Sarbanes-Oxley Act (SOX)

What is the Sarbanes-Oxley Act 2002?

The Sarbanes-Oxley Act (Sox) of 2002 was enacted by the US Federal Law for increased corporate governance, strengthening the financial and capital markets at its core and boost the confidence of general users of financial reporting information and protect investors from scandals like that of Enron, WorldCom, and Tyco.

Background to the Sarbanes-Oxley Act

• The Act is mandatory for any company with a US stock exchange listing.
• The Act created a Public Company Accounting Oversight Board (PCAOB), enhanced the scope of Corporate responsibilities and the role of auditors and audit committee as well.
• Further, this act recommended complete and accurate disclosures in financial statements and stipulated various penalties in the corporate sector for wrong or fraudulent financial information.

Components of Section 404 of the Sox Act, 2002

Section 404 of the Act requires that annual financial statements must include:

• A statement, asserting management’s responsibility for the effectiveness of internal controls over financial reporting.
• Management conclusion on the effectiveness of internal controls over financial reporting
• Disclosure of any material weakness.
• An attestation by our external auditors, on the effectiveness of internal controls over financial reporting

Consequences

• Criminal penalties – whoever:
  • certifies an inaccurate statement in the annual report will be fined up to US$1,000,000 or 10 years imprisonment OR BOTH
  • wilfully certifies an inaccurate statement in the annual report will be fined up to US$5,000,000 or 20 years imprisonment OR BOTH
• Reputational damage
• Fines/Penalties
• Share value diminution

Six Steps of Annual Sarbanes Oxley Sox Act

The Sarbanes Oxley requires that the internal controls over financial reporting (ICOFR) be assessed annually. The SOX audits, therefore, follows an annual testing cycle covering the areas below. The cycle is generally concluded each year before the issue of the Annual Report.

#1 – Scoping

To meet S404 requirements, management must identify the scope of internal controls over financial reporting and the activities required to achieve compliance. This involves defining the materiality thresholds and identifying those processes and controls that must be tested to provide evidence of the effectiveness of the ICOFR. For Example, for a Bank key Sox processes include credit risk disclosures, liquidity and segment reporting, Fair Value Disclosures, etc.

#2 – Documentation

Documentation should cover identified critical financial reporting risks and key controls and evidence to support the effective operation of critical controls.

#3 – Testing

To support and opinion over the effectiveness of ICOFR, management must perform design effectiveness assessment (DEA) of in-scope processes and operating effectiveness tests (OET) of SOX Controls.

#4 – Issue Evaluation

All open issues impacting ICOFR must be assessed to determine their potential impact and probability of causing a material misstatement in the financial statements.

#5 – Remediation

Issue owners must prioritize control issues for remediation based upon the classification of the problem. They must devise a remediation plan and manage the implementation, and once an issue is remediated, the controls must be retested to ensure the underlying issue has been successfully addressed.

#6 – Evaluation of the Effectiveness of the ICOFR

Management’s review of S404 Control issues supports the annual conclusion on the effectiveness of the ICOFR. This review is completed throughout the year, and the same is disclosed through an annual attestation, in the director’s report section of the Annual Report.

How do we do Operating Effectiveness Testing of Sox Controls?

1. Evaluating whether the control addresses the risks of material misstatement to the relevant assertions as intended;
2. Evaluating whether the use of prior year and forecast information is an appropriate basis for Establishing expectations to identify potential misstatements;
3. Evaluating whether the criteria used for identifying differences for investigation are set at an appropriate level to enable the control operator to detect misstatements that could be material to the financial statements, individually or in combination with other misstatements;
4. Evaluating the competencies of the control operator;
5. Evaluating whether the control operates often enough to prevent or detect misstatements before they have a material effect on the financial statements;
6. For selected operations of the control, obtaining the information used by the control operator in the analysis, understanding the steps performed by the control operator to investigate significant differences, reperforming the analysis;

Advantages

• The most significant advantage of this act is that Sox covered companies can’t hide anything material from the shareholders and various stakeholders because the financial statements are being verified by a third party.
• The second most significant advantage is increased emphasis on internal controls within an organization with proper design effectiveness assessment and operating effectiveness testing of each control.

Disadvantages/Limitations

• The most significant disadvantage if additional cost burden to smaller companies because the Sox act doesn’t prescribe any kind of thresholds for smaller and larger companies, while larger companies might have various resources to be Sox compliant at no additional cost, smaller companies bear the brunt of additional compliance costs.
• Another disadvantage is the increased compliance fee being paid to external auditors appointed by the company due to additional compliance procedures performed by them during the course of Sox audits.

Essential Points to Note about Change in Sarbanes Oxley Act

Sarbanes Oxley Act of 2002 (SOX) laws have undergone many changes in the last 15 years for plugging all the loopholes and improved compliance by companies. While we look ahead for the next 15 years, there is a need for auditors, companies, regulators, and various stakeholders to keep with the changes in the market scenarios, which is very dynamic. There are numerous new areas to ponder over, such as technology in audits, financial reporting standards, and smoother reporting at all levels.

Conclusion

By reading the above, we can conclude that Sarbanes Oxley (SOX) Act promotes improved compliance,  complete and accurate financial statement disclosures, puts additional responsibility on management for the authenticity of financial statements, though the compliance involves additional cost burdens for smaller companies and increased governance by the regulators but helps in achieving the ultimate goal of increased investor confidence in financial reporting information and reduced potential for management frauds.

Recommended Articles

This has been a guide to What is the Sarbanes Oxley Act 2002 (SOX) and its Definition. Here we six steps of the annual Sarbanes Oxley Act (SOX), and components along with the examples, advantages, and disadvantages. You can learn more about accounting from the following articles –

• Compliance Audit
• Adverse Opinion
• Proxy Fight
• Generally Accepted Accounting Principles