How to Write SOX Control Activities
"SOX control activities" is a term used to describe part of the regulations mandated by the Sarbanes-Oxley Act. Sarbanes-Oxley arose from the accounting abuses of some major corporations. Under the law, corporations are required to bring in outside auditors who have no accounting or other business ties to the company. The auditors write up a plan to help the company's internal auditors stay in legal compliance with SOX regulations. This plan must be agreed to by the CEO and accounting staff. Failure to abide by these regulations can result in fines and/or imprisonment for the executive staff.
Explain to management and key employees the purpose of a Control Activities write-up. Control Activities occur at all levels of a company. They include authorizations, verifications, reconciliations, performance reviews, security of assets and segregation of duties. Internal controls ensure that fraudulent activity or false reporting does not find its way into the financial statements of the company.
Communicate the responsibilities of management in dealing with internal control activities. The CEO is responsible for attesting to the accuracy of the financial statements at the end of the year under penalty of prison if the statements are not accurate. This is Section 404 of the SOX Act and some refer to the process of the audit as the "404." As such, the CEO must have a clear understanding of the plans and goals of the company and be able to track company achievements against the stated goals.
Establish clear guidelines for information processing. One common problem area in keeping accurate financial records is the recording of data. For example, expense records from employees with expense accounts are submitted on paper, to be transferred to computer. The totals from the paper submissions must match the totals entered into the company database. An audit will compare the individual transactions to find inconsistencies or errors. Establish a policy that will ensure accuracy in the transfer of this data from one source to the other.
Consider the assets your company has that are most vulnerable to loss. Cash, inventory, vehicles or machinery are all easily stolen and transferred to someone else. Write clear rules for the handling of money for cashiers and other employees who have access to cash. For cash on hand, take a daily count at the beginning of the day to verify end totals from the night before. Conduct another count at night to verify the current day's totals and provide a framework for verifying total daily sales.
Conduct a monthly inventory count or, in the case of larger stores or businesses, a quarterly count, and implement security measures to prevent employees and customers from walking out with your inventory or assets.
Divide the duties. Include the use of the internal control device known as "segregation of duties" in the write-up. Ensure there is a separation between the person who orders the inventory and the one who counts it. Also establish a separation between the person who writes the checks and the one who signs the checks. Having a number of people involved in this process reduces the opportunity for an individual to steal.
Distinguish the authority level of each member of the company organization. Spell out the authority of each employee and officer of the company. Only executive-level managers should have the authority to commit company resources and handle these types of transactions. Communicate these levels to both the employees and management. For example, have someone in management -- not another employee -- verify a travel expense report. An order for inventory should be completed by a management-level person, while the inventory will be counted by an employee.
Require the keeping and storage of written records, receipts and bills to be used to check against those entered into the computer. The write-up should make the importance of source documentation a priority. An audit will need to use these records to compare totals. If there is no verification of expenses or transactions from a source document, verify the amounts by contacting the vendors that these documents originally came from.
Print a copy of these internal controls policies for the management and employees to read. The policies and directives and all documentation must be managed and maintained. External auditors performing a SOX audit will use these documents to recommend changes in tightening internal control methods.