Sarbanes Oxley Explained
Author Name: Jim McKay
Posted: 03-08-2018 07:26 AM
The Sarbanes-Oxley Act of 2002 (SOX) was signed into law in response to the catastrophic financial meltdown brought on by corporate accounting malpractice in the early 2000s. Enron, WorldCom, Tyco and other large publicly traded corporations released fraudulent and misleading information to the public and hid debt in off-balance-sheet entities. When the malfeasance came to light, the resulting carnage included thousands of people's life savings and jobs and nearly a trillion dollars in market loss. The reforms mandated by the Act target the practices that caused the meltdown, dramatically increase the reliability of reported financial information and help prevent accounting fraud.
The Act sets a wide range of penalties for non-compliance, including up to 20 years in prison and fines of up to $5 million for an officer who willfully certifies a false financial report. Executives, directors, corporate boards, analysts, lawyers and auditors are all subject to penalties under the Act.
SOX is mandatory only for public companies that file periodic reports, such as Form 10-K, with the Securities and Exchange Commission (the SEC). There is increasing pressure, however, for private and non-profit organizations to adhere to the law as well, especially when they are looking for investors. Compliance generally improves the reputation of a privately held company or non-profit and encourages investment.
The primary focus of SOX is accuracy and reliability. While public companies were required to disclose financial information regularly before the Act, that information was often inaccurate or deliberately misleading. SOX improves on existing law by requiring companies to implement internal controls that ensure accurate reporting and by placing personal responsibility on corporate officers for the financial information made available to the public.
The Major Elements of the Act
- Creates an independent body, the Public Company Accounting Oversight Board (PCAOB), to oversee the public accounting firms that audit publicly traded companies. The PCAOB registers those firms, sets auditing and quality-control standards under SOX, and inspects and disciplines registered firms to ensure they comply with the Act.
- Requires that auditors retain the work papers and conclusions related to an audit for 7 years. These records include all correspondence, communications, conclusions and financial data supporting the audit.
Title II governs auditor independence to ensure there is no conflict of interest in an audit. It prohibits a registered accounting firm from providing specified non-audit services (bookkeeping, design and implementation of financial information systems, internal audit outsourcing, management or human resources functions, and legal or expert services, among others) to a client it audits, and requires the client's audit committee to pre-approve any other non-audit services.
Before SOX, accounting firms hired to audit the books of publicly traded companies also provided consulting and other services to those same companies. The firms made far more money on consulting fees than on audits, which led them not to look as closely at the books as they should have for fear of losing their lucrative consulting contracts.
- Requires the principal company officers to take individual responsibility and certify, in each quarterly and annual report, that the financial statements are true and not misleading. These officers are usually the Chief Executive Officer and the Chief Financial Officer.
- Makes management responsible for creating, implementing, and maintaining internal controls and measures to ensure accurate financial reports that are a fair representation of their company’s current situation. By making internal processes and controls and their effectiveness available to the public, SOX makes corporate officers accountable to their investors and the market.
A significant portion of maintaining these internal controls is information security. This includes logging, monitoring and auditing the controls themselves, together with all network, database, user, account and login activity associated with sensitive financial information.
Audits must include a detailed accounting of all employee access and activity associated with sensitive financial information.
Internal control audits must examine every computer, network and device through which sensitive financial information flows. This includes an audit of IT security: password requirements and protection, access controls that stop unauthorized users from viewing sensitive financial data, and network security that keeps the data safe from forces outside the organization.
Additionally, servers and data centers must be in secure locations, and backup systems must be used to protect financial data. If data is stored offsite with third-party companies, that data is subject to the same requirements, and the third party's handling of it falls within the scope of compliance.
Lastly, controls need to be in place to add new users and computers securely and to keep records of these additions. Changes to databases must also be governed by controls and procedures, and records must be kept of every change.
- Requires that public accounting firms audit internal control assessments and attest to their accuracy and effectiveness in a report.
- Defines appropriate interactions between external auditors and internal employees involved with audits.
