Sarbanes-Oxley Act of 2002

(Public Company Accounting Reform

& Investor Protection Act)
It is an act passed by U.S. Congress on July 30, 2002 to protect
investors from the possibility of fraudulent accounting activities by
corporations. The SOX Act was created in response to accounting
malpractice in the early 2000s, when public scandals such as Enron
& WorldCom shook investor confidence in financial statements and
demanded an overhaul of regulatory standards.
SOX expanded the rules for corporate governance, disclosure, and
reporting. SOX was designed to not only strengthen internal controls
but also to regulate the accounting profession. Also, changes
touched boards of directors, senior management practices, lawyers,
accountants, and the adequacy of the internal controls used to
support financial and other processes. SOX has had a major impact
on the activities and responsibilities of auditors:
-external auditors, who now review the adequacy of reported
standards following the PCAOBs auditing standards;
-internal auditors, who provide support and assurance to
management and the audit committee on the adequacy of internal
controls;
-quality auditors, who assess the adequacy of other supporting
processes.
SOX changed many of the processes that public companies had
used for their own governance and to report their financial results to
SEC in the United States and to the investing public. SOX created a
new regulatory authority to set public accounting auditing
standards, the Public Company Accounting Oversight Board
(PCAOB), which essentially replaced the American Institute of
Certified Public Accountants (AICPA) self-regulated auditing rulesetting authority, the Auditing Standards Board (ASB).
1

Business entities affected by SOX are:

Although most of SOXs provisions are mandatory only for public
companies that file a form 10-K with the SEC, many private &
nonprofit companies are facing market pressures to conform to the
SOX standards.
Benefits obtained by the proper implementation of SOX are:
Improved corporate governance.
Enhanced quality, reliability & transparency of financial
information.
Improved audit objectivity & effectiveness in lending credibility to
published financial statements.
Eliminate conflicts of interest
Instill confidence in investors & the public that management will
run public companies in the best interests of all constituents
Critics of SOX
-the costs for small businesses (ex: auditing & certifying their
internal controls annually) could ultimately drive them out of
business.
-Despite its enactment, SOX was still unable to prevent the financial
crisis of 2008, which was precipitated by the Lehman Brothers
Holdings financial scandal.
The Sarbanes Oxley Act (SOX) in Titles
SOX is organized into eleven titles, each of them covering specific
areas of corporate accountability & responsibility. The most
important sections within these are often considered to be 302, 401,
404, 409, 802 and 906.
SOX Title I Public Company Accounting Oversight Board
(PCAOB)

SOX Title II Ensuring Auditor Independence

addresses new auditor approval & auditor reporting requirement as
well as deals with strengthening the independence of external
auditors.
To protect against conflicts of interest arising from close
relationships between audit firms & their clients, they:
Prohibits auditors from performing certain non-audit services to
audit clients
Audit partners must be rotated
A partner is prevented from being the lead or reviewing auditor
for more than 5 consecutive years
Requires auditors to report to the audit committee on accounting
policies used in the audit and document communications with
management.
SOX Title III Corporate Responsibility
governs how public company audit committees review, certify, and
sign off on audit reports. Certifying officers of public companies
must personally attest to the fact that they are satisfied with the
organizations internal controls.
SOX Title IX White-Collar Crime Penalty Enhancements
Prior to Sarbanes-Oxley, corporate executives were not required to
personally assure the accuracy & completeness of disclosures.
However, SOX places a huge personal burden on CEOs & CFOs, who
must certify that the information in financial reports accurately
represents the company's status. They can face jail or penalties &
may also be banned from holding executive office at public
companies, if found negligible.
Summary of Section 404 Management Assessment of Internal
Control
Requires management of a public company & independent auditor
to establish internal controls & to report material weaknesses in
internal control over financial reporting existing at an issuers fiscal
3

year-end. This means that the management and the auditor issue
two new reports in its annual report filed with the Securities and
Exchange Commission (SEC).
Section 404 has very costly implications for publicly traded
companies as it is expensive to establish and maintain the required
internal controls.
Summary of Section 302 Corporate Responsibility for Financial
Report
Requires the CEO and CFO, who are responsible for financial
information and the system of internal controls, to evaluate the
system of internal controls every 90 days and report on their
conclusions and any changes.
Sarbanes-Oxley Audits
SOX requires all financial reports to include an internal control
report. This to show that not only are the company's financial data
accurate, but the company has confidence in them because
adequate controls are in place to safeguard financial data.
Year-end financial reports must contain an assessment of the
effectiveness of the internal controls. The auditor is required to
attest to that assessment. He does this after reviewing controls,
policies, and procedures conducted along with a traditional financial
audit.
Internal control over financial reporting
It is a process designed & maintained by management to provide
reasonable assurance about the reliability of financial reporting &
the preparation of the financial statements for external purposes in
accordance GAAP.
Effective internal control over financial reporting is vital to the
proper recording of transactions & the preparation of reliable
4

financial reports. An effective internal control process is

comprehensive & involves people at all levels, including those who
keep accounting records, prepare & disseminate policies, and
monitor systems, as well as people in a variety of operating roles.
Responsibilities of management & independent auditor with
respect to internal control over financial reporting
Managements role and responsibility.
-Designing & implementing the system of internal control over
financial reporting,
-Evaluating the effectiveness of internal control. Support it with
sufficient documented evidence & base its assessment on a suitable
control framework, such as the committee of sponsoring
organizations of the tread way commission (COSO).
-Issuing a public report on that assessment.
Audit Committee
Responsible for oversight of the companys financial reporting
process.
Auditors role.
Before SOX, if material weaknesses were identified, they were
reported only to management and the audit committee. Section 404
now requires the auditor to perform an independent audit of internal
control & to issue a report including 2 opinions: one on
managements assessment & one on the effectiveness of internal
control over financial reporting.

