Companies that must comply with the Sarbanes-Oxley Act include:
There are a few exceptions for certain public companies that do not need to comply with the SOX audit requirements: 1) “non-accelerated filers,” which as of March 2020 includes companies with annual revenues of less than $100 million and public float of less than $700 million; 2) emerging growth companies for five years.

Privately held companies and nonprofits do not generally need to comply with SOX, although many of the SOX requirements are “best practices” that would be beneficial to adopt regardless of whether the firm is legally obligated to do so.

The corporate CEOs and CFOs are directly responsible for ensuring compliance. The law has real teeth: failure to comply can result in hefty fines and possibly even jail time.

Overview of SOX Provisions

CEOs and CFOs are obligated under Sarbanes Oxley to assure that financial records are accurate, and that reports submitted to the SEC are accurate. They are penalized for non-compliance even if the non-compliance was accidental.

SOX covers not only financial records and reporting; it also has provisions relating to data security and IT that must be complied with.

Covered companies must maintain records proving they comply with SOX, and they must complete an annual audit, the results of which must be easily available to all stakeholders.

SOX contains 11 sections, called “Titles” in the legislation, as follows:
Clearly not all of the Titles are relevant to a company concerned with SOX compliance. The relevant titles from a compliance perspective are Titles 3, 4, 8, and 9.

Specific Sections of SOX Relevant to Compliance

Each of the Titles of SOX is further broken down into “Sections.” There are eight sections that are especially relevant from a compliance perspective. A summary of each follows:

Section 302: Corporate Responsibility for Financial Reports
Section 401: Disclosures in Periodic Reports
Section 404: Management Assessment of Internal Controls
Section 409: Real Time Issuer Disclosures
Section 802: Criminal Penalties for Altering Documents
Section 806: Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud
Section 902: Attempts & Conspiracies to Commit Fraud Offenses
Section 906: Corporate Responsibility for Financial Reports

Complying with SOX

Modern corporations run on computers. Everything from recognizing revenue to tracking expenses to generating reports to internal and external communications happens on a company’s IT network. Therefore, many of the internal controls companies are required to have in place to verify the integrity of their financial reports have to do with the company’s IT policies and controls. Who has access to data? Is data secure from tampering?

Companies that have recently gone public (“emerging growth companies”) have a window of a few years before they must be fully SOX-compliant. Given the severe penalties for failing to comply with SOX, and given the complexity of the task, companies are advised to start on the process of SOX compliance as early as possible. Since many of the SOX requirements are good business practices whether or not the company is subject to mandatory compliance, there’s little downside to getting a head start.

Here are some suggested steps in getting on the road to SOX compliance:
In addition to the above, it’s worth considering the use of Sarbanes Oxley software. SOX compliance software can help with tracking data, flagging potential problem areas, and generating reports.

SOX Audits

Prior to SOX, financial reporting was largely self-regulated by the industry. SOX created the Public Company Accounting Oversight Board (PCAOB), whose mission is as follows:

“(to oversee) the audits of public companies and SEC-registered brokers and dealers in order to protect investors and further the public interest in the preparation of informative, accurate, and independent audit reports.”

Companies subject to SOX must have a SOX-compliant audit every year. The PCAOB oversees firms that conduct audits, sets standards, and advises on procedures.

The following are some of the steps in a SOX audit:
Conclusion

The Sarbanes-Oxley Act has been widely praised as having helped improve corporate governance, transparency, and accountability in corporate America. Back in 2005, only a few years after SOX was enacted, former Federal Reserve Chairman Alan Greenspan said,

“I am surprised that the Sarbanes–Oxley Act, so rapidly developed and enacted, has functioned as well as it has … the act importantly reinforced the principle that shareholders own our corporations and that corporate managers should be working on behalf of shareholders to allocate business resources to their optimum use.”

There are those who have criticized Sarbanes Oxley, pointing to the fact that very few CEOs or CFOs have been charged with criminal violations of the SOX Act. On the other hand, many take the lack of criminal charges as a sign of the success of the SOX Act. Being aware of the stiff penalties that can be imposed for willful violation of SOX, CEOs and CFOs have become very cautious about making sure they comply with SOX provisions.

Being aware of the penalties, many CEOs insist on “sub-certifications.” They will refuse to sign the corporate certification until lower-level executives sign off on certifications for their areas of responsibility. This has the effect of making executives throughout the organization more aware of SOX, more aware of the penalties, and more cautious in their financial reporting. This is exactly what the law was intended to do: get executives to be more accountable, and less likely to engage in fraud.

There are a lot of different pieces involved in getting your organization “SOX audit ready.” With proper planning and preparation and a methodical approach it doesn’t have to be an overwhelming task, and it can help your company put in place the controls that will allow it to operate more effectively and efficiently.
What type of company is required by the Sarbanes?

Most people assume that the requirements of the Sarbanes-Oxley Act apply to public companies only, but this is not the case. The act forbids all businesses, including private companies and nonprofits, from illegal destruction of financial records and retaliation or other infringement on the rights of whistleblowers.
Which companies are affected by the Sarbanes

All publicly-traded companies in the United States, including all wholly-owned subsidiaries, and all publicly-traded non-US companies doing business in the US are affected.
What type of company is required by the Sarbanes

The law applies to all domestic public companies, as well as non-public companies with publicly traded debt securities. Some sections of Sarbanes-Oxley apply to companies that do business with publicly traded companies, even if they aren't publicly traded themselves.