Sarbanes-Oxley (SOX) is an act signed into law in 2002. It is named after Senator Paul Sarbanes and Representative Michael Oxley, its main architects. The act introduced a number of reforms to strengthen corporate responsibility, expand financial disclosures and combat accounting fraud in public companies.
The SOX act is a 66-page document arranged into eleven titles (Public Company Accounting Oversight Board, Auditor Independence, Corporate Responsibility, Enhanced Financial Disclosures, Analyst Conflicts of Interest, Commission Resources and Authority, Studies and Reports, Corporate and Criminal Fraud Accountability, White-Collar Crime Penalty Enhancements, Corporate Tax Returns, and Corporate Fraud and Accountability). It was enacted in reaction to a series of major corporate and accounting scandals, including Enron and WorldCom. Its sections set out the responsibilities of a public corporation's board of directors, add criminal penalties for certain misconduct, and direct the Securities and Exchange Commission (SEC) to issue regulations defining how public corporations must comply with the law. The full text of the act is available on the SEC website. The section most people have heard of, and one of the most important as far as compliance is concerned, is Section 404.
Section 404 requires that a public company's annual financial report include an Internal Control Report stating that management is responsible for maintaining an "adequate" internal control structure over financial reporting, together with management's assessment of the effectiveness of that structure. Any material weaknesses in these controls must be disclosed. In addition, a registered external auditor must attest to, and report on, management's assessment. In practice this means demonstrating that internal accounting controls, including the controls over the IT systems that process financial data, are in place and operating effectively.
Additional guidance came in 2007, when the Public Company Accounting Oversight Board (PCAOB) adopted Auditing Standard No. 5 (AS5), superseding Auditing Standard No. 2, the original 2004 guidance. AS5 is directed at the external auditor's audit of internal control over financial reporting; the SEC issued parallel interpretive guidance for management's own assessment in the same year. Both require the assessment to be performed in the context of a top-down risk assessment, so that the scope of the work and the evidence gathered are driven by the risk of material misstatement. This gives management wider discretion in its assessment approach. Under this guidance, management (and, where noted, the auditor) must:
- Assess both the design and operating effectiveness of selected internal controls related to significant accounts and relevant assertions, in the context of material misstatement risks;
- Understand the flow of transactions, including the IT aspects (the applications that process them and the IT general controls around those applications), in sufficient detail to identify the points at which a misstatement could arise;
- Evaluate company-level (entity-level) controls, which correspond to the components of the COSO internal control framework;
- Perform a fraud risk assessment;
- Evaluate controls designed to prevent or detect fraud, including management override of controls;
- Evaluate controls over the period-end financial reporting process;
- Scale the assessment based on the size and complexity of the company;
- For the auditor: rely on management's work to a degree based on factors such as competency, objectivity and risk;
- Conclude on the adequacy of internal control over financial reporting.
There is still debate about the benefit of SOX, especially for small and medium-sized public companies, given the cost of the Section 404 compliance work. Many would argue, though, that since the act was signed into law there has been greater confidence in public companies and in the truthfulness and completeness of their financial statements.