The Sarbanes-Oxley Act of 2002

Congress passed the Public Company Accounting Reform and Investor Protection Act in 2002.13 More commonly known as the Sarbanes-Oxley Act of 2002, it is called SOX or Sarbox in many resources. The Act was named after its sponsors, Senator Paul Sarbanes of Maryland and Representative Michael Oxley of Ohio. It was passed in response to corporate scandals such as Enron, WorldCom, and Adelphia. SOX proposed extensive changes to the Securities Act of 1933 and the Securities Exchange Act of 1934.

SOX moved through both the U.S. House of Representatives and Senate at a quick pace. It was originally introduced in the U.S. House of Representatives in February 2002, just months after the Enron scandal became public. On July 25, 2002, both the House and Senate voted on the final version of SOX. President George W. Bush then signed SOX into law on July 30, 2002. As he signed it, he called SOX “the most far-reaching reforms of American business practices since the time of Franklin Delano Roosevelt.”14

Purpose and Scope

Congress hoped that SOX reforms would prevent another Enron scandal. The main goal of SOX was to protect shareholders and investors from financial fraud. SOX increased corporate disclosure requirements and created strict penalties for violations of its provisions. SOX has 11 different titles. They are:

NOTE

A company uses a prospectus to describe the securities that it offers for sale. The prospectus describes the company’s business plan.

  • Public Company Accounting Oversight Board (Title I)—Establishes the Public Company Accounting Oversight Board (PCAOB). The PCAOB oversees the firms that audit public companies.
  • Auditor Independence (Title II)—Forbids auditors from providing some types of non-audit services to their clients.
  • Corporate Responsibility (Title III)—Requires corporations to create audit committees on their board of directors. The audit committee is responsible for hiring the corporation’s outside auditors.
  • Enhanced Financial Disclosures (Title IV)—Enhances the amount of information that public companies must provide on their SEC filings. This section requires companies to report on internal controls that affect their financial reports.
  • Analyst Conflicts of Interest (Title V)—Establishes rules to make sure that securities analysts can give independent opinions about a public company’s stock risk.
  • Commission Resources and Authority (Title VI)—Gives the SEC authority to discipline investment firms for unprofessional conduct. This section also gives the SEC additional funding to support its programs.
  • Studies and Reports (Title VII)—Requires the SEC to review public accounting firms. The SEC must do this at least every 3 years. This section also requires the SEC to issue reports about how the securities market operates.
  • Corporate and Criminal Fraud Accountability (Title VIII)—Imposes document retention requirements on companies and auditors. It protects whistleblowers, and also bans retaliation against employees who participate in fraud investigations. This section also imposes criminal penalties for violating SOX.
  • White-Collar Crime Penalty Enhancements (Title IX)—Requires CEOs and CFOs to certify that the company’s financial reports fairly represent its financial condition. It creates criminal penalties for signing fraudulent statements.
  • Corporate Tax Returns (Title X)—Is a statement from Congress that strongly suggests that a CEO sign the federal income tax return of a corporation.
  • Corporate Fraud and Accountability (Title XI)—Establishes criminal liability for certain types of fraud committed by corporate officers. It also increases penalties for some types of corporate crime.

SOX supplements current federal securities laws. It applies to publicly traded companies that must register with the SEC. This includes international companies that trade stock on U.S. stock exchanges. However, SOX does not apply to privately held companies.

NOTE

A small public company is a company with less than $75 million of public stock.

Main Requirements

SOX is a very detailed act with many provisions. This chapter focuses on the parts of the act that have had the most impact on information technology (IT) functions. When SOX was first enacted, many companies assumed that it did not have any IT components. Congress did not mention IT anywhere within the act.

This opinion changed as companies began to review their SOX compliance requirements. Many SOX provisions require companies to verify the accuracy of their financial information. Because IT systems hold many types of financial information, companies and auditors quickly realized that these systems were in scope for SOX compliance. That meant that both the way those systems are used and the controls that safeguard them had to be reviewed.

