Congress passed the Public Company Accounting Reform and Investor Protection Act in 2002.13 More commonly known as the Sarbanes-Oxley Act of 2002, it is called SOX or Sarbox in many resources. The Act was named after its sponsors, Senator Paul Sarbanes of Maryland and Representative Michael Oxley of Ohio. It was passed in response to corporate scandals such as Enron, WorldCom, and Adelphia. SOX proposed extensive changes to the Securities Act of 1933 and the Securities Exchange Act of 1934.
SOX moved through both the U.S. House of Representatives and Senate at a quick pace. It was originally introduced in the U.S. House of Representatives in February 2002, just months after the Enron scandal became public. On July 25, 2002, both the House and Senate voted on the final version of SOX. President George W. Bush then signed SOX into law on July 30, 2002. As he signed it, he called SOX “the most far-reaching reforms of American business practices since the time of Franklin Delano Roosevelt.”14
Congress hoped that SOX reforms would prevent another Enron scandal. The main goal of SOX was to protect shareholders and investors from financial fraud. SOX increased corporate disclosure requirements and created strict penalties for violations of its provisions. SOX has 11 different titles. They are:
NOTE
A company uses a prospectus to describe the securities that it offers for sale. The prospectus describes the company’s business plan.
SOX supplements current federal securities laws. It applies to publicly traded companies that must register with the SEC. This includes international companies that trade stock on U.S. stock exchanges. However, SOX does not apply to privately held companies.
NOTE
A small public company is a company with less than $75 million of public stock.
SOX is a very detailed act with many provisions. This chapter focuses on the parts of the act that have had the most impact on information technology (IT) functions. When SOX was first enacted, many companies assumed that it did not have any IT components. Congress did not mention IT anywhere within the act.
This opinion changed as companies began to review their SOX compliance requirements. Many SOX provisions require companies to verify the accuracy of their financial information. Because IT systems hold many types of financial information, companies and auditors quickly realized that these systems were in scope for SOX compliance. That meant that how those systems are used and the controls used to safeguard those systems had to be reviewed.
The relationship between IT and SOX compliance continues to evolve. This section reviews the SOX provisions that have an IT impact. First, this section reviews the PCAOB, which creates standards that auditors must follow when reviewing the activities of public companies. These standards help auditors determine the IT controls that they must review. The creation of the PCAOB is one of the most notable SOX reforms.
Second, this section reviews SOX provisions that impact records management functions. These provisions have an impact on IT operations because of the vast amount of data that is stored electronically. These provisions are important because they affect how IT systems are configured.
Finally, SOX requires the executive management of a company to certify that there are controls in place to protect the accuracy of company information. This is the area where SOX compliance has caused the biggest challenge for companies and IT professionals.
Before the creation of SOX, auditors and accountants belonged to a self-regulating profession. A profession is self-regulating when it creates and enforces its own rules of conduct. Federal and state laws place few oversight requirements on members of self-regulating professions.
An attorney is a common example of a member of a self-regulating profession. Attorneys must meet minimum state law requirements to become licensed. After that, their professional behavior is largely judged by commissions made up of other attorneys who enforce rules of professional conduct. The profession itself determines what these rules of professional conduct should be.
FYI
Information security professionals belong to a largely self-regulating profession. This is especially true when information security professionals obtain certifications that require the certificate holders to follow a code of conduct.
The Enron scandal proved that self-regulation does have some drawbacks. Enron’s accounting firm, Arthur Andersen, provided it with accounting, auditing, and consulting services. Enron was a large Andersen client that paid Andersen $52 million for auditing and consulting services in 2001.15 Even the Powers Report noted that there was a lack of critical advice from its auditors at Arthur Andersen in reviewing Enron’s publicly filed financial statements.16 This may have been because Arthur Andersen was reluctant to challenge such an important client.
Congress created the PCAOB to provide a layer of government oversight on auditing activities. The PCAOB, which oversees the audit of public companies, was created in order to ensure that audit reports for public companies are fair and independent. Under SOX, the PCAOB has several duties.17 It must:
The PCAOB has five members. The SEC selects these members and appoints them to staggered terms. The SEC can remove PCAOB members if needed. PCAOB members are to be “individuals of integrity and reputation who have a demonstrated commitment to the interests of investors and the public.”18 They must be financially literate. This means that they must be able to understand financial statements. Only two members of the PCAOB are allowed to be certified public accountants (CPAs); the remaining three members cannot. Furthermore, members of the PCAOB are not allowed to have any financial interest in an accounting firm. FIGURE 7-1 shows the structure of the PCAOB.
