Sarbanes-oxley Act Website Links For
Act 		 

Information About

Sarbanes-oxley Act
  CATEGORIES ABOUT SARBANES-OXLEY ACT
   
2002 in law
   
auditing
   
corporate governance
   
corporations law
   
united states federal financial legislation
   
united states securities law
   
united states federal securities legislation
   
APPAREL
BABY
BEAUTY
BOOKS
CAR TOYS
CELL PHONES
DVD'S
ELECTRONICS
GOURMET FOOD
GROCERIES
HEALTH & PERSONAL
HOME & GARDEN
JEWELRY
MUSIC
MUSIC INSTRUMENTS
OFFICE PRODUCTS
SOFTWARE
SPORTING GOODS
TOOLS & HARDWARE
TOYS
VIDEO GAMES
SHOPPING HOME
MORE SHOPPING...



The Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat. 745 (July 30, 2002), is a United States Federal Law also known as the '''Public Company Accounting Reform and Investor Protection Act of 2002''' (and commonly called '''SOX''' or '''SarbOx''').

The Act covers issues such as establishing a Public Company Accounting Oversight Board , Auditor independence, Corporate Responsibility and enhanced financial disclosure. It was designed to review the dated legislative Audit requirements, and is considered one of the most significant changes to United States Securities Law s since the New Deal in the 1930 s. The Act gives additional powers and responsibilities to the U.S. Securities And Exchange Commission .

The Act came in the wake of a series of Corporate Financial Scandals , including those affecting Enron , Tyco International , and WorldCom (now MCI ). Named after sponsors Senator Paul Sarbanes ( DMd. ) and Representative Michael G. Oxley ( ROh. ), the Act was approved by the House by a vote of 423-3 and by the Senate 97-0.


HISTORY


The House passed Representative Oxley 's bill (H.R. 3763) on April 25, 2002, by a vote of 334 to 90. The House then referred the "Corporate and Auditing Accountability, Responsibility, and Transparency Act" or "CAARTA" to the Senate Banking Committee with the support of President Bush and the SEC . At the time, however, the Chairman of that Committee, Senator Paul Sarbanes (D-MD), was preparing his own proposal: Senate Bill 2673.

Senator Sarbanes’s bill passed the Senate Banking Committee on June 18, 2002, by a vote of seventeen to four. On June 25, 2002, WorldCom revealed that it had overstated its earnings by more than $3.8 billion during the past five Quarters , primarily by improperly accounting for its operating costs. Senator Sarbanes introduced Senate Bill 2673 to the full Senate that very same day and it passed 79 to 0 less than three weeks later on July 15, 2002.

The House and the Senate formed a Conference Committee to reconcile the differences between Senator Sarbanes's bill (S. 2673) and Representative Oxley's bill (H.R. 3763). The conference committee relied heavily on Senate Bill 2673 and “most changes made by the conference committee strengthened the prescriptions of S. 2673 or added new prescriptions.” (John T. Bostelman, The Sarbanes-Oxley Deskbook § 2-31.)

The Committee approved the final conference bill on July 24, 2002 and gave it the name "the Sarbanes-Oxley Act of 2002." The next day, both houses of ." ("Elisabeth Bumiller, Bush Signs Bill Aimed at Fraud in Corporations", '' The New York Times '', July 31, 2002, page A1.)


PROVISIONS

The Sarbanes-Oxley Act's major provisions include:

  • Certification of Financial Reports by Chief Executive Officer s and Chief Financial Officer s

  • Ban on personal loans to any Executive Officer and Director

  • Accelerated reporting of Trades By Insiders

  • Prohibition on insider trades during Pension Fund blackout periods

  • Public reporting of CEO and CFO Compensation and Profit s

  • Additional disclosure

  • Auditor independence, including outright bans on certain types of work and pre-certification by the company's Audit Committee of all other non-audit work

  • Criminal and civil penalties for violations of Securities Law

  • Significantly longer jail sentences and larger fines for corporate executives who knowingly and willfully misstate Financial Statements .

  • Prohibition on audit firms providing extra "value-added" services to their clients including Actuarial Services , legal and extra services (such as consulting) unrelated to their audit work.

  • A requirement that publicly traded companies furnish independent annual audit reports on the existence and condition (i.e., reliability) of internal controls as they relate to financial reporting.



