More on the Sarbanes-Oxley Act

Sarbanes–Oxley Section 302: Disclosure controls

Under Sarbanes–Oxley, two separate sections came into effect-one civil and the other criminal. 15 U.S.C. § 7241 (Section 302) (civil provision); 18 U.S.C. § 1350 (Section 906) (criminal provision).

Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are "responsible for establishing and maintaining internal controls" and "have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared". 15 U.S.C. § 7241(a)(4). The officers must "have evaluated the effectiveness of the company's internal controls as of a date within 90 days prior to the report" and "have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date". Id..

The SEC interpreted the intention of Sec. 302 in Final Rule 33–8124. In it, the SEC defines the new term "disclosure controls and procedures," which are distinct from "internal controls over financial reporting". Under both Section 302 and Section 404, Congress directed the SEC to promulgate regulations enforcing these provisions.

External auditors are required to issue an opinion on whether effective internal control over financial reporting was maintained in all material respects by management. This is in addition to the financial statement opinion regarding the accuracy of the financial statements. The requirement to issue a third opinion regarding management's assessment was removed in 2007.

A Lord & Benoit report, titled Bridging the Sarbanes-Oxley Disclosure Control Gap was filed with the SEC Subcommittee on internal controls which reported that those companies with ineffective internal controls, the expected rate of full and accurate disclosure under Section 302 will range between 8 and 15 percent. A full 9 out of every 10 companies with ineffective Section 404 controls self reported effective Section 302 controls in the same period end that an adverse Section 404 was reported, 90% in accurate without a Section 404 audit.

Sarbanes–Oxley Section 303: Improper influence on conduct of audits

a. Rules To Prohibit. It shall be unlawful, in contravention of such rules or regulations as the Commission shall prescribe as necessary and appropriate in the public interest or for the protection of investors, for any officer or director of an issuer, or any other person acting under the direction thereof, to take any action to fraudulently influence, coerce, manipulate, or mislead any independent public or certified accountant engaged in the performance of an audit of the financial statements of that issuer for the purpose of rendering such financial statements materially misleading.

b. Enforcement. In any civil proceeding, the Commission shall have exclusive authority to enforce this section and any rule or regulation issued under this section.

c. No Preemption of Other Law. The provisions of subsection (a) shall be in addition to, and shall not supersede or preempt, any other provision of law or any rule or regulation issued thereunder.

d. Deadline for Rulemaking. The Commission shall-1. propose the rules or regulations required by this section, not later than 90 days after the date of enactment of this Act; and 2. issue final rules or regulations required by this section, not later than 270 days after that date of enactment.

Sarbanes–Oxley Section 401: Disclosures in periodic reports (Off-balance sheet items)

The bankruptcy of Enron drew attention to off-balance sheet instruments that were used fraudulently. During 2010, the court examiner's review of the Lehman Brothers bankruptcy also brought these instruments back into focus, as Lehman had used an instrument called "Repo 105" to allegedly move assets and debt off-balance sheet to make its financial position look more favorable to investors. Sarbanes-Oxley required the disclosure of all material off-balance sheet items. It also required an SEC study and report to better understand the extent of usage of such instruments and whether accounting principles adequately addressed these instruments; the SEC report was issued June 15, 2005. Interim guidance was issued in May 2006, which was later finalized. Critics argued the SEC did not take adequate steps to regulate and monitor this activity.

Sarbanes–Oxley Section 404: Assessment of internal control

The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control on financial reporting (ICFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort.

Under Section 404 of the Act, management is required to produce an "internal control report" as part of each annual Exchange Act report. See 15 U.S.C. § 7262. The report must affirm "the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting". 15 U.S.C. § 7262(a). The report must also "contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting". To do this, managers are generally adopting an internal control framework such as that described in COSO.

