A high enough penalty for failure means you should be able to get the attention of management if you believe your department is at risk. Even if you don’t own company stock, you should care if your department is at risk because:
- A failed audit could lead to layoffs.
- Recognizing a potential failure point and correcting it can improve your image, marking you as business-savvy.
- The way to avoid a failure might be to implement a productivity tool you’ve long wanted but couldn’t justify.
What is your argument if you believe you’re at risk, but you’ve already been audited and your department wasn’t cited? Passing one audit doesn’t mean your department won’t be cited next year. Auditing guidelines for evaluating database compliance came out so late in 2004 that many firms gave databases little attention during the last auditing cycle. Now that expected controls for databases have been established, you can expect more attention in the next cycle.
The Impact of SOX
SOX affects many areas of your company. Your board of directors, for example, is required to serve in a stronger checks-and-balances position, offsetting the power held by the corporate CEO and CFO. The board is required to include a minimum number of independent directors, and board members (instead of executives) are now required to take responsibility for engaging auditors. A board committee is charged with providing oversight of the company’s internal control system, and all board members face greater personal responsibilities and liabilities.
The CEO and CFO are also affected:
- They can’t control the company’s outside auditors or the reports they produce.
- The CEO and CFO must personally attest to the accuracy of the data in corporate financial reports and to the adequacy of the company’s internal controls over financial reporting. Such controls must protect financial processes and also the IT systems and processes that feed them.