The Sarbanes-Oxley Act of 2002

Presented by:
Ibrahim M. Conteh; Ruby Proctor Garcia; Kathleen M. Parry;
Joseph M. Schmerling; Jaime Ulloa

Auditing Theory and Practice
0902 ACCT422 4021
Due: April 29, 2009

Table of Contents

Page Number

What is the Sarbanes-Oxley Act of 2002? 3
Why was SOX established? 4

When did SOX take effect? 5

What companies were affected and how? 6

What does SOX compliance require? 9

Conclusion 11

References 13

What is the Sarbanes-Oxley Act of 2002? The Sarbanes-Oxley Act of 2002 – its official name being “Public Company Accounting Reform and Investor Protection Act of 2002” – is recognized to be the most significant U.S. federal disclosure and corporate governance legislation since the Securities Act of 1933 (the Securities Act) and the Securities Exchange Act of 1934 (the Exchange Act), and, the provisions of the Act are significant enough that it is considered by many to be the most significant change to federal securities laws in the U.S. since the New Deal. It is best understood, however, not as a piece of legislation centered on a new concept of regulation, but as a process which mandated that many major reforms be implemented as soon as possible (in some cases, within 30 days) on the precise schedule specified by Congress. In that sense, the Enron and WorldCom debacles provided the impetus of public outrage that forced into effect some of the most readily available reform proposals for publicly traded companies, many of which had existed for years without sufficient political imperative to be enacted.[1] The Act provides for new levels of auditor independence; personal accountability for CEOs and CFOs; additional accountability for corporate Boards; increased criminal and civil penalties for securities violations; increased disclosure regarding executive compensation, insider trading and financial statements; and certification of internal audit work by external auditors.[2]

