
Sarbanes-Oxley Act of 2002

Introduction
The Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and
Investor Protection Act of 2002 and commonly called Sarbanes-Oxley or SOX, is a United States
federal law enacted on July 30, 2002. Corporate scandals (Enron, Tyco International, Adelphia,
Peregrine Systems and WorldCom) provided the impetus for Congress to act quickly. These scandals
resulted in a decline of public trust in accounting and reporting practices. The Act introduced stringent
new rules with the stated objective "to protect investors by improving the accuracy and reliability of
corporate disclosures made pursuant to the securities laws".

The Act is named after its main architects, Senator Paul Sarbanes and Representative Michael G. Oxley.
President George W. Bush signed it into law, stating that it included "the most far-reaching reforms of
American business practices since the time of Franklin D. Roosevelt."

As a result of the Act, major changes were introduced to the regulation of financial practice and
corporate governance, affecting corporate governance and conduct, financial reporting and the
public accounting profession. New or enhanced standards were introduced for all U.S. public
company boards, management and public accounting firms. The Act does not apply to privately held
companies.

Authorities under the Act

Securities and Exchange Commission (SEC): The U.S. Securities and Exchange
Commission (commonly known as the SEC) is an independent agency of the United States government
which holds primary responsibility for enforcing the federal securities laws and regulating the securities
industry, the nation's stock and options exchanges, and other electronic securities markets.

The SEC is responsible for setting the standards for public companies and overseeing compliance. The
Act contains 11 titles, each containing several sections ranging from additional corporate board
responsibilities to criminal penalties, and requires the SEC to implement rulings on the requirements to
comply with the new law.

Each of the powers given to the Public Company Accounting Oversight Board (PCAOB) is subject to approval
and oversight by the SEC. Individuals and audit firms subject to PCAOB oversight may appeal PCAOB
decisions to the SEC, and the SEC has the power to modify or overturn PCAOB rules. The PCAOB is
subject to SEC inspections and enforcement, and the Sarbanes-Oxley Act gives the SEC the power to
censure or remove PCAOB members for cause.

Public Company Accounting Oversight Board (PCAOB): A new, quasi-public
agency, the Public Company Accounting Oversight Board (PCAOB) was created with the
responsibilities of overseeing, regulating, inspecting and disciplining accounting firms in their roles as
auditors of public companies that are subject to the securities laws, and related matters. The purpose is
to protect the interests of investors and further the public interest in the preparation of informative,
accurate, and independent audit reports for companies the securities of which are sold to, and held by
and for, public investors.

The Board shall be a body corporate, operate as a nonprofit corporation, and have succession until
dissolved by an Act of Congress.

All public accounting firms that prepare or issue, or who participate in the preparation or issuance of,
any audit report with respect to an issuer, must register with the Board. The responsibilities of the board
include:

(1) Register public accounting firms that prepare audit reports for issuers, in accordance with section
102;

(2) Establish or adopt, or both, by rule, auditing, quality control, ethics, independence, and other
standards relating to the preparation of audit reports for issuers, in accordance with section 103;

(3) Conduct inspections of registered public accounting firms, in accordance with section 104 and
the rules of the Board;

(4) Conduct investigations and disciplinary proceedings concerning, and impose appropriate
sanctions where justified upon, registered public accounting firms and associated persons of such
firms, in accordance with section 105;

(5) Perform such other duties or functions as the Board (or the Commission, by rule or order)
determines are necessary or appropriate to promote high professional standards among, and improve
the quality of audit services offered by, registered public accounting firms and associated persons
thereof, or otherwise to carry out this Act, in order to protect investors, or to further the public
interest;

(6) Enforce compliance with this Act, the rules of the Board, professional standards, and the
securities laws relating to the preparation and issuance of audit reports and the obligations and
liabilities of accountants with respect thereto, by registered public accounting firms and associated
persons thereof; and

(7) Set the budget and manage the operations of the Board and the staff of the Board.

Part of the PCAOB's power to set rules for the auditing industry includes the power to regulate the non-
audit services that audit firms may offer their audit clients (such as consulting or tax services). This
power was given to the PCAOB as a result of allegations, in cases such as Enron and WorldCom, that
auditors' independence from their clients' managers had been compromised because of the large fees
that audit firms were earning from these ancillary services.

