Sarbanes-Oxley (SOX) Compliance for HR Departments
Key Takeaways
- Sarbanes-Oxley (SOX) establishes strict requirements for U.S. corporations around the recording and reporting of accurate financial information.
- Many SOX requirements directly impact human resources functions.
- An important part of SOX compliance that’s often overlooked is the involvement of paid time off (PTO) data.
- HR should team up with the finance department to deliver time and cost savings in SOX compliance.
Sarbanes-Oxley (SOX) is a complex law that establishes strict regulatory requirements for U.S. corporations around the recording and reporting of accurate financial information. Human resources play a critical role in their company’s SOX compliance, so it’s important to understand both what the law entails and how it affects HR departments. By working together with finance to implement software that properly tracks PTO liabilities, HR can contribute to ensuring SOX compliance while delivering major cost savings.
What is Sarbanes-Oxley (SOX)?
The Sarbanes-Oxley Act of 2002 is a federal law passed by the U.S. government in response to high-profile financial scandals including Enron and Worldcom. Sarbanes-Oxley (abbreviated as SOX) establishes strong financial oversight for public and private corporations that operate in the U.S. The goal of the act is to rebuild public trust and confidence in auditing and financial reporting.
SOX consists of 11 sections (“titles”) that, among other things, require corporations to implement controls and systems to ensure the accurate recording and reporting of important financial information that can impact investors’ view of the company.
Non-compliance with SOX can lead to criminal penalties, including fines upwards of $5 million and up to 20 years in prison. The CEO and CFO have to sign off on their company’s financial statements and SOX audits, and are held personally responsible and accountable for their contents.
Who Has to Comply with Sarbanes-Oxley?
Sarbanes-Oxley applies to all U.S. publicly-traded companies, as well as publicly-traded foreign companies and wholly-owned subsidiaries that do business in the United States. Accounting firms that do SOX auditing must also comply with SOX.
Non-public companies such as private companies and nonprofits generally don’t have to comply with SOX. But as AuditBoard points out, some provisions of SOX, including their penalties, apply to both private and public companies. A non-public company that knowingly destroys or falsifies financial data, for example, could be liable under SOX. Violations can result in severe penalties, including bankruptcy, fines, and even imprisonment for the executives.
Some private companies and nonprofits choose to get SOX compliant voluntarily, to demonstrate their commitment to good business practices and data security. Companies that are planning to go public soon also often get themselves SOX-compliant ahead of time to help ensure a smooth IPO.
How Does Sarbanes-Oxley Impact HR Departments?
Although direct responsibility for SOX compliance usually falls outside of the human resources department, HR can and should be involved in the process. Seven sections of SOX are especially relevant for human resources departments:
SOX 302 states that a company’s Chief Executive Officer (CEO) and Chief Financial Officer (CFO) are directly responsible for the accuracy and documentation of the financial reports they submit to the Securities and Exchange Commission (SEC). If HR gives inaccurate or false time off records or liabilities to the CFO, even by accident, those errors can expose the CEO and CFO to personal liability.
SOX 303 prohibits anyone at a company from misleading, coercing, manipulating, or influencing the auditors who evaluate the company’s SOX compliance. HR should be very careful when sending data or interacting with SOX auditors: for example, if you know your time off data is unreliable or inaccurate, do not try to hide this fact from the auditors in any way. Similarly, do not conceal, alter, or falsify any records.
SOX 401 requires financial statements to be accurate, both in their contents and in their presentation. Financial statements must not contain incorrect information, and must not be presented in such a way as to hide or mislead away from certain information.
Human resources is often responsible for maintaining records, including time off, PTO liabilities, payroll accounting, and more. Because of this, HR leaders are often responsible for both the contents and the trustworthiness of very important information that a company submits as part of its SOX compliance. HR therefore has a vested interest in ensuring that its records are accurate, reliable, and up to date.
SOX 404 says that annual financial reports have to include an Internal Control Report (ICR). The ICR must include both a statement that management is responsible for “adequate” internal controls, and an assessment by management of the effectiveness of these controls. An independent auditor must then attest to the accuracy of this assessment through an external SOX 404 audit.
Human resources may be involved in the development and maintenance of internal controls, such as controls around the handling of whistleblower complaints, or setting up a time off management system to accurately track PTO liabilities.
SOX 409 is meant to protect investors and the public by encouraging transparency. This section requires Real Time Issuer Disclosures, which means that companies have to disclose to the public “on a rapid and current basis” any material changes in the company’s financial condition or operations. Disclosures must be “in plain English” and can include text or graphic presentations.
HR may have to support SOX 409 disclosures: for example, when a large number of employees accrue a substantial amount of paid time off in a short period of time with no avenue to cash out or convert it, creating a sudden large financial liability that the company may need to disclose.
SOX 806 and SOX 1107 protect employees of publicly-traded companies who provide evidence of fraud (whistleblowers). SOX 806 authorizes the U.S. Department of Labor to protect whistleblowers from retaliation, and authorizes the Department of Justice to criminally charge whoever was responsible for the retaliation. SOX 1107 strengthens these whistleblower protections by setting federal criminal penalties of fines and prison time for retaliation.
When an employee submits a whistleblowing complaint to human resources, the HR department may be partly responsible for ensuring no retaliation occurs against the employee.
Sarbanes-Oxley (SOX) and Paid Time Off (PTO)
An important part of SOX compliance that’s often overlooked is the involvement of paid time off (PTO) data. Companies need to properly track, record, and report on PTO accruals and usage, as well as related financial liabilities and workflows.
Inaccurate or missing PTO data records could hamper a company’s SOX audit and potentially lead to penalties. This is why finance sometimes goes through the onerous process of time off reconciliation: tracking down unexplained absences and reconciling them against recorded PTO accruals and liabilities.
