The Sarbanes-Oxley Act (SOX) was enacted in 2002 following a series of corporate scandals involving large public companies in the United States. The main goal of the legislation was to restore the trust in the U.S. financial markets and prevent public companies from defrauding their investors.
The law, also known as the “Public Company Accounting Reform and Investor Protection Act” and the “Corporate and Auditing Accountability, Responsibility, and Transparency Act” was introduced by U.S. Senator Paul Sarbanes (D-MD) and U.S. Representative Michael G. Oxley (R-OH).
The legislation’s most well-known article is Section 404, which aims at increasing the control role of boards of directors and the independence of third-party auditors who certify the accuracy of corporate financial statements. The law also stipulates that directors and officers who put their signature under corporate financial statements should bear personal legal responsibility for the accuracy of the respective corporate disclosures.
Following the adoption of Sarbanes-Oxley, a top executive in a large public corporation has a strong motivation to certify fair and accurate company disclosures as otherwise he/she faces between 10 to 25 years in prison along with hefty financial penalties. Other penalties include a ban on taking positions as a C-level officer at a public company.
What is SOX 404?
The provisions of Section 404 read:
“Directs the SEC to require by rule that annual reports include an internal control report which: (1) avers management responsibility for maintaining adequate internal control mechanisms for financial reporting; and (2) evaluates the efficacy of such mechanisms. Requires the public accounting firm responsible for the audit report to attest to and report on the assessment made by the issuer.”
The law does not exist in a vacuum and businesses need to look at other SOX sections to fully understand its meaning and intent. These articles include SOX Section 302 and SOX Section 906, which are part of the Corporate Responsibility and the White-Collar Crime Penalty Enhancements titles of SOX, respectively.
SOX 404 deals primarily with the annual evaluation of internal controls and procedures for financial reporting while Section 302 requires CEOs and CFOs to certify in person the accuracy of periodic financial statements. Section 906 asks for CEOs and CFOs to certify that company’s financial statements and attendant disclosures are fair and comply with the Securities and Exchange Commission disclosure requirements.
Therefore, Section 404 of the SOX aims at establishing a framework for periodic assessments of the internal control mechanisms for financial reporting and forces the public accounting firms which perform the auditing to also evaluate the report on the assessment made by the publicly listed corporation.
In short, Sections 302 and 906 speak about the personal responsibility of C-level executives in public corporations and establish criminal penalties for failing to fulfil these requirements while SOX 404 introduces a procedure for recurring internal controls evaluation and makes it mandatory for companies to include an internal-control report in their annual report.
While SOX 404 consists of only two sentences, it has long-lasting implications on both public U.S. corporations and foreign companies whose stocks are traded on the U.S. stock exchanges.
How Sarbanes-Oxley Affects U.S. and Foreign Businesses
SOX extends to all public companies in the United States, small businesses including, and extends to wholly-owned subsidiaries and foreign companies that are listed on U.S. stock exchanges and conduct business there. Sarbanes-Oxley Act also governs the way accounting firms operate when they audit companies that must comply with SOX.
When SOX was adopted, a number of foreign companies with a dual listing on a U.S. stock exchange, and having more than 500 U.S.-based investors, delisted and continued operating as private companies. Many U.S.-based small businesses were also puzzled on how to comply with the strict regulations of SOX.
A large publicly traded company in the US usually hires an outside consultant to make sure its internal control mechanisms follow the SOX regulations. A small public company has the same obligations to maintain a system of internal controls for ensuring it provides reliable financial statements.
At the time, the U.S. Securities and Exchange Commission (SEC) issued a statement saying that SEC does not have specific rules that tell smaller public companies how to do this. Instead, they recommend small public companies to consult the internal control framework by the Committee of Sponsoring Organizations of the Treadway Commission.
In any case, all public companies operating across the United States should be prepared for the Public Company Accounting Oversight Board to inspect the audits of their financial statements by an outside accounting firm for compliance with SOX 404 and Sarbanes-Oxley.
Businesses should also be aware that demonstrating compliance with Section 404 of the Sarbanes-Oxley Act is considered the costliest part of meeting the SOX requirements as compliance involves also adherence to strict data security and document management policies.
Data Security SOX Compliance Requirements
Performing extensive internal control tests and including an internal control report with their annual audits is just the tip of the iceberg for companies complying with SOX. The Sarbanes-Oxley Act encourages corporations to centralize, automate and optimize their financial reporting processes and procedures.
Companies that are subject to SOX compliance, should develop, implement and maintain comprehensive data security policies and then enforce these policies if they are to meet all the requirements set by SOX.
For instance, a company should protect all financial records it stores and utilizes during normal operations. Corporations should also maintain documentation that provides proof that they comply both with the law and in addition measure SOX compliance objectives, taking corrective measures if necessary.
SOX auditors evaluate four internal controls that are part of the yearly SOX audit. Those are:
- Physical and electronic controls over access to sensitive financial data
- Working protections against data breaches
- Presence of SOX compliant off-site backups of financial records
- Existence of change management policies as far as company financials are concerned
SOX compliance is not only mandatory for public companies, but has long-lasting effect on a company’s development plans and investment in new technologies. The best way for a company to demonstrate and maintain SOX compliance is by adoption of a data-centric software platform that finds and tags sensitive financial data, helps manage usage rights and permissions and prevents data breaches and accidental data leaks.
While SOX compliance comes with certain financial burdens for corporations, it also makes their financial data more predictable and improves cross-functional communication across the company. A SOX compliant company has easier access to funding on the financial markets and builds rapport with stakeholders in a natural way.
If a business intends to implement SOX requirements in full, they company will also be safer from cyber-attacks and the ensuing damages from a data breach which are usually in the range of hundreds of thousands or millions of dollars in remediation and legal claims from customers.
Is your business looking to become Sarbanes-Oxley compliant?
Datashield has experts on hand to provide industry-leading tools and services for public companies.