IT Governance - North America
Corporate Governance in the US

Corporate Governance in the US is a complex subject, the roots of which go back to the 19th Century.

The one book that provides a clear and straightforward description of the corporate governance regime in the US, from its early days through to the most recent review of SOX, and which is also the most comprehensive introductory text available for this subject, is:
Corporate Governance: A Practical Guide to the Legal Frameworks and International Codes of Practice

Sarbanes Oxley

The Sarbanes-Oxley Act of 2002 (SOX), introduced in the United States of America in the aftermath of Enron, has fundamental governance implications for listed American companies, their foreign subsidiaries and foreign companies that have US listings. It applies to all Securities and Exchange Commission (SEC) registered organizations, irrespective of where their trading activities are geographically based. SOX is different from the UK's Combined Code, and from codes of corporate governance adopted elsewhere in the OECD, in that compliance is mandatory, rather than ‘comply or explain’. This aspect, combined with significant potential sanctions for individual directors, is driving SOX compliance requirements through the supply chain.

While the Act lays down detailed requirements for the governance of organizations, the three highest profile and most critical sections, which were implemented in phases, are 302, 404 and 409.

Sarbanes Oxley Act Sections 302, 404, 409

 
Section 302

Required:
· Quarterly certification of financial reports
· Disclosure of all known control deficiencies
· Disclose acts of fraud

Responsible:
· CEO
· CFO

Section 404

Required:
· Management annually certify internal controls
· Independent accountant must attest report
· Quarterly change reviews

Responsible:
· Management
· Independent auditor

Section 409

Required:
· Monitor operational risks
· Material event reporting
· ‘Real-time’ implications – 4 business days for report to be filed

Responsible:
· Management
· Independent auditor

The SEC, which is responsible for implementation of SOX, has relevant information available at www.sec.gov/spotlight/sarbanes-oxley.htm, and the Sarbanes-Oxley web site itself is at http://www.sarbanes-oxley.com/

Internal controls and audit

Under SOX, management is required to certify the company’s financial reports and both management and an independent accountant are required to certify the organization’s internal controls. In almost every organization, financial reporting depends on the IT infrastructure, whether it is for the rendering of an invoice, the effective operation of an ERP system, or an integrated, organization-wide management information and control system.  Unless appropriate internal controls are built into this infrastructure, management will not be able to make the required certification.

The SEC has mandated US companies to use a recognized internal control framework that has been established by an organization that developed the framework through a due process, including inviting public comment. One widely used framework is known as the COSO framework or, to give it its own title, the ‘Internal Control – Integrated Framework’, which contains the recommendations of the Committee of Sponsoring Organizations of the Treadway Commission (www.coso.org). You can download the small business version of the framework.

The COSO sponsoring organizations included the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants and the American Accounting Association. The PCAOB (Public Company Accounting Oversight Board, at www.pcaobus.org, created under SOX to oversee the activity of the auditors of public companies in the United States) expects the majority of public companies to adopt the COSO framework, and its Auditing Standard No 5, dealing with audit of internal control over financial reporting, assumes that the COSO framework (or one substantially like it) will have been adopted.

IT Governance

While IT governance is an overall response to the requirements of SOX, SOX compliance should not be isolated from other compliance activity. Emerging best practice recognizes that those organizations that build compliance into their processes, rather than bolting it on afterwards, tend to get more cost-effective, business-orientated results from their SOX projects. CobiT is one methodology that meets the PCAOB requirements.

SOX Compliance Resources

Through this site, you can access the most useful SOX resources in the world. We have a wide range of books, guides and toolkits for Sarbanes-Oxley compliance, the most important of which are:

  1. Sarbanes-Oxley and the Board of Directors: Techniques and Best Practices for Corporate Governance
  2. Sarbanes-Oxley Guide for Finance and Information Technology Professionals, 2nd Edition
  3. How to Comply with Sarbanes-Oxley Section 404, Third Edition

CobiT is widely used as part of the SOX compliance strategy.

Training is an essential component of effective compliance - and Sarbanes-Oxley Simplified is a practical elearning course.

Information security is also a fundamental component of a SOX general control environment, and the ISO27001 ISMS Toolkit is the most cost-effective way of implementing this core control - often integrated into a CobiT environment.

 



© 2008 -  IT Governance Ltd. All rights reserved.

