The Sarbanes–Oxley Act of 2002 (nicknamed SOX) (Pub.L. 107-204, 116 Stat. 745), also known as the “Public Company Accounting Reform and Investor Protection Act” or “Corporate and Auditing Accountability and Responsibility Act,” was signed into law in 2002. It sought to deal with numerous issues about public company accountability, accounting standards, and corporate governance.
Wikipedia summarizes the main provisions as follows:
- Public Company Accounting Oversight Board (PCAOB)
  - Title I consists of nine sections and establishes the Public Company Accounting Oversight Board, to provide independent oversight of public accounting firms providing audit services (“auditors”). It also creates a central oversight board tasked with registering auditors, defining the specific processes and procedures for compliance audits, inspecting and policing conduct and quality control, and enforcing compliance with the specific mandates of SOX.
- Auditor Independence
  - Title II consists of nine sections and establishes standards for external auditor independence, to limit conflicts of interest. It also addresses new auditor approval requirements, audit partner rotation, and auditor reporting requirements. It restricts auditing companies from providing non-audit services (e.g., consulting) for the same clients.
- Corporate Responsibility
  - Title III consists of eight sections and mandates that senior executives take individual responsibility for the accuracy and completeness of corporate financial reports. It defines the interaction of external auditors and corporate audit committees, and specifies the responsibility of corporate officers for the accuracy and validity of corporate financial reports. It enumerates specific limits on the behaviors of corporate officers and describes specific forfeitures of benefits and civil penalties for non-compliance. For example, Section 302 requires that the company’s “principal officers” (typically the Chief Executive Officer and Chief Financial Officer) certify and approve the integrity of their company financial reports quarterly.
- Enhanced Financial Disclosures
  - Title IV consists of nine sections. It describes enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures and stock transactions of corporate officers. It requires internal controls for assuring the accuracy of financial reports and disclosures, and mandates both audits and reports on those controls. It also requires timely reporting of material changes in financial condition and specific enhanced reviews by the SEC or its agents of corporate reports.
- Analyst Conflicts of Interest
  - Title V consists of only one section, which includes measures designed to help restore investor confidence in the reporting of securities analysts. It defines the codes of conduct for securities analysts and requires disclosure of knowable conflicts of interest.
- Commission Resources and Authority
  - Title VI consists of four sections and defines practices to restore investor confidence in securities analysts. It also defines the SEC’s authority to censure or bar securities professionals from practice and defines conditions under which a person can be barred from practicing as a broker, advisor, or dealer.
- Studies and Reports
  - Title VII consists of five sections and requires the Comptroller General and the SEC to perform various studies and report their findings. Studies and reports include the effects of consolidation of public accounting firms, the role of credit rating agencies in the operation of securities markets, securities violations and enforcement actions, and whether investment banks assisted Enron, Global Crossing and others to manipulate earnings and obfuscate true financial conditions.
- Corporate and Criminal Fraud Accountability
  - Title VIII consists of seven sections and is also referred to as the “Corporate and Criminal Fraud Accountability Act of 2002”. It describes specific criminal penalties for manipulation, destruction or alteration of financial records or other interference with investigations, while providing certain protections for whistle-blowers.
- White Collar Crime Penalty Enhancement
  - Title IX consists of six sections. This section is also called the “White Collar Crime Penalty Enhancement Act of 2002.” This section increases the criminal penalties associated with white-collar crimes and conspiracies. It recommends stronger sentencing guidelines and specifically adds failure to certify corporate financial reports as a criminal offense.
- Corporate Tax Returns
  - Title X consists of one section. Section 1001 states that the Chief Executive Officer should sign the company tax return.
- Corporate Fraud Accountability
  - Title XI consists of seven sections. Section 1101 recommends a name for this title as “Corporate Fraud Accountability Act of 2002”. It identifies corporate fraud and records tampering as criminal offenses and joins those offenses to specific penalties. It also revises sentencing guidelines and strengthens their penalties. This enables the SEC to resort to temporarily freezing transactions or payments that have been deemed “large” or “unusual”.
Implementation of SOX has developed over time through SEC rulemaking and otherwise, and includes the following key provisions:
Section 302: Disclosure controls
Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are “responsible for establishing and maintaining internal controls” and “have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared.” 15 U.S.C. § 7241(a)(4). The officers must “have evaluated the effectiveness of the company’s internal controls as of a date within 90 days prior to the report” and “have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.” Id.
The SEC interpreted the intention of Sec. 302 in Final Rule 33–8124. In it, the SEC defines the new term “disclosure controls and procedures”, which are distinct from “internal controls over financial reporting”. Under both Section 302 and Section 404, Congress directed the SEC to promulgate regulations enforcing these provisions.
External auditors are required to issue an opinion on whether effective internal control over financial reporting was maintained in all material respects by management. This is in addition to the financial statement opinion regarding the accuracy of the financial statements. The requirement to issue a third opinion regarding management’s assessment was removed in 2007.
Section 303: Improper Influence on Conduct of Audits
a. Rules To Prohibit. It shall be unlawful, in contravention of such rules or regulations as the Commission shall prescribe as necessary and appropriate in the public interest or for the protection of investors, for any officer or director of an issuer, or any other person acting under the direction thereof, to take any action to fraudulently influence, coerce, manipulate, or mislead any independent public or certified accountant engaged in the performance of an audit of the financial statements of that issuer for the purpose of rendering such financial statements materially misleading.
Section 401: Disclosures in periodic reports (Off-balance sheet items)
Section 401 requires the disclosure of all material off-balance sheet items. It also required an SEC study and report to better understand the extent of usage of such instruments and whether accounting principles adequately addressed these instruments; the SEC report was issued June 15, 2005.
