
SOX Compliance

- CA. Ramya U R

Background
SOX is a United States federal law enacted on July 30, 2002. The act was named for its
sponsors: U.S. Sen. Paul Sarbanes (D-Md.) and U.S. Rep. Michael Oxley (R-Ohio).
It mandates and improves corporate responsibility and financial disclosure, combats corporate
and accounting fraud, and restores investor confidence.
SOX
• established the Public Company Accounting Oversight Board (PCAOB),
• strengthened penalties for corporate fraud,
• established certain internal control requirements for management, and
• established certain requirements for independent auditors to attest to management’s
assessment of internal controls.

Reason for the birth of the SOX Act


Below are the cases that made the US believe it needed the SOX Act:

1) The energy firm Enron Corporation was considered one of the largest, most successful,
and innovative companies in the United States. Around 2000, Enron unraveled in less
than two years as both the company's fraudulent practices and its executives' criminal
activities came to light. Enron’s leadership fooled regulators with fake holdings and
off-the-books accounting practices. Enron used special purpose vehicles or special purpose
entities to hide its mountain of debt and toxic assets from investors and creditors.

2) The telecommunications giant WorldCom became embroiled in scandal as its own
fraudulent accounting practices made the news. It was in financial trouble and used
questionable accounting techniques to hide its losses from investors and others. It
inflated net income and cash flow by recording expenses as investments.
By capitalizing expenses, it exaggerated profits by $3.8 billion in 2001 and $797 million
in the first quarter of 2002, reporting a profit of $1.4 billion instead of a net loss. After
filing for bankruptcy in 2002, the company was hit with a $750 million SEC fine. Its
chief executive officer (CEO) was sentenced to 25 years in prison and the chief financial
officer (CFO) received a five-year jail sentence as a result of criminal charges in the case.

3) The security systems company Tyco International's financial scandal also preceded the
Act. The company's former CEO and CFO were convicted of stealing hundreds of
millions of dollars from the company, falsifying business records and violating other
business laws by commingling of assets (mixing of personal assets and company assets).

Applicability of Act
1) All public companies
2) Private companies that are going for IPOs, and Special Purpose Acquisition Companies
(listed on a stock exchange with the purpose of acquiring a private company, thus
making the private company public without going through the initial public offering
process)
3) Foreign companies that are publicly traded and do business in the United States.

Important sections
1) Section 302 “Corporate Responsibility for Financial Reports”
Signing officers (CEO and CFO) are to make specific certifications at the end of each
quarterly and annual reporting period. The certifications cover:
• The report contains no untrue statements
• The report is fairly presented in all material respects
• Responsibility for design and maintenance of disclosure controls and procedures
as well as internal controls over financial reporting
• Not based on a specific criterion (approach based on risk).

2) Section 404 “Management Assessment of Internal Controls”
a) Annual assessment by management of internal control over financial reporting (ICFR),
using a suitable control framework.
• Accept responsibility for establishing and maintaining ICFR.
• Prepare a written assessment of the effectiveness of ICFR as of the end
of the fiscal year.
b) Internal control evaluation and reporting: the independent auditor is to issue a report on
the effectiveness of the company’s ICFR (management is required to file the
registered public accounting firm's report as part of the annual report).

Non-Compliance of SOX Act


Criminal penalties stated under section 906.

Sl. no | Non-compliance | Penalties
1 | Knowingly submitting a report that does not meet requirements | $1 million or serve up to ten years in prison
2 | Willfully certifying a report that does not meet requirements | $5 million or serve up to 20 years in prison
3 | Companies that fail to comply | Delisted from the public stock exchange

PCAOB relevant standard for auditors


AS 2110: For obtaining an understanding of ICFR.
1) The auditor should obtain a sufficient understanding of each component of ICFR to
• Identify the types of potential misstatements,
• Assess the factors that affect the risks of material misstatement, and
• Design further audit procedures.

2) The nature, timing, and extent of procedures that are necessary to obtain an
understanding of internal control depend on
• The size and complexity of the company
• The auditor's existing knowledge of the company's ICFR
• The nature of the company's controls, including the company's use of IT
• The nature and extent of changes in systems and operations and
• The nature of the company's documentation of its ICFR.
3) Obtaining an understanding of internal control includes evaluating the design of
controls. Procedures to obtain evidence about design effectiveness of controls are
• Inquiry
• Observation
• Inspection
• Walkthroughs
4) ICFR can be described as consisting of the following components (internal control
framework)
• Control environment
• Risk assessment process
• Information and communication
• Control activities and
• Monitoring

FAQ
Question: Is SOX applicable in India?
Answer: Yes, if the Indian company is listed and traded in the US market. If not, “Clause 49” of the
listing agreement applies; it came into effect from 31st December 2005 and is mandatory for all
listed companies. The CEO or CFO is to certify acceptance of responsibility for establishing and
maintaining ICFR.