The relationship between IT and SOX compliance continues to evolve. This section reviews the SOX provisions that have an IT impact. First, this section reviews the PCAOB, which creates standards that auditors must follow when reviewing the activities of public companies. These standards help auditors determine the IT controls that they must review. The creation of the PCAOB is one of the most notable SOX reforms.

Second, this section reviews SOX provisions that impact records management functions. These provisions have an impact on IT operations because of the vast amount of data that is stored electronically. These provisions are important because they affect how IT systems are configured.

Finally, SOX requires the executive management of a company to certify that there are controls in place to protect the accuracy of company information. This is the area where SOX compliance has caused the biggest challenge for companies and IT professionals.

Public Company Accounting Oversight Board

Before the creation of SOX, auditors and accountants belonged to a self-regulating profession. A profession is self-regulating when it creates and enforces its own rules of conduct. Federal and state laws place few oversight requirements on members of self-regulating professions.

An attorney is a common example of a member of a self-regulating profession. Attorneys must meet minimum state law requirements to become licensed. After that, their professional behavior is largely judged by commissions made up of other attorneys who enforce rules of professional conduct. The profession itself determines what these rules of professional conduct should be.

FYI

Information security professionals belong to a largely self-regulating profession. This is especially true when information security professionals obtain certifications that require the certificate holders to follow a code of conduct.

The Enron scandal proved that self-regulation does have some drawbacks. Enron’s accounting firm, Arthur Andersen, provided it with accounting, auditing, and consulting services. Enron was a large Andersen client that paid Andersen $52 million for auditing and consulting services in 2001.15 Even the Powers Report noted that there was a lack of critical advice from its auditors at Arthur Andersen in reviewing Enron’s publicly filed financial statements.16 This may have been because Arthur Andersen was reluctant to challenge such an important client.

Congress created the PCAOB to provide a layer of government oversight on auditing activities. The PCAOB, which oversees the audit of public companies, was created in order to ensure that audit reports for public companies are fair and independent. Under SOX, the PCAOB has several duties.17 It must:

  • Register accounting firms that prepare audit reports for public companies.
  • Establish standards for the preparation of audit reports.
  • Conduct inspections of registered public accounting firms.
  • Conduct investigations and disciplinary proceedings against registered public accounting firms.
  • Perform other duties or functions necessary to carry out SOX.
  • Enforce SOX compliance.
  • Set a budget for the PCAOB, and manage its operations.

The PCAOB has five members. The SEC selects these members and appoints them to staggered terms. The SEC can remove PCAOB members if needed. PCAOB members are to be “individuals of integrity and reputation who have a demonstrated commitment to the interests of investors and the public.”18 They must be financially literate. This means that they must be able to understand financial statements. Only two members of the PCAOB are allowed to be certified public accountants (CPAs); the remaining three members cannot. Furthermore, members of the PCAOB are not allowed to have any financial interest in an accounting firm. FIGURE 7-1 shows the structure of the PCAOB.

A diagram shows the Public Company Accounting Oversight Board (PCAOB), comprising five members: two certified public accountants (CPAs) and three non-CPAs. The PCAOB is controlled by the U.S. Securities and Exchange Commission.

FIGURE 7-1
PCAOB structure.

NOTE

You can learn more about the role of the PCAOB by visiting its webpage at http://pcaobus.org.

FYI

The SEC believes that a single set of globally accepted accounting principles will benefit U.S. companies. Therefore, it is evaluating whether it should adopt the International Financial Reporting Standards (IFRS), created by the International Accounting Standards Board. You can learn about IFRS at http://www.ifrs.com/ifrs_faqs.html. The SEC has studied the IFRS extensively and compared them with U.S. accounting principles. Although the SEC has not approved IFRS for use by U.S. public companies, interest in a global framework for financial reporting remains.19

One of the main functions of the PCAOB is to set standards for how auditors review public companies. It has created standards related to auditing, ethics and independence, quality control, and attestation, which must be approved by the SEC. The PCAOB bases many of its standards on GAAP, the principles established by the Financial Accounting Standards Board (FASB). The SEC has recognized GAAP as authoritative and requires financial statements to be prepared in accordance with GAAP.