NOTE
You can learn more about the role of the PCAOB by visiting its webpage at http://pcaobus.org.
FYI
The SEC believes that a single set of globally accepted accounting principles will benefit U.S. companies. Therefore, it is evaluating whether it should adopt the International Financial Reporting Standards (IFRS), created by the International Accounting Standards Board. You can learn about IFRS at http://www.ifrs.com/ifrs_faqs.html. The SEC has studied the IFRS extensively and compared them with U.S. accounting principles. Although the SEC has not approved IFRS for use by U.S. public companies, interest in a global framework for financial reporting remains.19
One of the main functions of the PCAOB is to set standards for how auditors review public companies. It has created standards related to auditing, ethics and independence, quality control, and attestation, which must be approved by the SEC. The PCAOB bases many of its standards on GAAP, the principles established by the Financial Accounting Standards Board (FASB). The SEC has recognized GAAP as authoritative and requires financial statements to be prepared in accordance with GAAP.
The PCAOB’s Auditing Standard 2201 provides guidance on how an auditor performs an audit of a company’s internal controls over financial reporting (ICFR). This standard addresses how to audit controls applied to a company’s IT systems and processes where those systems and processes impact the production of the company’s financial reports. The standard specifies a top-down approach that might limit the scope of review of IT systems. The standard also recommends that auditors focus their review on areas of the highest risk. In 2019, the PCAOB reported that auditors need to be aware of cybersecurity incidents at the companies that they audit. This is because the integrity of the data generated by the company’s IT systems could be compromised by a cybersecurity incident. If the data generated or processed by the IT systems is not accurate, then the company’s financial statements could contain errors.20
SOX contains some records retention provisions. It is important to know about them because companies store many of their records electronically; in fact, some studies estimate that 93 percent of all business documents are created and stored electronically.22 Companies must understand how their IT systems work in order to meet SOX retention requirements.
NOTE
At the end of 2019 there were over 7,000 U.S. public companies. The market value of their stock was over $45 trillion.21
SOX requires auditors and public companies to maintain audit papers for 7 years.23 Audit papers are documents used in an audit that support the conclusions made in an audit report. SOX takes a very broad view of the type of records that must be saved. This includes work papers, memoranda, and correspondence. It also includes any other records created, sent, or received in connection with the audit. SOX also includes electronic records.
SOX also requires that a public company retain the records and documentation that it uses to assess its ICFR. These controls are discussed in the next section. Guidance issued by the SEC recognizes that this documentation takes several different forms, as well as electronic data. Companies must permanently retain this information.
Is the PCAOB Constitutional?
The constitutionality of SOX was challenged soon after it was enacted into law in a case called Free Enterprise Fund and Beckstead and Watts v. Public Company Accounting Oversight Board.
The Free Enterprise Fund and Beckstead and Watts LLP filed the case in 2006. The Free Enterprise Fund is a public interest organization, whereas Beckstead and Watts LLP was an accounting firm. The plaintiffs argued that SOX is unconstitutional. In particular, they argued that the PCAOB is unconstitutional because its creation and operation violate the constitutional separation of powers doctrine.
The plaintiffs argued that separation of powers is violated because the PCAOB is an executive branch agency that the president has virtually no control over. Under SOX, the SEC alone has the power to appoint PCAOB members. In addition, PCAOB members can be fired only for cause, and only by the SEC. The president, and even the SEC, has little authority to control PCAOB members once they are appointed.
The plaintiffs argued that it violates the section of the Constitution that gives the president the power to appoint and remove officers of the executive branch. They also argued that under the Constitution, Congress is not permitted to set up a structure that bypasses the president’s authority.
The case was filed in the U.S. District Court for the District of Columbia. The District Court granted summary judgment for the PCAOB and upheld the constitutionality of SOX. In August 2008, the Circuit Court for the D.C. Circuit affirmed the decision of the lower court. The U.S. Supreme Court heard arguments in the case on December 7, 2009, and issued its decision in June 2010.
In its decision, the Court found that the way that the PCAOB is created does indeed violate the separation of powers doctrine. Even though the portion of SOX that creates the PCAOB is unconstitutional, however, the Court said that SOX is still good law. It also said that the PCAOB could continue to function. The Court’s decision means that the SEC can now fire PCAOB members at will (or for any reason at all), instead of just for good cause.
You can view the Supreme Court’s decision on the Free Enterprise case at https://www.supremecourt.gov/opinions/09pdf/08-861.pdf.
