The Sarbanes-Oxley Act is a U.S. federal law that applies to all publicly traded businesses in the United States. It imposes sweeping corporate governance standards on those businesses to improve accountability in the boardroom and among senior executives, and to make corporate financial statements more reliable.

The law’s formal name is the Public Company Accounting Reform and Investor Protection Act, although it quickly became known as the Sarbanes-Oxley Act — “SOX” for short — in honor of its namesakes, Sen. Paul Sarbanes and Rep. Michael Oxley. They were the two crucial lawmakers who drafted the legislation and got SOX enacted in 2002.

Why was SOX drafted at all? The law came about in response to a string of corporate financial scandals that ruined businesses such as WorldCom and Enron, and the millions of people who had invested in them. 

The scandals exposed an absence of corporate oversight, which led to accounting fraud in companies’ financial statements. Some financial statements and records were tampered with or hidden from internal and external auditors; in some cases no internal control structure existed to catch mismanagement before things reached a crisis. 

The goal of SOX is to protect those who invest in public companies by elevating corporate responsibility and transparency. It imposes demands for effective internal control over financial reporting, and effective disclosure controls to report other material items to investors. It also establishes penalties for corporate executives and boards that are found to mismanage or tamper with a corporation’s financial reports to mislead investors. 

The Role of the SEC and the Structure of SOX

The U.S. Securities and Exchange Commission (SEC) is in charge of implementing SOX. It also brings civil enforcement actions against companies or individuals who violate SOX rules. In severe cases, the U.S. Justice Department may bring criminal charges against the offenders, and people can face prison time for egregious misconduct. 

SOX has 11 “titles” (that is, major sections). To achieve SOX compliance, a company must meet all requirements included within the applicable regulation. 

A quick overview of the 11 titles is as follows:

  1. The Public Company Accounting Oversight Board. The PCAOB is established by this title. The PCAOB is tasked with overseeing public accounting firms and independent auditors. 
  2. Auditor independence. This title establishes rules that spell out what services audit firms can or can’t provide to clients, to avoid conflicts of interest. 
  3. Corporate responsibility. This title holds corporate executives individually responsible for the accuracy of financial reports. 
  4. Enhanced financial disclosures. This requires that both an internal control structure and external auditing be used to assure that financial information is correct and that major changes are reported in a timely fashion. 
  5. Analyst conflicts of interest. This title requires disclosure of conflicts of interest that analysts might have with a corporation, to build investor confidence in the corporate research market. 
  6. SEC resources and authority. This title defines the SEC’s role in enforcement and potential penalties. 
  7. Studies and reports. This title spells out how the SEC and the Comptroller General should conduct various studies related to financial reporting and how they should report their findings. 
  8. Corporate and criminal fraud accountability. This title explains which criminal penalties apply to manipulation or destruction of corporate financial reports. 
  9. White-collar crime penalty enforcement. This title makes it a crime to tamper with corporate records. 
  10. Corporate tax returns. This title requires that the chief executive officer sign the corporation’s tax return. 
  11. Corporate fraud accountability. This last title dictates sentencing guidelines and gives the SEC the power to freeze unusual financial activity during a fraud investigation. 

More in-depth SOX information is available from SoxLaw.com.

Some SOX sections apply to a larger number of businesses and corporations than others, and are often cited as examples of what a company must do to obtain SOX compliance. 

Important SOX Sections Include: 

  • Section 302 requires periodic financial reports that have been reviewed and signed by corporate officers. 
  • Section 401 requires all financial statements to be accurate and presented fully.
  • Section 404 requires that internal control measures are described in annual reports. Section 404(a) requires management to assess the state of internal controls, and applies to all firms; Section 404(b) also requires an independent audit of internal control over financial reporting, and mostly applies to large, established firms.

Why Is SOX Compliance So Important? 

In the simplest analysis, SOX compliance is important because it’s the law. Public companies have no choice except to comply with all relevant sections. Non-compliance is illegal, and can lead to substantial fines and penalties for both the company and its individual leaders. 

Making sure that your business is in full SOX compliance should be part of your regular compliance management program. You should have internal control systems in place that will alert you to any mismanagement, just like you have systems in place that alert to data breaches and other data security issues. 

Performing a SOX compliance audit on a regular basis is important. It begins with determining which parts of SOX apply to your specific business (above all, whether Section 404(b) applies to you). 

What Does SOX Compliance Entail? 

SOX compliance activities include the testing of internal control systems and examining financial reporting structures, often done by an external auditor. That will help you identify which corporate governance practices are weak and need attention. 

Your chief financial officer should always be aware of the progress of your SOX compliance audit, as well as any findings and remediation steps that result from that audit. For a business of any appreciable size, it’s wise to use dedicated compliance management software, to automate as many of these tasks as possible and to provide the documentation you’ll need to pass muster with external auditors or regulatory examiners. 

Non-compliance with SOX can result in millions of dollars in fines and penalties levied against the company, as well as delisting from public stock exchanges. Civil and criminal penalties for officers of the company can include fines of up to $5 million and prison terms of up to 20 years.

The Benefits of SOX Compliance 

Once you have developed a strong SOX compliance checklist to help guide your actions toward compliance, you’ll find that a strong internal control environment reduces the risk of internal tampering with financial statements. That, in turn, enhances public confidence in your company based on its strong financial reporting. Excellent oversight improves corporate governance overall, and reduces the risk that you will ever be fined because you are found to be out of SOX compliance.

If you’re struggling with your SOX compliance efforts, ZenGRC has the solution. Our software will streamline and organize the compliance process, and includes automation that can save you time and resources. Our experts are knowledgeable on all compliance frameworks and can help you determine where you’re covered and where changes need to be made. Schedule a demo today to learn more about how ZenGRC can keep your company SOX compliant.