The PCAOB’s Auditing Standard 2201 provides guidance on how an auditor performs an audit of a company’s internal controls over financial reporting (ICFR). This standard addresses how to audit controls applied to a company’s IT systems and processes where those systems and processes impact the production of the company’s financial reports. The standard specifies a top-down approach that might limit the scope of review of IT systems. The standard also recommends that auditors focus their review on areas of the highest risk. In 2019, the PCAOB reported that auditors need to be aware of cybersecurity incidents at the companies that they audit. This is because the integrity of the data generated by the company’s IT systems could be compromised by a cybersecurity incident. If the data generated or processed by the IT systems is not accurate, then the company’s financial statements could contain errors.20

Document Retention

SOX contains some records retention provisions. It is important to know about them because companies store many of their records electronically; in fact, some studies estimate that 93 percent of all business documents are created and stored electronically.22 Companies must understand how their IT systems work in order to meet SOX retention requirements.

NOTE

At the end of 2019 there were over 7,000 U.S. public companies. The market value of their stock was over $45 trillion.21

SOX requires auditors and public companies to maintain audit papers for 7 years.23 Audit papers are documents used in an audit that support the conclusions made in an audit report. SOX takes a very broad view of the type of records that must be saved. This includes work papers, memoranda, and correspondence. It also includes any other records created, sent, or received in connection with the audit. SOX also includes electronic records.

SOX also requires that a public company retain the records and documentation that it uses to assess its ICFR. These controls are discussed in the next section. Guidance issued by the SEC recognizes that this documentation takes several different forms, including electronic data. Companies must permanently retain this information.

Is the PCAOB Constitutional?

The constitutionality of SOX was challenged soon after it was enacted into law in a case called Free Enterprise Fund and Beckstead and Watts v. Public Company Accounting Oversight Board.

The Free Enterprise Fund and Beckstead and Watts LLP filed the case in 2006. The Free Enterprise Fund is a public interest organization, whereas Beckstead and Watts LLP was an accounting firm. The plaintiffs argued that SOX is unconstitutional. In particular, they argued that the PCAOB is unconstitutional because its creation and operation violate the constitutional separation of powers doctrine.

The plaintiffs argued that separation of powers is violated because the PCAOB is an executive branch agency that the president has virtually no control over. Under SOX, the SEC alone has the power to appoint PCAOB members. In addition, PCAOB members can be fired only for cause, and only by the SEC. The president, and even the SEC, has little authority to control PCAOB members once they are appointed.

The plaintiffs argued that this structure violates the section of the Constitution that gives the president the power to appoint and remove officers of the executive branch. They also argued that under the Constitution, Congress is not permitted to set up a structure that bypasses the president’s authority.

The case was filed in the U.S. District Court for the District of Columbia. The District Court granted summary judgment for the PCAOB and upheld the constitutionality of SOX. In August 2008, the Circuit Court for the D.C. Circuit affirmed the decision of the lower court. The U.S. Supreme Court heard arguments in the case on December 7, 2009, and issued its decision in June 2010.

In its decision, the Court found that the way that the PCAOB is created does indeed violate the separation of powers doctrine. Even though the portion of SOX that creates the PCAOB is unconstitutional, however, the Court said that SOX is still good law. It also said that the PCAOB could continue to function. The Court’s decision means that the SEC can now fire PCAOB members at will (or for any reason at all), instead of just for good cause.

You can view the Supreme Court’s decision on the Free Enterprise case at https://www.supremecourt.gov/opinions/09pdf/08-861.pdf.

In 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act expanded the role of the PCAOB. The Act gave the PCAOB additional oversight of the audits of brokers and dealers. It also gave the PCAOB the power to conduct inspections, bring enforcement action, and set standards.24

FYI

Many federal and state laws contain records retention requirements. SOX is another law to add to that list. Organizations should develop document retention policies to help them track their different obligations.