In 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act expanded the role of the PCAOB. The Act gave the PCAOB additional oversight of the audits of brokers and dealers. It also gave the PCAOB the power to conduct inspections, bring enforcement action, and set standards.24
FYI
Many federal and state laws contain records retention requirements. SOX is another law to add to that list. Organizations should develop document retention policies to help them track their different obligations.
The penalties for failing to retain records for the right amount of time can be severe. SOX makes it a crime for a person or company to knowingly and willfully violate its records retention provisions. A person who violates this provision can face fines and serve up to 10 years in prison.
SOX also makes it a crime for any person to tamper with or destroy any record in an attempt to interfere with a federal investigation.25 Unlike other parts of SOX, this provision applies to any organization. Private companies also must follow it. People who violate this section can face fines of up to $10 million, as well as up to 20 years in prison.
Companies must make sure that electronic records are stored properly so that they can satisfy SOX retention requirements. They must store the records for the right amount of time. They also must make sure that those records are destroyed properly when the retention period expires.
SOX requires companies to report accurate financial data to protect their investors from harm. To encourage a company to report accurate data, SOX requires its CEO and CFO to certify the company’s SEC filings. SOX certification provisions require executives to establish, maintain, and review certain types of internal controls for their company.
Disclosure Controls. SOX Section 302 requires CEOs and CFOs to certify a company’s SEC reports. The purpose of the certifications is to put executive management on notice of the company’s financial condition. The SEC can hold a CEO or CFO liable for submitting inaccurate financial reports. It makes sense that both the CEO and CFO would have to make these certifications as they are the officers who are most knowledgeable about the company’s finances and overall condition.
A certification attests to the truth of certain facts. The SEC requires a certification to be included on several different forms, such as a company’s Form 10-Q and Form 10-K reports. (These certifications do not need to be included on Form 8-K.) Under the law,26 a CEO and CFO each must certify that:27
The controls required under Section 302, called disclosure controls, are very broad. They are the processes and procedures that a company puts in place to make sure that it makes timely disclosures to the SEC. They are how management stays informed about the company’s operations. These controls must address any change in information that affects company resources. They bring events to the executive’s attention so that they can be reported to the SEC.
Disclosure controls are different from SOX internal controls. Internal controls are the processes and procedures that a company uses to provide reasonable assurance that its financial reports are reliable. The next section reviews these controls. Internal controls address only processes that protect the reliability of financial reports, whereas disclosure controls are broader. They include internal controls.28 FIGURE 7-2 shows the relationship between disclosure controls and internal controls.
SOX Section 906 imposes criminal liability for fraudulent certifications. Under this section, CEOs and CFOs who knowingly certify fraudulent reports may be fined up to $1 million. They also could be imprisoned for up to 10 years. An officer who willfully makes a fraudulent certification may be fined up to $5 million and could be imprisoned up to 20 years.29
Internal Controls. SOX Section 404 requires a company’s executive management to report on the effectiveness of the company’s ICFR.30 They must make this report each year on their Form 10-K filing. Under this section, management must create, document, and test ICFR. After management makes its yearly report on its ICFR, outside auditors must review the report and verify that the ICFR work. This section has caused compliance headaches for IT professionals.
Under SEC rules, ICFR are processes that provide reasonable assurance that financial reports are reliable.31 ICFR provide management with reasonable assurance that:
SOX does not define reasonable assurance. The SEC and PCAOB recognize that reasonable assurance does not mean absolute assurance.32 However, it is a high level of assurance that satisfies management that ICFR are effective. Management must be confident that these controls protect financial reporting mechanisms.
NOTE
SOX has no specific requirements that cybersecurity risks and incidents must be disclosed. However, the SEC has issued guidance that an organization may need to disclose any cybersecurity risks and incidents in order to ensure that its other required disclosures are not misleading.34 For example, it must disclose its cybersecurity risks if those risks would make investment in the organization risky.
The SEC requires that management use evaluation criteria established by recognized experts to review the company’s ICFR and help ensure that they are effective. The SEC has recognized only one specific framework that meets its requirements: the COSO Framework. The Committee of Sponsoring Organizations (COSO) of the Treadway Commission first created its “Internal Control—Integrated Framework” in 1992. The framework, commonly called the “COSO Framework,” was revised in 2013. Many U.S. businesses use this framework to assess their internal control systems.33
What Is COSO?
