The Sarbanes-Oxley Legislation
The Sarbanes-Oxley Legislation, named after its creators, Paul Sarbanes and Michael Oxley, is a landmark act that came into effect in the year 2002 after big financial scandals destroyed investor confidence in large corporations. Big names like Enron, WorldCom and Tyco had come crashing down, shaking public confidence in the veracity of vital information provided to stakeholders. It came as a measure to protect shareholders and investors from accounting errors and fraudulent practices that an enterprise could potentially carry out.
The act, also known as SOX in popular jargon, was mainly targeted at plugging the gaps in dated processes of auditing, accounting and management of financial information, in a way that ensured that disclosures were authentic and accurate and that the interests of shareholders and investors were safeguarded. SOX is administered by the Securities and Exchange Commission (SEC). Leaving no room for ambiguity, the act's mandate is obvious: "To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes." The act provides for many safeguard measures, such as establishing a Public Company Accounting Oversight Board (PCAOB), auditor independence, corporate responsibility and accurate financial disclosure.
Impact on HR
The implementation of SOX has completely rewritten the rules as far as the conduct of business is concerned. It not only affects the way finance departments in organizations function, but has also brought lasting changes to HR processes and systems. An HR department manages a huge chunk of the organization's finances by way of the functions that fall within its purview: payrolls, salary, bonus, employee training, stock options etc.
The two main components of SOX that are especially meaningful in the context of HR need to be noted first:
- Section 302: This section makes the CEOs and the CFOs certify the financial reports of the organization, holding them accountable for accuracy. It requires that periodic statutory financial reports include certifications that the reports have been reviewed by the signing authorities and that they do not contain any material untrue statements or material omissions and cannot be considered misleading. It holds the signing officers responsible for internal controls. It prohibits organizations from using any means to avoid these requirements, either by reincorporating their activities or by transferring their activities outside of the United States.
- Section 404: Issuers are required to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting. This statement shall also assess the effectiveness of such internal controls and procedures. The registered accounting firm shall, in the same report, attest to and report on the assessment of the effectiveness of the internal control structure and procedures for financial reporting.
Ensuring SOX Compliance
The requirements of SOX are not a one-time affair but a continuing one. Achieving compliance requires HR to re-look at processes, determine where the risks could be, deploy reliable controls and check again whether the controls are effective. Implementing compliance is an expensive proposition. It requires efficient as well as effective ways that work out in the long run. Many organizations cannot afford to take it up by themselves and are instead engaging the services of BPOs that provide them with standardized, documented processes.
However, outsourcing does not absolve an organization of responsibility. It will still rest with the organization to check the performance of the service provider and weigh the controls and standards that will be in place for compliance. It is always beneficial to outsource to a SAS70 leveraged BPO. Experts suggest some key measures to ensure SOX compliance:
- Make the processes risk free to the maximum possible extent
- Automate and restructure for increased efficiency
- Build sustainable and integrated HRIS across the business
- Outsource to a SAS70 leveraged BPO (meaning that the organization went through a very in-depth audit of its different controls: control objectives and control activities)
Although the HR department is impacted in a huge way, it has the advantage of turning this legislation into a ticket for a more proactive role, to share talking space at the big table. HR has the potential of driving a managing culture from the very start by setting in motion hiring practices that incorporate strict verification checks and security clearances. Apart from this, open communication with the employees about policies and processes, and embedding a culture of accountability into employee training, will further help achieve compliance.