Sarbanes-Oxley (SOX) Act


Sarbanes-Oxley Act
• The Sarbanes-Oxley Act of 2002 is a U.S. federal law, signed on
July 30, 2002, that protects investors from fraudulent financial
reporting by corporations.
• It established strictly enforced auditing and financial-reporting
requirements for publicly traded companies.
• The legislation was enacted to protect shareholders, employees,
and the general public from accounting errors and fraudulent
financial practices.
• The new rules made auditors, accountants, and corporate
executives accountable for complying with them.
• They added to and amended several laws enforced by the
Securities and Exchange Commission (SEC), including the
Securities Exchange Act of 1934 and the Investment Advisers
Act of 1940.
• The main areas that the Act is focused on are:
Increasing criminal punishment
Accounting regulation
New protections
Corporate responsibility
History and why the Act was created
• Former U.S. President George W. Bush, who signed the
act into law on July 30, 2002, called the act "the most
far-reaching reforms of American business practices since
the time of Franklin Delano Roosevelt."
• The act took its name from its two sponsors—Sen. Paul S.
Sarbanes (D-Md.) and Rep. Michael G. Oxley (R-Ohio).
• The Sarbanes-Oxley Act of 2002 came in response to
financial scandals in the early 2000s involving publicly
traded companies such as Enron Corporation, Tyco
International plc, and WorldCom.
Publicly Traded Companies
• A public company is one that issues shares that are
publicly traded, meaning the shares are available for
anyone to buy on the open market and can be sold,
usually very easily.
• Note that publicly traded companies are not publicly
owned -- they are not owned or controlled by any
government.
• Every share available for purchase in the stock market is
issued by a publicly traded company.
• A company becomes publicly traded by making an initial
public offering (IPO) of shares in the company, which
helps it to raise capital and gives both investors and the
company a powerful way to create wealth.
• Enron was considered one of the largest, most
successful and innovative companies in the United
States. It collapsed in little more than a year, filing for
bankruptcy in December 2001, as the company's fraudulent
accounting practices and the criminal activities of its
executives were exposed.
• WorldCom became embroiled in a scandal after its own
fraudulent accounting practices were revealed. The
company was fined $750 million by the SEC after
declaring bankruptcy in 2002. As a result of criminal
charges in the case, its CEO was sentenced to 25 years
in prison and its chief financial officer (CFO) to five
years.
• The Act was also prompted by the Tyco International
financial scandal. The company's former CEO and CFO
were arrested and charged with stealing hundreds of
millions of dollars from the company, falsifying business
records, and other violations of business law. The Act
strengthened accounting compliance regulations to
prevent a repeat of such scandals.
• These high-profile frauds shook investor trust in the
reliability of corporate financial statements and led many
to demand an overhaul of decades-old regulatory
standards.
• The legislation aimed to improve the reliability of public
companies' financial reporting while also restoring
investor confidence.
Key provisions and Requirements
• The Sarbanes-Oxley Act is divided into 11 titles.
Sections 302 and 404 are especially notable.
• Section 302, "Corporate Responsibility for Financial
Reports," requires the CEO and CFO, as signing officers,
to review each periodic report and certify that it contains
no material misstatements or omissions and that the
financial statements fairly present the company's financial
condition. It also makes the signing officers responsible for
establishing and maintaining internal controls, for
evaluating their effectiveness, and for disclosing significant
control deficiencies and any fraud involving employees who
have a role in internal controls. Material changes in
financial condition must be reported in these disclosures.
• Section 404, "Management Assessment of Internal
Controls," requires companies to include in their annual
reports a statement of management's responsibility for
internal control over financial reporting and an assessment
of its effectiveness; the company's external auditor must
attest to that assessment.
• The personal certification of financial statements by
executives is a Section 302 requirement, not a Section 404
one; Section 906 adds criminal penalties for an officer who
certifies a report knowing that it does not meet the Act's
requirements.
• Section 806 of the Act provides whistle-blower
protection: employees of public companies and of their
contractors who report suspected fraud (to a federal
agency, to Congress, or to a supervisor) or who testify in
a fraud proceeding are protected from retaliation, including
dismissal and discrimination. Retaliation complaints are
filed with the Department of Labor.
Other key provisions and requirements under the Act
include:
• mandated disclosure in periodic reports of off-balance-sheet
transactions and relationships that could affect the
company's financial condition (Section 401);
• a general prohibition on personal loans from a corporation
to its executives (Section 402);
• fines and terms of imprisonment for altering or destroying
documents in the event of an investigation or court action
(Section 802); and
• a requirement that attorneys representing public companies
before the SEC report evidence of material securities-law
violations to the company's chief legal counsel or CEO
(Section 307).