Why was SOX established? The Sarbanes-Oxley Act of 2002 was enacted at a time of remarkable turmoil for corporate America. Following the collapse of Enron Corp. in late 2001, the administration of President George W. Bush, members of the U.S. Congress, the Securities and Exchange Commission (SEC), and the stock exchanges proposed expansive regulation to address what were generally seen as systemic failures in the governance, internal controls, and disclosure practices of public companies and the existing regulation of these companies and the financial markets. In June 2002, seeking to determine whether or not fraud was widespread in major public companies, the SEC ordered the Chief Executive Officers (CEOs) and Chief Financial Officers (CFOs) of the 945 largest publicly-traded companies to file sworn statements attesting to the integrity of the financial and other information contained in their SEC filings for that year. Meanwhile, numerous pieces of reform legislation were working their way through both houses of Congress, going widely unnoticed until the landmark disclosure of a multi-billion dollar accounting scandal at WorldCom, Inc., one of "history’s largest frauds" in the words of the court-appointed monitor for the bankrupt company. The wave of corporate scandals culminating in WorldCom propelled Congress and the White House to action, and the Sarbanes-Oxley Act of 2002 (SOX, the Act) passed both houses by overwhelming margins (423 to 3 in the House and 99 to 0 in the Senate). It was signed into law by President Bush on July 30, 2002, just 35 days after WorldCom’s announcement that it had overstated its revenues by at least $3.8 billion (later considered to have been at least $9 billion in 1999 alone according to an SEC statement). The Act consists of 11 main sections which fix corporate responsibility and provide criminal penalties. [3] The Act also required the establishment of the five-member Public Company Accounting Oversight Board (PCAOB) to register, oversee, regulate, inspect and discipline public accounting firms, including foreign audit firms whose audit reports are included in SEC filings, and persons associated with such firms. The SEC appoints the members of the PCAOB and has oversight and enforcement authority over it. The PCAOB is charged with establishing and enforcing auditing, quality control, ethics and independence standards and rules for public company accountants. The SEC will not accept an audit report from an accounting firm that is not registered with the PCAOB. Thus, SEC reporting companies must engage the services of a registered public accounting firm. The PCAOB is funded by new fees imposed on publicly-traded companies based on their market capitalization – the fees range from as little as $100 for the very smallest companies to more than $1 million for a handful of the largest companies.[4]
When did SOX take effect? Elements of the Act were phased in over time. Those companies with a market capitalization between $75 million and $700 million whose fiscal years closed between November 15, 2004 and February 28, 2005 were granted an extension of 45 days on the internal controls portion of SOX financial reporting frameworks which were to be in place and operational for their first fiscal year-end reports after November 15, 2004, then all quarterly reports thereafter. Smaller companies had until their first fiscal year ending on or after July 15, 2005, to comply, and it will be for the first fiscal year-end, then the subsequent quarterly reports after July 15, 2007.[5] The chief objective of the Act was to enhance auditors’ independence, assigning responsibility for preparation of the financial statements, and augmenting the standards of reporting by the board of directors of all U.S. public companies and even public accounting firms. SOX effected sweeping changes in securities, criminal and other federal laws affecting public companies, public accounting firms, investment banks, lawyers and public company directors and executive officers. Principal provisions of SOX include the following: increased regulation and oversight of the accounting profession; more stringent auditor and audit committee independence requirements; greater corporate responsibility and accountability; increased issuer disclosure; increased regulation of securities analysts; increased criminal penalties; and new professional responsibility standards for attorneys.
What companies were affected and how? Every publicly traded company in the U.S. has felt its impact. Most provisions of the Sarbanes-Oxley Act apply only to publicly-traded companies. The law established new, stricter standards for all publicly traded companies, in every industry in the US; each of their divisions, and all of their wholly owned subsidiaries; any non-US public multinational company engaging in business in the U.S.; and while not required by law as yet, new or currently private firms may also comply with the SOX financial framework requirements in preparation for initial public offerings, private funding or simply to achieve a “best practices” benchmark – but it does not apply to privately-held companies. With respect to non-U.S. Companies, SOX applies to any issuer "the securities of which are registered under section 12 of that Act ... or that is required to file reports under section 15(d)." In practical terms, this includes any company that is required by the securities laws to file periodic reports with the SEC. To date, the SEC has generally provided only modest accommodations to foreign private issuers with respect to their rules adopted pursuant to the Act.[6] Also, nonprofits organizations should consider the Act's enhanced penalties for obstruction of justice, document tampering and impeding of official proceedings. They should also consider whether whistleblower provision (retaliation against informants) would be applicable to a nonprofit, as well as the Act's prohibition against conspiracy to commit fraud and its increased penalties for mail and wire fraud. Another mandate from the SEC includes implementation of SOX by the U.S. Postal Service which is the first federal agency mandated to comply with the Act by fiscal 2010. Given the reliance on information technology to move the mail and report financial transactions, the Postal Service Information Technology (IT) infrastructure and its management play a significant role in ensuring the integrity and reliability of the Postal Service’s financial reporting in support of SOX compliance which includes both business and information technology components. Among the most significant activities facing the Postal Service IT SOX team is the development of control activities beginning with an assessment of current IT policies, processes and controls measured using IT governance frameworks, and other sources of best-practices for IT control, which must be documented and subsequently tested. A new IT Manual/Web site will serve as the primary repository of all IT documentation including policies, processes, standards and services — all of which were developed considering best practices, and it will support the newly designed Technology Solution Life Cycle (TSLC) process, which will provide program and project managers step-by-step tasks required for each phase of a project. The IT Manual/Web site will also be the single source for all project- related templates, each aligned with the appropriate phase of TSLC. The TSLC is designed with the flexibility to suit any technology project, from developing a new application to applying patches to existing servers. IT/SOX governance and the IT Manual/Web site will provide the Postal Service’s IT the tools to align and promote policy, process and standardization throughout the organization. This focal point for IT documents will also assist in simplifying the tasks involved in responding to audit requests. [7] Concerning SOX’s application to homeland security, in an attempt to improve corporate governance, the Act mandated that public companies take certain actions (for example, it requires that CEOs certify that they have reviewed the financial practices of their companies and, understand risks that may affect the financial reporting process). While improved corporate governance sounds good, especially after Enron and WorldCom scandals, how the Act would apply to homeland security issues is unclear. What would happen under SOX if a terrorist attack on a piece of critical infrastructure caused the value of a corporation’s stock to plummet? Could a stockholder sue the company for having an inadequate risk management strategies and failing to disclose its vulnerabilities?[8] To counter these concerns, Congress should create a list of actions that are deemed to be reasonable precautions, and possibly create safe harbors for certain sectors.
What does SOX compliance require? SOX compliance essentially requires a complete change in corporate mindset, not unlike that required for ISO 9000 certification during the 1990’s. But for SOX compliance a new corporate mindset had to be established permanently. Under SEC rules adopted pursuant to SOX, listed companies must disclose whether – and if not, why not – they have a code of ethics for the CEO and senior financial officers. Additionally, U.S. companies must promptly disclose any subsequent waivers or changes to this code on a Form 8-K or, if they have indicated an intent to do so in their periodic reports, on their website. Many companies blend such codes into lengthier codes of ethics and standards of business conduct such as those now required for New York Stock Exchange-listed companies. SOX also required the adoption by the SEC of rules regarding enhanced financial information disclosures in periodic reports filed with the SEC, including information on off-balance sheet transactions, aggregated and tabular information about contractual obligations and reconciliation of any "non-GAAP financial measures. The SEC rules also apply to any public disclosures containing material information that use non-GAAP financial measures, such as press releases. SOX further requires that each periodic report containing financial statements filed with the SEC must reflect all material correcting adjustments identified by the auditor.[9] The key sections of SOX are: Section 201 – Prohibited Auditor Activities.; Section 302 – CEO's and CFO's New Responsibilities Regarding Corporate Reports; Section 404 – Management Assessment of Internal Controls; Section 409 – Real Time Disclosure; Section 802 – Criminal penalties for altering documents; Section 806 – Whistleblower protection; and Section 807 – Criminal Penalties for Fraud. Prior to the passage of SOX, no company in America had in place a system of controls, auditing, and reporting that would have completely satisfied the language of SOX Section 302 or Section 404 which mandate that all publicly-traded organizations demonstrate due diligence in the disclosure of financial information by implementing internal controls and procedures to communicate, store, and protect that data. Further, management must protect these controls from internal and external threats and unauthorized access, including those that could occur through online systems and networks.[10] The most expensive and time-consuming SOX effort is represented in Section 404 of the Act which are the high-level requirements for management's assessment of the company's controls (referred to in Section 302). The detailed requirements for how management must conduct its assessment – and what standards external auditors must use in deciding whether they can sign off on that assessment – have been provided by auditing firms, under the direction of the PCAOB. To comply with Section 404, companies have had to assess whether their processes for working with financial data and information technology that manage financial data are established, documented, and structured to contain controls against risk, and to assess whether management has adequate security controls to ward off theft or corruption of data, and to determine whether their employees' roles, responsibilities, access rights, and permissions could allow material fraud or misrepresentation of financial data. There has been a universal outcry against the burden placed on public companies to comply with SOX. At the same time, there has been a quiet but persistent response that the Act simply made mandatory what were industry-accepted good practices, and that investors have a right to the levels of transparency and accountability that are the result of complying with Sections 302 and 404.[11]
Conclusion
The growth of the accounting scandals and growing abuse of the loose public reporting of financial accounts led many companies to swindle billions of public money and file bankruptcy. When SOX came into force in 2002, due to its complex nature and reporting requirements, the financial statements of almost all the companies were delayed beyond the normal period, and huge amounts of paper work were generated. IT projects were stopped midway as the existing ones were needed by all companies in order to be made SOX compliant. The implementation of the Act delayed a huge number of corporate projects as their timings clashed with the timing of filing returns under SOX every quarter, mid-year, and year-end. But the law is law and it needed to be honored, so the project managers took up the challenge and implemented SOX along with their usual projects.[12] The SEC has responded to complaints by softening some requirements and pushing back deadlines for others. According to the SEC, to meet the SOX compliance, each company’s projects will have to have an additional layer of compliance checks at every process and procedure that involves financial transactions for those companies which use public money to fund their projects. Further, the SEC has insisted that the reasons behind the Act are still valid today and that its provisions, on the whole, are in the best interest of the country. Congress and the investing public seem to agree, with no indication of a repeal. After almost a decade of SOX where do we stand? One thing is clear: the Sarbanes-Oxley Act will remain in order to protect the interest of the investing public.
References

