Sarbanes Oxley Act of 2002 – SOX
Saturday, July 04, 2020
The Sarbanes-Oxley Act of 2002 is a United States federal law (US Law – Pub. L. 107-204, and U.S. Statutes at Large – 116 Stat. 745), passed by the U.S. Congress on July 30, 2002, to protect investors from fraudulent financial reporting by listed corporations. The Sarbanes-Oxley (SOX) Act of 2002 is also known as “SOX 2002”, the “Public Company Accounting Reform and Investor Protection Act”, and the “Corporate and Auditing Accountability, Responsibility, and Transparency Act”. It came in response to highly publicized corporate financial scams of that decade, namely the Enron scandal, the Tyco scandal, and the WorldCom scandal. The Act was passed to safeguard investors and to prevent further financial scandals at organizations. It mandated strict reforms (such as SOX audits, internal controls, and SOX compliance regulations) to existing securities and financial regulations and imposed tough new penalties on lawbreakers.
Introduced: Jan 2002 under U.S. Legislation bill no H.R. 3763 (107th Congress)
Signed into law / Enacted on July 30, 2002
Effective date: July 30, 2002
What is the Sarbanes Oxley Act?
Sarbanes–Oxley or SOX, is a United States federal law that contains 11 sections and has set new financial security regulations and requirements for all U.S. public company boards, management, and public accounting firms. The act took its name from its two sponsors—Sen. Paul S. Sarbanes (D-Md.) and Rep. Michael G. Oxley (R-Ohio).
The rules and enforcement policies outlined in the Sarbanes-Oxley Act of 2002 amended or supplemented existing laws dealing with securities regulation, including the Securities Exchange Act of 1934 and other laws enforced by the Securities and Exchange Commission (SEC). A number of provisions of the Act also apply to privately held companies, such as those covering the wilful destruction of evidence to impede a federal investigation.
Sarbanes Oxley Act 2002 purpose
When Congress passed the Sarbanes-Oxley Act of 2002, it had in mind combating fraud, improving the reliability of financial reporting, and restoring investor confidence. As a result of SOX, a company's financial transactions and records must be transparent, clear in intent, free of partiality or bias, and backed by properly maintained processes and records. The company’s top management must individually certify the accuracy of financial information and records. In addition, penalties for fraudulent financial activity are much more severe. SOX also increased the oversight role of boards of directors and the independence of the outside auditors who review the accuracy of corporate financial statements.
SOX set out reforms and additions in four principal areas:
- Corporate responsibility
- Increased criminal punishment
- Accounting regulation
- New protections
Sarbanes Oxley Act of 2002 definitions
In 2002, the United States Congress passed the Sarbanes-Oxley Act (SOX) to protect shareholders and the general public from accounting errors and fraudulent practices in enterprises, and to improve the accuracy of corporate disclosures.
SOX defines certain terms as follows:
- AUDIT—The term ‘‘audit’’ means an examination of the financial statements of any issuer by an independent public accounting firm in accordance with the rules of the Board or the Commission, for the purpose of expressing an opinion on such statements.
- AUDIT COMMITTEE—The term ‘‘audit committee’’ means— a committee (or equivalent body) established by and amongst the board of directors of an issuer for the purpose of overseeing the accounting and financial reporting processes of the issuer and audits of the financial statements of the issuer.
- AUDIT REPORT—The term ‘‘audit report’’ means a document or other record— (A) prepared following an audit performed for purposes of compliance by an issuer with the requirements of the securities laws; and (B) in which a public accounting firm either— (i) sets forth the opinion of that firm regarding a financial statement, report, or other documents; or (ii) asserts that no such opinion can be expressed.
Sarbanes Oxley act (SOX) 2002 Summary
SOX is all about corporate governance and financial disclosure. The Act is arranged into eleven titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the law. As far as compliance is concerned, the most important sections within these are often considered to be 302, 401, 404, 409, 802, and 906.
Highlights of the Sarbanes Oxley Act – SOX 2002 are as below:
- Public Company Accounting Oversight Board (PCAOB)
Title I establishes the Public Company Accounting Oversight Board (PCAOB) to provide independent oversight of public accounting firms providing audit services (“auditors”). It also creates a central oversight board tasked with registering auditors, defining the specific processes and procedures for compliance audits, inspecting and policing conduct and quality control, and enforcing compliance with the specific mandates of SOX.
- Auditor Independence
The second title establishes standards for external auditor independence, to limit conflicts of interest. It also addresses new auditor approval requirements, audit partner rotation, and auditor reporting requirements. It restricts auditing companies from providing non-audit services (e.g., consulting) for the same clients.
- Corporate Responsibility
This title mandates that senior executives take individual responsibility for the accuracy and completeness of corporate financial reports. It defines the interaction of external auditors and corporate audit committees and specifies the responsibility of corporate officers for the accuracy and validity of corporate financial reports.
- Enhanced Financial Disclosures
This title describes enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures, and stock transactions of corporate officers. It requires internal controls for assuring the accuracy of financial reports and disclosures and mandates both audits and reports on those controls. It also requires timely reporting of material changes in financial condition and specific enhanced reviews by the SEC or its agents of corporate reports.
- Analyst Conflicts of Interest
Title V defines the codes of conduct for securities analysts and requires disclosure of knowable conflicts of interest.
- Commission Resources and Authority
Title VI defines practices to restore investor confidence in securities analysts. It also defines the SEC’s authority to censure or bar securities professionals from practice and defines conditions under which a person can be barred from practicing as a broker, advisor, or dealer.
- Studies and Reports
This title requires the Comptroller General and the SEC to perform various studies and report their findings. Studies and reports include the effects of consolidation of public accounting firms, the role of credit rating agencies in the operation of securities markets, securities violations, and enforcement actions, and whether investment banks assisted Enron, Global Crossing, and others to manipulate earnings and obfuscate true financial conditions.
- Corporate and Criminal Fraud Accountability
Title eight consists of seven sections and is also referred to as the “Corporate and Criminal Fraud Accountability Act of 2002”. It describes specific criminal penalties for manipulation, destruction, or alteration of financial records or other interference with investigations while providing certain protections for whistle-blowers.
- White-Collar Crime Penalty Enhancement
This section is also called the “White Collar Crime Penalty Enhancement Act of 2002”. This section increases the criminal penalties associated with white-collar crimes and conspiracies. It recommends stronger sentencing guidelines and specifically adds failure to certify corporate financial reports as a criminal offense.
- Corporate Tax Returns
Title ten consists of one section. Section 1001 states that the Chief Executive Officer should sign the company tax return.
- Corporate Fraud Accountability
Section 1101 gives this title the name “Corporate Fraud Accountability Act of 2002”. It identifies corporate fraud and records tampering as criminal offenses and joins those offenses to specific penalties. It also revises sentencing guidelines and strengthens their penalties. It also enables the SEC to temporarily freeze transactions or payments that have been deemed “large” or “unusual”.
Sarbanes Oxley act 2002 (SOX) applicability
SOX is a set of standards that all U.S. public companies and public accounting firms must comply with to ensure good-quality financial reporting. All U.S. public companies must comply with SOX, both on the financial side and on the IT side. The way in which IT departments store corporate electronic records changed as a result of SOX. While the act does not specify how a business should store records or establish a set of business practices, it does define which records should be stored and the length of time for the storage.
Private companies, charities, and non-profits are generally not required to comply with all of SOX's provisions. However, under SOX, private organizations must not knowingly destroy or falsify financial data, and SOX does contain language to penalize those that do. Private companies that are planning an Initial Public Offering (IPO) should prepare to comply with SOX before they go public.
SOX affects public (and private) U.S. companies and non-U.S. companies with a U.S. presence.
Compliance with the legislation need not be a daunting task. Like every other regulatory requirement, it should be addressed methodically, via proper analysis and study. To comply with the Sarbanes Oxley Act of 2002, corporations must maintain clear, transparent, and factual books of records. They must save all business records, including electronic records and electronic messages, for “not less than five years.” Consequences for non-compliance include fines or imprisonment, or both.
Companies have to follow the rules defined under the SOX Act and by the enforcement committee. Several rules that are important to follow are:
- SOX requires public corporations to hire independent auditors to review their accounting practices.
- SOX also created rules for separation of duties by detailing several non-audit services that a company’s auditor cannot perform during audits. These rules are designed to further guard against fraudulent financial practices.
- SOX led to the creation of the Public Company Accounting Oversight Board (PCAOB), which sets standards and rules for audit reports. Under SOX, all accounting firms that audit public companies are required to register with the PCAOB. The PCAOB investigates and enforces compliance at the registered accounting firms.
Why SOX? – A History Full of Scams
Following the numerous corporate scandals in the US and other countries at the start of the 21st century, SOX was introduced to restore investors' confidence in corporate governance and the financial reporting process. Some of the scams that led to the introduction of a newer and stronger law were:
The ENRON scandal
Enron was the seventh-largest US-based company. Because of a whistle-blower, Sherron Watkins, it was investigated for its complex network of offshore partnerships and accounting practices. It had used Special Purpose Entities (SPEs) to move debt off the balance sheet and transfer risk for its other business ventures. On investigation, Arthur Andersen (its auditors) and Skilling and Ken Lay (the principal officers) were charged with fraud and negligence.
The WorldCom scandal
The WorldCom scandal was a major accounting scandal that came to light in the summer of 2002 at WorldCom, the nation’s second-largest long-distance telephone company at the time. In 2002, the SEC was suspicious of WorldCom’s increasing profits when others in the telecom industry were losing money. The fraud was uncovered in June 2002 when the company’s internal audit unit, led by Vice President Cynthia Cooper, discovered over $3.8 billion of fraudulent balance sheet entries. Eventually, WorldCom was forced to admit that it had overstated its assets by over $11 billion. At the time, it was the largest accounting fraud in American history. Finally, in 2004, it was declared bankrupt.
The Tyco scandal
In 1999, the SEC investigated Tyco for its reporting anomalies. It was discovered that the CEO and CFO of Tyco had fraudulently obtained millions of dollars by way of bonuses and misuse of Employee Loan Programs.
In the wake of the above scandals, the SOX Act was introduced to:
- Strengthen the Internal Control Mechanisms
- Ensure full disclosure in financial reports
- Transact Corporate Governance with full transparency
- Company Management to take accountability & responsibility for all financial statements
- Rigid penalties and fines
- Having rules and regulations in the process
SOX Penalties & fines
Provisions of the Sarbanes-Oxley Act (aka SOX, Sarbox, or SOA) detail criminal and civil penalties for noncompliance, certification of internal auditing, and increased financial disclosure.
Fines range from a few thousand dollars to $5 million, with jail time of up to 20 years, based on the severity of the offense.
For the protection of whistle-blowers, Section 1107 of SOX states: Whoever knowingly, with the intent to retaliate, takes any action harmful to any person, including interference with the lawful employment or livelihood of any person, for providing to a law enforcement officer any truthful information relating to the commission or possible commission of any federal offense, shall be fined under this title, imprisoned not more than 10 years, or both.
Major Provisions of the Sarbanes-Oxley (SOX) Act of 2002
Sarbanes Oxley Act Section 302 – Disclosure controls
Section 302 of the SOX Act mandates a set of internal procedures designed to ensure accurate financial disclosure. This section mandates that senior corporate officers personally certify in writing that the company’s financial statements “comply with SEC disclosure requirements and fairly present in all material aspects the operations and financial condition of the issuer.” Officers who sign off on financial statements that they know to be inaccurate are subject to criminal penalties, including prison terms.
Periodic statutory financial reports are to include certifications that:
- The signing officers have reviewed the report
- The report does not contain any material untrue statements or material omissions and cannot be considered misleading
- The financial statements and related information fairly present the financial condition and the results in all material respects
- The signing officers are responsible for internal controls and have evaluated these internal controls within the previous ninety days and have reported on their findings
- A list of all deficiencies in the internal controls and information on any fraud that involves employees who are involved with internal activities
- Any significant changes in internal controls or related factors that could have a negative impact on the internal controls
Sarbanes Oxley Act Section 404 – Assessment of internal control
This section requires management and the external auditor to report on the adequacy of the company’s internal control over financial reporting (ICFR). This is the most expensive aspect of the legislation for companies to implement, as documenting and testing important manual and automated financial controls requires enormous effort.
Section 404 of the SOX Act of 2002 requires that management and auditors establish internal controls and reporting methods to ensure the adequacy of those controls. Some critics of the law have complained that the requirements in Section 404 can have a negative impact on publicly traded companies because of the heavy expense of implementing them.
The registered accounting firm shall, in the same report, attest to and report on the assessment on the effectiveness of the internal control structure and procedures for financial reporting.
SOX 404 compliance costs represent a tax on inefficiency, encouraging companies to centralize and automate their financial reporting systems. This is apparent in the comparative costs of companies with decentralized operations and systems, versus those with centralized, more efficient systems.
Sarbanes Oxley Act Section 802 – Criminal Penalties for Altering Documents
Section 802 states – Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both. This section also imposes penalties of fines and/or imprisonment up to 10 years on any accountant who knowingly and willfully violates the requirements of maintenance of all audit or review papers for a period of 5 years.
Sarbanes Oxley Whistleblower Protection Act
Protection for whistle-blowers is another significant provision in the Sarbanes-Oxley Act under section 806.
SOX states that employees (and even contractors) who report fraud and/or testify about fraud committed by their employers are protected against retaliation, including dismissal and discrimination.
With the inclusion of the above provision, the Sarbanes Oxley Act recognizes the value of whistleblowing; it drew considerable attention from whistle-blowers and gave confidence to those who were afraid of revealing fraud.
Remedies under Section 806 include:
- reinstatement with the same seniority status that the employee would have had, but for the discrimination.
- the amount of back pay, with interest; and
- compensation for any special damages sustained as a result of the discrimination, including litigation costs, expert witness fees, and reasonable attorney fees.
There is one name that pops up in history whenever we talk about whistle-blowers: Edward Joseph Snowden. He was a former CIA employee who leaked classified and restricted information to the public from the United States National Security Agency in 2013. Similarly, there are many other examples, such as the explosive 2019 whistleblower complaint concerning President Trump’s dealings with the president of Ukraine, and Li Wenliang, who warned about the COVID-19 pandemic on 30 December 2019.
Corporate whistleblowing has become more common, precipitating many a corporate scandal. Around 40% of fraud schemes are unearthed through clues, the bulk of which come from employees.
Impact & benefits of SOX (Sarbanes-Oxley act) to companies
While SOX was enacted to combat fraud, improve the reliability of financial reporting, and restore investor confidence, it levied a heavy burden of compliance and process implementation on companies. The act created strict new rules for accountants, auditors, and corporate officers and imposed more stringent recordkeeping requirements. The act also added new criminal penalties for violating securities laws.
According to a 2008 SEC survey of officers at public companies, Sarbanes-Oxley costs the average company $2.3 million annually in direct compliance costs, including staff time, documentation, and external audits, compared with estimates of $91,000 in annual costs before the Act was passed.
While the law was largely a bitter pill for corporations, it also brought some longer-term benefits, such as:
- Strengthening the Control Environment with robust policies and procedures
- Improved Documentation and record-keeping
- Better Audits and engagements
- Easier alignment with other compliance regimes such as PCI, HIPAA, etc.
- Standardizing processes to become a process-driven organization
- Increased trust, which eased the company acquisition process
- Fewer issues thanks to policies and standards, whose effectiveness increased
Companies are becoming more vigilant and transparent after the passage of the Sarbanes-Oxley Act of 2002.
Criticism of SOX
SOX had critics from the start, including many top executives who felt they were being unfairly burdened by new regulations due to the dishonest and negligent acts of a few others.
Corporate leaders also voiced concerns that meeting the regulations laid out in SOX would take too much executive time and cost an excessive amount of money.
Sarbanes Oxley Act pdf
The Sarbanes Oxley law can be downloaded as a PDF from the sources below:
US Law – Pub. L. 107-204
U.S. Statutes at Large – 116 Stat. 745
U.S. Legislation bill no H.R. 3763 (107th Congress)
SOX Act – Updates since its inception
Despite early and ongoing criticism, SOX remains in place, essentially unchanged from when it was first enacted in 2002.
Some Relevant Laws / Acts
General Data Protection Regulation (GDPR)– Personal Data Protection law for European Citizens.
Personal Data Protection Bill (PDP) – India – Personal Data Protection law for Indian Citizens.
California Consumer Privacy Act (CCPA) – California, United States – Personal Data Protection law for Citizens of California.
The Brazilian Data Protection Law — LGPD Brazil – Data protection act of Brazilians.
© dataprivacyacts.com. All rights reserved.