort of activities. It was clear that action needed to be taken to restore investors’ faith in corporate America. Along came the Sarbanes-Oxley Act – introduced into Congress by US Senator Paul Sarbanes and US Representative Michael Oxley – which set out to impose stricter standards on financial reporting.
Under the Sarbanes-Oxley Act, company officials are required to sign off on the accuracy of financial statements, which holds them personally accountable should any disclosed information turn out to be misrepresented. Should a company not comply with the Sarbanes-Oxley Act, its officials could face fines of up to $1m and up to 10 years in jail. Likewise, should it come to light that a company is intentionally defrauding investors, its officials could face fines of up to $5m and up to 20 years in jail.
Companies must provide a description of their internal controls, allowing investors to gain an insight into their procedures. Companies are also required to appoint an independent accounting firm to audit the accuracy of their financial reports. A section of the report is set aside for the auditor’s comments on the accuracy of the presented figures. The report must also include all off-balance-sheet transactions.
Finally, the Securities and Exchange Commission (SEC) is granted extended authorization to closely examine companies that are suspected of foul play. The SEC may conduct random inspections of companies to ensure that they are complying with the Sarbanes-Oxley Act. Once published, these reports are released for public viewing. The Public Company Accounting Oversight Board (PCAOB) – a special division of the SEC – is designated to oversee the auditors of U.S. public companies.
So how can Active Directory be employed to assist with compliance?
Active Directory offers enterprise-grade assistance in achieving regulatory compliance. Since company officials are held personally accountable for any potential malpractice, they will likely seek to put procedures in place for tracking system changes and permissions. AD enables administrators to determine who has access to what information, and when. However, since Active Directory does not provide a set of reports as such, companies should consider adopting a more sophisticated set of auditing and reporting solutions, such as those provided by Lepide.
Ajit Singh, Marketing Manager for IT auditing, security and compliance vendor, Lepide – www.lepide.com