SOX for Public Schools? 1794



  • I work for a Public School system in the technology department. I have been told that since we receive Federal dollars, that our district is now required to be SOX compliant. I have also been informed that since our IT department is not directly under the CFO organizational chart, then our department must either have no access to the servers housing the information or our department must merge with the Accounting/Finance division in order to be compliant.
    Can anyone confrim this for me or point me to some documentation that I can read to figure out exactly what we need to do in order to become compliant?
    Thank you



  • There is no Sox basis for your employer’s argument. Many times, employers use Sox as a way of forcing change on their business processes and functions.
    Sox applies to public companies traded on US stock exchanges. I hardly think your school district fits in this category. Good luck straightening this out.
    J



  • I figured as much, but wanted more verification.
    Thank you again.



  • Hi and welcome to the forums 🙂
    Jason is correct in that SOX doesn’t require government agencies to perform SEC filings, testing, etc. You definitely don’t have to adhere to full SOX standards.
    However, I was surprised a few months ago to learn that some government agencies have partially adopted subsets of the SOX standards . I believe most of this is related to SOX 404 IT controls. There might be other related standards to improve their controls and accountability.
    This thread and the related link are noted below:
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1484
    Please add www and paste into browser
    cfoc.gov/documents/Implementation_Guide_for_OMB_Circular_A-123.pdf



  • Although an educational institution is not required to comply with SOX, a similar requirement exists…A-123.
    A previous question was posted and might also be helpful.
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1484-and-highlight=a123
    Milan



  • I guess this must be a reference to the US Government’s OMB Circular A-123, Management Accountability and Control. The idea of a similar SOX compliance for your school might be to tighten controls and bring control. A lot of organizations did adopt SOX though they didnt need to comply primarily to streamline the processes in the organization, and bring more accountability and control.
    Thats a good move by your school. Though in the short term it hurts, theres a lot more work to do, lot of complications, in the long term it will prove to be very useful. The work willbe more streamlined and if the compliance goes well, you can expect more accountability from everyone involved.
    Hari.



  • You folks have led us to another concept still in under deliberation i.e. Control Self Assessment (CSA). This OMB circular allows control self assessment by functions reporting to the CFO. I wish that our Big 4 auditors could have relied to some extent, on control self assessments performed by this self assessment functions. Their world quarters are still researching to deliberate, whether or not to rely on CSA’s perormed a specific self assessment function. We have been trying to convince our external to rely on our CSA.



  • I’d love it if they could. Given that SOX came about in part because of the warm relationship auditors had with their clients would the probablity of such reliance be nil? Imagine the auditors stating that everything was OK because management certified it was.
    Unless you mean CSA augmented with planned independent QA. Our auditor is prepared to place reliance on that type of work though they do reserve the right to undertake additional testing.



  • You can have CSA to support management’s assertion as it stands just now. Of course, external audit cannot place reliance on CSA, but you may still want to do it anyway.%0AWe do 100% CSA supported by 1/3 independent testing (i.e. Internal Audit) with all processes covered over a 3 year cycle.%0AI’m not convinced that external audit ordinarily place that much reliance on independent internal audit anyway.



  • Our auditors do place quite significant reliance on our independent testing (but they do not rely on internal audit…).
    My understanding is that management can rely on CSA but only with independent testing in tow. CSA on its own is insufficient for SOX purposes.



  • Many times, employers use Sox as a way of forcing change on their business processes and functions.
    J
    I firmly agree with this… I have been amazed at how often SOX is used as a stick to beat people with - often on TOTALLY non-financial issues. I think the SOX message has been completely lost.



  • I firmly agree with this… I have been amazed at how often SOX is used as a stick to beat people with - often on TOTALLY non-financial issues. I think the SOX message has been completely lost.
    Yes, we’ve seen some interesting situations, like placing a control on USD.50 pens and other misimplementations that create a negative tone and framework for SOX compliancy 😞 Using SOX compliancy to leverage and control items that are clearly non-SOX related will ultimately cost a company real USDUSDUSD and impact the morale of those doing the work.
    On any endeavor (and esp. something as subjective to interpretation as SOX), it’s impertative to get the right training (e.g., the ‘train the trainer’ approach). This foundational planning and training are a must for optimal and efficient SOX implementations.


Log in to reply