Social Networks and Sox Compliance

This is the eighth in a series of postings on Social Networks and Networking.

A posting on new technological elements that challenge SOX compliance.

The following are made up statements:

  • Tweet – “The entire marketing department has just been laid off. Things are really bad.”
  • Blog – “Our new product, which will be announced in October, has 3 features that the competition won’t have for a year.”
  • Facebook – “Am at the trade show where we just closed a $2.0M deal, our biggest ever.”

A Sarbanes-Oxley (SOX) audit examines the controls on those elements that can cause a material misstatement in a financial report, such as those found in the areas of revenue recognition, transactions, inventory valuation, etc. However, today few companies and auditors are examining the impact of social networks and networking on the risks a company faces or on the potential for financial misstatements.

Since the Sarbanes-Oxley Act (SOX) became effective in 2002, two changes have occurred that influence the way SOX audits are, or should be, conducted. The first is the rapid growth of social networks and Internet information tools, e.g. Twitter, Facebook, LinkedIn, blogging, etc. The second is a modification to SOX, which directs companies and their auditors to take a high-level, risk-based approach to compliance (404 Top Down Risk Assessment).

SOX provides investors assurance that large public companies have implemented adequate controls over their financial reporting, thereby reducing the potential for fraud. Company management signs off on these controls, and an independent third-party public auditing firm then renders an opinion or attestation on management’s statement (see Section 404). Another section of SOX requires companies to have a corporate code of ethics. This area of SOX is termed “Tone At The Top,” and is a reflection of management’s view of risks.

One significant case in 2007, relating to blogging, involved the CEO of Whole Foods Market Inc., who anonymously attacked Wild Oats, raising questions as to why anyone would buy Wild Oats’ stock, just before Whole Foods announced an offer to buy them. Whether this blogging was a scheme to drive the price of Wild Oats stock down, and whether it played a role in the protracted FTC suit against Whole Foods, is unknown, but I am sure that the entire episode was “material” to Whole Foods’ financials over the past two years.

Given the growth and usage of social networking tools, the number and frequency of “mistakes” will grow. Whether the made-up examples above are a violation of a company’s “Tone At The Top,” or could lead to material misstatements, is up to management, their auditors and ultimately the courts. However, the interpretation of posted information seems to place social networking squarely in the risk-based approach to compliance, as well as making it a reflection of management’s Tone At The Top.

As a SOX auditor, I would be looking for three things relating to social networks from a company in 2009.

  1. An updated (2009) policy concerning social networking that details what is allowed and what is disallowed, emphasizes the employee’s code of conduct, and details the penalties for violations.
  2. An updated (2009) report on social networking training for new hires and all employees.
  3. A monitoring system for social networks (Tweets, blogs, Facebook, LinkedIn, etc.) that is reviewed daily.

These controls will not stop employees from inappropriately using social networks, nor eliminate the possibility that financial misstatements may result. However, they reflect an appreciation by management of the changing environment (Tone At The Top) and can alert management to a situation early enough that corrective actions can be quickly taken.

As the CMO, have you worked with IT to develop policies and training about social networks?  Would your company “pass” a SOX audit if I were the auditor?

RHM  8/18/2009
