
SOX Overview

https://www.youtube.com/watch?v=SMT5v5zT5KQ
Enron scam
• Enron was involved in transmitting and distributing electricity and
natural gas throughout the United States.
• Highlights about when this scandal had been exposed were:
1. $30 million of self dealings by the chief financial officer
2. $700 million of net earnings disappeared
3. $1.2 billion shareholders equity disappeared
4. Over $4 billion in hidden liabilities
• Many of Enron's recorded assets and profits were inflated or even
wholly fraudulent and nonexistent.
• Debts and losses were put into entities formed "offshore" that were not
included in the company's financial statements.
Sarbanes-Oxley Act
• The Sarbanes-Oxley Act, more popularly known as the SOX Act, was
passed in 2002 in the wake of a number of notable corporate accounting
scandals, including Enron and WorldCom.
• It is also known as the 'Public Company Accounting Reform and
Investor Protection Act' and the 'Corporate and Auditing Accountability and
Responsibility Act'.
• This law set new or enhanced standards for all U.S. public company
boards, management and public accounting firms.
• It is named after sponsors U.S. Senator Paul Sarbanes (D-MD) and
U.S. Representative Michael G. Oxley.
• The main intent of this law is that top management must now
individually certify the accuracy of financial information.
Enactment:

• This act was enacted by the 107th U.S. Congress on 30th July 2002.
• House: “Corporate and Auditing Responsibility Act”, passed on 24 April 2002.
• Senate: “Public Company Accounting Reform and Investor Protection Act”,
15 July 2002.
• Signed by President: George W. Bush on 30th July, 2002
• Also known as Sarbox, SOX, SOA
• It has new rules for publicly traded companies
• New rules for auditing firms
• Created the PCAOB
What is SOX?
• Purpose – to protect investors' or stakeholders' interests by
improving the accuracy and reliability of corporate and
financial disclosures.
• Applicability – All publicly traded companies in the US as well
as foreign companies that are publicly traded and do
business in the US.
• Requirement – Top management (CEO and CFO) must
individually certify the accuracy of financial information on
annual and quarterly reports.
SEC - Securities and Exchange Commission
• The SEC is a U.S. government oversight agency responsible for regulating the
securities markets and protecting investors.
• To achieve this, the SEC requires public companies to disclose
meaningful financial information to the public. This provides a
common pool of knowledge for all investors, to use to judge for
themselves whether to buy, sell or hold a particular security.
• Securities markets in the US: NYSE, NASDAQ and American Stock
Exchange.
Public Company Accounting Oversight Board

• The PCAOB is a nonprofit corporation created by Congress in 2002. It is part of the SOX Act.
• It serves as a watchdog or regulator for the auditing industry.
• Auditing firms were previously self-regulated, but the major failure at Enron led to the
PCAOB, which is meant to ensure that the audit industry is doing a good job and that auditors
maintain their independence.
• The SEC, a government agency, appoints the 5 board members (1 serves as chairperson, the
others as members). Even though it is a nonprofit corporation and an independent group, it is
tied to this governmental agency.
• The SEC oversees the activities of the PCAOB and approves its budgets and activities.
• The PCAOB is funded by fees paid by public companies, that is, companies that are publicly
traded and whose stock you can buy. It audits these companies.
Role of the PCAOB

• All firms that audit publicly traded companies have to
register with the PCAOB.
• It is the standard setter for the auditing industry: GAAS (Generally Accepted
Auditing Standards) describes how to properly do an audit.
• Registered firms have to follow these standards set by the PCAOB.
• The PCAOB monitors these auditing firms on an ongoing basis.
It audits a sample of the registered firms' audits.
Quiz

• 1) Which body regulates Indian market?

• 2) How many national level securities markets are there in India?

• 3) Which body monitors performance of audit firms in India?


Sarbanes-Oxley Act
The act contains 11 titles, or sections, ranging from additional corporate board
responsibilities to criminal penalties, and requires the Securities and Exchange Commission
(SEC) to implement rulings on requirements to comply with the law.
• Title I: Public Company Accounting Oversight Board
• Title II: Auditor Independence
• Title III: Corporate Responsibility
• Title IV: Enhanced Financial Disclosures
• Title V: Analyst Conflicts Of Interest
• Title VI: Commission Resources And Authority
• Title VII: Studies & Reports
• Title VIII: Corporate and Criminal Fraud Accountability
• Title IX: White Collar Crime Penalty Enhancement
• Title X: Corporate Tax Returns
• Title XI: Corporate Fraud Accountability
SOX -Section 302

