Sarbanes-Oxley Essential Information
Read our editors’ summary of the impacts of the Act (especially Sections 302 and 404), here.
What the term ‘Sarbanes-Oxley’ stands for
The Act is named for Senator Paul Sarbanes and Representative Michael Oxley, who sponsored the Sarbanes-Oxley Act of 2002. If you want to read more about the authors of this act, start with our Sarbanes and Oxley page.
The intent of the Sarbanes-Oxley Act
To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.
What the Act is about
The Sarbanes-Oxley Act created new standards for corporate accountability as well as new penalties for acts of wrongdoing. It changes how corporate boards and executives must interact with each other and with corporate auditors. It removes the defense of “I wasn’t aware of financial issues” from CEOs and CFOs, holding them personally accountable for the accuracy of financial statements. The Act specifies new financial reporting responsibilities, including adherence to internal controls and procedures designed to ensure the validity of the company’s financial records.
The Act requires annual financial reports to include an internal control report. This is designed to show not only that the company’s financial data are accurate, but that the company has confidence in them because adequate controls are in place to safeguard financial data. Year-end financial reports must contain management’s assessment of the effectiveness of those internal controls, and the issuer’s auditing firm is required to attest to that assessment. The auditing firm does this after reviewing controls, policies, and procedures during a Section 404 audit, conducted along with the traditional financial audit.
The Act itself
Why Congress thought the Act was needed
The US Sarbanes-Oxley Act was passed in the wake of a series of corporate scandals. What these scandals had in common was skewed reporting of selected financial transactions. For instance, companies such as Enron, WorldCom and Tyco covered up or misrepresented a variety of questionable transactions, resulting in huge losses to stakeholders and a crisis in investor confidence. How did Congress think the Act would address the problem? Sarbanes-Oxley aims to enhance corporate governance and strengthen corporate accountability. It does that by:
- formalizing and strengthening internal checks and balances within corporations
- instituting various new levels of control and sign-off designed to:
  - ensure that financial reporting exercises full disclosure
  - ensure that corporate governance is transacted with full transparency
If a company isn’t in compliance…
What happens depends on which section of the Act the company is out of compliance with. Non-compliance penalties range from loss of exchange listing and loss of D&O insurance to multimillion-dollar fines and imprisonment, and non-compliance can also erode investor confidence. A CEO or CFO who submits a false certification is subject to a fine of up to $1 million and imprisonment for up to ten years. If the false certification was submitted “willfully”, the fine can be increased to up to $5 million and the prison term to up to twenty years.
Who the Act applies to
SOX applies to all public companies in the U.S., to international companies that have registered equity or debt securities with the Securities and Exchange Commission, and to the accounting firms that provide auditing services to them.
Is the Act of concern to US companies only?
Here’s a great answer from ISACA: “No, there are potential international implications as well. In fact, among the many factors that must be considered in complying with Sarbanes-Oxley, some will uniquely impact international organizations. Specifically, global organizations, or non-US-based companies that are required to comply with Sarbanes-Oxley, need to examine their IT operations and determine if they are significant to the organization as a whole. Significant business units can include financial business units or IT business units. The assessment of whether an IT business unit is significant can be impacted by the materiality of transactions processed by the IT business unit, the potential impact on financial reporting if an IT business unit fails and other qualitative risk factors. The issue is that there are financial materiality and significant risk considerations, quantitative and qualitative, and both aspects provide focus.”