Sarbanes-Oxley: The Boring Bits that You Need to Know
- Published on Monday, 28 May 2012 17:28
- Written by Jonathan Story
In the wake of corporate scandals of the late 1990s and early 2000s, Sarbanes-Oxley (also known as the Public Company Accounting Reform and Investor Protection Act of 2002) was created to try to restore public and investor confidence in publicly traded companies in the United States. Among its provisions are personal executive responsibility for the accuracy and completeness of financial statements, and disclosure of the controls in place that ensure such accuracy. In his book, Essentials of Sarbanes-Oxley, Sanjay Anand highlights five sections: 103, 201, 302, 404, and 406.
Section 103: Auditing, Quality Control, and Independence Standards and Rules
This section pertains specifically to the certified public accountants (CPAs). In the event that the conclusions of an auditor's report need to be verified, all information that pertains to these reports must now be maintained for at least seven years. The kind of data needing to be retained includes not only financial records, but documentation of any changes to those records.
Section 201: Services Outside Auditors' Scope
One of the factors contributing to the corporate scandals was that the firms doing the auditing were also involved in providing services beyond auditing. This entangling of interests drew the auditors into the fallout. Section 201 attempts to address this conflict of interest, and temptation to overlook irregularities, by limiting the tasks and services that auditing firms can perform for those companies which they audit.
Overall, these prohibited services encompass everything that is not related to the actual audit. These include:
- Bookkeeping
- Financial statement services
- Appraisal services
- Actuarial services
- Internal audit outsourcing services
- Management functions
- Broker, investment advisor, or investment banking services
- Legal services
One of the visible impacts of Section 201 is that an auditor cannot express concerns about whether the company will fail the audit, because doing so would constitute a form of consulting, which is a forbidden activity under the section. Companies have been able to adapt to the requirements of this section by dividing the auditing and consulting tasks between two separate firms.
Section 302: Corporate Responsibility for Financial Reports
One of the irritants from the scandals of the 1990s was that it seemed that no one was willing to take responsibility for the actions that corporations took. Sarbanes-Oxley looked to redress this by establishing a clear line of responsibility for the chief executive officer (CEO) and the chief financial officer (CFO). Responsibility for the accuracy of financial statements was placed on the company's executive officers, and both the CEO and CFO are required to give a statement certifying the accuracy of financial statements and related disclosure.
In particular, the CEO and CFO of a public company must certify that:
- Controls have been implemented to ensure the integrity of financial and related information.
- They are responsible for devising, maintaining, and evaluating internal controls. This means that they can be held accountable if internal controls are found insufficient.
- All information regarding the effectiveness of the controls has been presented, along with any significant changes that are made.
Section 404: Management Assessment of Internal Controls
This section can, for the first year of compliance, take up most of the effort and cost. It requires that all financial reports include an Internal Control Report, which certifies and explains what has been done to ensure the integrity and accuracy of the financial information. Not only must this report include a statement by executive officers acknowledging their responsibility for the internal controls related to financial reporting, but it must also include an assessment of the efficacy of the internal controls, including significant deficiencies that could result in misstatement of financial information.
In attaining compliance with Section 404, avoid these pitfalls:
- Do not defer system implementations. Although this may avoid the short-term cost of having to report on changes made, it achieves Section 404 compliance at the risk of compromising the business's ability to conduct its core, revenue-generating functions.
- Do not compromise efficiency by relying on manual controls instead of automated controls. Automated controls not only allow the business to increase efficiency, but they also limit human error.
- Do not fail to carefully review and evaluate control designs before creating compliance tests. Deficiencies that are caught and corrected at the design phase can save significant costs.
Section 406: Code of Ethics for Senior Financial Officers
This section requires that all senior financial officers be bound by a company-specific code of ethics, so that these officers understand from the outset what ethical conduct is expected of them. In general, this code of ethics must: promote an ethical environment; prohibit activity that causes conflicts of interest; incorporate a code of confidentiality; and mandate compliance with regulations affecting financial records.