• Section 302 focuses on disclosure controls and procedures, and
accountability of signing officers (CEO and CFO), who personally attest
that financial information is accurate and reliable within the quarterly 10-Q
and annual 10-K reports filed with the SEC.
• Mainly signing-off by them signifies that they are:
• Confirming they reviewed the report.
• Stating that, based on their knowledge, the report does not contain
false or misleading statements or omit necessary material information.
• Affirmation on accuracy of reports with respect to financial condition
and results of operations for their company during the periods covered
in the report.
SOX -Section 302
To prepare for quarterly certification, companies typically send a questionnaire to people
who have significant responsibility for financial results. These include –
• Operating officers
• Controllers
• Accounting managers
• Head of internal audit
The number of individuals or survey questionnaire involved with this certification may vary
from organization to organization. The survey serves 2 main purposes:
• Determine if there have been any significant changes to the internal controls of
financial reporting that haven’t already been reported.
• Inquire if the recipient is aware of any fraudulent activities.
SOX -Section 302
Requirements:
• Certify financial reports quarterly
• Disclosure of all controllable committees
• Disclosure of all fraudulent works.
SOX Section 302 - Corporate Responsibility for Financial Reports
• CEO and CFO must review all financial reports.
• Financial report does not contain any misrepresentations.
• Information in the financial report is "fairly presented".
• CEO and CFO are responsible for the internal accounting controls.
• CEO and CFO must report any deficiencies in internal accounting controls, or any fraud involving the
management of the audit committee.
• CEO and CFO must indicate any material changes in internal accounting controls.
Accountable:
• In case of failure, the CEO and CFO are accountable.
Section 404: Management Assessment of Internal Controls
All annual financial reports must include an Internal Control Report stating that management is
responsible for an "adequate" internal control structure, and an assessment by management of the
effectiveness of the control structure. Any shortcomings in these controls must also be reported. In
addition, registered external auditors must attest to the accuracy of the company management’s
assertion that internal accounting controls are in place, operational and effective.
• Section 404 requires companies to annually assess and report on the effectiveness of their internal
controls and procedures for financial reporting. All controls are evaluated and reported in 2 phases:
• Design of internal controls
• Operating effectiveness of the controls
The results of the testing must be:
• Reviewed by management
• All control testing failures to be categorized as a deficiency, significant deficiency, or material
weakness
• The company needs to report deficiencies to the Audit Committee, Board of Directors
• Material weaknesses must be disclosed in the company’s annual 10-K financial report
• SOX requirements mandate that public companies have an independent external auditor inspect
internal controls
Section 404

Requirements:
• This act requires management to produce an "internal control report" as
part of each annual Exchange Act report.
• The report must affirm "the responsibility of management for establishing
and maintaining an adequate internal control structure and procedures for
financial reporting." Certification is by quarterly review and annual review.

Responsible
• Management
• Independent auditor
Section 302 and 404 of the Sarbanes-Oxley Act of 2002

• Section 302 of the SOX Act of 2002 is a mandate that requires senior
management to certify the accuracy of the reported financial statement.
• Section 404 of the SOX Act of 2002 is a requirement that management and
auditors establish internal controls and reporting methods on the
adequacy of those controls.
• A statement of management’s responsibility for establishing and maintaining
adequate internal control over financial reporting;
• A statement identifying the framework used by management to evaluate the
effectiveness of internal control;
• Management’s assessment of the effectiveness of internal control as of the end of
the company’s most recent fiscal year end; and
• A statement that the company’s external auditor has issued an attestation report
on management’s assessment
Section 302 v/s 404

| Comparison | Section 302 | Section 404 |
|---|---|---|
| Activities Involved | Quarterly survey | Ongoing testing of all internal controls |
| Applicability | Applies to each signing officer | Applies only to the company |
| Effort | Minimal effort due to quarterly occurrence | Greater due to no. of controls to be evaluated |
| Frequency | Quarterly | Daily / Ongoing |
| Reports | 10-Q and 10-K | 10-K financial report |


SOX Section 401
• Disclosures in Periodic Reports: All financial statements are
required to be accurate and presented in a manner that does not
contain incorrect statements or omit to state material information.
Such financial statements should also include all material off-balance
sheet liabilities, obligations, and transactions.
SOX Section 802 and 806
• SOX Section 802 - Criminal Penalties for Altering Documents : This
section specifies the penalties for knowingly altering documents in an
ongoing legal investigation, audit, or bankruptcy proceeding.
• SOX Section 806 - Protection for Employees of Publicly Traded
Companies Who Provide Evidence of Fraud : This section deals with
whistleblower protection.
Management of Electronic Records

IT departments are responsible for creating and maintaining an archive
of corporate records. Three rules in Section 802 of SOX affect the
management of electronic records.
• First rule: This rule concerns the destruction, alteration, or
falsification of records and the resulting penalties.
• Second rule: A rule that defines the retention period for records
storage
• Third rule: This rule outlines the type of business records that need to
be stored, including all business records, communications, and
electronic communications.
SOX Section - Penalties

• Sarbanes-Oxley makes it a crime to defraud shareholders of publicly
traded companies through the filing of misleading financial reports.
• 1) Executives face fines of up to $1 million and 10 years imprisonment
for ‘knowingly’ certifying financial reports that don't comply with
SOX's requirements.
• 2) Penalties are enhanced for executives who ‘willfully’ certify
noncompliant financial reports; they face fines of up to $5 million and
up to 20 years imprisonment.
• 3) Sarbanes-Oxley also criminalizes the ‘falsification’ and ‘destruction’
of records to impede or influence an investigation.
SOX Section 902 and 906
• SOX Section 902 - Attempts & Conspiracies to Commit Fraud
Offenses : It is a crime for any person to corruptly alter, destroy,
mutilate, or conceal any document with the intent to impair the
object's integrity or availability for use in an official proceeding.
• SOX Section 906 - Corporate Responsibility for Financial Reports :
Section 906 addresses criminal penalties for certifying a misleading or
fraudulent financial report. Under SOX 906, penalties can be upwards
of $5 million in fines and 20 years in prison.
Summary
• SOX – Signed into law on July 30, 2002 as a result of various accounting scandals.
• Section 404 requires public companies to attest to the effectiveness of their internal controls
over financial reporting. Compliance with SOX 404 has 4 steps:
1. Identify Key Internal Controls
2. Document the identified Internal Controls
3. Management Test of Internal Controls
4. Auditor Test of Internal Controls
• When Internal Controls aren’t met…
1. Deficiency (No requirement to report it)
2. Significant Deficiency (Must be reported to the audit committee, but not to the public)
3. Material Weakness (Needs to be disclosed publicly, in company financial statements)
• Section 302 requires that CEOs and CFOs vouch for the integrity of their financial statements
• Most companies have software applications that impact Financial Reporting
• Therefore, most IT Applications would need to be regulated as per SOX
requirements!