To help alleviate the high costs of compliance, guidance and practice have continued to evolve. The Public Company Accounting Oversight Board (PCAOB) approved Auditing Standard No. 5 for public accounting firms on July 25, 2007. This standard superseded Auditing Standard No. 2, the initial guidance provided in 2004. The SEC also released its interpretive guidance on June 27, 2007. It is generally consistent with the PCAOB's guidance, but intended to provide guidance for management. Both management and the external auditor are responsible for performing their assessment in the context of a top-down risk assessment, which requires management to base both the scope of its assessment and evidence gathered on risk. This gives management wider discretion in its assessment approach. These two standards together require management to:

• Assess both the design and operating effectiveness of selected internal controls related to significant accounts and relevant assertions, in the context of material misstatement risks;
• Understand the flow of transactions, including IT aspects, in sufficient detail to identify points at which a misstatement could arise;
• Evaluate company-level (entity-level) controls, which correspond to the components of the COSO framework;
• Perform a fraud risk assessment;
• Evaluate controls designed to prevent or detect fraud, including management override of controls;
• Evaluate controls over the period-end financial reporting process;
• Scale the assessment based on the size and complexity of the company;
• Rely on management's work based on factors such as competency, objectivity, and risk;
• Conclude on the adequacy of internal control over financial reporting.
  

SOX 404 compliance costs represent a tax on inefficiency, encouraging companies to centralize and automate their financial reporting systems. This is apparent in the comparative costs of companies with decentralized operations and systems, versus those with centralized, more efficient systems. For example, the 2007 Financial Executives International (FEI) survey indicated average compliance costs for decentralized companies were $1.9 million, while centralized company costs were $1.3 million. Costs of evaluating manual control procedures are dramatically reduced through automation.

Sarbanes–Oxley 404 and smaller public companies

The cost of complying with SOX 404 impacts smaller companies disproportionately, as there is a significant fixed cost involved in completing the assessment. For example, during 2004 U.S. companies with revenues exceeding $5 billion spent 0.06% of revenue on SOX compliance, while companies with less than $100 million in revenue spent 2.55%.

This disparity is a focal point of 2007 SEC and U.S. Senate action. The PCAOB intends to issue further guidance to help companies scale their assessment based on company size and complexity during 2007. The SEC issued their guidance to management in June, 2007.

After the SEC and PCAOB issued their guidance, the SEC required smaller public companies (non-accelerated filers) with fiscal years ending after December 15, 2007 to document a Management Assessment of their Internal Controls over Financial Reporting (ICFR). Outside auditors of non-accelerated filers however opine or test internal controls under PCAOB (Public Company Accounting Oversight Board) Auditing Standards for years ending after December 15, 2008. Another extension was granted by the SEC for the outside auditor assessment until years ending after December 15, 2009. The reason for the timing disparity was to address the House Committee on Small Business concern that the cost of complying with Section 404 of the Sarbanes–Oxley Act of 2002 was still unknown and could therefore be disproportionately high for smaller publicly held companies. On October 2, 2009, the SEC granted another extension for the outside auditor assessment until fiscal years ending after June 15, 2010. The SEC stated in their release that the extension was granted so that the SEC's Office of Economic Analysis could complete a study of whether additional guidance provided to company managers and auditors in 2007 was effective in reducing the costs of compliance. They also stated that there will be no further extensions in the future.

On September 15, 2010 the SEC issued final rule 33–9142 the permanently exempts registrants that are neither accelerated nor large accelerated filers as defined by Rule 12b-2 of the Securities and Exchange Act of 1934 from Section 404(b) internal control audit requirement.

Sarbanes–Oxley Section 802: Criminal penalties for influencing US Agency investigation/proper administration

Section 802(a) of the SOX, 18 U.S.C. § 1519 states:

Sarbanes–Oxley Section 806: Civil action to protect against retaliation in fraud cases

Section 806 of the Sarbanes–Oxley Act, also known as the whistleblower-protection provision, prohibits any "officer, employee, contractor, subcontractor, or agent" of a publicly traded company from retaliating against "an employee" for disclosing reasonably perceived potential or actual violations of the six enumerated categories of protected conduct in Section 806 (securities fraud, shareholder fraud, bank fraud, a violation of any SEC rule or regulation, mail fraud, or wire fraud). Section 806 prohibits a broad range of retaliatory adverse employment actions, including discharging, demoting, suspending, threatening, harassing, or in any other manner discriminating against a whistleblower. Recently a federal court of appeals held that merely "outing" or disclosing the identity of a whistleblower is actionable retaliation.

Remedies under Section 806 include: