Sarbanes-Oxley Act

The Sarbanes-Oxley Act of 2002, also known as Sarbox or SOX, is a U.S. federal law. It is the result of the Public Company Accounting Reform and Investor Protection Act and the Corporate Accountability and Responsibility Act. SOX dramatically changed how public companies do business.

The bill stems from the fraud and accounting debacles at companies such as Enron and WorldCom. Former President Bush characterized the act “as the most far reaching reforms of American business practices since the time of Franklin Delano Roosevelt.” The act’s primary purpose was to restore public confidence in the financial reporting of publicly traded companies. As a result, the act mandated many reforms to enhance corporate responsibility, enhance financial disclosures, and prevent fraud. SOX consists of the following 11 titles:

  • Title I, Public Company Accounting Oversight Board—This title establishes the Public Company Accounting Oversight Board (PCAOB). The PCAOB has several responsibilities, including overseeing public accounting firms, defining the process for compliance audits, and enforcing SOX compliance.

  • Title II, Auditor Independence—This title establishes the conditions of services an auditor can perform while remaining independent. For example, a public accounting firm that performs external auditing services cannot provide financial information systems design or internal audit outsourcing services.

  • Title III, Corporate Responsibility—This title requires the formation of audit committees. It also establishes the interactions between the committee and external auditors. Perhaps one of the more notable mandates of SOX is contained in Section 302, which requires the chief executive officer and the chief financial officer to take individual responsibility in certifying and approving the integrity of the company’s financial reports.

  • Title IV, Enhanced Financial Disclosures—This title addresses the accuracy and features of financial disclosures. For example, this title specifically addresses and prevents what Enron did, such as selling liabilities on its balance sheet as assets to special purpose entities. This title also contains the controversial Section 404, which requires companies to report the adequacy of their internal controls.

  • Title V, Analyst Conflicts of Interest—This title fosters public confidence in securities research and defines codes of conduct between firms.

  • Title VI, Commission Resources and Authority—This title provides greater authority to the SEC to fault or bar a securities professional from practice. This title also addresses the prevention of fraud schemes involving low-volume, low-price stocks.

  • Title VII, Studies and Reports—This title requires the comptroller general and the SEC to conduct studies and report their findings. Examples include studying the effects of the consolidation of public accounting firms as well as studying previous corporate fraud and accounting scandals.

  • Title VIII, Corporate and Criminal Fraud Accountability—This title provides the ramifications for corporate fraud and addresses the destruction of corporate audit records. This is a direct response to the auditing firm, Arthur Andersen, which shredded documents.

  • Title IX, White Collar Crime Penalty Enhancement—This title reviews the rules and penalties regarding white-collar criminal offenses.

  • Title X, Corporate Tax Returns—This title simply states that the CEO should sign the company tax return.

  • Title XI, Corporate Fraud Accountability—Also known as the Corporate Fraud Accountability Act of 2002, this title provides additional guidelines regarding the consequences of corporate fraud. It also provides the SEC with the authority to freeze the funds of companies suspected of violating laws.

SOX is quite large and contains many reforms to rally public confidence. It also improves corporate accountability and helps to avoid corporate fraud and dishonesty. Two sections receive much of the attention, especially from IT. The first is Section 302, “Corporate Responsibility for Financial Reports.” The second is Section 404, “Management Assessment of Internal Controls.” These two sections place vast constraints on IT security. Although neither section mentions IT or IT security, financial accounting systems rely heavily on IT infrastructure. Thus, SOX has strongly driven the subject of IT security into the boardroom.

Section 302 requires the CEO and CFO to personally certify the truthfulness and accuracy of financial reports. They establish and maintain internal controls. Then, they must assess and report on the internal controls around financial reporting every quarter. Section 404 goes a step further. Section 404 requires the company to provide proof. Again, management must assess the effectiveness of their internal controls, which a public accounting firm must audit and attest to. They then publish this information in the company’s annual report.

SOX is lengthy and is specific in many areas—for example, criminal penalties for noncompliance. Still, it is very high level and leaves a lot of room for interpretation, especially concerning IT controls. SOX does not directly address IT control requirements. As a result, you need to become familiar with a couple of publications. These include the auditing standards created by the PCAOB and the SEC’s release on management guidance, 17 CFR Part 241. In this codification, the SEC issued further interpretation and guidance regarding Section 404. It provides “an approach by which management can conduct a top-down, risk-based evaluation of internal control over financial reporting.” The PCAOB also created a formal process to further define the criteria within Section 404. This process became Auditing Standard No. 2. That standard has since been superseded by Auditing Standard No. 5, “An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements.” Some notable changes that provide greater clarity and a more prescriptive approach include the following four areas:

  • Aligning Auditing Standard No. 5 with the SEC’s management guidance, mostly with regard to prescriptive requirements and definitions

  • Adjusting the audit to account for the particular circumstances regarding the different sizes and complexities of companies

  • Encouraging auditors to use professional judgment, particularly in using a risk-assessment methodology

  • Following a principles-based approach to determining when and to what extent the auditor can use the work of others to obtain evidence about the design and effectiveness of the control

The standard also states that the auditor should use the “same suitable, recognized control framework” as the management of the company they are auditing. Furthermore, it even goes as far as to suggest a suitable framework. That framework is the one published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.
