Sarbanes-Oxley Act Origins
The late 1990s were a wild time in corporate finance. The dot com boom was in full swing. The internet was beginning to have an impact on how many industries functioned.
The fast times and rapid changes attracted many entrepreneurs who came up with great new ways of doing things, such as Jeff Bezos and Amazon – and not a few scam artists or crooks who were determined to cash in on the boom times and who didn’t care who they defrauded or who got hurt in the process.
WorldCom, Enron, and Tyco were just a few of the more high-profile companies to bend or ignore rules designed to protect shareholders. WorldCom went bust in a $104 billion bankruptcy after whistleblower and WorldCom VP Cynthia Cooper discovered nearly $4 billion worth of fraudulent balance sheet entries.
Enron was particularly brazen: management not only inflated the company’s earnings, but they also manipulated the energy market and embezzled corporate funds. By one estimate, the bursting of the dot com bubble – at least partly attributable to these notable fraud cases – destroyed over $6 trillion (that’s TRILLION, not billion) of household wealth over a two-year period.
The massive fraud – which hurt many small investors – led to a bipartisan effort by Senators Paul Sarbanes (a Democrat from Maryland) and Michael Oxley (a Republican from Ohio) to create and pass a bill that would “protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.” Congress passed the bill, and President George Bush signed it into law in 2002. The bill was given the name of its sponsors, so it’s known as the Sarbanes-Oxley Act of 2002, commonly referred to as SOX or the SOX Act. It’s also known as the “Public Company Accounting Reform and Investor Protection Act.”
Companies that must comply with the Sarbanes-Oxley Act include:
- US publicly traded companies larger than a certain size. It doesn’t matter where the stocks are traded: NYSE, Nasdaq, and over the counter stocks are all subject to SOX compliance.
- Foreign companies that have registered debt or equity with the US Securities and Exchange Commission (SEC).
- Accounting firms that audit companies that are required to comply with SOX must themselves also comply with SOX.
There are a few exceptions for certain public companies that do not need to comply with the SOX audit requirements: 1) “non-accelerated filers,” which as of March 2020 includes companies with annual revenues of less than $100 million and public float of less than $700 million; 2) emerging growth companies for five years.
Privately held companies and nonprofits do not generally need to comply with SOX, although many of the SOX requirements are “best practices” that would be beneficial to adopt regardless of whether the firm is legally obligated to do so.
The corporate CEOs and CFOs are directly responsible for ensuring compliance. The law has real teeth: failure to comply can result in hefty fines and possibly even jail time.
Overview of SOX Provisions
CEOs and CFOs are obligated under Sarbanes Oxley to assure that financial records are accurate, and that reports submitted to the SEC are accurate. They are penalized for non-compliance even if the non-compliance was accidental.
SOX covers not only financial records and reporting; it also has provisions relating to data security and IT that must be complied with.
Covered companies must maintain records proving they comply with SOX, and they must complete an annual audit, the results of which must be easily available to all stakeholders.
SOX contains 11 sections, called “Titles” in the legislation, as follows:
- Title I: Public Company Accounting Oversight Board. The act created this board, which is responsible for setting the standards and rules for audits, as well as monitoring and enforcing compliance with the law.
- Title II: Auditor Independence. This section includes regulations intended to ensure that auditors are truly independent, including a requirement that firms providing the audit cannot provide any other services to the company they are auditing.
- Title III: Corporate Responsibility. Corporate executives are individually and personally responsible for seeing that the company complies with SOX. Failure to comply can have personal penalties, not just penalties on the business.
- Title IV: Enhanced Financial Disclosures. This section added a lot of new mandatory financial disclosures that public companies must comply with, including insider trading and off-balance-sheet transactions.
- Title V: Analyst Conflict of Interest. This section was intended to boost investor confidence in securities analysts. Analysts must disclose if they have any potential conflicts of interest, whether it’s holding shares of the company being analyzed or having the company as a client.
- Title VI: Commission Resources and Authority. This section is not particularly relevant to companies concerned about compliance; it gives the SEC authority to remove people from positions such as brokers or dealers under certain circumstances.
- Title VII: Studies and Reports. Details reports that the SEC or Comptroller General must perform.
- Title VIII: Corporate and Criminal Fraud Accountability. Specifies that anyone with a role in defrauding shareholders of public companies can be subject to fines and prison. Also makes it illegal to alter, conceal, or destroy records that could be relevant in an investigation.