CIO magazine. “SEC/Sarbanes Oxley Changes to Give Small Public Firms a Break.” December 11, 2006. Accessed April 1, 2009 from: http://www.cio.com/.

Kochems, Alane. “Who’s on First? A Strategy for Protection Critical Infrastructure. May 5, 2005. Accessed April 9, 2009 from: The Hertiage Foundation website at http://www.heritage.org/research/homelandsecurity/bg1851.cfm.

The Institute of Internal Auditors. “The Sarbanes-Oxley Act of 2002: Effect on Audit Committees at Publicly Traded Companies.” January 2004. Assessed April 1, 2009 from: http://www.theiia.org/.

The Institute of Internal Auditors. “The Sarbanes-Oxley Act of 2002: Effect on Audit Committees at Organizations Not Publicly Traded.” January 2004. Accessed April 1, 2009 from: http://www.itaudit.org/.

The National Council of Nonprofit Organizations. “Learning from Sarbanes-Oxley: A Checklist for Nonprofits and Foundations”. June 2004. Assessed April 1, 2009 from: http://www.councilofnonprofits.org/. PCAOB. “Auditing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements (NOTE: Auditing Standard No. 2 was superseded by Auditing Standard No. 5 for fiscal years ending on or after November 15, 2007). June 17, 2004. Accessed April 1, 2009 from: http://www.pcaobus.org/. PCAOB. “Auditing Standard No. 3 – Audit Documentation.” June 9, 2004.
Accessed April 1, 2009 from: http://www.pcaobus.org/.

PCAOB. “Conforming Amendments to PCAOB Auditing Standards: Amendment to Auditing Standard No. 3 resulting from Auditing Standard No. 5.” August 25, 2004. Accessed April 1, 2009 from: http://www.pcaobus.org/.

The U.S. General Accounting Office. “Sarbanes-Oxley Act: Consideration of Key Principles Needed in Addressing Implementation for Smaller Public Companies.” GAO-06-361, April 13, 2006. Accessed April 1, 2009 from: http://www.gao.gov/.

Wright, George W. “Postal Service readies for Sarbanes-Oxley Act.” February 4, 2008. Accessed April 1, 2009 from: http://federaltimes.com/index.php?S=3348921.

-----------------------
[1] The Institute of Internal Auditors. “The Sarbanes-Oxley Act of 2002: Effect on Audit Committees at Publicly Traded Companies.” January 2004. Assessed April 1, 2009 from: http://www.theiia.org/.

[2] The Institute of Internal Auditors. “The Sarbanes-Oxley Act of 2002: Effect on Audit Committees at Organizations Not Publicly Traded.” January 2004. Accessed April 1, 2009 from: http://www.itaudit.org/

[3] CIO magazine. “SEC/Sarbanes Oxley Changes to Give Small Public Firms a Break.” December 11, 2006. Accessed April 1, 2009 from: http://www.cio.com/

[4] The Institute of Internal Auditors. “The Sarbanes-Oxley Act of 2002: Effect on Audit Committees at Organizations Not Publicly Traded.” January 2004. Accessed April 1, 2009 from: http://www.itaudit.org/

[5] The Institute of Internal Auditors. “The Sarbanes-Oxley Act of 2002: Effect on Audit Committees at Organizations Not Publicly Traded.” January 2004. Accessed April 1, 2009 from: http://www.itaudit.org/
[6] The National Council of Nonprofit Organizations. “Learning from Sarbanes-Oxley: A Checklist for Nonprofits and Foundations”. June 2004. Assessed April 1, 2009 from: http://www.councilofnonprofits.org/ [7] Wright, George W. “Postal Service readies for Sarbanes-Oxley Act.” February 4, 2008. Accessed
April 1, 2009 from: http://federaltimes.com/index.php?S=3348921.

[8] Kochems, Alane. “Who’s on First? A Strategy for Protection Critical Infrastructure. May 5, 2005. Accessed April 9, 2009 from: The Hertiage Foundation website at http://www.heritage.org/research/homelandsecurity/bg1851.cfm
[9] PCAOB. “Auditing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements (NOTE: Auditing Standard No. 2 was superseded by Auditing Standard No. 5 for fiscal years ending on or after November 15, 2007). June 17, 2004. Accessed April 1, 2009 from: http://www.pcaobus.org/.

[10] Kochems, Alane. “Who’s on First? A Strategy for Protection Critical Infrastructure. May 5, 2005. Accessed April 9, 2009 from: The Hertiage Foundation website at http://www.heritage.org/research/homelandsecurity/bg1851.cfm.

[11] The U.S. General Accounting Office. “Sarbanes-Oxley Act: Consideration of Key Principles Needed in Addressing Implementation for Smaller Public Companies.” GAO-06-361, April 13, 2006. Accessed
April 1, 2009 from: http://www.gao.gov/.

[12] CIO magazine. “SEC/Sarbanes Oxley Changes to Give Small Public Firms a Break.” December 11, 2006. Accessed April 1, 2009 from: http://www.cio.com/