All public companies doing business in the United States must comply with the Sarbanes-Oxley Act (SOX). Co-sponsored by Senators Paul Sarbanes and Michael Oxley, SOX was designed to improve the accuracy and reliability of corporate disclosures in financial statements and to protect investors from fraudulent accounting practices. The bill was introduced following the Enron Corporation, WorldCom, and Tyco International fraud and accounting scandals in the early 2000s.
In order to achieve SOX Compliance, a company must meet all requirements included within the regulation. While the Act has eleven titles divided into sections, a significant amount of SOX requirements are focused within Section 302 and Section 404. SOX compliance activities include identification and testing of internal controls over the financial reporting process and submitting specific financial certifications within quarterly and annual reports to the SEC.
Section 302 requires that the principal executive and financial officers of a company, typically the CEO and CFO, personally attest that financial reporting information is accurate and reliable within the quarterly 10-Q and annual 10-K reports filed with the SEC. The certification also covers the implementation and maintenance of internal controls and procedures and the reporting of deficiencies or changes related to internal controls.
Section 404 requires that, on an annual basis, companies assess and report on the effectiveness of their internal control structure. This assessment includes testing of the company’s financial controls, information technology general controls (ITGC) and company wide (entity level) internal controls. The focus of this testing is to evaluate and report on the design and operating effectiveness of the controls. The results of the testing must be reviewed by management and all control testing failures identified must be categorized as a deficiency, significant deficiency or material weakness. The company is required to report on deficiencies to the Audit Committee of the Board of Directors and material weaknesses must be disclosed in the company’s annual 10-K financial report. In addition to the internal control assessment, SOX requirements mandate that public companies obtain an independent audit of their internal control practices and include the auditor’s opinion within the company’s financial report.