What is SOX?
The Sarbanes-Oxley Act of 2002 (SOX) protects U.S. investors from public companies indulging in fraudulent accounting activities by improving the accuracy and reliability of corporate disclosures. SOX is named after the two U.S. Congressmen who drafted it: Senator Paul Sarbanes and Representative Michael G. Oxley.
Between the 1990s and 2000s, several companies, notably Enron, Arthur Andersen, Tyco and WorldCom, were involved in accounting frauds and financial scandals. The SOX Act was the result of lawmakers’ efforts to curb such activities through reforms to improve financial disclosures, corporate governance, internal control assessment, and auditor independence. SOX also set criminal penalties for non-compliant companies.
Common Internal Controls Under SOX
SOX requires public companies (and some private companies) to implement internal controls to ensure the accuracy and reliability of financial reporting. These controls must be applied and internally verified in every business cycle that feeds into the financial results.
SOX does not provide guidance on all possible financial or security controls, since there is no “one size fits all” approach. Every organization must design its own controls to meet its control objectives.
Some of the most important SOX sections and the controls they require are:
Section 302: Corporate Responsibility for Financial Reports
Public companies must file periodic financial reports. The principal officers must certify that these reports do not contain any untrue statements or omit any material information.
Section 409: Real-time Issuer Disclosures
Companies must publicly disclose any material changes in financial conditions to protect investors and the public.
Section 802: Criminal Penalties for Altering Documents
Altering, destroying, or concealing financial records to impede, obstruct or influence an SEC (Securities and Exchange Commission) investigation can result in fines, imprisonment, or both.
Section 806: Whistleblower Protection
Whistleblowers who provide concrete evidence of corporate fraud in a public company are protected from reprisals such as termination, demotion, denial of benefits, or intimidation.
Section 906: Corporate Responsibility for Financial Reports
Certifying misleading or fraudulent financial reports can attract harsh fines and prison time.
In addition, Section 404 controls are crucial for achieving SOX compliance. These are discussed next.
What Are SOX 404 Controls?
Section 404 refers to “management assessment of internal controls.” These rules can help companies detect and prevent errors in their financial reporting process.
Public companies must include their risk assessment of internal controls within their annual reports. This assessment report must state that management is responsible for an “adequate” internal control structure. Any shortcomings should also be reported.
Registered external auditors must attest to this assessment, particularly the accuracy of the management’s assertion about the existence and effectiveness of internal accounting and financial reporting controls.
Reasons and Consequences of SOX Audit Failure
An external SOX compliance audit verifies the company’s financial statements and determines whether they meet the legal requirements. SOX auditors also confirm that the organization has implemented the proper compliance controls to maintain SOX compliance standards and that personnel know how to access financial data securely.
If the company doesn’t have adequate controls, it may fail the SOX audit. This can create serious concerns about the accuracy, reliability, and accountability of its disclosures, which in turn can threaten investor confidence.
Penalties For SOX Compliance Violations
Penalties for SOX non-compliance can include fines and/or imprisonment. Depending on the egregiousness of non-compliance, fines can be as high as $25,000,000. The organization may be delisted from public stock exchanges, and the insurance policies of its directors and officers may be invalidated.
In addition to the financial impact of non-compliance, the reputational impact can also be catastrophic and long-lasting.
Is COSO Required by SOX?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) publishes a widely adopted internal control framework for improving periodic accounting and financial reporting. Five organizations jointly developed it:
- Institute of Internal Auditors (IIA)
- American Institute of Certified Public Accountants (AICPA)
- Financial Executives International (FEI)
- Association of Accountants and Financial Professionals in Business (IMA)
- American Accounting Association (AAA)
Like SOX, COSO also addresses the need for more robust internal accounting controls to prevent fraudulent financial reporting. However, COSO and SOX address this need from different angles.
SOX does not provide guidance related to internal controls. Instead, it implements an effective and legally enforceable control environment for publicly traded companies.
It also includes a legal mandate to hold CEOs and CFOs criminally liable for failure to control the risks related to financial reporting.
COSO, however, provides a solid framework to design internal controls over financial reporting. By following COSO’s trusted guidelines, corporations can see any gaps in their SOX compliance program that they must address with new or different controls.
Thus, COSO enables companies to meet their SOX compliance goals.
Although COSO was designed with SOX and financial reporting controls in mind, it goes beyond SOX since it also applies to operations, compliance, and internal/external reporting.
- SOX protects U.S. investors and stakeholders from fraudulent accounting activities in public companies
- It aims to improve the accuracy and reliability of corporate disclosures
- Public companies must have multiple internal controls to ensure the accuracy and reliability of financial reporting
- SOX Section 404 controls address management assessment of internal controls
- Penalties for non-compliance can include fines and/or imprisonment
- COSO enables organizations to design and evaluate their control environment and achieve SOX compliance