- Mandates specific penalties for non-compliance by corporate officers.
- Details disclosure rules for stock transactions by company officers.
- Requires companies to detail all deficiencies in their internal controls.
- Requires companies to publish pertinent information about internal controls and their effectiveness in their annual reports, and requires the certifying officers to disclose to the auditors and the audit committee any fraud, whether or not material, that involves management or other employees who have a significant role in internal controls.
- Requires companies to disclose "off-balance-sheet" transactions and arrangements that may materially affect the financial health of the organization. For instance, a company may own only part of an entity. Because the entity is not wholly owned by the parent, its obligations will not appear on the parent's balance sheet, yet the entity may carry significant debt for which the parent is partially responsible. Under SOX, this exposure must now be disclosed. Enron hid debt in off-balance-sheet entities and gave investors a significantly inaccurate picture of its financial health; Lehman Brothers, years after SOX, did much the same with its "Repo 105" transactions, which temporarily moved assets and debt off its balance sheet at quarter end. In both cases the result was catastrophic.
- Requires companies to disclose material changes in their financial condition or operations to the public on a rapid and current basis, in plain English, and allows trend and qualitative information and graphic presentations where they help investors understand the content.
- The SEC implemented this requirement through Form 8-K, which must be filed within four business days of the triggering event. The "48 hours" figure often quoted for this section does not appear in the Act.
Title IV includes Section 409 which was implemented to make sure the public was informed of company financial changes immediately. It ensures that companies won’t “sit on” bad news. This transparency bolsters public trust in the markets.
Recently, a financial organization failed to update its website when there were material changes in the default rate of one of its products. Even if the company released the information elsewhere, such as through a press release, leaving the outdated figures on its website and social media accounts undercuts the rapid, current disclosure that Section 409 is meant to guarantee, and stale figures can mislead investors just as an undisclosed change does.
If a company chooses to release information via Twitter or other social media, that information should also be available on the company website, and outdated financial information attached to social media accounts should be corrected immediately.
Internal controls should therefore cover updates to websites and social media accounts. Scheduling frequent audits of the financial information a company publishes on the web is a practical part of compliance.
Titles V and VI
Title V was written to restore public confidence in securities analysts by requiring disclosure of conflicts of interest and imposing other measures to ensure accurate, unbiased research on securities. Title VI expands the SEC's resources and authority, including the power, under defined conditions, to bar financial professionals from practice.
- Requires studies and reports on matters related to the Act.
- Gives protection to whistleblowers.
- Imposes harsh penalties on anyone who destroys, alters, mutilates, conceals or falsifies documents or other records to obstruct a legal investigation. Violations can carry up to 20 years of imprisonment.
- Increases penalties for white-collar crimes and conspiracies.
- Makes it a criminal offense for an officer to certify a financial report knowing that it does not comply with the Act's requirements (Section 906, "Failure of corporate officers to certify financial reports").
- Recommends stronger sentencing guidelines for white-collar offenses relating to SOX.
- Expresses the sense of the Senate that the Chief Executive Officer should sign the corporate tax return.
- Enables the SEC to freeze large, suspicious payments.
- Makes corporate fraud and records tampering criminal offenses.
- Sets sentencing guidelines for these crimes.
Before SOX, corporate accounting was poorly regulated, and the pressure corporate officers felt to show growth every quarter pushed them to provide inaccurate or misleading financial data to the public.
Now corporate officers are personally responsible for the financial data they present to the public and for the internal controls used to ensure accurate reporting. Material changes in financial health must be reported promptly, and the conflicts of interest that plagued auditors and analysts before SOX have been greatly reduced. Investors can have greater confidence that the information presented by companies is accurate and can make informed decisions about their investments.
While compliance costs have been high, the benefit of investor confidence far outweighs the expense to publicly traded companies. The accounting scandals of 2001 and 2002 affected the entire marketplace. Although compliance is often expensive and onerous, a healthy, transparent marketplace benefits every publicly traded company in it.