The New Reports

Section 404 require managements assessment of internal control

over financial reporting & the related auditors report on internal
control over financial reporting to be included in a companys annual
report filed with the SEC. The new reports that investors will see are
the following:
A) Managements report.
Management will state its responsibility for maintaining adequate
internal control and give its assessment of whether or not internal
control is effective. According to the rules, management cannot
state that internal control is effective if even one material weakness
exists at year-end.
Under the SEC rules, managements report on internal control
include the following information:
1. Statement of managements responsibility for establishing &
maintaining adequate internal control over financial reporting.
2. Statement identifying the framework used by management to
evaluate the effectiveness of internal control over financial
reporting.
3. Managements assessment of the effectiveness of the companys
internal control (whether that control is effective & disclosing any
material weakness)
4. Statement that the registered public accounting firm that audited
the financial statements included in the annual report has issued
an attestation report on managements internal control
assessment.
B) Auditors report.
The independent auditor will
Evaluate & report on the fairness of managements assessment.

 Perform an independent audit of internal control over financial

reporting
Issue an opinion on whether internal control is operating
effectively as of the assessment date (the companys fiscal yearend)
Issue also an opinion on whether the published financial
statements are presented fairly in all material respects in
accordance with GAAP.
(This report may be combined with the auditors report on
internal control, or it may be presented separately)
If one or more material weaknesses exist at the companys fiscal
year-end, the auditor cannot conclude that internal control over
financial reporting is effective.
The most common opinions on the effectiveness of internal
control will be:
-Unqualified Opinion - the internal control over financial reporting
is effective: no material weaknesses in internal control exist as of
the fiscal year-end assessment date.
-Adverse Opinion - the internal control over financial reporting is
not effective: one or more material weaknesses exist as of the fiscal
year-end assessment date.
-Disclaimer of Opinion - state that restrictions on the scope of the
auditors work prevent the auditor from expressing an opinion on the
companys internal control.
Public Company Accounting Oversight Board (PCAOB)
It is a private, non-profit entity created by the SOX, under the
oversight of the SEC, which will act as an independent body to
supervise the auditors & to oversee the audit of public companies. It
was created to protect the interests of shareholders & public as well
7

as to restore investor confidence in auditor reporting. It must

establish auditing, quality control, ethics, and independence
standards related to audit reports, and enforce compliance with
rules pertaining to audit reports.
All accounting firms that perform public company audits must
register with, & be regulated by, the PCAOB. It must conduct a
continuing program of inspections to assess the degree to which
each registered public accounting firm complies with SOX & other
applicable rules & professional standards. The PCAOB will submit an
annual report to the SEC.
The PCAOB responsibilities are:
-to oversee the audit of public companies: the accounting profession
used to regulate itself through a voluntary organization known as
AICPA but Enron proved that the old system didnt work well.
-to establish audit report standards and rules to aid auditors in
performing their duties under SOX
-To register audit firms: any public accounting firm that participates
in any audit for a company covered by SOX is required to register
with the PCAOB.
-Sanctions both firms and individuals for violations of laws,
regulations, and rules
AS 1 : Reference in Auditor reports to the
standard of the public company
accounting oversight board
AS 3: Audit documentation

AS 10: Supervision of audit engagement

AS 4: Reporting on whether previously

reported material weakness continuous
to exit
AS 5 : An Audit of internal control over
financial reporting
AS6: Evaluating consistency of financial
statement
AS 7: Engagement Quality Review
AS 8 : Audit Risk

AS 11: Consideration of materiality in

planning and performing audit
AS 12: Identifying and assessing Risks of
material misstatement
AS 13 : Auditors response to the risks of
material misstatement
AS 14: Evaluating Edit results
AS: 15 : Audit evidence
8

AS 9: Audit planning
PCAOB AS 2 clearly stated:
The auditor should evaluate all controls specifically intended to
address the risks of fraud that have at least a reasonably possible
likelihood of having a material effect on the companys financial
statements.
AS 5 contains similar language:
the auditor should evaluate whether the companys controls
sufficiently address identified risks of material misstatement due to
fraud.
Has SOX thus far had a positive, negative, or neutral effect on
public companies?
SOX has had an overall positive effect on public companies. Within the
areas of financial reporting and corporate accountability, SOX has
encouraged management to effectively formulate and implement a strong
system of internal control and financial reporting such that errors and
fraud are materially prevented, detected, and corrected. SOX has
increased the cost of compliance with federal regulations, particularly
with Section 404, but these costs are outweighed by the benefits of
robust financial reporting, increased scrutiny of managements dealings
within the organization, and increased investor confidence. Additionally,
measures are being taken to decrease the costs of SOX, such as proposed
Auditing Standard No. 5 by the PCAOB