- Title IX: White Collar Crime Penalty Enhancement. This title is focused on increasing penalties for white collar crime. It encourages courts to have sentencing guidelines with harsh enough penalties to deter financial misconduct – in other words, to make sure that “crime doesn’t pay.”
- Title X: Corporate Tax Returns. Specifies that the company CEO must be the one to sign the corporate tax return – and is therefore responsible for any misstatements to the IRS.
- Title XI: Corporate Fraud Accountability. This title includes definitions of behavior that would constitute fraud, along with sentencing guidelines and penalties.
Clearly not all of the Titles are relevant to a company concerned with SOX compliance. The relevant titles from a compliance perspective are Titles 3, 4, 8, and 9.
Specific Sections of SOX Relevant to Compliance
Each of the Titles of SOX is further broken down into “Sections.” There are eight sections that are especially relevant from a compliance perspective. A summary of each follows:
Complying with SOX
Modern corporations run on computers. Everything from recognizing revenue to tracking expenses to generating reports to internal and external communications all happens on a company’s IT network. Therefore, a lot of the internal controls companies are required to have in place to verify the integrity of their financial reports have to do with the company’s IT policies and controls. Who has access to data? Is data secure from tampering?
Companies that have recently gone public (“emerging growth companies”) have a window of a few years before they must be fully SOX-compliant. Given the severe penalties for failing to comply with SOX, and given the complexity of the task, companies are advised to start on the process of SOX compliance as early as possible. Since many of the SOX requirements are good business practices whether or not the company is subject to mandatory compliance, there’s little downside to getting a head start.
Here are some suggested steps in getting on the road to SOX compliance:
- Develop a plan. Be very clear about the timeline of what information must be reported when. Have both short-term goals, for the current fiscal year, as well as long-term goals. As the company grows, it’s important that processes and controls are updated and appropriate to the scale of the company.
- Select one or more frameworks to support SOX compliance. There are several different organizations that have developed frameworks and models that companies can use in developing their SOX internal controls and compliance plan. The better-known ones are:
  - COSO (The Committee of Sponsoring Organizations of the Treadway Commission). COSO was established by a group of five accounting and financial industry organizations to help companies improve their performance through improved internal controls and risk management. They developed an “Internal Control – Integrated Framework” that is a useful guide for developing effective internal controls.
  - COBIT (Control Objectives for Information and Related Technologies). ISACA is an industry group focused on IT governance. They developed COBIT as a framework for IT governance looking at the different IT processes within a company, their inputs and outputs, objectives, etc.
  - ITGI (The Information Technology Governance Institute). ITGI is another industry group that has developed a framework applicable to SOX compliance. ITGI uses COBIT and COSO, but it’s more focused on security than it is on general compliance.
- Conduct a risk assessment. It’s important to understand which processes within the company are material to compliance and to proactively identify possible problem areas. Those potential problem areas should be addressed as the company develops its compliance plan.
- Assess entity level controls. What controls are in place in different locations or divisions?
- Document existing processes. Any of the company’s financial reporting processes that are relevant for SOX should be documented so that the flow of information is clear, as well as the lines of responsibility for different organizations or staff members who may be involved in the process. Controls for the processes that could help protect against fraud or other financial risks should be specified.
- Assess IT Controls. The security of the company’s financial data will in large measure be a factor of the security of the company’s IT infrastructure. Is the company’s IT infrastructure safe from tampering? Most companies focus on protecting the IT infrastructure from outside threats such as hackers. However, the “trusted insider” can also be a major security risk, especially when it comes to the potential for financial fraud.
- Identify and evaluate any third-party providers. Many companies outsource different financial reporting processes. Outsourcing doesn’t get management off the hook for Sarbanes Oxley compliance. You have to make certain that any vendors also have adequate controls in place to protect the integrity of your financial information. Vendors are often evaluated on the basis of Service Organization Control (SOC) reports that are prepared by independent accounting firms. If no SOC is available, you will need to dedicate resources to evaluating the vendor yourself.
- Test the Internal Controls. It’s important to verify that the controls in place are actually effective. Key controls should be tested to make sure that they are working the way they are supposed to work.
- Evaluate deficiencies. As deficiencies are noted in either the planning or testing process, they need to be evaluated to determine if they are significant or material. Senior management needs to be aware of any significant deficiencies. Any deficiencies that have a material effect on the company will need to be reported to the public in a 10-K.
