The Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745), also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or Sarbox, is a United States federal law signed into law on July 30, 2002, in response to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, Peregrine Systems and WorldCom. These scandals resulted in a decline of public trust in accounting and reporting practices. Named after its sponsors, Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH), the Act was approved by the House by a vote of 423-3 and by the Senate 99-0. President George W. Bush signed it into law, stating it included "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt."
The legislation is wide-ranging and establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms. The Act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law. Supporters of these reforms believe the legislation was necessary and useful, while critics believe it does more economic damage than it prevents.
The Act establishes a new quasi-public
agency, the Public Company Accounting Oversight Board, or PCAOB, which is charged
with overseeing, regulating, inspecting, and disciplining accounting firms in their
roles as auditors of public companies. The Act also covers issues such as auditor
independence, corporate governance, internal control assessment, and enhanced financial
disclosure.
Provisions
The Sarbanes-Oxley Act's (SOX) major provisions
include the following:
- Title I creates the Public Company Accounting
Oversight Board (PCAOB), a non-profit, private entity to oversee public accounting
firms that perform audits of financial statements ("auditors"). Prior to SOX, the
auditing profession was self-regulated. Sections within this Title address (among
other topics): the registration of auditors with the PCAOB; inspections of such
firms; disciplinary proceedings; and funding of the PCAOB by the audit firms.
- Title II establishes auditor independence standards. Prior to SOX, public accounting firms were able to provide both audit and consulting (i.e., non-audit) services to the same company. Sections within this Title address (among other topics): outright bans on certain types of consulting work; pre-certification by the company's Audit Committee of the limited allowable non-audit work and related disclosure; mandatory rotation of the lead audit partner assigned to the company every 5 years; conflicts of interest between management and the auditor; and enhanced auditor reporting to the Audit Committee regarding key accounting matters.
- Title III establishes both Audit Committee independence standards and requirements related to the certification of financial statements by top management. Prior to SOX, Audit Committee members did not have to be independent of management, and top management did not have to "sign off" on the accuracy of financial statements. Sections within this Title address (among other topics): anonymous submission of complaints regarding accounting matters; signed certification by the chief executive officer and chief financial officer that the financial statements fairly present the company's financial position and results of operations; management responsibility for effective internal control; and quarterly assessment and disclosure of critical changes to, and significant problems regarding, internal control procedures.
- Title IV establishes additional disclosures
for selected topics and the requirement that management annually evaluate and report
on the effectiveness of internal controls related to accurate and complete financial
reporting. Prior to SOX, management did not have to do so. The auditing firm is
also required to attest to management's report, although in current practice this
includes a separate opinion on the controls by the auditor, as well.
- Title V relates to conflicts of interest
in the securities trading industry. Prior to SOX, large brokerage firms were providing
both investment banking services and equity research to companies. Sections within
this Title include a variety of disclosure and other measures intended to enhance
public confidence and reliability of the information provided by securities analysts.
Other SOX provisions include:
- A ban on most personal loans to any executive
officer or director;
- Accelerated reporting of insider trading;
- Prohibition on insider trades during pension
fund blackout periods;
- Enhanced criminal and civil penalties for
violations of securities law;
- Significantly longer maximum jail sentences
and larger fines for corporate executives who knowingly and willfully misstate financial
statements, although maximum sentences are largely irrelevant because judges generally
follow the Federal Sentencing Guidelines in setting actual sentences; and
- Employee protections allowing those corporate
fraud whistleblowers who file complaints with OSHA within 90 days to win reinstatement,
back pay and benefits, compensatory damages, abatement orders, and reasonable attorney
fees and costs.
History & context: events contributing to the adoption of SOX
A variety of complex factors created the conditions and culture in which a series of large corporate frauds occurred between 2000 and 2002. The spectacular, highly publicized frauds at Enron (see Enron scandal), WorldCom, and Tyco exposed significant problems with conflicts of interest and incentive compensation practices. These frauds and others resulted in over U.S. $500 billion in market value declines. The analysis of their complex and contentious root causes contributed to the passage of SOX in 2002. Specific contributing factors and events included:
- Boardroom failures: Boards of Directors, specifically Audit Committees, are charged with establishing oversight mechanisms for financial reporting in U.S. corporations on behalf of investors. These scandals identified Board members who either did not exercise their responsibilities or did not have the expertise to understand the complexities of the businesses. In many cases, Audit Committee members were not truly independent of management.