Paid Time Off Is a Financial Liability
Many U.S. states require you to pay out unused earned paid time off when an employee leaves your company. A smaller number of states also prohibit use-it-or-lose-it policies. In these states, PTO that your employees have accrued but haven’t used is a major financial liability on your balance sheet.
A study by Oxford Economics found that, at companies with over 500 employees, the average employee carries over $2,600 in unused paid time off, totaling $1.3 million in financial liability for a company of 500, and going up from there. In total, U.S. companies carry $224 billion in PTO liabilities.
Take note: for their study, Oxford Economics reviewed Form 10-K financial statements filed with the Securities and Exchange Commission (SEC) by 114 public companies. These companies reported the total cash value of accrued paid vacation in their statements, as all companies should.
In some cases, one highly-paid executive could single-handedly account for tens or even hundreds of thousands of dollars’ worth of unused paid time off. If the executive were to be terminated, the company could be on the hook to pay it out.
Because PTO liabilities add up to so much money at large organizations, they must be reported. A company that fails to disclose its PTO liabilities could be found to have misled investors and the public about the state of the company’s finances.
PTO Accrual is a Payroll Accounting Issue
SOX requires you to establish certain controls around your payroll systems. The act also requires companies to account for the financial side of employee benefits, including PTO-related liabilities. These are based on PTO accruals, and where does PTO accrual happen? In your payroll, HRIS, or time off management tool, or all three at once.
First and foremost, HR needs to ensure that these systems are in compliance with SOX requirements around data security. Beyond that, you also need to make sure that PTO accruals are being calculated accurately. SOX 401, for example, requires that financial statements contain correct information. Given that those statements must include PTO liabilities, and PTO liabilities are based on accruals, HR must ensure that PTO accruals are calculated correctly and consistently.
Also note that many states with PTO laws require that companies actively inform employees of their available vacation and sick leave on a regular basis, such as on their pay stubs.
How HR Departments Can Help with Sarbanes-Oxley (SOX) Compliance
Human resources can and should play an integral role in your company’s SOX compliance program. HR is the keeper of sensitive employee information, along with data concerning payroll, accounting, expense management, and paid time off. All of this can materially impact a company’s financials, and thus becomes relevant to a SOX audit.
Employease recommends asking yourself operational questions like:
- Can we easily report on our processes to show workflow and approval?
- Do our HR and benefits systems provide structure to enforce workflows?
- Do our third party service providers integrate to avoid redundant data entry and opportunities for errors?
- Are all integration points with external service providers secure?
We can also add to this list other important questions like:
- How reliable are the PTO balances that we report on employees’ pay stubs?
- To what extent are PTO accrual calculations automated? How many hours per week do we spend checking or fixing errors in PTO balances?
- How much do we trust the PTO liability data we have access to?
- Does our time off management system (HRIS or dedicated tracker) allow for easy analysis and reporting on PTO liabilities?
- How secure are our third party service providers? Are they compliant with important security frameworks like SOC 2, HIPAA, ISO 27001, GDPR, etc.?
Another way to approach SOX compliance from an HR perspective is to follow the Identify, Document, Monitor process.
1. Identify areas where HR systems or processes can impact SOX compliance. This is a great opportunity to work collaboratively with your finance department (CFO or Controller/Comptroller). For example, HR typically runs the HRIS and payroll systems that store employee data. As a result, HR’s security practices can have a material impact on SOX controls related to protecting sensitive information.
Another example is time off management: accrued paid time off is a big financial liability, which must be reported in financial disclosures. HR is responsible for managing time off tracking, and often uses a time off tracker to manage it. More advanced time off management platforms can actually calculate and surface PTO liabilities, which is highly relevant to the CFO’s office.
“[The Sarbox audit process is] an excellent opportunity to review your processes and controls while making sure that the way you think everything is happening is really happening.” — Pat Edwards, Human Resources VP, EOG Resources
2. Document the processes, systems and controls you’ve set up that impact SOX. As an example, make sure you keep good records of the security practices you’ve implemented to protect employee information. This may overlap with your company’s general security policies: for instance, your IT security policies may include procedures and governance of who can access which systems.
Also, write down your process for calculating PTO liability. If you use an automated time off platform that does this for you, make sure the process of running and downloading reports is well documented.
3. Monitor the performance of your processes, systems, and controls on an ongoing basis. Utilize technology (payroll, HRIS, and time off software) to automate as much as possible.
A big advantage of using technology here is that it dramatically improves the reliability of the data and reports that you have to deliver as part of your SOX compliance. A spreadsheet is difficult to keep up to date, and calculating PTO accruals by hand is time-consuming and prone to errors. Platforms like PTO Genius make time off self-service for employees and managers, while delivering accurate, trustworthy data including PTO liabilities and time off records.
Where to Learn More
Of course, the above is just a small sample of all the ways HR departments can help their company save time, headaches, and money on SOX compliance. For more ideas and inspiration, it’s useful to read up on how SOX compliance works.
Many law firms, auditors, and data protection specialists have written on the subject of SOX compliance. Here are some of the resources we found most useful while researching this article:
- This guide by Vice Vicente for AuditBoard, which provides an auditor’s comprehensive perspective on SOX compliance and the audit process
- This blog by Bridget Miller on HR Daily Advisor, which gives a basic overview of HR’s role in getting and staying SOX compliant
- This article by Aidan Simister at Lepide, a data protection company, which takes an IT security view of SOX compliance and audits
- H.R.3763 - Sarbanes-Oxley Act of 2002 at Congress.gov, where you can read the full text of the act