The Sarbanes-Oxley Act of 2002 (SOX) was signed into law on July 30, 2002. It is named after Senator Paul Sarbanes and Representative Michael Oxley, its principal sponsors. The act contains a set of reforms intended to enhance corporate responsibility, improve financial disclosures, and combat accounting fraud in public companies.
The SOX act is arranged into 11 titles:
- Public Company Accounting Oversight Board
- Auditor Independence
- Corporate Responsibility
- Enhanced Financial Disclosures
- Analyst Conflicts of Interest
- Commission Resources and Authority
- Studies and Reports
- Corporate and Criminal Fraud Accountability
- White-Collar Crime Penalty Enhancements
- Corporate Tax Returns
- Corporate Fraud and Accountability
The act was passed in reaction to a series of major corporate and accounting scandals, including Enron and WorldCom. Its sections set out the responsibilities of a public company's board of directors and officers, add criminal penalties for certain misconduct, and direct the Securities and Exchange Commission (SEC) to issue regulations that define how public companies must comply with the law. The full text of the act is available on the SEC website.
Section 404
The section most people have heard of, and the one that matters most for compliance work, is Section 404.
Section 404(a) requires that a public company's annual report include an Internal Control Report stating that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting, together with management's assessment of the effectiveness of that structure as of the end of the fiscal year.
Material weaknesses identified by that assessment must be disclosed. Section 404(b) additionally requires the company's registered external auditor to attest to, and report on, management's assessment; in practice this means confirming that internal controls over financial reporting (ICFR) are designed appropriately and operating effectively. Two caveats are worth knowing: the 404(b) auditor attestation does not apply to smaller "non-accelerated filers," which the Dodd-Frank Act of 2010 permanently exempted from it, and for IT and security teams the relevant scope is the IT general controls over systems that feed financial reporting, chiefly logical access, change management, and IT operations such as backup and job scheduling.
Additional Guidance
Additional guidance arrived in 2007. The Public Company Accounting Oversight Board (PCAOB) approved Auditing Standard No. 5 (AS5), which superseded Auditing Standard No. 2 and governs the external auditor's audit of internal control over financial reporting; in the PCAOB's 2015 reorganization of its standards it was renumbered AS 2201. In the same year the SEC issued separate interpretive guidance for management's own evaluation of ICFR.
Both documents endorse a top-down, risk-based approach: management and the external auditor start with entity-level controls and the financial statements, identify where a material misstatement could occur, and concentrate their testing and evidence gathering on those risks. This gives management wider discretion in how it scopes and performs its assessment than the earlier, more prescriptive AS2 regime allowed.
Under this risk-based approach, management is expected to:
- Understand the flow of transactions and data in enough detail to identify the points at which a material misstatement could occur.
- Perform a fraud risk assessment over the period-end financial reporting process, scaled to the size and complexity of the company.
- Evaluate the design and operating effectiveness of the controls selected to address relevant financial statement assertions, to reduce the risk of material misstatement.
- Evaluate entity-level controls, mapped to the components of the COSO Internal Control framework.
- Assess both fraud prevention controls and fraud detection controls.
- Conclude on the effectiveness of internal control over financial reporting, identifying any deficiencies to be remediated and classifying them by severity.
Since then, the PCAOB has issued further auditing standards addressing the independent auditor's responsibilities and functions, including proficiency and due professional care, as well as audit risk, audit evidence, and audit documentation. These standards are intended to make audits consistent and thorough across firms.
Audit procedures have their own standards, covering the identification and assessment of risks of material misstatement, the auditor's response to those risks, consideration of fraud and of illegal acts by clients, and more. They exist to guide the auditor in specific circumstances. Given how the act is structured, further standards should be expected over time, and each will supersede the standards it replaces.
Value of the SOX Act
The benefit of SOX is still debated, especially for small and medium-sized public companies. Many argue that since the act was signed into law, confidence in public companies and in the truthfulness and completeness of their financial statements has increased. Others maintain that the cost of compliance far outweighs the benefit, particularly since determined fraudsters can still find ways around the controls.
One side effect of the closer scrutiny of corporate governance, and of the increased responsibility placed on directors to vouch for reports submitted to federal agencies, has been the growth of software aimed at reducing the complexity, time, and expense of producing those reports. Several vendors now offer tools that streamline auditor reports and financial statements for public companies as part of the broader Software as a Service (SaaS) market.
Summary
The SOX Act enhances corporate responsibility at public companies by requiring an external audit of the effectiveness of the company's controls for mitigating the risk of fraudulent financial reporting. It also requires annual financial reports to place responsibility for internal control explicitly on management, and it requires that material weaknesses in those controls be disclosed. By requiring attestation over fraud risk controls and laying out penalties for noncompliance, the SOX Act arguably enhances public trust in corporations.
Although Linford and Company does not conduct SOX audits, our extensive experience in FedRAMP, SOC, and HIPAA audits gives us a unique edge in the realm of compliance. Contact us today to find out how we can help your company with risk assessment, no matter what your industry or size.
This article was originally published on 11/9/2016 and was updated on 8/13/24.
Nicole Hemmer started her career in 2000. She is the co-founder of Linford & Co., LLP. Prior to Linford & Co., Nicole worked for Ernst & Young in Indianapolis, Chicago, and Denver. She specializes in SOC examinations and royalty audits and loves the travel and challenge that comes with clients across all industries. Nicole loves working with her clients to help them through examinations for the first time and then working together closely after that to have successful audits.