Sarbanes–Oxley Section 404: Assessment of internal control
Section 404 requires management and the external auditor to report on the adequacy of the company’s internal control on financial reporting (ICFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort.
Section 802: Criminal penalties for influencing US Agency investigation/proper administration
“Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.”
Section 906: Criminal Penalties for CEO/CFO financial statement certification
Section 906 states:
§ 1350. Failure of corporate officers to certify financial reports
(a) Certification of Periodic Financial Reports.— Each periodic report containing financial statements filed by an issuer with the Securities Exchange Commission pursuant to section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m (a) or 78o (d)) shall be accompanied by a written statement by the chief executive officer and chief financial officer (or equivalent thereof) of the issuer.
(b) Content.— The statement required under subsection (a) shall certify that the periodic report containing the financial statements fully complies with the requirements of section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o (d)) and that information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer.
(c) Criminal Penalties.— Whoever— (1) certifies any statement as set forth in subsections (a) and (b) of this section knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in this section shall be fined not more than $1,000,000 or imprisoned not more than 10 years, or both; or
(2) willfully certifies any statement as set forth in subsections (a) and (b) of this section knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in this section shall be fined not more than $5,000,000, or imprisoned not more than 20 years, or both.
Section 1107: Criminal penalties for retaliation against whistleblowers
“Whoever knowingly, with the intent to retaliate, takes any action harmful to any person, including interference with the lawful employment or livelihood of any person, for providing to a law enforcement officer any truthful information relating to the commission or possible commission of any federal offense, shall be fined under this title, imprisoned not more than 10 years, or both.”
SEC Rulemaking Final Rules:
- Additional Form 8-K Disclosure Requirements and Acceleration of Filing Date (Release Nos. 33-8400, 34-49424; File No.: S7-22-02; March 16, 2004)
- Management’s Report on Internal Control over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports (Release Nos. 33-8392, 34-49313; IC-26357; File Nos.: S7-40-02; S7-06-03; February 24, 2004)
- Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports (Release Nos. 33-8238, 34-47986; IC-26068; File Nos.: S7-40-02; S7-06-03; June 5, 2003)
- Improper Influence on Conduct of Audits (Release Nos. 34-47890; IC-26050; FR-71; File No.: S7-39-02; May 20, 2003)
- Mandated Electronic Filing and Website Posting for Forms 3, 4 and 5 (Release Nos. 33-8230; 34-47809; 35-27674; IC-26044; File No.: S7-52-02; May 7, 2003)
- Standards Relating to Listed Company Audit Committees (Release Nos. 33-8220; 34-47654; IC-26001; File No.: S7-02-03; April 9, 2003)
- Filing Guidance Related To: Conditions for Use of Non-GAAP Financial Measures; and Insider Trades During Pension Fund Blackout Periods (Release Nos. 33-8216; 34-47583; IC-25983; FR-69; File Nos.: S7-43-02 and S7-44-02; March 27, 2003)
- Disclosure Required by Sections 406 and 407 of the Sarbanes-Oxley Act of 2002 (Release Nos. 33-8177A; 34-47235A; File No.: S7-40-02; March 26, 2003)
- Strengthening the Commission’s Requirements Regarding Auditor Independence (Release Nos. 33-8183A; 34-47265A; 35-27642A; IC-25915A; IA-2103A; FR-68; File No.: S7-49-02; March 26, 2003)
- Implementation of Standards of Professional Conduct for Attorneys (Release Nos. 33-8185, 34-47276, IC-25919; File No.: S7-45-02; January 29, 2003)
- Strengthening the Commission’s Requirements Regarding Auditor Independence (Release Nos. 33-8183, 34-47265, 35-27642, IC-25915, IA-2103, FR-68; File No.: S7-49-02; Jan. 28, 2003)
- Disclosure in Management’s Discussion and Analysis about Off-Balance Sheet Arrangements and Aggregate Contractual Obligations (Release Nos. 33-8182, 34-47264, FR-67, International Series No. 1266; File No.: S7-42-02; January 28, 2003)
- Certification of Management Investment Company Shareholder Reports and Designation of Certified Shareholder Reports as Exchange Act Periodic Reporting Forms; Disclosure Required by Sections 406 and 407 of the Sarbanes-Oxley Act of 2002 (Release Nos. 34-47262, IC-25914; File Nos.: S7-33-02 and S7-40-02; January 27, 2003)
- Retention of Records Relevant to Audits and Reviews (Release Nos. 33-8180, 34-47241, IC-25911, FR-66; File No.: S7-46-02; January 24, 2003)
- Disclosure Required by Sections 406 and 407 of the Sarbanes-Oxley Act of 2002 (Release Nos. 33-8177, 34-47235; File No.: S7-40-02; January 23, 2003)
- Insider Trades During Pension Fund Blackout Periods (Release Nos. 34-47225, IC-25909; File No.: S7-44-02; January 22, 2003)
- Conditions for Use of Non-GAAP Financial Measures (Release Nos. 33-8176, 34-47226, FR-65; File No.: S7-43-02; January 22, 2003)
- Certification of Disclosure in Companies’ Quarterly and Annual Reports (Release Nos. 33-8124, 34-46427, IC-25722; File No.: S7-21-02; August 29, 2002)
- Ownership Reports and Trading by Officers, Directors and Principal Security Holders (Release Nos. 34-46421, 35-27563, IC-25720; File No.: S7-31-02; August 27, 2002)