The penalties for failing to retain records for the right amount of time can be severe. SOX makes it a crime for a person or company to knowingly and willfully violate its records retention provisions. A person who violates this provision can face fines and serve up to 10 years in prison.

SOX also makes it a crime for any person to tamper with or destroy any record in an attempt to interfere with a federal investigation.25 Unlike other parts of SOX, this provision applies to any organization. Private companies also must follow it. People who violate this section can face fines of up to $10 million, as well as up to 20 years in prison.

Companies must make sure that electronic records are stored properly so that they can satisfy SOX retention requirements. They must store the records for the right amount of time. They also must make sure that those records are destroyed properly when the retention period expires.

Certification

SOX requires companies to report accurate financial data to protect their investors from harm. To encourage a company to report accurate data, SOX requires its CEO and CFO to certify the company’s SEC filings. SOX certification provisions require executives to establish, maintain, and review certain types of internal controls for their company.

Disclosure Controls. SOX Section 302 requires CEOs and CFOs to certify a company’s SEC reports. The purpose of the certifications is to put executive management on notice of the company’s financial condition. The SEC can hold a CEO or CFO liable for submitting inaccurate financial reports. It makes sense that both the CEO and CFO would have to make these certifications as they are the officers who are most knowledgeable about the company’s finances and overall condition.

A certification attests to the truth of certain facts. The SEC requires a certification to be included on several different forms, such as a company’s Form 10-Q and Form 10-K reports. (These certifications do not need to be included on Form 8-K.) Under the law,26 a CEO and CFO each must certify that:27

  • They have reviewed the report.
  • The report does not contain untrue or misleading statements about the company.
  • The financial statements fairly represent the company’s financial condition.
  • The executive is responsible for creating disclosure controls and procedures that are designed to bring material information about the company to the executive’s attention, and the controls are reviewed 90 days before filing the report.
  • The executive has disclosed all significant deficiencies in the company’s internal controls to its auditors.
  • Whether any significant changes in the internal controls have occurred since they were last evaluated.

The controls required under Section 302, called disclosure controls, are very broad. They are the processes and procedures that a company puts in place to make sure that it makes timely disclosures to the SEC. They are how management stays informed about the company’s operations. These controls must address any change in information that affects company resources. They bring events to the executive’s attention so that they can be reported to the SEC.

Disclosure controls are different from SOX internal controls. Internal controls are the processes and procedures that a company uses to provide reasonable assurance that its financial reports are reliable. The next section reviews these controls. Internal controls address only processes that protect the reliability of financial reports, whereas disclosure controls are broader. They include internal controls.28 FIGURE 7-2 shows the relationship between disclosure controls and internal controls.

A Venn diagram shows the relationship between disclosure controls and internal controls. Disclosure controls are broader and include internal controls. Internal controls address only processes that protect the reliability of financial reports.

FIGURE 7-2
Relationship between disclosure controls and internal controls.

SOX Section 906 imposes criminal liability for fraudulent certifications. Under this section, CEOs and CFOs who knowingly certify fraudulent reports may be fined up to $1 million. They also could be imprisoned for up to 10 years. An officer who willfully makes a fraudulent certification may be fined up to $5 million and could be imprisoned up to 20 years.29

Internal Controls. SOX Section 404 requires a company’s executive management to report on the effectiveness of the company’s ICFR.30 They must make this report each year on their Form 10-K filing. Under this section, management must create, document, and test ICFR. After management makes its yearly report on its ICFR, outside auditors must review the report and verify that the ICFR are effective. This section has caused compliance headaches for IT professionals.

Under SEC rules, ICFR are processes that provide reasonable assurance that financial reports are reliable.31 ICFR provide management with reasonable assurance that:

  • Financial reports, records, and data are accurately maintained.
  • Transactions are prepared according to GAAP rules and are properly recorded.
  • Unauthorized acquisition or use of data or assets that could affect financial statements will be prevented or detected in a timely manner.

