Sarbanes Oxley Act Definition, Examples, Cases, Processes


Auditing departments typically first have a Sarbanes-Oxley compliance specialist perform a comprehensive external audit to identify areas of risk. Next, specialized software is installed that provides the “electronic paper trails” necessary to ensure Sarbanes-Oxley compliance. It should also be noted that these and other Act provisions led to significant changes in the professional responsibility of attorneys and were recognized in large part as applicable in concept to nonprofit and private companies. The severity of the penalty for noncompliance depends on which of the 11 sections of SOX was violated.


All of this takes a lot of work on the part of companies, and many look for help doing it. One organization that offers resources is the Committee of Sponsoring Organizations of the Treadway Commission, or COSO. Formed in 1985 to help fight corporate fraud, COSO has for years maintained a framework for internal controls that companies can follow in order to implement best anti-fraud practices. The most recent revision, which dates from 2013, specifically outlines how it can help you achieve Sarbanes-Oxley compliance. SOX 404 compliance costs represent a tax on inefficiency, encouraging companies to centralize and automate their financial reporting systems.


The audit committee, a subset of the board of directors consisting of non-management members, gained new responsibilities, such as approving numerous audit and non-audit services, selecting and overseeing external auditors, and handling complaints regarding the management’s accounting practices. The Sarbanes-Oxley Act was passed by Congress to curb widespread fraudulence in corporate financial reports, scandals that rocked the early 2000s. The Act now holds CEOs responsible for their company’s financial statements. Under Section 404 of the Act, management is required to produce an “internal control report” as part of each annual Exchange Act report.

Requirements

Not only must elaborate technical systems be set up to maintain data integrity and protection, but company management and outside auditors must regularly assess and document the effectiveness of those systems. On the other hand, the benefit of better credit rating also comes with listing on other stock exchanges such as the London Stock Exchange. It may have convinced some businesses to use private equity funding instead of using the stock market. Specifically, proponents of the law acknowledged that the Act helped businesses improve their financial management by strengthening controls, standardizing processes, improving documentation and creating stronger board oversight. Banking practices of the time also contributed in a major way to the enactment of the Sarbanes-Oxley Act.

Sarbanes-Oxley controls

The report must affirm “the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting”. The report must also “contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting”. To do this, managers are generally adopting an internal control framework such as that described in COSO. Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are “responsible for establishing and maintaining internal controls” and “have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared”.

The means by which Sarbanes-Oxley requirements are implemented within an organization are referred to as controls. A control in this context is an internal rule intended to prevent or detect errors or malfeasance within a cycle of financial reporting. These scandals unwound around the same time dot-com stock prices collapsed, and while none of those early-stage internet companies perpetrated fraud on quite such a scale as Enron, many people believed that they had inflated reports of their earning potential in advance of initially lucrative IPOs, essentially enriching company founders at the expense of investors. It’s a compliance audit done by a neutral third party to verify financial statements of a company and how they were created. The auditor will look at financial statements and interview certain employees of the company to ensure the company is in compliance with SOX.

SOX Section 906 – Corporate Responsibility for Financial Reports

  • At his criminal trial, Yates argued that fish were not the kind of “tangible objects” referred to in the Act’s provision.
  • The corporation and its investment bank were legally responsible for telling the truth.
  • The Act primarily sought to regulate financial reporting, internal audits and other business practices at publicly traded companies.
  • If the director or officer is convicted of a securities law violation, they can be prohibited from serving in the same role at the public company.
  • Banking practices of the time also contributed in a major way to the enactment of the Sarbanes-Oxley Act.
  • If a top manager knowingly or willfully makes a false certification, they can face between 10 and 20 years in prison.

Officers who sign off on financial statements that they know to be inaccurate are subject to criminal penalties, including prison terms. The costliest part of the Sarbanes-Oxley Act is Section 404, which requires public companies to perform extensive internal control tests and include an internal control report with their annual audits. Testing and documenting manual and automated controls in financial reporting requires enormous effort and involvement of not only external accountants but also experienced IT personnel.

Timeline and passage

  • Over time, the legitimacy of almost all these criticisms faded or failed to materialize.
  • The audit committee receives wide leverage in overseeing the top management’s accounting decisions.
  • The act does not specify a set of business practices in this regard but instead defines which company records need to be kept on file and for how long.
  • However, many business leaders continue to believe that the resources required to meet the law’s mandates are burdensome, noting that research has found that smaller companies are disproportionately burdened by the Act.
  • However, several major banks gave Enron loans while either ignoring or simply misunderstanding the risks the company was facing.
  • After the implementation of the Sarbanes-Oxley Act, financial crime and accounting fraud became much less widespread than before.

It prohibited auditors from doing consulting work for their auditing clients. That prevented the conflict of interest which led to the Enron fraud. Congress responded to the Enron media fallout, a lagging stock market, and looming reelections. Public corporations must hire an independent auditor to review their accounting practices. It deferred this rule for small-cap companies, those with a market capitalization of less than $75 million.


RSI Security has a more in-depth look, with lots of great details, at what you need to do when facing a Sarbanes-Oxley compliance audit. In particular, data integrity must be protected, data must be available to those who need it, and non-repudiation must be enforced to ensure that it’s possible to know who created or altered data. The provisions of subsection (a) shall be in addition to, and shall not supersede or preempt, any other provision of law or any rule or regulation issued thereunder. Under Sarbanes–Oxley, two separate sections came into effect—one civil and the other criminal. 15 U.S.C. § 7241 (Section 302) (civil provision); 18 U.S.C. § 1350 (Section 906) (criminal provision).

The officers must “have evaluated the effectiveness of the company’s internal controls as of a date within 90 days prior to the report” and “have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date”. Section 302 pertains to “Corporate Responsibility for Financial Reports.” It established, in part, that CEOs and CFOs must review all financial reports and that the reports are “fairly presented” and don’t contain misrepresentations. This section also established that CEOs and CFOs are responsible for internal accounting controls. The Act requires year-end financial disclosure reports and that all financial reports come with an Internal Controls Report. Financial disclosures must contain reporting of material changes in financial condition. Furthermore, the Act led to the creation of the Public Company Accounting Oversight Board (PCAOB), which sets standards and rules for audit reports.