OVERVIEW OF THE PCAOB 'S REQUIREMENTS

(Source: KPMG report)

' Audit ing Standard No. 2' of the Public Company Accounting Oversight Board (PCAOB) has the following key requirements:
  • The design of controls relevant assertions related to all significant accounts and disclosures in the Financial Statements

  • Information about how significant transactions are initiated, authorized, supported, processed, and reported

  • Enough information about the flow of transactions to identify where material misstatements due to Error or Fraud could occur

  • Controls designed to prevent or detect fraud, including who performs the controls and the regulated Segregation Of Duties

  • Controls over the period-end Financial reporting process

  • Controls over safeguarding of Asset s

  • The results of Management 's testing and evaluation



INTERNAL CONTROLS

Under Sarbanes-Oxley, two separate certification sections came into effect – one civil and the other criminal. ''See'' (Section 302) (civil provision); (Section 906) (criminal provision).

Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are “responsible for establishing and maintaining internal controls” and “have designed such internal controls to ensure that material information relating to the Company and its Consolidated Subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared.” . The officers must “have evaluated the effectiveness of the Company ’s internal controls as of a date within 90 days prior to the report” and “have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.” ''Id.''

Moreover, under Section 404 of the Act, management is required to produce an “internal control report” as part of each annual Exchange Act report. ''See'' . The report must affirm “the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.” . The report must also “contain an assessment, as of the end of the most recent fiscal year of the Company , of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.” Id. Finally, under both Section 302 and Section 404, Congress directed the SEC to promulgate regulations enforcing these provisions. (See Final Rule: Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, Release No. 33-8238 (June 5,2003), available at http://www.sec.gov/rules/final/33-8238.htm.)

"SOX 404 Compliance" has had serious effects on those found to have material weaknesses in internal control. Under the Act companies must, for the first time, provide attestation of internal control assessment. This presents new challenges to businesses, specifically, documentation of control procedures related to Information Technology .

Additionally, PCAOB has issued guidelines on how management should render their opinion. The main point of these guidelines is that management should use an internal control framework such as COSO (which describes how to assess the control environment, determine control objectives, perform risk assesments, and identify controls and monitor compliance). Companies have almost uniformly elected COSO as the standard when choosing an internal control framework.


Information technology and SOX 404

The PCAOB suggests considering the COSO framework in management/auditor assessment of controls. Auditors have also looked to the IT Governance Institute's " COBIT : Control Objectives of Information and Related Technology" for more appropriate standards of measure. This framework focuses on IT processes while keeping in mind the big picture of COSO's "control activities" and "information and communication". However, certain aspects of COBIT are outside the boundaries of Sarbanes-Oxley regulation.


IT controls, IT audit, and SOX

In today's business environment, the financial reporting processes of most organizations are driven by Information Technology (IT) systems. Few companies manage their data manually and most companies have moved to electronic management of data, documents, and key operational processes. Therefore, it is apparent that IT plays a vital role in internal control. As PCAOB 's "Auditing Standard 2" states:

"The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting."


Chief information officers are responsible for the Security , accuracy and the reliability of the systems that manage and report the financial data. Systems such as ERP ( Enterprise Resource Planning ) are deeply integrated in the initiating, authorizing, processing, and reporting of financial data. As such, they are inextricably linked to the overall financial reporting process and need to be assessed, along with other important process for compliance with Sarbanes-Oxley Act. So, although the Act signals a fundamental change in business operations and financial reporting, and places responsibility in corporate financial reporting on the chief executive officer (CEO) and chief financial officer (CFO), the chief information officer (CIO) plays a significant role in the signoff of financial statements.

For a detailed discussion on the impact of SOX on IT audit and controls, see Information Technology Controls .


COST OF IMPLEMENTATION

There is some debate over the specific requirements of the Sarbanes-Oxley act, as written. The business community has generally acknowledged that, as John Thain , CEO of the New York Stock Exchange states, "There is no question that, broadly speaking, Sarbanes-Oxley was necessary" {Link without Title} . However, the cost of implementing the new requirements has led some to question how effective or necessary the specific provisions of the law truly are.

One key area of cost is the updating of information systems to comply with the control and reporting requirements. Systems which provide document management, access to financial data, or long-term storage of information must now provide auditing capabilities. In most cases this requires significant changes, or even complete replacement, of existing systems which were designed without the needed level of auditing details.