SOX does not define reasonable assurance. The SEC and PCAOB recognize that reasonable assurance does not mean absolute assurance.32 However, it is a high level of assurance that satisfies management that ICFR are effective. Management must be confident that these controls protect financial reporting mechanisms.

NOTE

SOX has no specific requirements that cybersecurity risks and incidents must be disclosed. However, the SEC has issued guidance that an organization may need to disclose any cybersecurity risks and incidents in order to ensure that its other required disclosures are not misleading.34 For example, it must disclose its cybersecurity risks if those risks would make investment in the organization risky.

The SEC requires that management use evaluation criteria established by recognized experts to review the company’s ICFR and help ensure that they are effective. The SEC has recognized only one specific framework that meets its requirements: the COSO Framework. The Committee of Sponsoring Organizations (COSO) of the Treadway Commission first created its “Internal Control—Integrated Framework” in 1992. The framework, commonly called the “COSO Framework,” was revised in 2013. Many U.S. businesses use this framework to assess their internal control systems.33

What Is COSO?

COSO was established in 1985 to identify factors that contributed to fraudulent financial reporting. Five U.S. financial organizations sponsored COSO: the American Accounting Association, the American Institute of Certified Public Accountants (AICPA), Financial Executives International, the Institute of Internal Auditors (IIA), and the Institute of Management Accountants. COSO is a nonprofit organization.

Since 1987, COSO has recognized the need for the creation of ICFR. It released its first guidance on internal controls, called the “COSO Internal Control—Integrated Framework,” in 1992. The COSO framework says that internal controls are effective when they give the management of a company reasonable assurance that:

  • It understands how the entity’s operational objectives are being achieved.
  • Its published financial statements are being prepared reliably.
  • It is complying with applicable laws and regulations.

The COSO Framework was updated in 2013 because the business environment has grown more complex since the framework was initially issued. One of the primary contributors to this complexity is the use of IT in business.

The COSO Framework has five components that organizations can use to review their IT profile. They are:

  • Control environment—This is the organization’s culture. Control environment factors include management philosophy and the competence of the organization’s people. The control environment sets the foundation for the other components of the framework. With reference to IT, the organization should understand how technology is used within the business.
  • Risk assessment—This refers to the identification and review of risks that are internal and external to the organization. Does the organization understand the risks to its technology environment?
  • Control activities—This refers to how policies and procedures are followed throughout the organization. Has the organization implemented information security controls to mitigate the risks to its technology environment?
  • Information and communication—This addresses how an organization communicates information internally to its employees, how an organization communicates to external parties, and how information systems store and generate data. Does the organization have mechanisms for communicating about risks and potential information security events that impact the organization’s systems?
  • Monitoring—This refers to how the organization monitors its internal control systems. Does the organization monitor its information security controls and update them when needed?

You can learn more about COSO’s “Internal Control—Integrated Framework” by visiting its website: https://www.coso.org/Pages/default.aspx.

SOX Section 404 compliance is not easy. The act is very general about the types of ICFR that companies must implement. It does not give a good definition of ICFR generally, and it does not address IT controls at all. In response to many complaints about the large scope of a Section 404 review, the SEC issued additional guidance in 2007 to help companies assess ICFR during that review. Many of these complaints focused on how to address IT controls.

The SEC stated two broad principles in its guidance:

  • Management should assess how its internal controls prevent or detect significant deficiencies in financial statements.
  • Management should perform a risk-based review of the effectiveness of these controls.

The SEC also said that management must exercise its professional judgment to limit the scope of a Section 404 review. It reminded companies that SOX applies to internal controls, including IT controls, that affect financial reporting only.35

Management must review general IT controls to make sure that IT systems operate properly and consistently. The controls must provide management with reasonable assurance that IT systems operate properly to protect financial reporting. TABLE 7-1 shows how the goals of ICFR match up with information security goals.