- Communicate the results. Since senior management is responsible for ensuring SOX compliance, they will want regular updates on the status of internal controls and compliance. The company’s Audit Committee should also be kept in the loop.
In addition to the above, it’s worth considering the use of Sarbanes Oxley software. SOX compliance software can help with tracking data, flagging potential problem areas, and generating reports.
Prior to SOX, financial reporting was largely self-regulated by the industry. SOX created the Public Company Accounting Oversight Board (PCAOB) whose mission is as follows:
“(to oversee) the audits of public companies and SEC-registered brokers and dealers in order to protect investors and further the public interest in the preparation of informative, accurate, and independent audit reports.”
Companies subject to SOX must have a SOX compliant audit every year. The PCAOB oversees firms that conduct audits and sets standards and advises on procedures.
The following are some of the steps in a SOX audit:
- Risk assessment to define audit scope. The PCAOB standards say: “A top-down approach begins at the financial statement level and with the auditor’s understanding of the overall risks to internal controls over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions.”
- Determining materiality. The auditor determines materiality to decide where to focus. Anything in a financial statement that could influence the economic decisions of readers is considered “material.” Typically, anything involving more than 5% of assets or 3-5% of operating income is definitely considered material. The auditor will look at transactions that went into determining the values of material accounts. The auditor will seek to understand financial reporting risks in those accounts: what could go wrong? What could be subject to misrepresentation?
- Identify SOX controls. When determining materiality, the auditors will also look at the controls that protect the integrity of those numbers. Controls may include things such as making sure conflicting duties are segregated. People who post invoices should not have authority to approve invoices. Auditors will seek to differentiate between “key” and “non-key” controls. It’s important that not everything is designated as “key.” As the old saying goes, “if everything’s important, nothing’s important.” Key controls should be for things that really protect against higher levels of risk.
- Fraud risk assessment. SOX was passed largely in response to some very high-profile cases of massive fraud. The auditors will be looking to see if internal controls are adequate to detect fraud early. In addition to the segregation of duties mentioned above, periodic bank account reconciliation is an important fraud detection tool. One common fraud vehicle is employees making reimbursement claims for fictitious expenses; the auditors will want to see that there are controls in place that would catch such activity.
- Controls documentation. Auditors will want to see that controls are properly documented and communicated. Compliance software can be helpful to auditors as it can allow them to access information and review the impact throughout the organization.
- Testing key controls. The auditors will want to make sure the key controls actually work the way they are designed to work. Auditors may interview process owners, watch the process at work, etc., as part of the testing process.
- Assessing deficiencies. The auditors will be on the lookout for ways that SOX compliance can be improved. If they see a problem, they analyze whether the problem is a poorly designed control or whether it’s a problem with the implementation of the control. In some cases the control may need to be changed; in others it may mean staff needs better training or a process needs to be adjusted.
- Management’s report on controls. At the end of the control testing, management delivers its assessment of the internal controls, including the assessment made by the independent auditor.
The Sarbanes-Oxley Act has been widely praised as having helped improve corporate governance, transparency, and accountability in corporate America. Back in 2005, only a few years after SOX was enacted, former Federal Reserve Chairman Alan Greenspan said,
“I am surprised that the Sarbanes–Oxley Act, so rapidly developed and enacted, has functioned as well as it has … the act importantly reinforced the principle that shareholders own our corporations and that corporate managers should be working on behalf of shareholders to allocate business resources to their optimum use.”
There are those who have criticized Sarbanes Oxley, pointing to the fact that very few CEOs or CFOs have been charged with criminal violations of the SOX Act. On the other hand, many take the lack of criminal charges as a sign of the success of the SOX Act. Being aware of the stiff penalties that can be imposed for willful violation of SOX, CEOs and CFOs have become very cautious about making sure they comply with SOX provisions.
Being aware of the penalties, many CEOs insist on “sub-certifications.” They will refuse to sign the corporate certification until lower-level executives sign off on certifications for their areas of responsibility. This has the effect of making executives throughout the organization more aware of SOX, more aware of the penalties, and more cautious in their financial reporting. This is exactly what the law was intended to do: get executives to be more accountable, and less likely to engage in fraud.
There are a lot of different pieces involved in getting your organization “SOX audit ready.” With proper planning and preparation and a methodical approach it doesn’t have to be an overwhelming task, and it can help your company put in place the controls that will allow it to operate more effectively and efficiently.