The 11 Titles under the Act:

Sarbanes-Oxley contains 11 titles that describe specific mandates and requirements for financial
reporting.

Although the act has 11 titles each containing several sections, the most significant of those are:

• Section 103: Your auditor must (and therefore you should) maintain all audit-related records,
including electronic ones, for seven years.

• Section 301: You must provide systems or procedures that allow employees to communicate
effectively with the audit committee.

• Section 302: Your CEO and CFO must sign statements verifying the completeness and accuracy
of financial reports.

• Section 404: CEOs, CFOs and outside auditors must attest to the effectiveness and accuracy
of financial reports.

• Section 409: Companies must report material changes in their financial condition "on a rapid
and current basis." The Act calls this "real-time" disclosure but is unclear on what it means.

• Section 906 (Criminal): The CEO/CFO must certify periodic financial reports; failure to do so
results in a fine and/or imprisonment.

Section 103 - Auditing, Quality Control, and Independence Standards and Rules:

This section is listed under Title I of the Act (Public Company Oversight Board).

The Board shall establish, amend or otherwise modify such auditing and related attestation
standards, such quality control standards, and such ethics standards to be used by registered public
accounting firms in the preparation and issuance of audit reports, as required by this Act or the rules of
the Commission, or as may be necessary or appropriate in the public interest or for the protection of
investors.

The key auditing rules established by the Board under this section, for every registered public
accounting firm, are:

a) Prepare, and maintain for a period of not less than 7 years, audit work papers and other
information related to any audit report, in sufficient detail to support the conclusions reached in
such report;

b) Provide a concurring or second partner review and approval of such audit report including other
related information, and concurring approval in its issuance, by a qualified person (as prescribed
by the Board) associated with the public accounting firm, other than the person in charge of the
audit, or by an independent reviewer (as prescribed by the Board); and

c) Describe in each audit report the scope of the auditor's testing of the internal control structure and
procedures adopted by the issuer, including:

• The findings of the auditor from such testing;
• An evaluation of whether the internal control structure and procedures of the issuer
company ensure that financial records are maintained in reasonable detail and accurately and fairly
reflect the transactions and dispositions of the assets of the issuer;
• Whether the internal control structure and procedures of the issuer company provide reasonable
assurance that transactions are recorded in accordance with generally accepted accounting
principles (US GAAP), and that receipts and expenditures of the issuer are being made only
in accordance with authorizations of management and directors of the issuer;
• A description, at a minimum, of material weaknesses in such internal controls, and of any
material noncompliance found on the basis of such testing.

With respect to quality control standards, the Board specifies requirements for each public accounting
firm relating to (i) monitoring of professional ethics and independence from issuers on behalf of which
the firm issues audit reports; (ii) consultation within such firm on accounting and auditing questions;
(iii) supervision of audit work; (iv) hiring, professional development, and advancement of personnel; (v)
the acceptance and continuation of engagements; (vi) internal inspection; and (vii) such other
requirements as the Board may prescribe.

Section 301 – Public Company Audit Committees:

This section is listed under Title III of the Act (Corporate Responsibilities).

The audit committee of each issuer shall be directly responsible for the appointment, compensation, and
oversight of the work of any registered public accounting firm employed by that issuer (including
resolution of disagreements between management and the auditor regarding financial reporting) for the
purpose of preparing or issuing an audit report or related work, and each such registered public
accounting firm shall report directly to the audit committee.

Each member of the audit committee shall be a member of the board of directors of the issuer, and shall
otherwise be independent. "Independent" is defined as not receiving, other than for service on the board,
any consulting, advisory, or other compensatory fee from the issuer, and as not being an affiliated
person of the issuer, or any subsidiary thereof.

The SEC may make exemptions for certain individuals on a case-by-case basis.

The audit committee shall establish procedures for the "receipt, retention, and treatment of complaints"
received by the issuer regarding accounting, internal controls, and auditing. Each audit committee shall
have the authority to engage independent counsel or other advisors, as it determines necessary to carry
out its duties. Each issuer shall provide appropriate funding to the audit committee.