- Auditor conflicts of interest: Prior to
SOX, auditing firms, the primary financial "watchdogs" for investors, also performed significant non-audit or consulting work for the companies they audited. Many of
these consulting agreements were far more lucrative than the auditing engagement.
This presented at least the appearance of a conflict of interest. For example, challenging
the company's accounting approach might damage a client relationship, conceivably
placing a significant consulting arrangement at risk.
- Securities industry conflicts of interest:
The roles of securities analysts, who make buy and sell recommendations on company
stocks and bonds, and investment bankers, who help provide companies loans or handle
mergers and acquisitions, provide opportunities for conflicts. Similar to the auditor
conflict, issuing a buy or sell recommendation on a stock while providing lucrative
investment banking services creates at least the appearance of a conflict of interest.
- Banking practices: Lending to a firm sends
signals to investors regarding the firm's risk. For example, several major banks
provided large loans to Enron without understanding the risks of the company. Investors
of these banks and their clients were hurt by such bad loans, resulting in large
settlement payments by the banks.
- Internet bubble: Investors had been stung in 2000 by the sharp declines in technology stocks and, to a lesser extent, by declines in the overall market. Certain mutual fund managers were alleged to have advocated the purchasing of particular technology stocks while quietly selling them. The losses sustained also helped create a general anger among investors.
- Executive compensation: Stock option and
bonus practices, combined with volatility in stock prices for even small earnings
"misses," resulted in pressures to manage earnings.
Stock options were not treated as compensation expense by companies,
encouraging this form of compensation. With a large stock-based bonus at risk, managers
were pressured to meet their targets.
Timeline and passage of SOX
The House passed Rep. Oxley's bill (H.R.
3763) on April 25, 2002, by a vote of 334 to 90. The House then referred the "Corporate
and Auditing Accountability, Responsibility, and Transparency Act" or "CAARTA" to
the Senate Banking Committee with the support of President George W. Bush and the
SEC. At the time, however, the Chairman of that Committee, Senator Paul Sarbanes
(D-MD), was preparing his own proposal, Senate Bill 2673.
Senator Sarbanes’s bill passed the Senate
Banking Committee on June 18, 2002, by a vote of 17 to 4. On June 25, 2002, WorldCom
revealed it had overstated its earnings by more than $7.2 billion during the past
five quarters (15 months), primarily by improperly accounting for its operating
costs. Sen. Sarbanes introduced Senate Bill 2673 to the full Senate that same day,
and it passed 97-0 less than three weeks later on July 15, 2002.
The House and the Senate formed a Conference
Committee to reconcile the differences between Sen. Sarbanes's bill (S. 2673) and
Rep. Oxley's bill (H.R. 3763). The conference committee relied heavily on S. 2673
and “most changes made by the conference committee strengthened the prescriptions
of S. 2673 or added new prescriptions.” (John T. Bostelman, The Sarbanes-Oxley Deskbook
§ 2-31.)
The Committee approved the final conference
bill on July 24, 2002, and gave it the name "the Sarbanes-Oxley Act of 2002." The
next day, both houses of Congress voted on it without change, producing an overwhelming
margin of victory: 423 to 3 in the House and 99 to 0 in the Senate. On July 30,
2002, President George W. Bush signed it into law, stating it included "the most
far-reaching reforms of American business practices since the time of Franklin D.
Roosevelt."
Analyzing the cost-benefit of Sarbanes-Oxley
A significant body of academic research
and opinion exists regarding the costs and benefits of SOX, with significant differences
in conclusions. This is due in part to the difficulty of isolating the impact of
SOX from other variables affecting the stock market and corporate earnings.
Conclusions from several of these studies
and related criticism are summarized below:
- FEI Survey: Financial Executives International (FEI) provides an annual survey on SOX Section 404 costs. For 200 companies with average revenues of $6.8 billion, the average compliance costs were $2.9 million, down 23% from 2005. Costs for decentralized companies (i.e., those with multiple segments or large divisions) were more than twice those of centralized companies. Auditor costs did not decline. When asked whether the benefits of compliance with Section 404 have exceeded their costs, 22 percent, on average, agreed, with 78 percent saying instead that the costs have exceeded the benefits. Thirty-four percent agreed that compliance with Section 404 has helped prevent or detect fraud.
- Butler/Ribstein: Their book proposed a comprehensive
overhaul or repeal of SOX and a variety of other reforms. For example, they indicate
that investors could diversify their stock investments, efficiently managing the
risk of a few catastrophic corporate failures, whether due to fraud or competition.
However, if each company is required to spend a significant amount of money and
resources on SOX compliance, this cost is borne across all publicly traded companies
and therefore cannot be diversified away by the investor.
- Institute of Internal Auditors (IIA): The research paper indicates that corporations have improved their internal controls and that financial statements are perceived to be more reliable.
- Skaife/Collins/Kinney/Lefond: This research paper indicates that borrowing costs are lower for companies that improved their internal control, by between 50 and 150 basis points (0.5 to 1.5 percentage points).
- Zhang: This research paper estimated SOX compliance costs as high as $1.4 trillion, by measuring changes in market value around key SOX legislative "events." This number is based on the assumption that SOX was the cause of related short-duration market value changes. However, the S&P 500 index, a broad measure of U.S. stock value, increased 6% the day the law passed in Congress on July 24, 2002, and 1% the day after it was signed into law by President Bush on July 30. It then declined 7% in three trading days thereafter, regaining pre-signature levels by August 8. Measuring short-term fluctuations in market value is an acknowledged drawback of this study. One could have just as easily argued a $1.4 trillion benefit, using the 7% increase leading up to the day after signature, rather than the following three-day decline.
- Iliev: This research paper indicated that
SOX 404 indeed led to conservative reported earnings, but also reduced -- rightly
or wrongly -- stock valuations of small firms.
Lower earnings often cause the share price to decrease.
The effect of SOX on non-US companies
Some have asserted that Sarbanes-Oxley legislation has helped displace business from New York to London, where the Financial Services Authority allegedly regulates the financial sector with a lighter touch. But this claim is hard to reconcile with the fact that a greater amount of resources is dedicated to enforcement of securities laws in the UK than in the US -- see Howell E. Jackson & Mark J. Roe, “Public Enforcement of Securities Laws: Preliminary Evidence,” (Working Paper, January 16, 2007). The amount of business displaced from Wall Street to the City of London remains disputed. The Alternative Investment Market claims that its spectacular growth in listings almost entirely coincided with the Sarbanes-Oxley legislation. In December 2006 Michael Bloomberg, New York's mayor, and Charles Schumer, a U.S. senator, expressed their concern.
The Sarbanes-Oxley Act's effect on non-US companies cross-listed in the US is different for firms from developed and well-regulated countries than for firms from less developed countries, according to Kate Litvak. Companies from badly regulated countries gain better credit ratings by complying with the regulations of a highly regulated country (the USA), a benefit that exceeds the cost, but companies from developed countries only incur the cost, since transparency is adequate in their home countries as well. On the other hand, the benefit of a better credit rating also comes with listing on other stock exchanges such as the London Stock Exchange. However, the administrative cost of SOX is considered a drag on the productivity of capital regardless of the rate at which it is borrowed, and it is ironically the financial catastrophes caused by the 2000 bubble market and subsequent scandals that forced the Federal Reserve to flood money into the market via lower interest rates. Contrary to logical thinking, it was massive economic irresponsibility that led to improved credit ratings and lower rates.
Implementation of Key Provisions
SOX Section 302: Internal control certifications
Under Sarbanes-Oxley, two separate certification
sections came into effect—one civil and the other criminal. 15 U.S.C. § 7241 (Section
302) (civil provision); 18 U.S.C. § 1350 (Section
906) (criminal provision).
Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are “responsible for establishing and maintaining internal controls” and “have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared.” 15 U.S.C. § 7241(a)(4). The officers must “have evaluated the effectiveness of the company’s internal controls as of a date within 90 days prior to the report” and “have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.” Id.
Moreover, under Section 404 of the Act, management is required to produce an “internal control report” as part of each annual Exchange Act report. See 15 U.S.C. § 7262. The report must affirm “the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.” 15 U.S.C. § 7262(a). The report must also “contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.” Id. To do this, managers are generally adopting an internal control framework such as the one described by COSO.
Under both Section 302 and Section 404, Congress directed the SEC to promulgate regulations enforcing these provisions. (See Final Rule: Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, Release No. 33-8238 (June 5, 2003), available at http://www.sec.gov/rules/final/33-8238.htm.)
External auditors are required to issue
an opinion on whether effective internal control over financial reporting was maintained
in all material respects by management. This is in addition to the financial statement
opinion regarding the accuracy of the financial statements. The requirement to issue
a third opinion regarding management's assessment was removed in 2007.
SOX Section 404: Assessment of internal control
The most contentious aspect of SOX is
Section 404, which requires management and the external auditor to report on the
adequacy of the company's internal control over financial reporting (ICFR). This
is the most costly aspect of the legislation for companies to implement, as documenting
and testing important financial manual and automated controls requires enormous
effort.
Both management and the external auditor
are responsible for performing their assessment in the context of a top-down risk
assessment, which requires management to base both the scope of its assessment and
evidence gathered on risk. Both the PCAOB and SEC recently issued guidance on this
topic to help alleviate the significant costs of compliance and better focus the
assessment on the most critical risk areas.
The recently released Auditing Standard No. 5 of the Public Company Accounting Oversight Board (PCAOB), which superseded Auditing Standard No. 2, has the following key requirements for the external auditor:
- Assess both the design and operating effectiveness
of selected internal controls related to significant accounts and relevant assertions,
in the context of material misstatement risks;
- Understand the flow of transactions, including
IT aspects, sufficiently to identify points at which a misstatement could arise;
- Evaluate company-level (entity-level) controls,
which correspond to the components of the COSO framework;
- Perform a fraud risk assessment;
- Evaluate controls designed to prevent or
detect fraud, including management override of controls;
- Evaluate controls over the period-end financial
reporting process;
- Scale the assessment based on the size and
complexity of the company;
- Rely on management's work based on factors
such as competency, objectivity, and risk;
- Evaluate controls over the safeguarding
of assets; and
- Conclude on the adequacy of internal control
over financial reporting.
The recently released SEC guidance is
generally consistent with the PCAOB's guidance above, only intended for management.
SOX 404 and smaller public companies
The cost of complying with SOX 404 impacts smaller companies disproportionately, as there is a significant fixed cost involved in completing the assessment. For example, during 2004 U.S. companies with revenues exceeding $5 billion spent 0.06% of revenue on SOX compliance, while companies with less than $100 million in revenue spent 2.55%.
This disparity is a focal point of 2007
SEC and U.S. Senate action. The
PCAOB intends to issue further guidance to help companies scale their assessment
based on company size and complexity during 2007.
SOX 404 and information technology
The financial reporting processes of most organizations are driven by IT systems. Few companies manage their data manually, and most rely on electronic management of data, documents, and key operational processes. Therefore, it is apparent that IT plays a vital role in internal control. Chief information officers are responsible for the security, accuracy and reliability of the systems that manage and report the financial data. Systems such as ERP (Enterprise Resource Planning) are deeply integrated in the initiating, authorizing, processing, and reporting of financial data. As such, they are inextricably linked to the overall financial reporting process and need to be assessed, along with other important processes, for compliance with the Sarbanes-Oxley Act. So, although the Act signals a fundamental change in business operations and financial reporting, and places responsibility for corporate financial reporting on the chief executive officer (CEO) and chief financial officer (CFO), the chief information officer (CIO) plays a significant role in management's assessment of internal control under Section 404 and in supporting the financial statement certification process.
