Sarbanes-Oxley Act

From Citizendium
Jump to navigation Jump to search
This article is developing and not approved.
Main Article
Related Articles  [?]
Bibliography  [?]
External Links  [?]
Citable Version  [?]
This editable Main Article is under development and subject to a disclaimer.

The Sarbanes-Oxley Act of 2002 (SOX) is a complex set of U.S. laws and regulations intended to protect against financial irregularity in public companies. It was the major U.S. government response to major corporate failures that involved poor auditing, such as Enron and Worldcom, beginning in late 2001. [1] While it primarily deals with finance, it has significant involvement in information security. The Act has been politically controversial, and recent attempts have been made to change it through legislation or the courts.

Basic structure

The Act, relatively speaking, tries to be neutral between the demands of regulation and the costs of additional internal control measures. There is a sense in the industry that the initial learning curve was steep and expensive, but costs drop considerably when affected firms continue to run with its regulations, especially Section 404, which covers Information and Communications Technology (ICT). Other sections that companies find challenging include 303 on debt and credit management, and 409 on prompt disclosure of changes to their financial positions.

The Securities and Exchange Commission (SEC), which administers SOX, requires several statements that must come from the management reporting system:[2]

Title I: Public Company Acounting Oversight Board

Section 101

Establishes the Public Company Acountin Standards Board.

Title II: Auditor Independence

Title III: Corporate Responsibility

Section 302: Corporate Responsibility for Financial Reports

Section 302 makes the CEO and CFO personally and criminally liable for inaccurate reporting

  • Management acknowledgement that it is responsible for internal control,
  • Management identification of the framework that will be used to evaluate the efficacy of the internal controls over financial reporting,
  • An assessment, by management, of how well the internal controls have worked in the most recent fiscal year, and a binary statement of whether it was effective or not. If it was not effective, the statement must identify any "material weaknesses" in the process. Management cannot state the controls were effective if there were any material weaknesses.

Organizations covered by the Act are in violation if they reincorporate, or transfer activities, outside the United States in an attempt to evade its provisions.

Section 303: Improper influence in conduct of audits

Section 307: Attorney conduct

Section 307 of the Act prescribes rules for lawyers practicing under its jurisdiction. [3] It requires attorneys to report irregularities to the chief counsel or CEO, and, if they do not respond, to the audit committee of the Board. While some say these were new requirements for lawyers, arguing "federal securities law did not require a lawyer to report corporate wrongdoing to anybody or to do anything about corporate fraud" and the American Bar Association Model Rules give attorneys substantial latitude since Rule 1.13 only requires that "the lawyer shall proceed as is reasonably necessary in the best interest of the organization." Section 307, in this view, appear to "significantly increase the ethical responsibilities and duties of corporate attorneys. Upon further analysis, however, it appears that the language of Section 307 does not give the Commission the authority to impose any obligations on lawyers beyond those which have long been required of them by courts, the Model Rules, and the Restatement"; the SEC was not given new authority over lawyers. In particular, in discussing Section 307 Senator Mike Enzi stated that it "basically instructs the SEC to start doing exactly what they were doing 20 years ago, to start enforcing this up-the-ladder principle. The drafters intended only to remind lawyers of their existing duties and ensure that the Commission and the ABA are appropriately enforcing those duties."

Title IV: Enhanced Financial Disclosures

Section 404: Manaement assessment of internal controls

Section 409: Real time issuer disclosures

Title V: Analyst Conflicts of Interest

Title VI: Commission Resources and Authority

Title VII: Studies and Reports

Title VIII: Corporate and Criminal Criminal Fraud Responsibilities

Section 802: Criminal penalties for altering documents

Title IX: White-collar Crime Penalty Enhancements

Title X: Corporate Tax Returns

Title XI: Corporate Fraud and Accountability

Technical considerations

SOX requires that top managers certify that no one has tampered with their financial reports. Since the major financial scandals of recent years have come from trusted employees who should not have been trusted, classic information security requirements come into play:

SOX requirements are a subset of the field of identity management. Section 802 specifies, "Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object … shall be fined under this title, imprisoned not more than 20 years, or both." Claiming a false identity is a rather elementary form of covering up. Over the years, financial institutions have developed other safeguards, such as insisting employees take vacation so that they cannot continue to cover embezzlements.

Not only is identification and authentication needed during operations, identity verification must be done on new hires, and on contractors in sensitive roles. The more sensitive the job in SOX terms, the tighter the verification needs to be.

Restrictions on Practice

Many enterprises had accounting systems provided or built by the consulting arm of large accounting firms, which indeed have much experience. As a result of scandals such as Enron, where the outside accounting firm made more revenue from management reporting and tax services as from its presumably neutral role as an external auditor, the American Instute of Certified Public Accountants (AICPA) and others have mandated, essentially, that the roles of external auditor and of a firm supplying other services are incompatible. Prior to the Act, major accounting firms were implementing large financial software systems and other procedures that their audit practice might then have to inspect. While, in principle, there was a "Chinese Wal]l between auditors and other employees, both auditors and consultants on an engagement tended to report to the same firm executive, who had profit and& loss responsibility for the account. Now, the issue may be to buy systems from a spinoff of the accounting firm, or build them in-house.