Section 302 – Corporate Responsibility for Financial Reports:

This section is listed under Title III of the Act (Corporate Responsibilities).

The CEO and CFO of each issuer shall prepare a statement to accompany the audit report to certify the
"appropriateness of the financial statements and disclosures contained in the periodic report, and that
those financial statements and disclosures fairly present, in all material respect, the operations and
financial condition of the issuer." A violation of this section must be knowing and intentional to give
rise to liability.

Annual or quarterly reports of companies under the Securities Exchange Act should contain a
management assertion that:

• The signing officers have reviewed the report;
• The report does not contain any material untrue statements or material omissions and is not
misleading;
• The financial statements and related information fairly present the financial condition and the results in
all material respects;
• The signing officers are responsible for establishing and maintaining internal controls, have
evaluated these internal controls within the previous 90 days and have reported on their findings;
• All significant deficiencies in the design and operation of internal controls, and information on any
fraud, whether or not material, that involves employees who are involved with internal controls, have
been disclosed to the audit committee and auditors;
• Any significant changes in internal controls, or related factors that could have a negative impact on the
internal controls, have been disclosed.

A significant deficiency has been defined as a deficiency, or a combination of deficiencies, in internal
control over financial reporting that is less severe than a material weakness, yet important enough to
merit attention by those responsible for oversight of the company's financial reporting.

A material weakness is a deficiency, or a combination of deficiencies, in internal control over
financial reporting, such that there is a reasonable possibility that a material misstatement of the
company's annual or financial statements will not be prevented or detected on a timely basis.

Section 404 – Management Assessment of Internal Controls:

This section is listed under Title IV of the Act (Enhanced Financial Disclosures). Section 404 requires
management and the external auditor to report on the adequacy of the company's internal control over
financial reporting (ICFR). Under Section 404 of the Act, management is required to produce an
"internal control report" as part of each annual Exchange Act report.

1) The Commission requires the "internal control report", to:

a) State the responsibility of management for establishing and maintaining an adequate internal
control structure and procedures for financial reporting; and
b) Contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal
control structure and procedures of the issuer for financial reporting.

Managers generally adopt an internal control framework such as that described in COSO.

2) Internal Control Evaluation and Reporting.

With respect to the internal control assessment required by subsection (1), each registered public
accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the
assessment made by the management of the issuer. An attestation made under this subsection shall
be made in accordance with standards for attestation engagements issued or adopted by the Board.
Any such attestation shall not be the subject of a separate engagement.

Section 409 – Real Time Issuer Disclosures:

This section is listed under Title IV of the Act (Enhanced Financial Disclosures). Section 409 is the one
place in SOX that outlines the measures of most direct interest to an individual investor: the protection of the
ordinary investor. Under this section, issuers are required to disclose to the public, on an urgent basis,
information on material changes in their financial condition or operations. These disclosures are to be
presented in terms that are easy to understand, supported by trend and qualitative information and graphic
presentations as appropriate.

A direct excerpt from the Sarbanes-Oxley Act of 2002:

"(l) REAL TIME ISSUER DISCLOSURES - Each issuer reporting under section 13(a) or 15(d) shall
disclose to the public on a rapid and current basis such additional information concerning material
changes in the financial condition or operations of the issuer, in plain English, which may include trend
and qualitative information and graphic presentations, as the Commission determines, by rule, is
necessary or useful for the protection of investors and in the public interest."

Section 409 of the SOX Act has been interpreted as meaning that when a material financial change
occurs in a publicly held company, it must be reported to regulators within 48 hours in a form that can
be understood by the public stakeholders and potential new investors of the organization. What Section
409 is trying to accomplish is making available relevant, timely information that shareholders can use to
draw conclusions on the soundness of an investment using their personal criteria as a benchmark.

Section 906 – Corporate Responsibility for Financial Reports:

This section is listed under Title IX of the Act (White Collar Crime Penalty Enhancement). A CEO and
CFO must certify financial statements filed with the SEC. A certification must state that the financial
statements and disclosures fully comply with the provisions of the Securities Exchange Act and that they
fairly present, in all material respects, the operations and financial condition of the issuer.

