- 1 Basic structure
- 1.1 Title I: Public Company Accounting Oversight Board
- 1.2 Section 101
- 1.3 Title II: Auditor Independence
- 1.4 Title III: Corporate Responsibility
- 1.5 Title IV: Enhanced Financial Disclosures
- 1.6 Title V: Analyst Conflicts of Interest
- 1.7 Title VI: Commission Resources and Authority
- 1.8 Title VII: Studies and Reports
- 1.9 Title VIII: Corporate and Criminal Fraud Responsibilities
- 1.10 Title IX: White-collar Crime Penalty Enhancements
- 1.11 Title X: Corporate Tax Returns
- 1.12 Title XI: Corporate Fraud and Accountability
- 2 Technical considerations
- 3 Restrictions on Practice
- 4 Designing Internal Control
- 5 Political evolution
- 6 References
The Sarbanes-Oxley Act of 2002 (SOX) is a complex set of U.S. laws and regulations intended to protect against financial irregularity in public companies. It was the principal U.S. government response to the corporate failures involving poor auditing, such as Enron and WorldCom, that began in late 2001. While it primarily deals with finance, it has significant implications for information security. The Act has been politically controversial, and recent attempts have been made to change it through legislation or the courts.
The Act tries, relatively speaking, to balance the demands of regulation against the cost of additional internal control measures. The sense in industry is that the initial learning curve was steep and expensive, but that costs drop considerably once affected firms have been running under its requirements for a while. This is especially true of Section 404, whose assessment of internal control over financial reporting extends to the information and communications technology (ICT) systems that produce the reported figures. Another section that companies find challenging is 409, which requires rapid disclosure of material changes in their financial condition.
Title I: Public Company Accounting Oversight Board
Establishes the Public Company Accounting Oversight Board (PCAOB).
Title II: Auditor Independence
Title III: Corporate Responsibility
Section 302: Corporate Responsibility for Financial Reports
Section 302 requires the CEO and CFO to certify personally that each periodic report is accurate and that they are responsible for the company's internal controls, exposing them to personal liability for a false certification. The management statements that SOX requires on internal control include:
- Management acknowledgement that it is responsible for internal control,
- Management identification of the framework that will be used to evaluate the efficacy of the internal controls over financial reporting,
- An assessment, by management, of how well the internal controls have worked in the most recent fiscal year, and a binary statement of whether it was effective or not. If it was not effective, the statement must identify any "material weaknesses" in the process. Management cannot state the controls were effective if there were any material weaknesses.
Organizations covered by the Act are in violation if they reincorporate, or transfer activities, outside the United States in an attempt to evade its provisions.
Section 303: Improper influence in conduct of audits
Section 307: Attorney conduct
Section 307 of the Act prescribes rules of professional conduct for attorneys practicing before the Commission on behalf of issuers. It requires an attorney who becomes aware of evidence of irregularities to report them to the chief legal counsel or CEO and, if they do not respond, to the audit committee of the Board (the "up-the-ladder" rule). Some commentators treated these as new requirements, arguing that "federal securities law did not require a lawyer to report corporate wrongdoing to anybody or to do anything about corporate fraud" and that the American Bar Association Model Rules give attorneys substantial latitude, since Rule 1.13 only requires that "the lawyer shall proceed as is reasonably necessary in the best interest of the organization." In this view, Section 307 appears to "significantly increase the ethical responsibilities and duties of corporate attorneys. Upon further analysis, however, it appears that the language of Section 307 does not give the Commission the authority to impose any obligations on lawyers beyond those which have long been required of them by courts, the Model Rules, and the Restatement"; the SEC was not given new authority over lawyers. In particular, Senator Mike Enzi, discussing Section 307, stated that it "basically instructs the SEC to start doing exactly what they were doing 20 years ago, to start enforcing this up-the-ladder principle. The drafters intended only to remind lawyers of their existing duties and ensure that the Commission and the ABA are appropriately enforcing those duties."
Title IV: Enhanced Financial Disclosures
Section 404: Management assessment of internal controls
Section 409: Real time issuer disclosures
Title V: Analyst Conflicts of Interest
Title VI: Commission Resources and Authority
Title VII: Studies and Reports
Title VIII: Corporate and Criminal Fraud Responsibilities
Section 802: Criminal penalties for altering documents
Title IX: White-collar Crime Penalty Enhancements
Title X: Corporate Tax Returns
Title XI: Corporate Fraud and Accountability
SOX requires that top managers certify that no one has tampered with their financial reports. Since the major financial scandals of recent years have come from trusted employees who should not have been trusted, classic information security requirements come into play:
- knowing who your people really are,
- intelligent use of the Principle of Least Privilege,
- establishing mechanisms by which they identify themselves to computer systems and the systems authenticate that claim of identity,
- giving authenticated users a set of credentials defining what they are allowed to access and do.
Much of what SOX demands of information systems falls within the field of identity management. Section 802 specifies, "Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object … shall be fined under this title, imprisoned not more than 20 years, or both." Claiming a false identity is a rather elementary form of covering up. Over the years, financial institutions have developed other safeguards, such as insisting that employees take vacation so that they cannot continue to cover embezzlements.
Identification and authentication are needed not only during operations; identity must also be verified for new hires and for contractors in sensitive roles. The more sensitive the job in SOX terms, the tighter the verification needs to be.
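The controls this section lists (know who the person is, authenticate the claim of identity, grant only the permissions the role needs, and make alteration of a record detectable) can be shown together in a small program. The following is an added illustration written for this page, not code from the Act, the SEC, or any vendor; the roles, usernames, account numbers and the rule that nobody may approve an entry they posted themselves are constructed assumptions for the example, not SOX requirements.

```python
import hashlib
import hmac
import json
import os

# Roles and the actions each may perform; constructed for this example
# (least privilege: a role carries only what its job requires). The
# internal auditor can verify the journal but cannot post to it.
ROLE_PERMISSIONS = {
    "clerk": {"post"},
    "controller": {"post", "approve"},
    "internal_auditor": {"verify"},
}

GENESIS = "0" * 64  # hash value the first record chains back to


class AccessDenied(Exception):
    pass


class Directory:
    """Identity store: keeps salted PBKDF2 hashes, never plaintext passwords."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, username, password, role):
        salt = os.urandom(16)
        self._users[username] = (salt, self._kdf(password, salt), role)

    def authenticate(self, username, password):
        """Return a (username, role) principal on success, None on failure."""
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, digest, role = rec
        if not hmac.compare_digest(self._kdf(password, salt), digest):
            return None
        return (username, role)


class Journal:
    """Append-only journal. Every record commits to the hash of the previous
    one, so an altered, deleted or inserted record breaks the chain."""

    def __init__(self):
        self.records = []

    @staticmethod
    def _require(principal, action):
        username, role = principal
        if action not in ROLE_PERMISSIONS.get(role, set()):
            raise AccessDenied(f"{username} ({role}) may not {action}")

    @staticmethod
    def _digest(fields):
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

    def _append(self, fields):
        fields["seq"] = len(self.records)
        fields["prev"] = self.records[-1]["hash"] if self.records else GENESIS
        fields["hash"] = self._digest(fields)  # hash covers seq and prev too
        self.records.append(fields)
        return fields["seq"]

    def post(self, principal, account, amount):
        self._require(principal, "post")
        return self._append({"kind": "entry", "account": account,
                             "amount": amount, "by": principal[0]})

    def approve(self, principal, seq):
        """Separation of duties (assumed rule): nobody approves an entry they posted."""
        self._require(principal, "approve")
        entry = self.records[seq]
        if entry["kind"] != "entry":
            raise ValueError(f"record {seq} is not an entry")
        if entry["by"] == principal[0]:
            raise AccessDenied(f"{principal[0]} may not approve own entry {seq}")
        return self._append({"kind": "approval", "entry": seq, "by": principal[0]})

    def verify(self, principal):
        """Recompute the chain; False means a record was altered or removed."""
        self._require(principal, "verify")
        prev = GENESIS
        for i, rec in enumerate(self.records):
            fields = {k: v for k, v in rec.items() if k != "hash"}
            if rec["seq"] != i or rec["prev"] != prev or self._digest(fields) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def demo():
    """Constructed scenario: post, approve, then silently edit an amount."""
    d = Directory()
    d.enroll("alice", "clerk-pw", "clerk")
    d.enroll("bob", "ctrl-pw", "controller")
    d.enroll("carol", "audit-pw", "internal_auditor")
    alice = d.authenticate("alice", "clerk-pw")
    bob = d.authenticate("bob", "ctrl-pw")
    carol = d.authenticate("carol", "audit-pw")
    j = Journal()
    seq = j.post(alice, "1200-receivables", 4800)
    j.approve(bob, seq)
    results = {"bad_password": d.authenticate("alice", "wrong") is None,
               "clean": j.verify(carol)}
    try:
        j.approve(alice, seq)  # clerk role lacks the approve permission
        results["clerk_blocked"] = False
    except AccessDenied:
        results["clerk_blocked"] = True
    own = j.post(bob, "2100-payables", 150)
    try:
        j.approve(bob, own)  # poster may not approve own entry
        results["self_approval_blocked"] = False
    except AccessDenied:
        results["self_approval_blocked"] = True
    j.records[seq]["amount"] = 48000  # the kind of alteration Section 802 punishes
    results["tamper_detected"] = not j.verify(carol)
    return results


if __name__ == "__main__":
    print(demo())
```

The hash chain only makes tampering detectable; it does not prevent it, which is why the auditor holds the verify permission and the people who write to the journal do not. In a real deployment the chain head would be anchored somewhere the operators of the system cannot write, and the directory would be the enterprise identity provider rather than an in-memory table.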
Restrictions on Practice
Many enterprises had accounting systems provided or built by the consulting arm of large accounting firms, which indeed have much experience. After scandals such as Enron, where the outside accounting firm made more revenue from management reporting and tax services than from its presumably neutral role as external auditor, the American Institute of Certified Public Accountants (AICPA) and others have mandated, essentially, that the roles of external auditor and of supplier of other services are incompatible. Prior to the Act, major accounting firms were implementing large financial software systems and other procedures that their own audit practice might then have to inspect. While in principle there was a "Chinese wall" between auditors and other employees, both the auditors and the consultants on an engagement tended to report to the same firm executive, who had profit and loss responsibility for the account. Now the choice may be to buy systems from a spinoff of the accounting firm, or to build them in-house.
Besides the restrictions on obvious conflicts of interest, the accounting profession formalized procedures about best practice in internal reporting. The auditing firm would verify these controls are in effect. Do note that a different accounting firm, which has no audit responsibility, is free to set up controls and supporting software. With the storm of mergers and acquisitions in public accounting, what might be separate companies today could become a single one tomorrow, and the new firm would need to divest tasks that lead to the appearance of conflict of interest.
In like manner, there are restrictions on internal auditors, who cannot build or operate the systems whose output they monitor. They do have the responsibility of recommending improvements.
Designing Internal Control
The Act created the Public Company Accounting Oversight Board (PCAOB), which is quasi-public in the sense that financial regulators such as the FDIC are quasi-public. PCAOB oversees the auditors of public companies (registering, inspecting and disciplining them) rather than the companies themselves. SOX further creates requirements for strong internal financial control, independence of outside auditors, and greater top management responsibility for financial disclosure. PCAOB oversees the integrity of the audit process, while the independent Financial Accounting Standards Board continues to develop the standards for accounting.
Financial scandals in the 1970s led to the Foreign Corrupt Practices Act of 1977 (FCPA), and eventually to the 1985 creation of the National Commission on Fraudulent Financial Reporting, called the Treadway Commission after its first chair. Its first report, issued in 1987, recommended that the Committee of Sponsoring Organizations (COSO), made up of five professional associations concerned with auditing, create integrated guidance on internal control. They contracted with a major accounting firm and drafted the first framework for COSO-approved internal control, published in 1992 as Internal Control: Integrated Framework. Let us hope your customer works on faster timelines than these.
This report presented a common definition of internal control (IC) and provided a framework against which IC systems can be assessed and improved. It is the standard that U.S. companies use to evaluate their compliance with FCPA, and COSO's framework defines the IC program that underlies SOX. This program has four principles and five components. In addition, COSO defines the three goals of internal control as:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
The Principles establish the expectations of IC, while the Components deal with how to execute IC. COSO recognizes real-world constraints: its Principles accept that no IC system is perfect, but also require due diligence in attempting to find problems not covered by IC.
Critics have suggested it was "unnecessary, harmful and inadequate", but it allowed officials to be seen as responsive. An argument that it was unnecessary included " the stock exchanges had already implemented most of the SOA changes in the rules of corporate governance in their new listing standards; the Securities and Exchange Commission (SEC) had full authority to approve and enforce accounting standards, the requirement that CEOs certify the financial statements of their firms, and the rules for corporate disclosure; and the Department of Justice had ample authority to prosecute executives for securities fraud. The expensive new Public Company Accounting Oversight Board (PCAOB) is especially unnecessary." Senator Paul Sarbanes (D-MD) and Representative Michael Oxley (R-OH) both chose not to run for reelection from Congress at the end of the 2006 term. The Supreme Court of the United States agreed to hear a challenge in 2009;  in November 2009, the House Financial Services Committee passed an amendment, the Investor Protection Act of 2009, which, if enacted, would make many SOX provisions inoperative.