Board directors need to personally sign off on the company’s financial statements, and are liable if there are any untrue statements. That is why many people have quit boards.
I am looking for information regarding Sarbanes-Oxley destruction of records. How long should records be kept? We are a nonprofit organization and are trying to follow federal guidelines.
I am interested in seeing a sample destruction policy which specifically addresses Sarbanes-Oxley.
I am not interested in having a generic document destruction policy; we already have that in place.
http://www.ncna.org/index.cfm?fuseaction=Page.viewPage&pageId=429#q6
They have a sample there…
That’s a loaded question.
If you are talking about Section 404 of the Sarbanes-Oxley Act, if properly implemented, the Corporation should have the appropriate controls over information security in place. Those controls should be documented and tested.
Use Sarbanes-Oxley (SOX) compliance as an opportunity to solve additional problems, and to upgrade infrastructure to meet other business objectives at the same time.
Generally, a Sarbanes-Oxley compliance effort will start with a focus on processes and procedures, not infrastructure. But you may be able to make a good business case for upgrading infrastructure to support improved controls and reporting.
It should be evaluated following CobiT standards, linked below.
Is there a sister act that covers government accounting?
No, Sarbanes-Oxley is only for corporations with publicly traded shares.
There is no similar statute for government accounting, but there are government standards established by the accounting industry. The Government Accounting Standards Board. Their standards are analogous to GAAP for private companies. See the link below.
What exactly does it do and why?
Go on Wikipedia.
Would a graduate certificate in accounting do? Or do I need a master's in accounting?
To answer your question, either would probably give you what you need… which boils down to a foot in the door, so that you can work at a company that needs to comply with SOX requirements. The best place to learn about this sort of stuff is in the real world, not in a classroom.
A question back at you: why do you want to specifically become a SOX expert? If you focus on this too much, there’s a risk that you’ll become redundant when the regulations change again, which seems to happen every few years. And along these same lines, the latest talk I’ve heard is that people are pushing for relaxation of SOX requirements anyway, as they’re impacting US firms’ ability to compete with European and Asian companies… might be just talk, but you never know…
Can anyone tell me what, if any, requirements there are relative to email and/or disaster recovery and co-location facilities from a Sarbanes-Oxley compliance perspective?
While many public companies have increased the attention they place on having adequate disaster recovery and data-backup plans because of theoretical Sarbox concerns, I don’t believe Sarbox has specific requirements per se on email and disaster recovery.
Sarbox primarily (1) prohibits certain kinds of actions (officer loans, using auditors for non-audit services without pre-approval) and (2) requires more stringent internal controls and procedures (mostly relating to ensuring prevention of fraud in financial statements). Unless your auditors require you to show that there are adequate disaster recovery plans as a condition to certifying you have adequate internal controls and procedures (which I don’t think is the case), I don’t think it bears directly.
There should be a web site that explains it.