The Sarbanes-Oxley Act of 2002 (SOA or SOX)
“The Act does not differentiate between U.S. and Non U.S. companies in its application.”
What is the Sarbanes-Oxley Act of 2002?
Legislation passed by the US Congress providing new corporate governance rules, regulations and standards for specified public companies, including Securities and Exchange Commission (SEC) registrants.
The act is designed to address the issues arising from the well-publicized Enron, WorldCom, ImClone, Andersen and other fiascos of late 2001 and early 2002.
Why was it launched?
To protect investors by improving the accuracy and reliability of corporate disclosures. It created new standards for corporate accountability, as well as stringent penalties for acts of wrongdoing.
What are the implications for CXOs?
The SOA makes CEOs and CFOs explicitly responsible for establishing, evaluating, and monitoring the effectiveness of internal control over financial reporting and disclosures. Organizations will need to invest considerable effort to comply effectively.
What organizations are covered?
It applies equally to domestic registrants and “foreign filers.” Thus all public U.S. and international companies that have registered equity or debt securities with the Securities and Exchange Commission need to comply.
What are the Key Sections of Sarbanes-Oxley?
SOX was originally organized into 11 sections covering topics such as the Public Company Accounting Oversight Board (PCAOB), Auditor Independence, Corporate Responsibility, Enhanced Financial Disclosures, Analyst Conflicts of Interest, Commission interest of Authority, Studies and Reports, Corporate and Criminal Fraud Accountability, White-Collar Crime Penalty Enhancements, Corporate Tax Returns, and Corporate Fraud and Accountability.
As far as compliance is concerned, the most important sections within these are often considered to be:
- 302: pertains to Corporate Responsibility for Financial Reports
- 401: pertains to Disclosures in Periodic Reports
- 404: pertains to Management Assessment of Internal Controls
- 409: pertains to Real Time Issuer Disclosures
- 802: pertains to Criminal Penalties for Altering Documents
- 906: pertains to Compliance Failure Penalties
What are the legislation’s basic objectives?
- Create an explicit responsibility on management for the maintenance of an effective control environment
- Require management to develop a systematic, transparent and auditable process to assess effectiveness of internal control
- Establish cross-functional responsibility for maintaining effective controls through a structured sign-off mechanism
- Have the independent auditors of the company agree with management's assertion
What are the key challenges?
- Scope and coverage of internal controls: operational controls vs. financial controls
- Involvement of all process owners
- Project management: finance function vs. internal audit
- Identification of key controls
- Documentation protocol: what to document in respect of tests of internal controls
- Extent of reliance external auditors would place on company-generated documentation
- Skills required to complete internal controls documentation: Financial Reporting/Risk Management/Internal Audit
What is the corporate responsibility for financial reports?
- Evaluate disclosure controls and procedures as of the end of the period covered.
- Procedures designed to ensure information required to be disclosed is:
  o Recorded, processed, summarized and reported within the specified time period
  o Accumulated and communicated to management and principal officers to allow timely decisions regarding required disclosures
- Present conclusions on the effectiveness of disclosure controls and procedures.
- Evaluate and disclose any material change in internal control over financial reporting during the period; for foreign private issuers, material changes are disclosed in the annual report.
- Disclose to auditors and audit committee:
  o All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting
  o Any fraud, whether or not material, that involves management or other employees who have a significant role in internal control over financial reporting
- Section 906 requires a separate certification to be signed by the CEO and CFO and included in periodic filings that they have:
  o Reviewed the report
  o Report does not contain untrue statements of material respects, the financial condition, results of operations and cash flows.
- Criminal penalties and heavy monetary fines for officers who provide false statements. The certification is administered by the U.S. Department of Justice and, therefore, the Securities & Exchange Commission (SEC) has no jurisdiction over the certification.
In conclusion, quality financial reporting is a critical cornerstone of our capital markets, and investors are entitled to rely upon it. Hence, the major stress of the act is on disclosures and internal controls. Thinking a little outside of the box can take you a long way in complying and in using compliance as a lever for positioning your company for maximum business effectiveness and continued success over the long term.