What is Sarbanes-Oxley?

The U.S. Congress passed the Sarbanes-Oxley Act of on July 30, to protect investors from the possibility of fraudulent accounting activities by corporations. The SOX Act of , also known as the Corporate Responsibility Act of , mandated strict reforms to improve.

The negative effect among small firms is consistent with these companies being less able to absorb the incremental costs associated with SOX compliance. The screening of smaller firms with weaker governance attributes from U. Under Sarbanes-Oxley, two separate sections came into effect, one civil and the other criminal. Section of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are "responsible for establishing and maintaining internal controls" and "have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared".

The officers must "have evaluated the effectiveness of the company's internal controls as of a date within 90 days prior to the report" and "have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date".

The SEC interpreted the intention of Sec. In it, the SEC defines the new term "disclosure controls and procedures," which are distinct from "internal controls over financial reporting".



External auditors are required to issue an opinion on whether effective internal control over financial reporting was maintained in all material respects by management. This is in addition to the financial statement opinion regarding the accuracy of the financial statements. The requirement to issue a third opinion regarding management's assessment was removed in It shall be unlawful, in contravention of such rules or regulations as the Commission shall prescribe as necessary and appropriate in the public interest or for the protection of investors, for any officer or director of an issuer, or any other person acting under the direction thereof, to take any action to fraudulently influence, coerce, manipulate, or mislead any independent public or certified accountant engaged in the performance of an audit of the financial statements of that issuer for the purpose of rendering such financial statements materially misleading.

In any civil proceeding, the Commission shall have exclusive authority to enforce this section and any rule or regulation issued under this section. No Preemption of Other Law. The provisions of subsection a shall be in addition to, and shall not supersede or preempt, any other provision of law or any rule or regulation issued thereunder. The bankruptcy of Enron drew attention to off-balance sheet instruments that were used fraudulently. During , the court examiner's review of the Lehman Brothers bankruptcy also brought these instruments back into focus, as Lehman had used an instrument called "Repo " to allegedly move assets and debt off-balance sheet to make its financial position look more favorable to investors.


Sarbanes-Oxley required the disclosure of all material off-balance sheet items. It also required an SEC study and report to better understand the extent of usage of such instruments and whether accounting principles adequately addressed these instruments; the SEC report was issued June 15, The most contentious aspect of SOX is Section , which requires management and the external auditor to report on the adequacy of the company's internal control on financial reporting (ICFR).

This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort. Under Section of the Act, management is required to produce an "internal control report" as part of each annual Exchange Act report. The report must affirm "the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting".


The report must also "contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting". To do this, managers are generally adopting an internal control framework such as that described in COSO. To help alleviate the high costs of compliance, guidance and practice have continued to evolve.

The SEC also released its interpretive guidance [44] on June 27, It is generally consistent with the PCAOB's guidance, but intended to provide guidance for management. Both management and the external auditor are responsible for performing their assessment in the context of a top-down risk assessment, which requires management to base both the scope of its assessment and evidence gathered on risk. This gives management wider discretion in its assessment approach. These two standards together require management to:. SOX compliance costs represent a tax on inefficiency, encouraging companies to centralize and automate their financial reporting systems.

This is apparent in the comparative costs of companies with decentralized operations and systems, versus those with centralized, more efficient systems.


The cost of complying with SOX impacts smaller companies disproportionately, as there is a significant fixed cost involved in completing the assessment. For example, during U. This disparity is a focal point of SEC and U. The SEC issued their guidance to management in June, Another extension was granted by the SEC for the outside auditor assessment until years ending after December 15, The reason for the timing disparity was to address the House Committee on Small Business concern that the cost of complying with Section of the Sarbanes-Oxley Act of was still unknown and could therefore be disproportionately high for smaller publicly held companies.

The SEC stated in their release that the extension was granted so that the SEC's Office of Economic Analysis could complete a study of whether additional guidance provided to company managers and auditors in was effective in reducing the costs of compliance. They also stated that there will be no further extensions in the future. On September 15, the SEC issued final rule that permanently exempts registrants that are neither accelerated nor large accelerated filers as defined by Rule 12b-2 of the Securities and Exchange Act of from Section b internal control audit requirement.

Section a of the SOX, 18 U. Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.

Section of the Sarbanes-Oxley Act, also known as the whistleblower-protection provision, prohibits any "officer, employee, contractor, subcontractor, or agent" of a publicly traded company from retaliating against "an employee" for disclosing reasonably perceived potential or actual violations of the six enumerated categories of protected conduct in Section securities fraud, shareholder fraud, bank fraud, a violation of any SEC rule or regulation, mail fraud, or wire fraud.