Costs associated with SOX 404 compliance have proven to be higher than first anticipated. According to the Financial Executives International (FEI), in a survey of 217 companies with average revenue above $5 billion, the cost of compliance was an average of $4.36 million. The survey also indicated actual costs of to be approximately 39% higher than companies expected to spend. The high cost of compliance throughout the first year can be attributed to the sharp increase in hours charged per audit engagement. However, non-compliance comes with an even higher cost in terms of stiffer penalties and jail sentences.

Year One Resources Spent on Section 404 Compliance

''Roundtable Survey, December 2004, by Revenue''



CASE STUDIES

Case Studies of Companies with Sarbanes Oxley Certification Delays, Material Weaknesses, Etc. Caused By Information Technology Issues:

  • Cray Inc. - numerous material weaknesses in internal control over financial reporting, specifically, inadequate review of third-party contracts and lack of software application controls and documentation



THE FUTURE OF SOX 404 COMPLIANCE

In a recent article by the accounting and consulting firm of Deloitte Touche Tohmatsu entitled "Under Control", the need for "sustainable compliance" is encouraged. The article suggests leveraging lessons learned to immediately transition into a long-term strategy. The following areas are described as impedances to the process:

  • # "Project mindset: … many companies understandably treated section 404 compliance as a discrete project with a clearly defined ending point."

  • # "Overextension of internal audit: If management continues to utilize internal audit for intensive 404 and 302 compliance-related work, then a significant infusion of resources (i.e., budget and headcount) to accommodate the additional workload will be needed."

  • # "Poorly defined roles: Internal control-related roles and responsibilities, often poorly defined and segregated from the day-to-day routine of employees during the first year, will require greater clarity and integration going forward"

  • # "Improvisational approach: Another symptom of deadline pressure showed up in the jerrybuilt practices that carried many companies through the first year."

  • # "Underestimation of technology impacts and implications: …IT is recognized as critical for achieving the goals of the Act, and the impact and implications of technology are widely regarded as significant and pervasive. In many year-one projects, organizations focused heavily on business processes and did not consider the broader role that IT plays in managing financial information and enabling controls… IT will make a huge impact on compliance going forward. At a minimum, technology investments will be necessary to support sustainable compliance in several areas, including repository, work flow, and audit trail functionality. Technology will also be used to enable the integration of financial and internal control monitoring and reporting — a critical requirement at most large and complex enterprises."

  • # "Ignored risks: Effective internal control is predicated on risk… the controls themselves — exist expressly for the purpose of minimizing the risk of financial reporting errors… In year one, risk assessment was treated as an afterthought — if addressed at all."


The future of SOX 404 will depend on the ability of businesses to respond to the areas noted above by making it a part of every-day business. Deloitte has developed the "Sustained Compliance Solution Framework". Key areas of the framework are also taken from "Under Control":
  • Effective and efficient processes for evaluating testing, remediating, monitoring, and reporting on controls

  • Integrated financial and internal control processes

  • Technology to enable compliance

  • Clearly articulated roles and responsibilities and assigned accountability

  • Education and training to reinforce the "control environment"

  • Adaptability and flexibility to respond to organizational and regulatory change.



LEGISLATIVE INFORMATION

  • House : 107 H.R. 3763, H. Rept. 107-414, H. Rept. 107-610

  • Senate : 107 S. 2673, S. Rept. 107-205

  • Law: Pub. L. 107-204, 116 Stat. 745.



LAW REVIEW COMMENTARIES


Carl Oxholm III, Sarbanes-Oxley in Higher Education: Bringing Corporate America’s “Best Practices” to Academia, 31 J.C. & U.L. 351 (2005).

"Sarbanes-Oxley §§ 302 & 906: Corporate reform or legislative redundancy? A critical look at the 'new' corporate responsibility for financial reports" by Luke Alverson, 33 Sec. Reg. L.J. 15 (2005)

"Company Liability After the Act Sarbanes-Oxley," by Peri Nielsen & Claudia Main, 18 No. 10 Insights 2 (Oct. 2004)

"Enron--The bankruptcy heard around the world and the international ricochet of Sarbanes-Oxley," by John Paul Lucci, 67 Alb. L. Rev. 211 (2003)

"A Pox on Both Your Houses: Enron, Sarbanes-Oxley and the Debate Concerning the Relative Efficacy of Mandatory Versus Enabling Rules," by Jonathan R. Macey, 81 Wash. U. L.Q. 329, 333 (2003)

"United States v. Simon and the new certification provisions," by Christian J. Mixter, 76 St.John's L.Rev. 699 (2002)


SEE ALSO



EXTERNAL LINKS



Forum



Articles



Surveys