For some people, the Sarbanes-Oxley Act of 2002 represents pain and expense. For others it represents opportunity. For almost everybody, it represents confusion, misunderstanding and uncertainty. This statement goes for CEOs, CIOs, staff, and even the outside auditors. So how does one explain it as straightforwardly and simply as possible? One place to start would be to hand them a copy of Jill Gilbert Welytok's Sarbanes-Oxley for Dummies (2006, John Wiley and Sons, 384 Pages, ISBN 0471768464). While not perfect, the book will provide a quick and dirty overview of SarBox, its history, its historical context, what it requires, and more importantly, what it does not require.
The book starts out with the saga of SarBox. The author covers the political environment, loopholes that existed before the legislation, and how the legislation sought to close them. The author also attempts to debunk myths about SarBox. For this reader, the most important myth is that "internal control means data security". The author states up front and for all to hear that SarBox does not specify any specific data security requirements. This is something all auditors and auditees need to hear and accept.
Chapter 2 covers "SOX in 60 Seconds", or what a sales person might call the "elevator pitch". Essentially this is the who, what, where and why. From here, the author goes into more detail about how SarBox fits into the context of other securities regulations and laws. An important part of this chapter (Chapter 3) is the discussion of why private companies should and do care about the legislation and rules. Chapter 4 covers SarBox and how it ties into specific financial statements such as the income statement and balance sheet. For those unfamiliar with these statements, it is a good quick and dirty overview.
Part II of the book goes into more details about roles and responsibilities under SarBox. This starts out with the auditors, and then the discussion extends to the audit committee, the board of directors, management and employees. The most important point to take home from this section is that in order to play the game, you have to 'know the playbook'. The rules of the game have changed and everyone needs to know the roles and responsibilities.
Part III of the book goes into a detailed overview of controls and audits. An important aspect of this is clearing up confusion about how the definition of controls is distinct in Sections 302 and 404. From here, the author covers what is covered under a 404 audit, how not to live in fear of it, and how it can be leveraged for success.
Part IV of the book, "Software for SOX Techies", is the weakest part of the book for this reader. The author does give some tips about specific tools. However, the tools selected are very narrow in scope. The discussion seems to miss the important point that organizations should look to build a "compliance oriented architecture" as opposed to buying silo-based solutions.
The remaining parts of the book cover the SarBox horizon, the potential legal repercussions (including discussions about who can and cannot file lawsuits and when they can be filed), the impact of SarBox on outsourcing, and more. Finally, the book goes into "rules of tens", such as 10 ways to avoid prosecution, 10 tips for an effective audit committee, and more.
As I said earlier, the book provides a good quick and dirty overview. It falls short in its discussion of software tools. The other thing that I did not like was the inclusion of the full text of the Act as an appendix. No, not the fact that they included it, but the fact that the text was entirely too small to be read. At that point, they should have just left it out.
Who Should Read This Book?
This book should be read by anybody who has an interest in the Sarbanes-Oxley Act of 2002 and its implications but does not want to get into too much detail. There are better titles for CEOs and CFOs who want a detailed discussion. But for the quick and dirty, it is a good first read on the topic.
Par on an average Par 4