Sarbanes Oxley
Challenges and Solutions,
the Sarbanes-Oxley Act of 2002
With the inception of the Sarbanes-Oxley Act of 2002, many companies as well
as all Registered Public Accounting Firms are now held to a set of stringent
guidelines regarding the storage and management of their financial data.
These rules set guidelines for how data should be stored, accessed, and
retrieved.
Companies using Circadian Force will find that our Remote Backup solution is
fully compliant with Sarbanes-Oxley as well as intelligently reformed in
order to make the necessary audits and record keeping as easy as possible.
Circadian Force has taken
measures to ensure that our product has been tailored to help companies meet
compliancy regulations quickly and easily.
Section
103: Auditing, Quality Control, And Independence Standards And Rules.
Section 104: Inspections of Registered Public Accounting
Firms
Section 105(d): Investigations And Disciplinary
Proceedings; Reporting of Sanctions.
Section 107(d): Censure Of The Board And Other
Sanctions.
Section 203: Audit Partner Rotation.
Section 302: Corporate Responsibility For Financial
Reports.
Section 401(a): Disclosures In Periodic Reports;
Disclosures Required.
Section 404: Management Assessment Of Internal Controls.
Title VIII: Corporate and Criminal Fraud Accountability
Act of 2002.
Section 802: Mandatory Document Retention
Section 1102: Tampering With a Record or Otherwise
Impeding an Official Proceeding
Section 103: Auditing, Quality Control, And Independence Standards And
Rules.
The Board
shall:
(1) register public accounting firms;
(2) establish, or adopt, by rule, "auditing, quality control, ethics,
independence, and other standards relating to the preparation of audit
reports for issuers;"
DataForce
moves the data to a secure off-site datacenter where it safely stored and
readily available for an audit. An auditor can simply log into the software,
extract the necessary files (with the decryption key, of course), and
conduct the audit off-site. They can also use this process to ensure the
necessary files are being produced in a timely manner. This allows for
quality control and remote-auditing.
(3)
conduct inspections of accounting firms;
(4) conduct investigations and disciplinary proceedings, and impose
appropriate sanctions;
(5) perform such other duties or functions as necessary or appropriate;
(6) enforce compliance with the Act, the rules of the Board, professional
standards, and the securities laws relating to the preparation and issuance
of audit reports and the obligations and liabilities of accountants with
respect thereto;
(7) set the budget and manage the operations of the Board and the staff of
the Board.
The Board
must require registered public accounting firms to "prepare, and maintain
for a period of not less than 7 years, audit work papers, and other
information related to any audit report, in sufficient detail to support the
conclusions reached in such report."
DataForce
automates this process to a large degree. As the accountants create their
financials, they can be 'captured' on a daily basis. An audit report can be
generated as to when the reports were created and then the necessary files
can be pulled up for review. The "other information related to any audit
report" will be the time and date that the report was created, the size of
the file, the time stamp on the file, and whether or not it was updated
since its creation. These reports can be sent to the Accountants and/or the
Board on a daily, weekly, monthly, or quarterly basis.
The Board
must adopt an audit standard to implement the internal control review
required by section 404(b). This standard must require the auditor evaluate
whether the internal control structure and procedures include records that
accurately and fairly reflect the transactions of the issuer, provide
reasonable assurance that the transactions are recorded in a manner that
will permit the preparation of financial statements in accordance with GAAP,
and a description of any material weaknesses in the internal controls.
DataForce
captures every single record that is created requiring an audit.
Furthermore, the auditor can review these records remotely, having access
not only to the records themselves but also to the detailed reports that
show when they were created. This allows the auditor to judge whether the
records fairly and accurately reflect the transactions of the issuer and
allow the auditor to determine exactly
how and when the transactions were recorded for GAAP accordance. The entire
process will take place in an automated fashion, allowing the auditor to
easily assess weaknesses in the internal controls and the timing of any
critical operations.
Section 104: Inspections of Registered Public Accounting Firms
Annual
quality reviews (inspections) must be conducted for firms that audit more
than 100 issues, all others must be conducted every 3 years. The SEC and/or
the Board may order a special inspection of any firm at any time.
With
DataForce, all the information required for an audit is readily available at
any time, at the drop of a hat. This drastically reduces the amount of
preparation work traditionally required for an audit. Even if a firm has 10
years worth of financial records that must pass a quality review/inspection,
all those records can be accessed through DataForce within minutes, complete
with an audit trail.
Section 105(d): Investigations And Disciplinary Proceedings; Reporting of
Sanctions.
All
documents and information prepared or received by the Board shall be
"confidential and privileged as an evidentiary matter (and shall not be
subject to civil discovery other legal process) in any proceeding in any
Federal or State court or administrative agency, . . . unless and until
presented in connection with a public proceeding or [otherwise] released" in
connection with a disciplinary action. However, all such documents and
information can be made available to the SEC, the U.S. Attorney General, and
other federal and appropriate state agencies.
Confidentiality and security are keystone features of the DataForce
software. In addition to the extremely powerful 128-bit encryption algorithm
and the SSL secure connection, DataForce can restrict access to audit
information and financials by allowing access only to a specific range of IP
addresses. This allows a firm to hand-select the computers that are allowed
to access their information.
Section 107(d): Censure Of The Board And Other Sanctions.
The SEC
shall have "oversight and enforcement authority over the Board." The SEC
can, by rule or order, give the Board additional responsibilities. The SEC
may require the Board to keep certain records, and it has the power to
inspect the Board itself, in the same manner as it can with regard to SROs
such as the NASD.
If the board
is required to keep current or archived records available, DataForce can do
this automatically. The records can be mirrored between multiple datacenters
and made completely fault-tolerant. Information can be archived for an
indefinite amount of time.
Section 203: Audit Partner Rotation.