Remedies under Section include: A reinstatement with the same seniority status that the employee would have had, but for the discrimination;. C compensation for any special damages sustained as a result of the discrimination, including litigation costs, expert witness fees, and reasonable attorney fees. General Counsel who was terminated after reporting potential violations of the Foreign Corrupt Practices Act;. A claim under the anti-retaliation provision of the Sarbanes-Oxley Act must be filed initially at the Occupational Safety and Health Administration at the U. Section of the SOX 18 U.

Whoever knowingly, with the intent to retaliate, takes any action harmful to any person, including interference with the lawful employment or livelihood of any person, for providing to a law enforcement officer any truthful information relating to the commission or possible commission of any federal offense, shall be fined under this title, imprisoned not more than 10 years, or both. One of the highlights of the law was a provision that allowed the SEC to force a company's CEO or CFO to disgorge any executive compensation such as bonus pay or proceeds from stock sales earned within a year of misconduct that results in an earnings restatement.

However, according to Gretchen Morgenson of The New York Times, such clawbacks have actually been rare, due in part to the requirement that the misconduct must be either deliberate or reckless.


The SEC did not attempt to claw back any executive compensation until , and as of December had only brought 31 cases, 13 of which were begun after However, according to Dan Whalen of the accounting research firm Audit Analytics, the threat of clawbacks, and the time-consuming litigation associated with them, has forced companies to tighten their financial reporting standards. Congressman Ron Paul and others such as former Arkansas governor Mike Huckabee have contended that SOX was an unnecessary and costly government intrusion into corporate management that places U.

In an April 14, speech before the U. House of Representatives, Paul stated [54]. These regulations are damaging American capital markets by providing an incentive for small US firms and foreign firms to deregister from US stock exchanges. According to a study by a researcher at the Wharton Business School, the number of American companies deregistering from public stock exchanges nearly tripled during the year after Sarbanes-Oxley became law, while the New York Stock Exchange had only 10 new foreign listings in all of Some historical context is useful when discussing SOX.

The act arose as a result of a specific set of incidents, and understanding them can help your organization integrate SOX compliance with your overall security goals and priorities. The act was passed on July 30, , in the wake of the Enron, Worldcom, Tyco International and other high profile corporate scandals. While much of it deals with financial governance and accountability, sections of the act have clear implications for data storage and transmission, as well as information security.

For IT managers and executives setting out high-level data security goals, compliance with SOX is an important ongoing concern.



But SOX compliance is about more than just being able to pass an audit: when appropriate data governance procedures are properly implemented, they can have a number of tangible benefits for your business. In fact, in a survey of more than executives, conducted by Protiviti, it was found that:.


This is one of the outcomes the framers of the SOX legislation intended. With that in mind, how can SOX compliance benefit you? Aside from eliminating the threat of fines and other penalties, smart organizations are using SOX as a framework for:. The first thing an IT manager must do to prepare their organization for SOX compliance is to understand which sections of the act have clear implications for data management, reporting and security.

A SOX compliance audit is a measure of how well your company manages its internal controls. Indeed, one of the biggest criticisms of SOX is that, particularly for smaller firms, this requirement that all accounting systems must be subject to auditing is prohibitively expensive. The Sarbanes-Oxley Act is over 60 pages long.

Beyond that, it has spawned a number of related concepts, committees and policies related to the auditing process. An independent auditor must conduct SOX audits. To avoid a conflict of interest, SOX audits must be separate from other internal audits undertaken by the company. Many companies will time the audit so that results are available for inclusion in their annual report, thus satisfying the requirement of making findings easily accessible to stockholders. The first step in a SOX audit usually involves a meeting between management and the auditing firm. In this meeting, both parties will discuss the specifics of the audit, including when it will take place, what it will look at, what its purposes are and what results management expects to see.

An audit will also look at personnel and may interview staff to confirm that their regular duties match their job description, and that they have the training necessary to access financial information safely. A review of internal controls comprises one of the largest components of a SOX compliance audit. As noted above, internal controls include any computers, network hardware and other electronic infrastructure that financial data passes through.


From the IT side of things, a typical audit will look at four things:. Access refers to both the physical and electronic controls that prevent unauthorized users from viewing sensitive information. The Act was in response to accounting malpractice in the early s when public scandals such as Enron Corporation, Tyco International plc and WorldCom shook investor confidence in financial statements and demanded an overhaul of regulatory standards. The rules and enforcement policies outlined by the SOX Act of amend or supplement existing legislation dealing with security regulations.

The Act swept reforms in the following four areas:. Section of the SOX Act of is a mandate that requires senior management to certify the accuracy of the reported financial statement. Section of the SOX Act of is a requirement that management and auditors establish internal controls and reporting methods on the adequacy of those controls. Section has very costly implications for publicly traded companies as it is expensive to establish and maintain the required internal controls.

Section of the SOX Act of contains the three rules that affect record keeping. The first deals with destruction and falsification of records. The second strictly defines the retention period for storing records.