
subject: Key Sections Of The Sarbanes-Oxley Act For IT Hosting Companies


Do you work for or with an IT hosting company? Are you looking for more information about how the Sarbanes-Oxley Act will affect IT hosting? This article will discuss the sections of the Sarbanes-Oxley Act that directly affect IT hosting companies.

Of the 70 pages in the Act, the two sections of Sarbanes-Oxley that directly impact IT hosting companies are sections 302 and 404. Summaries of these sections follow:

SECTION 302

Corporate Responsibility For Financial Reports

- CEOs and CFOs must personally certify that they are responsible for disclosure controls and procedures and that the report is accurate, complete, and fairly presented.

- Quarterly and annual filings must contain a certification that the CEO and CFO have performed an evaluation of the design and effectiveness of the disclosure controls.

- Certifying executives of IT hosting companies must state that they have disclosed to their independent auditor any significant control deficiencies, material weaknesses or acts of fraud, and significant changes in financial reporting internal controls.

SECTION 404

Management Assessment Of Internal Controls

- Companies must perform an annual evaluation of internal controls over financial reporting and a quarterly evaluation of any material change in the company's internal controls over financial reporting that occurred during the fiscal quarter.

- The company's independent auditor must issue an attestation report on management's assessment of the effectiveness of internal controls over financial reporting.

- Annual filings must contain a report of management on their assessment of the effectiveness of internal controls over financial reporting.

Clearly, the use of an IT hosting company doesn't mean that IT compliance is no longer management's concern. In fact, the PCAOB's Auditing Standard No. 2 specifically addresses the service auditor's reports. It states:

In short - you can't blame the IT hosting company.

IT hosting doesn't relieve companies of their responsibility to have accurate, compliant systems. If you can't blame the IT hosting company for passing along errors, then you must ensure they are in compliance as well.

How to Determine if Your Outsourced Services are Subject to SOX Compliance

To help determine if the work you are outsourcing to a service organization is subject to SOX compliance, The American Institute of Certified Public Accountants Professional Standards AU 324, Service Organizations, advises as follows:

A service organization's services are part of a company's information system if they affect any of the following:

- The classes of transactions in the company's operations that are significant to the company's financial statements

- The procedures, both automated and manual, by which the company's transactions are initiated, authorized, recorded, processed, and reported from their occurrence to their inclusion in the financial statements

- The related accounting records, whether electronic or manual, supporting information and specific accounts in the company's financial statements involved in initiating, authorizing, recording, processing, and reporting the company's transactions

- How the company's information system captures other events and conditions that are significant to the financial statements

- The financial reporting process used to prepare the company's financial statements, including significant accounting estimates and disclosures

With so much at stake for businesses, it's easy to see why SOX compliance is a very important aspect when it comes to choosing an IT hosting company.

by: Chuck Vermillion



