Home > Article > ADP Canada

What is the Sarbanes-Oxley act and how does it affect your business?

Written by : ADP Canada
Given that payroll, HR management and benefits administration generate a large number of transactions and involve large dollar amounts on companies’ financial statements, their administration is considered to be “in scope” under Section 404 of the Sarbanes-Oxley Act (SOX) and CSA Multilateral Instrument 52-1111. Though compliance with existing employment and income tax legislations is already an important administrative burden, compliance with SOX and the CSA’s multilateral instruments is a new element to be factored into the equation. Both the U.S. legislation and Canadian regulations are constantly evolving and repeatedly placing new demands on public companies. Thus, compliance to all these new regulations is a perpetual process that requires ongoing attention.

Historical context

The Sarbanes-Oxley Act (SOX) was introduced in the United States in 2002 to restore investor confidence in the markets and prevent occurrences of corporate fraud in the aftermath of a series of major corporate scandals involving such public companies as Enron, WorldCom and Tyco. Given that 15% of Canadian firms listed on the Toronto Stock Exchange were also listed on a U.S. stock exchange, Canadian regulators had no choice but to adopt similar reforms. However, Canadian regulators adopted a less coercitive approach and adapted the American reform to the Canadian environment.

However, both here in Canada and in the United States, the regulatory reforms are an ongoing process. In Canada, the Canadian Securities Administrators (CSA), after extensive consultations with all provincial and territorial securities commissions and other stakeholders, has introduced a series of national instruments and policies, called multilateral instruments or MI in order to cover most major provisions of SOX.

Applicable rules in Canada

The first set of rules, already in force, requires certification of annual and quarterly reports as well as the adoption of disclosure controls and procedures with regards to financial reporting. The second set of rules, also in force, proposes new standards and an expanded role for the audit committee. The third set of rules (MI 52-1111), of greater interest hereby, relate to internal controls - requiring companies to perform detailed tests of all their internal accounting processes and have their external auditors examine and validate these tests. These regulations will be phased in over a period of four years, starting with the financial years ending on, or after, June 30, 2007.

Businesses are forever striving to reduce and control their operating costs, focus on their core business and competencies, and gain access to external capabilities to handle complex and time-consuming tasks. With the enactment of SOX in 2002 and the CSA’s MI since then, compliance with this new complex and ever changing legislation, has placed an extra burden on public companies who are often ill-equipped to satisfy them. Companies who were already outsourcing certain of their administrative processes such as payroll and HR management are reaping an ancillary benefit in terms of compliance.

Another challenge relies in the fact that no internal systems have been specifically designed to comply with such a complex legislation. Most internal systems contain hidden operating fees, making ownership a much more expensive proposal than imagined. These hidden costs, when added to known ownership costs, often result in resistance to change, thereby increasing the risk of non-compliance.

Disclosure and transparency of financial statements

Both the SOX and the Multilateral Instruments sets standards for acceptable financial behaviour and responsibility for public companies. Both have resulted in significant changes and enhancements to financial reporting, records management, disclosure policies, and other considerations. Both require that you and your auditor test and certify that all “in-scope” processes have sufficient internal controls.

In the case where companies outsource various administrative services, the third party service provider performs most of the tasks for testing and documenting internal controls. When the services outsourced impact on how the company’s financial transactions are captured, recorded, processed or reported in the financial statements, they will need to be audited.

Substantiation is delivered annually in the form of a SAS 70 Type II Report for U.S. listed companies and/or CICA 5970 report for companies listed on Canadian exchanges. These reports are then directly delivered to an outsourcer’s own external auditor. Moreover, it is important to note that the publicly registered company always remains responsible for ensuring effective financial controls. Finally, non-compliance risks decrease when a public company chooses to outsource certain administrative tasks with a third party service provider.

Since the ultimate objective of SOX and MI is to enhance the credibility of public companies in the eyes of shareholders, there should be no compromising on attaining compliance. Furthermore, companies should embrace these new requirements as an opportunity to review, standardize and enhance the effectiveness of their processes and controls. Finally, good governance and sound internal controls and disclosure practices are part of a good corporate reputation that can contribute in attracting investors and increased investments.
Other articles on Columnist finance
Financing to Start a Business 3 Sources of Franchise Financing Productivity Chain…The Rules of Human Productivity