SOX for Small and unlisted businesses

While SOX requirements are being pushed down to the small companies listed on stock exchanges, many unlisted companies seem happy with financial "business as usual".

Now if your small and unlisted company has a quality management system with quality objectives of growth, then at some point the management will have “public” decisions to make:

  • raise public funds,
  • become listed on a stock exchange,
  • be acquired by a larger company.

In these public cases, your company's financial records and controls will be scrutinized for accuracy and transparency. This is where the Sarbanes-Oxley (SOX) discipline is required.  

Why not start today with accurate and transparent operational records for the finance and accounting departments to summarize for top management and the board of directors?

Comments

How are "controlled items" identified under SOX?
If the question were posed by a Japanese colleague, where are the guidance provisions for determining "controlled items" under SOX to qualify as a supplier to US firms?

SOX law and regulations don't differentiate between companies with paper processes and records vs. those with automated IT systems. So SOX external financial auditors use both AS2 http://www.sec.gov/rules/pcaob/34-49544.htm and industry best practices to determine the risks involved and test the internal controls for evidence of errors and risks. IT systems containing financial information are within the scope of these SOX audits. When IT system components are acquired from suppliers or IT system functions are outsourced, additional control must be managed. Software acquisition requires initial testing for both functionality and security. Outsourced IT financial functions require on-going oversight. Many companies required their outsourced company to provide evidence of their SAS-70 http://www.sas70.com/faq/faq1.htm audit report at their own expense.
I recommend the article:
But I Only Changed One Line of Code! http://www.stsc.hill.af.mil/crosstalk/2003/01/leishman.html by Theron R. Leishman, Software Technology Support Center/TRW and David A. Cook, Ph.D., Software Technology Support Center/Shim Enterprises, Inc.