The lead
audit or coordinating partner and the reviewing partner must rotate off of
the audit every 5 years.
By having the
DataForce product paving the way for automation and simplified reporting,
this makes a transition simple and painless. i.e., there isn't the need to
spend countless hours bringing a new lead audit or reviewing partner up to
speed every 5 years - DataForce allows them to quickly see what has occurred
in the last 5 years and easily transition into the new environment.
Section 302: Corporate Responsibility For Financial Reports.
The CEO
and CFO of each issuer shall prepare a statement to accompany the audit
report to certify the "appropriateness of the financial statements and
disclosures contained in the periodic report, and that those financial
statements and disclosures fairly present, in all material respects, the
operations and financial condition of the issuer." A violation of this
section must be knowing and intentional to give rise to liability.
DataForce
gives the chief executives visibility as to what is being presented. They
can review the audit reports in advance to become personally familiar with
what information is being shared and how it has evolved from day to day,
month to month. This gives them confidence because all the information is at
their fingertips allowing them to approve financial statements with greater
peace of mind.
Having everything clearly documented in a report is
much more reassuring than relying on the record-keeping abilities of others,
which may or may not be 100% reliable. This mitigates the risks described in
the Sarbanes-Oxley Act for the chief executives.
Section 401(a): Disclosures In Periodic Reports; Disclosures Required.
Each
financial report that is required to be prepared in accordance with GAAP
shall "reflect all material correcting adjustments . . . that have been
identified by a registered accounting firm . . . ."
"Each
annual and quarterly financial report . . . shall disclose all material
off-balance sheet transactions" and "other relationships" with
"unconsolidated entities" that may have a material current or future effect
on the financial condition of the issuer.
The SEC
shall issue rules providing that pro forma financial information must be
presented so as not to "contain an untrue statement" or omit to state a
material fact necessary in order to make the pro forma financial information
not misleading.
DataForce
captures every change that is made to financial records and stores those
files as evolving 'versions' of the same document. Therefore, any
adjustments that are made to financial reports are captured by the DataForce
software and an audit report is generated stating that the file was changed.
It therefore becomes impossible for information to be 'hidden' in this
record, as the full history of that record is stored by DataForce. At any
given time, an auditor can pull up a financial report and view current or
historical data, even if the information was created a month ago, a year
ago, or 5 years ago. The auditor has the entire history of that document
available to him/her, complete with a report showing what dates that
document was altered.
Section 404: Management Assessment Of Internal Controls.
Requires
each annual report of an issuer to contain an "internal control report",
which shall:
(1) state
the responsibility of management for establishing and maintaining an
adequate internal control structure and procedures for financial reporting;
and
The internal
control structure can be handled almost entirely by DataForce, as DataForce
will fully capture evolving versions of the financial records as they are
created and updated. Furthermore, it will automatically create detailed
reports showing when the file was updated and/or changed for someone
requiring a high level overview on the history of the records. As for the
internal control structure itself, Circadian Force can create supporting
artifacts documenting the process used and technologies in place for this
strategy.
The reports
generated by DataForce can be used as an "internal control report"
documenting exactly what transpired over the course of the year. This is a
fully automated process and the reports can be manually generated at any
time.
(2)
contain an assessment, as of the end of the issuer's fiscal year, of the
effectiveness of the internal control structure and procedures of the issuer
for financial reporting.
DataForce
provides all the background reporting information to make this assessment
and determination. It automates much of the internal control report and
reduces the man-hours required for the creation of an annual assessment. In
the end, DataForce provides a solution for much of the effort Sarbanes-Oxley
requires a company to exert, which:
a) Reduces the time it takes a firm to prepare for an audit;
b) Automates much of the reporting process;
c) Establishes an internal process for financial reporting;
d) Increases the security of financial records;
e) Increases the availability of financial records;
f) Keeps as many versions of the document available as are created,
meaning the financial records will always be available - even 5 years down
the road when an audit is required on outdated financials.
Title
VIII: Corporate and Criminal Fraud Accountability Act of 2002.
It is a
felony to "knowingly" destroy or create documents to "impede, obstruct or
influence" any existing or contemplated federal investigation.
DataForce
prevents any one party from destroying records vital to the
company's well-being. A common user cannot destroy the
records, as they are stored in an off-site datacenter cluster array. Only an
Administrator that has been granted specific rights to the datacenter can
permanently delete a record.
Section 802: Mandatory Document Retention
Directs
accountants to maintain certain corporate audit records or to review work
papers for a period of five years from the end of the fiscal period during
which the audit or review was concluded. It also directs the Securities and
Exchange Commission (SEC) to promulgate, within 180 days, any necessary
rules and regulations relating to the retention of relevant records from an
audit or review. This section makes it unlawful knowingly and willfully to
violate these new provisions -- including any rules and regulations
promulgated by the SEC -- and imposes fines, a maximum term of 10 years'
imprisonment or both. Auditors are required to maintain "all audit or review
work papers" for five years.
DataForce not
only stores audit and review work papers for an indefinite amount of time,
but it also stores every version
of those papers.
Section 802: Document Alteration or destruction
and
Section 1102: Tampering With a Record or Otherwise Impeding an Official
Proceeding
Makes it
a crime for any person to corruptly alter, destroy, mutilate, or conceal any
document with the intent to impair the object's integrity or availability
for use in an official proceeding or to otherwise obstruct, influence or
impede any official proceeding is liable for up to 20 years in prison and a
fine.
If any attempts are made to alter, destroy, mutilate, or conceal
documents protected by DataForce, an audit report will be generated stating
when such actions took place and (in some cases) the party responsible
for such actions can be easily determined. Furthermore, even if the
integrity of a document is impaired, DataForce has earlier versions of that
same document readily available for restoration at any time.
|
