After a spate of events where corporate conformity with regulatory policies and with their own internal policies was found to be weak, there have been well publicized requirements for compliance with regulations. Some of these are mandated by the government – Sarbanes Oxley (SOX) and HIPAA are examples, some are by the industry – say the payment card industry (PCI) guidelines, while others could have been specified internally by the company itself.
Do businesses understand what these “internal controls” are? Can they design these internal controls and evaluate their effectiveness to ensure that they do not default on SOX?
The fact is that most businesses – especially the small / medium businesses do not have either the knowledge or expertise to check compliance. SMBs work with small, staff and may not have the IT or legal skills to check if they are fully compliant with say SOX or HIPAA. This complexity adds significant costs as well. It has been estimated that a company with revenues of $75 to $100 million could spend up to 2.55% of revenues just to ensure compliance with SOX
Non-compliance can have serious consequences. There could be litigation, fines, loss of reputation or even loss of license to operate. Businesses need to have a foolproof audit mechanism to find areas where they are not in complete compliance with the law and take timely corrective action.
15 U.S. Code § 7241 – Corporate responsibility for financial reports-
(A) are responsible for establishing and maintaining internal controls;
(B) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;
(C) have evaluated the effectiveness of the issuer’s internal controls as of a date within 90 days prior to the report;