Sarbanes–Oxley Act (SOX)

---

Sarbanes–Oxley Act (SOX) regulates financial data, operations, and assets for publicly held companies.

• Est. 2002
• established due to incidents of financial fraud (Enron of 2001)
• proposed extensive changes to the Securities Act of 1933 and the Securities Exchange Act of 1934
• The Securities and Exchange Commission (SEC) is responsible for
  • establishing SOX standards and guidelines
  • conducting audits
  • imposing fines

Purpose and Scope

• main goal of SOX was to protect shareholders and investors from financial fraud
• increased corporate disclosure requirements
• created strict penalties for violations of its provisions
• applies to publicly traded companies that must register with the SEC
  • includes international companies that trade stock on U.S. stock exchanges
• does not apply to privately held companies

11 Titles

1. Title 1 — Public Company Accounting Oversight Board
   • established the Public Company Accounting Oversight Board (PCAOB)
   • overseas public accounting firms and independently ensure compliance with SOX for auditing practices
2. Title II — Auditor Independence
   • Forbids auditors from providing some types of non-audit services to their clients
3. Title III — Corporate Responsibility
   • Requires corporations to create audit committees on their board of directors
   • responsible for hiring the corporation’s outside auditors
4. Title IV — Enhanced Financial Disclosures
   • Enhances the amount of information that public companies must provide on their SEC filings
   • requires companies to report on internal controls that affect their financial reports
5. Title V — Analyst Conflicts of Interest
   • Establishes rules to make sure that securities analysts can give independent opinions about a public company’s stock risk
6. Title VI — Commission Resources and Authority
   • Gives the SEC authority to discipline investment firms for unprofessional conduct
   • gives the SEC additional funding to support its programs
7. Title VII — Studies and Reports
   • Requires the SEC to review public accounting firms
     • every 3 years
   • requires the SEC to issue reports about how the securities market operates
8. Title VIII — Corporate and Criminal Fraud Accountability
   • Imposes document retention requirements on companies and auditors
   • protects whistleblowers and bans retaliation against employees who participate in fraud investigations
   • imposes criminal penalties for violating SOX
9. Title IX — White-Collar Crime Penalty Enhancements
   • Requires CEOs and CFOs to certify that the company’s financial reports fairly represent its financial condition
   • creates criminal penalties for signing fraudulent statements
10. Title X — Corporate Tax Returns
    • statement from Congress that strongly suggests that a CEO sign the federal income tax return of a corporation
11. Title XI — Corporate Fraud and Accountability
    • Establishes criminal liability for certain types of fraud committed by corporate officers
    • increases penalties for some types of corporate crime

Requirements

• Places specific requirements on an organization’s electronic record keeping
  • integrity of records
  • retention periods for certain kinds of information
  • methods of storing electronic communications
• Mandates standards in
  • corporate board responsibility
  • auditor independence
  • fraud accountability
  • internal controls assessment
  • enhanced financial disclosures

Public Company Accounting Oversight Board

PCAOB has several duties:

• Register accounting firms that prepare audit reports for public companies
• Establish standards for the preparation of audit reports
• Conduct inspections of registered public accounting firms
• Conduct investigations and disciplinary proceedings against registered public accounting firms
• Perform other duties or functions necessary to carry out SOX
• Enforce SOX compliance
• Set a budget for the PCAOB, and manage its operations

Has 5 Members

• SEC selects these members and appoints them to staggered terms
• 2 CPAs, 3 non-CPAs

Document Retention

• requires auditors and public companies to maintain audit papers for 7 years
• permanently retain the records and documentation that it uses to assess its ICFR (internal controls over financial reporting)
• makes it a crime for a person or company to knowingly and willfully violate its records retention provisions
  • can face fines and serve up to 10 years in prison
• makes it a crime for any person to tamper with or destroy any record in an attempt to interfere with a federal investigation
  • applies to any organization
  • can face fines of up to $10 million and 20 years in prison

Certification

• requires companies to report accurate financial data to protect their investors from harm
• requires its CEO and CFO to certify the company’s SEC filings
  • each must certify that:
    • They have reviewed the report
    • report does not contain untrue or misleading statements about the company
    • financial statements fairly represent the company’s financial condition
    • executive is responsible for creating disclosure controls and procedures that are designed to bring material information about the company to the executive’s attention, and the controls are reviewed 90 days before filing the report
    • executive has disclosed all significant deficiencies in its internal controls to their auditor
    • Whether any significant changes in the internal controls have occurred since they were last evaluated
  • required under Section 302, called disclosure controls
    • processes and procedures that a company puts in place to make sure that it makes timely disclosures to the SEC
    • different from internal controls
      • are the processes and procedures that a company uses to provide reasonable assurance that its financial reports are reliable
• ICFR
  • required under Section 404
  • management must create, document, and test ICFR
  • provide reasonable assurance that:
    • Financial reports, records, and data are accurately maintained
    • Transactions are prepared according to GAAP rules and are properly recorded
    • Unauthorized acquisition or use of data or assets that could affect financial statements will be prevented or detected in a timely manner
  • requires use of evaluation criteria established by recognized experts to review the company’s ICFR
    • Committee of Sponsoring Organizations (COSO) framework
  • must review general IT controls to make sure that IT systems operate properly and consistently
    • if outsourcing IT functions, need a System Organization Control (SOC) report from service

Oversight

• SEC oversees most SOX provisions
• SOX gives the SEC specific duties
  • SEC is required to designate the members of the PCAOB
  • requires the SEC to review a public company’s Form 10-K and Form 10-Q reports at least once every 3 years
• SEC enforces SOX compliance
  • has the power to investigate and sanction public companies

Frameworks for Assessing ICFR

• Control Objectives for Information and Related Technology (COBIT)
• GAIT
• International Organization for Standardization (ISO)
• ISO/IEC Standards
  • 2 standards that work together
  • ISO-IEC 27001
  • ISO-IEC 27002
• National Institute of Standards and Technology (NIST)

Resources

• Sarbanes Oxley Act Summary
• Understanding and Complying With The Sarbanes-Oxley Act
• Sarbanes-Oxley Rulemaking and Reports