Besides the restrictions on obvious conflicts of interest, the accounting profession formalized procedures about best practice in internal reporting. The auditing firm would verify these controls are in effect. Do note that a different accounting firm, which has no audit responsibility, is free to set up controls and supporting software. With the storm of mergers and acquisitions in public accounting, what might be separate companies today could become a single one tomorrow, and the new firm would need to divest tasks that lead to the appearance of conflict of interest.

In like manner, there are restrictions on internal auditors, who cannot build or operate the systems whose output they monitor. They do have the responsibility of recommending improvements.

Designing Internal Control

The Act created the Public Company Accounting Oversight Board (PCAOB), which is quasi-public, in the sense that various financial regulators such as the FDIC are quasi-public. PCAOB actually oversees auditors of public companies, rather than the companies themselves, including regulation and discipline. SOX further creates requirements for strong internal financial control, independence of outside auditors, and greater top management responsibilities for financial disclosure. PCAOB oversees the integrity of the audit process, but the independent Financial Accounting Standards Board will continue to develop the standards for accounting.

Financial scandals in the 1970s led to the Foreign Corrupt Practices Act of 1977 (FCPA), and eventually to the 1985 creation of the National Commission on Fraudulent Financial Reporting, called the Treadway Commission after its first chair. Its first report, issued in 1987, recommended that the Committee of Sponsoring Organizations (COSO), made up of five professional associations concerned with auditing, create integrated guidance on internal control. They contracted with a major accounting firm and drafted the first framework for COSO-approved internal control, published in 1992 as Internal Control: Integrated Framework. Let us hope your customer works on faster timelines than these.

This report presented a common definition of internal control (IC) and provided a framework against which IC systems can be assessed and improved. This report is the standard that U.S. companies use to evaluate their compliance with FCPA. COSO's framework defines the IC program that underlies SOX. This program has four principles and five components. COSO In addition, COSO defines the three goals of internal control as:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

The Principles establish the expectations of IC, while the Components deal with how to execute IC. COSO recognizes real-world constraints, and, in its Principles, both accepts that no IC system is perfect, but also requires due diligence in attempting to find problems not covered by IC.

  1. The first Principle emphasizes that IC is a process that is a means to an end, which end being accurate financial reporting. It is not an end in itself.
  2. With all the documentation in the world, it is still going to stand or fail based on the work of people at all levels of the enterprise.
  3. It is imperfect. It provides warnings to upper management and the board, but the people of the enterprise must always be proactive about financial reporting.
  4. IC is oriented to objectives, which may overlap.

  1. The foundation for all else is the control environment, which makes its personnel conscious of the need for, and value of, control. Providing discipline and structure for the other components, it must be consistent with ethical management, based on integrity. Organizations constantly build their own control organizations through appropriate delegation of authority and staff development.
  2. Before risk assessment, the organization must define its objectives, to which it will then assign risks and approaches to risk management.
  3. Where information and communications are the technical enablers, control activities are the rules and guidance for the people executing control and risk management. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
  4. Information and communications systems are essential to the actual functioning of IC systems. They produce information about operations, finance, and regulatory compliance. Producing information is not enough; the information must flow up, down, and across the enterprise, and, where appropriate, to external stakeholders such as customers, suppliers, regulators, financial analysts and reporters, and shareholders.
  5. Monitoring IC systems, that are meant to monitor enterprise finances, must themselves be required Monitoring is feedback into the architectural systems, and the architectural process, subject to accounting and legal oversight, must constantly improve the system. There are caveats that changes in reporting may need external approval, and that they may need to be changed at specific points in time, such as quarterly or at the end of the fiscal year. Changing analysis methods such that a given period has calculations with different methods can make tax and financial reporting inconsistent.

Political evolution

Critics have suggested it was "unnecessary, harmful and inadequate", but it allowed officials to be seen as responsive. An argument that it was unnecessary included " the stock exchanges had already implemented most of the SOA changes in the rules of corporate governance in their new listing standards; the Securities and Exchange Commission (SEC) had full authority to approve and enforce accounting standards, the requirement that CEOs certify the financial statements of their firms, and the rules for corporate disclosure; and the Department of Justice had ample authority to prosecute executives for securities fraud. The expensive new Public Company Accounting Oversight Board (PCAOB) is especially unnecessary." Senator Paul Sarbanes (D-MD) and Representative Michael Oxley (R-OH) both chose not to run for reelection from Congress at the end of the 2006 term.[4] The Supreme Court of the United States agreed to hear a challenge in 2009; [5] in November 2009, the House Financial Services Committee passed an amendment, the Investor Protection Act of 2009, which, if enacted, would make many SOX provisions inoperative.[6]