COSO was established in 1985 to identify factors that contributed to fraudulent financial reporting. Five U.S. financial organizations sponsored COSO: the American Accounting Association, the American Institute of Certified Public Accountants (AICPA), Financial Executives International, the Institute of Internal Auditors (IIA), and the Institute of Management Accountants. COSO is a nonprofit organization.
Since 1987, COSO has recognized the need for the creation of ICFR. It released its first guidance on internal controls, called the “COSO Internal Control—Integrated Framework,” in 1992. The COSO framework says that internal controls are effective when they give the management of a company reasonable assurance that:
The COSO Framework was updated in 2013 because the business environment has grown more complex since the framework was initially issued. One of the primary contributors to this complexity is the use of IT in business.
The COSO Framework has five components that organizations can use to review their IT profile. They are:
You can learn more about COSO’s “Internal Control—Integrated Framework” by visiting its website: https://www.coso.org/Pages/default.aspx.
SOX Section 404 compliance is not easy. It is very general about the types of ICFR that companies must implement. It does not give a good definition for ICFR generally, and it does not address IT controls at all. In 2007, the SEC issued additional guidance to help companies assess ICFR during their Section 404 review in response to many complaints about the large scope of a Section 404 review. Many of these complaints focused on how to address IT controls.
The SEC stated two broad principles in its guidance:
The SEC also said that management must exercise its professional judgment to limit the scope of a Section 404 review. It reminded companies that SOX applies to internal controls, including IT controls, that affect financial reporting only.35
Management must review general IT controls to make sure that IT systems operate properly and consistently. The controls must provide management with reasonable assurance that IT systems operate properly to protect financial reporting. TABLE 7-1 shows how the goals of ICFR match up with information security goals.
TABLE 7-1 Internal Controls and Information Security Goals

| STEPS TAKEN TO MEET INTERNAL CONTROLS | INFORMATION SECURITY GOALS |
|---|---|
| Financial reports, records, and data are accurately maintained. | Integrity |
| Transactions are prepared according to GAAP rules and properly recorded. | Integrity, availability |
| Unauthorized acquisition or use of data or assets that could affect financial statements will be prevented or detected in a timely manner. | Confidentiality, integrity, availability |
It is clear today that management’s review of an organization’s ICFR must include a review of IT controls as well. Although the COSO Framework does not specifically address the types of IT controls that an organization should implement, it issues guidance on how to address IT risk. Organizations use many approaches to evaluate their IT controls. Some organizations follow the Guide to Assessment of IT Risk (GAIT) framework. Others use “Control Objectives for Information and Related Technology” (COBIT). Both of these frameworks appear to meet the SEC’s requirements for a suitable evaluation framework.
Some companies outsource their IT functions; however, a company cannot escape SOX Section 404 liability by outsourcing financial functions. SOX requires companies to monitor ICFR for outsourced operations as well. Many companies do this by asking their outsourcing companies to provide them with a System and Organization Controls (SOC) report.
NOTE
SOX does not specify the IT controls that companies need to implement. Instead, companies must determine the best controls for their own systems.
Created by the AICPA, SOC audits review a service organization’s control activities related to the services that it provides to its customers. These audits review the IT controls on the outsourced service. A SOC audit helps a service organization show that it has proper safeguards in place to protect its customers’ data.
There are three levels of SOC reports:
NOTE
In 2017, the AICPA created the SOC for Cybersecurity. This framework helps an organization assess its own cybersecurity risk management program and helps the organization report on the effectiveness of its controls for information security.
Many companies may ask a service provider to share its SOC 2 or SOC 3 report before entering into an outsourcing relationship. Many service organizations have these reports prepared in advance so that they can respond quickly to a customer request.
The SEC oversees most SOX provisions. The mission of the SEC, which was created under the Securities Exchange Act of 1934, is to protect investors and maintain the integrity of the securities industry.
The SEC has five commissioners, all appointed by the U.S. president, who each serve for 5-year terms. No more than three of the commissioners may belong to the same political party. The SEC has 11 regional offices in the United States.37
SOX gives the SEC specific duties. For example, the SEC is required to designate the members of the PCAOB. It is also required to review various operations of public companies to make sure that they are following SOX.
SOX requires the SEC to review a public company’s Form 10-K and Form 10-Q reports at least once every 3 years.38 It must do this to try to detect fraud and inaccurate financial statements that could harm the investing public. The SEC has discretion in deciding how often to review companies. SOX states the factors that the SEC should consider when deciding to conduct a review. Under SOX, the SEC must consider:
The SEC also enforces SOX compliance. It has the power to investigate and sanction public companies that do not comply with SOX.