Under Section 906 of the Act, a CEO or CFO who certifies a report "knowing" that it does not comport
with all the requirements of the Act is liable to a fine of up to US$1 million or imprisonment for up to
ten years, or both. If the CEO or CFO "willfully" certifies a report "knowing" it does not comport with
all the requirements of the Act, they may be subject to a fine of up to US$5 million or imprisonment of
up to 20 years, or both. How courts draw the line between "knowing" and "willfully knowing" could also
shape case law with the passage of time.

Behavior                                                        Consequences

a) Any CEO or CFO who "recklessly" violates his or her          a) Fine of up to $1,000,000 and/or up to 10
   certification of the company's financial statements.            years imprisonment.

b) If the CEO or CFO "willfully" violates.                      b) Fine of up to $5 million and/or up to 20
                                                                   years imprisonment.

Any person who "corruptly" alters, destroys, conceals, etc.,    Fine and/or up to 20 years imprisonment.
any records or documents with the intent of impairing the
integrity of the record or document or its use in an official
proceeding.

Internal Control over Financial Reporting – Definition

A process designed by, or under the supervision of, the issuer’s principal executive and principal
financial officers, or persons performing similar functions, and effected by the issuer's board of
directors, management and other personnel, to provide reasonable assurance regarding the reliability of
financial reporting and the preparation of financial statements for external purposes in accordance with
generally accepted accounting principles.

It includes the policies and procedures of an issuer that:

• Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the
transactions and dispositions of the assets of the issuer;
• Provide reasonable assurance that transactions are recorded as necessary to permit preparation
of financial statements in accordance with generally accepted accounting principles, and that
receipts and expenditures of the issuer are being made only in accordance with authorizations of
management and directors of the issuer; and
• Provide reasonable assurance regarding prevention or timely detection of unauthorized
acquisition, use or disposition of the issuer's assets that could have a material effect on the
financial statements.

Internal Control Frameworks:

The SEC ruled that the criteria on which management's evaluation under Section 404 of the Act is based
must be derived from a suitable framework. A "suitable framework" must be free from bias; permit
reasonably consistent qualitative and quantitative measurements of a company's internal control; be
sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness
of a company's internal controls are not omitted; and be relevant to an evaluation of internal control
over financial reporting. The three key objectives of the internal control framework are:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

The SEC points out in the final rule that the COSO Internal Control – Integrated Framework satisfies the
above-mentioned requirements, and hence this model has been adopted as the generally accepted
framework for internal control and is widely recognized as the definitive standard against which
organizations measure the effectiveness of their systems of internal control.

COSO (originally formed in 1985) stands for "Committee of Sponsoring Organizations" and is a voluntary
private-sector organization dedicated to improving the quality of financial reporting through business ethics,
effective internal controls and corporate governance. In 1992, the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) developed the framework for evaluating internal controls.
The sponsoring organizations are the American Accounting Association (AAA), the American Institute of
Certified Public Accountants (AICPA), the Financial Executives Institute (FEI), the Institute of Management
Accountants (IMA), and The Institute of Internal Auditors (IIA).

The original COSO framework contains five control components needed to help assure sound business
objectives (the first dimension, left to right across the top of the cube). The control components are:

• Control Environment.
• Risk Assessment.
• Control Activities.
• Information and Communication.
• Monitoring.

More specifically, the thought process behind these five components was that they would work together
to establish the foundation for sound internal control within the company through directed leadership,
shared values and a culture that emphasizes accountability for control. This in effect supports
achievement of an organization's mission, strategies and related business objectives.

• The various risks facing the company are identified and assessed routinely at all levels and
within all functions in the organization.
• Control activities and other mechanisms are proactively designed to address and mitigate the
significant risks.
• Information critical to identifying risks and meeting business objectives is communicated
through established channels up, down and across the company.
• The entire system of internal control is monitored continuously and problems are addressed
in a timely manner.

The second dimension (front to back, across the right side of the cube) required by COSO is an entity-
level focus and an activity-level focus. Internal control must be evaluated at both levels: the entity level as
well as the activity/process level.
