SOX Compliance

What Is SOX Compliance?

In 2002, the U.S. Congress passed H.R.3763, also known as the Sarbanes-Oxley Act. It was named for its congressional authors, Sen. Paul S. Sarbanes (D-Md.) and Rep. Michael G. Oxley (R-Ohio). Adhering to the requirements contained within this law is often referred to as "SOX compliance."

The law was passed with bipartisan support in the aftermath of several high-profile corporate financial scandals in the years preceding the law, which led to huge corporate and investor losses and turmoil in financial markets.

The purpose of the legislation was to introduce reforms in the accounting procedures at public corporations to increase accountability and transparency and to restore public trust.

All publicly traded companies in the United States must comply with the law. This includes wholly-owned subsidiaries and publicly traded non-US companies doing business in the US. Private companies preparing for their initial public offering (IPO) must also comply with certain provisions.

Sarbanes-Oxley is a regulation comprising 11 sections that span more than 60 pages. It implemented strict new rules regarding the keeping of accounting records, which apply to accountants, auditors, and corporate officers.

As part of the regulation and to ensure enforcement, SOX Section 906 outlines significant penalties for non-compliance, including up to 20 years in prison for violations.

What Are the Basic Elements of SOX Compliance?

SOX requirements are often referred to by their section number within the text of the law.

They fall into one of four basic areas of reform:

  1. Corporate Responsibility for Financial Reports (Section 302)

  2. Disclosures in Periodic Reports (Section 401)

  3. Management Assessment of Internal Controls (Section 404)

  4. Corporate Responsibility for Financial Reports (Section 906)

SOX Section 302: Corporate Responsibility for Financial Reports

SOX requires senior corporate officers, namely the CEO and CFO, to personally certify in writing that the company's quarterly and annual financial reports, as well as its internal controls, comply with Securities and Exchange Commission (SEC) disclosure requirements and that they "fairly present" the financial condition of the company.

To meet this requirement, many organizations have adopted representation-letter processes that formally document the certification of financial statements at each level as financials are consolidated and combined from individual business entities up to the corporate function.

Finance and accounting ledger and/or entity owners may be responsible for certifying the financials they support before a senior corporate officer certifies the company’s financial reports.

SOX Section 401: Disclosures in Periodic Reports

Section 401 requires that financial statements be accurate and presented in a manner that neither contains nor omits information that would make them misleading. The regulation also requires disclosure of all material off-balance-sheet transactions, such as those that may expose the company to risk.

SOX Section 404: Management Assessment of Internal Controls

Section 404 requires management and auditors to establish internal controls and reporting methods to ensure the adequacy of those controls. More importantly, management must annually certify the effectiveness of the internal controls and document any shortcomings.

This section is arguably the most complex and costly, as it requires an organization to implement a rigorous internal control structure to ensure the accuracy of financial reports. To do this, organizations may need to transform their accounting processes, adopt new approaches, and implement new technology.

SOX Section 906: Corporate Responsibility for Financial Reports

On the criminal side, Section 906 imposes penalties of up to $5 million in fines and 20 years in prison for certifying a misleading or fraudulent financial report.

Other notable sections:

Section 802 contains three rules concerning recordkeeping. They prohibit the destruction and falsification of records, define the retention period for storing records, and explain what specific business records companies need to store, including electronic communications.

SOX also implemented protections for whistleblowers, that is, individuals who report illegal behavior. Specifically, Sections 806 and 1107 prohibit retaliation against employees of public companies who report suspected violations to the SEC.

Summary:

SOX has been in force for over 20 years, providing finance and accounting organizations with a foundation for maintaining the accuracy and transparency of the financial statements and reports they issue to the public and the SEC.

How Does a Business Comply with SOX?

SOX compliance applies to a company’s financials and record keeping. It also affects information technology (IT).

Financially, a business must do several things, including:

  • Filing financial reports with the SEC

  • Performing external audits of those reports

  • Establishing internal controls and creating an internal controls report to ensure the accuracy of financial reports

  • Executing audits of staffing, job descriptions, and training concerning financial data

  • Adopting effective frameworks to audit internal controls and procedures concerning interaction with sensitive data

Compliance With SOX Also Affects the IT Organization

IT staff will need to be concerned with the following:

  • Delivering real-time reporting on internal controls

  • Identifying key systems and processes related to financial information

  • Implementing software systems that use appropriate alert mechanisms

  • Preserving all records related to financial transactions, including internal automated backup

  • Implementing the appropriate training of staff who will have access to financial data

Frequently Asked Questions