TABLE 7-1 Internal Controls and Information Security Goals

STEPS TAKEN TO MEET INTERNAL CONTROLS | INFORMATION SECURITY GOALS
Financial reports, records, and data are accurately maintained. | Integrity
Transactions are prepared according to GAAP rules and properly recorded. | Integrity, availability
Unauthorized acquisition or use of data or assets that could affect financial statements will be prevented or detected in a timely manner. | Confidentiality, integrity, availability

It is clear today that management’s review of an organization’s ICFR must include a review of IT controls as well. Although the COSO Framework does not specifically address the types of IT controls that an organization should implement, it issues guidance on how to address IT risk. Organizations use many approaches to evaluate their IT controls. Some organizations follow the Guide to Assessment of IT Risk (GAIT) framework. Others use “Control Objectives for Information and Related Technology” (COBIT). Both of these frameworks appear to meet the SEC’s requirements for a suitable evaluation framework.

Some companies outsource their IT functions; however, a company cannot escape SOX Section 404 liability by outsourcing financial functions. SOX requires companies to monitor ICFR for outsourced operations as well. Many companies do this by asking their outsourcing companies to provide them with a System and Organization Controls (SOC) report.

NOTE

SOX does not specify the IT controls that companies need to implement. Instead, companies must determine the best controls for their own systems.

Created by the AICPA, SOC audits review a service organization’s control activities related to the services that it provides to its customers. These audits review the IT controls on the outsourced service. A SOC audit helps a service organization show that it has proper safeguards in place to protect its customers’ data.

There are three levels of SOC reports:

  • SOC 1—Report on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting. These reports are used by auditors to assess the ICFR at one entity that does business with another entity. There are two types of SOC 1 reports that can be created. These reports are generally only shared between the organizations that are doing business with one another.
  • SOC 2—Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. These reports are used by an entity to demonstrate to potential customers that it has good information security practices. These reports specifically address security, availability, processing integrity, confidentiality, and privacy. They also address corporate governance and risk management processes. There are two types of SOC 2 reports that can be created. These reports may be shared with potential customers, usually under a confidentiality agreement so the information in the report is kept private.
  • SOC 3—Trust Services Report for Service Organizations. These reports are similar to SOC 2 reports. However, they do not contain the same level of detail regarding information system operations. These reports only contain the auditor’s assessment of whether or not the outsourced functions meet certain control objectives. They do not contain details about those functions. These reports may be widely shared with potential customers.36

NOTE

In 2017, the AICPA created the SOC for Cybersecurity. This framework helps an organization assess its own cybersecurity risk management program and helps the organization report on the effectiveness of its controls for information security.

Many companies may ask a service provider to share its SOC 2 or SOC 3 report before entering into an outsourcing relationship. Many service organizations have these reports prepared in advance so that they can respond quickly to a customer request.

Oversight

The SEC oversees most SOX provisions. The mission of the SEC, which was created under the Securities Exchange Act of 1934, is to protect investors and maintain the integrity of the securities industry.

The SEC has five commissioners, all appointed by the U.S. president, who each serve for 5-year terms. No more than three of the commissioners may belong to the same political party. The SEC has 11 regional offices in the United States.37

SOX gives the SEC specific duties. For example, the SEC is required to designate the members of the PCAOB. It is also required to review various operations of public companies to make sure that they are following SOX.

SOX requires the SEC to review a public company’s Form 10-K and Form 10-Q reports at least once every 3 years.38 It must do this to try to detect fraud and inaccurate financial statements that could harm the investing public. The SEC has discretion in deciding how often to review companies. SOX states the factors that the SEC should consider when deciding to conduct a review. Under SOX, the SEC must consider:

  • Whether a company has amended its financial reports
  • Whether a company’s stock price fluctuates significantly when compared with other companies
  • How much stock the company has issued
  • The difference between a company’s stock price and its earnings
  • Whether a company is large and affects a particular sector of the economy
  • Any other factor that the SEC considers relevant

The SEC also enforces SOX compliance. It has the power to investigate and sanction public companies that do not comply with SOX.