The PCAOB suggests considering the Committee
of Sponsoring Organizations of the Treadway Commission (COSO) framework in management/auditor
assessment of controls. Auditors have also looked to the IT Governance Institute's
"COBIT: Control Objectives
of Information and Related Technology" for more appropriate standards of
measure. This framework focuses on information technology (IT) processes while keeping
in mind the big picture of COSO's "control activities" and "information and communication".
However, there are certain aspects of COBIT that are outside the boundaries of Sarbanes-Oxley regulation. IT application controls (i.e., transaction processing controls) that address material misstatement risks are a critical part of the SOX 404 assessment. However, the extent of SOX testing to be performed on IT General Controls (ITGC) has been a topic of contention. By nature, ITGC have an indirect effect on financial statements. The 2007 SEC guidance states: "...management only needs to evaluate those ITGC that are necessary for the proper and consistent operation of other controls designed to adequately address financial reporting risks." ITGC efforts will likely be carefully scrutinized in light of the new guidance, which encourages focus on the most critical financial risks.
Another aspect of SOX 404 is the preservation of electronic data as part of a comprehensive document retention policy, and in particular email. Email has emerged as a medium that carries as much, if not more, important and sensitive information as paper documents. Some of the information transmitted is in the form of contracts, intellectual property, and competitive, financial and confidential company information. Some of this information has a direct bearing on investor results. Therefore several regulatory agencies have, in conjunction with SOX, specified certain periods of time for which this data needs to be preserved. In addition, suggestions have been made regarding aspects of the preservation such as the medium on which the data is archived. Moreover, the changes in the FRCP (Federal Rules of Civil Procedure) make it incumbent on almost every company to have an email archiving policy in place. Even school systems have seen the need to archive their email as a result of the FRCP and also FOIA (the Freedom of Information Act).
One way to comply with the e-data archiving requirement is to install in a company's infrastructure an appliance that captures the data and places it in storage in an undeletable, unalterable and inaccessible format. Another approach is to use an ASP (Application Service Provider) model. In this model, email is captured to an off-site storage facility, which then indexes and catalogs all of the characteristics of the message. This minimizes the initial investment in achieving compliance. The factors that should be used to evaluate an ASP provider and determine the best solution for a given company are 1) ease of use, 2) speed of searches, 3) search capabilities and flexibility, and 4) precision of results.
Miscellaneous SOX Topics
Impact of SOX on the corporate IT department
The SEC identifies the COSO framework
by name as a methodology for achieving compliance. The COSO framework defines five
areas, which when implemented, can help support the requirements as set forth in
the Sarbanes-Oxley legislation. These five areas and their impacts for the IT Department are as follows:
- Risk Assessment: Before the necessary controls are implemented, IT management must assess and understand the areas of risk affecting the completeness and validity of the financial reports. They must examine how the company's systems are being used and the current level and accuracy of existing documentation. The areas of risk drive the definition of the other four components of the COSO framework.
- Control Environment: An environment in which the employees take ownership for the success of their projects will encourage them to escalate issues and concerns, and feel that their time and efforts contribute to the success of the organization. This is the foundation on which the IT organization will thrive. Employees should cross-train with design, implementation, quality assurance and deployment teams to better understand the entire technology lifecycle.
- Control Activities: Design, implementation and quality assurance testing teams should be independent. ERP and CRM systems that collect data but feed into manual spreadsheets are prone to human error. The organization will need to document usage rules and create an audit trail for each system that contributes financial information. Further, written policies should define the specifications, business requirements and other documentation expected for each project.
- Monitoring: Auditing processes and schedules should be developed to address the high-risk areas within the IT organization. IT personnel should perform frequent internal audits. In addition, personnel from outside the IT organization should perform audits on a schedule that is appropriate to the level of risk. Management should clearly understand and be held responsible for the outcome of these audits.
- Information and Communication: Without timely, accurate information, it will be difficult for IT management to proactively identify and address areas of risk. They will be unable to react to issues as they occur. IT management must demonstrate to company management an understanding of what needs to be done to comply with Sarbanes-Oxley and how to get there.
Source: www.en.wikipedia.org (2007)