Criticism of the Sarbanes-Oxley Act
• From the start, critics of the Act included many
executives who felt they were being penalised for the
dishonest and extremely careless actions of a few others.
In 2008, Newt Gingrich blamed the financial crisis on the
Act, citing it as the reason for a low number of IPOs,
and asked Congress to repeal it.
• Critics also claimed that the Act was a politically
motivated response to a few high-profile corporate
financial scandals, and that it would obstruct competition
and business growth.
• Corporate leaders also expressed concern that
complying with the Sarbanes-Oxley Act's regulations
would consume too much executive time and cost a
significant amount of money. Many people criticised
Section 404 in particular, claiming it was overly
burdensome.
Benefits of the Sarbanes-Oxley Act
• Some business leaders, on the other hand, recognised the
need for improvement and believed the Act could help spur
better financial practices that would benefit companies and
their stakeholders.
• Indeed, even those who were initially sceptical of the Act
later recognised its benefits as the law was fully
implemented in subsequent years.
• Promoters of the Act specifically acknowledged that the Act
assisted businesses in improving their financial
management by strengthening controls, standardising
processes, improving documentation, and establishing
stronger board oversight.
• According to studies, the Act increased investor confidence.
Updates Since Its Inception
• Despite early and on-going criticism, the Sarbanes-
Oxley Act is still in effect, largely unchanged from when
it was first enacted in 2002, with studies showing that
the law improves financial reporting.
• However, many business leaders continue to believe
that the resources required to meet the law's mandates
are burdensome, noting that research has found smaller
companies to be disproportionately burdened by the Act.
Sarbanes-Oxley Compliance 9-Step Checklist
A SOX compliance checklist should include the following
items, which draw heavily on Sarbanes-Oxley Sections 302
and 404. For each item, the signing officer(s) must attest to
the validity of all reported information.

• 1. Establish safeguards to prevent data tampering
(Section 302.2).
Implement an ERP system or GRC software that tracks
user logins and access to all computers that contain sensitive
data and detects break-in attempts against computers,
databases, fixed and removable storage, and websites.
• 2. Establish safeguards to establish timelines.
(Section 302.3)
Implement an ERP system or GRC software that timestamps
all data, in real time, as it is received. The data should be
stored at a remote location as soon as it is received, so that it
cannot later be altered or lost at the source. Log information
should likewise be moved to a secure location and a
cryptographic integrity check computed over it and kept
separately: a keyed HMAC or a digital signature over a
SHA-256 hash, not a plain MD5 checksum, since MD5 is
collision-prone and an unkeyed checksum stored beside the
log can simply be recomputed by whoever altered the log.
Such checks detect tampering rather than prevent it, so pair
them with write-once or append-only storage.
• 3. Establish verifiable controls to track data access.
(Section 302.4.B)
Implement an ERP system or GRC software that can receive
data messages from a virtually unlimited number of sources.
Collection should be supported from file queues, FTP
transfers, and databases, independent of the control
framework in use, such as COBIT or ISO/IEC 27000.
• 4. Ensure that safeguards are operational.
(Section 302.4.C)
Implement an ERP system or GRC software that can
issue daily reports to e-mail addresses and distribute
reports via RSS, making it easy to verify that the system
is up and running from any location.
• 5. Periodically report the effectiveness of safeguards.
(Section 302.4.D)
Implement an ERP system or GRC software that
generates multiple types of report (all messages, critical
messages, alerts) and uses a ticketing system that archives
which security problems and activities have occurred.
• 6. Detect security breaches. (Section 302.5.A/B)
Implement an ERP system or GRC software that
performs semantic analysis of messages in real time and
uses correlation threads, counters, alerts, and triggers
to refine and reduce incoming messages into high-level
alerts. These alerts then generate tickets that record the
security breach, send out e-mail, or update an incident
management system.
• 7. Disclose security safeguards to SOX auditors.
(Section 404.A.1.1)
Implement an ERP system or GRC software that
provides access to auditors using role-based permissions.
Auditors may be permitted complete access to specific
reports and facilities without the ability to actually make
changes to these components, or reconfigure the system.
• 8. Disclose security breaches to SOX auditors.
(Section 404.A.2)
Implement an ERP system or GRC software capable of
detecting and logging security breaches, notifying security
personnel in real time, and allowing the resolution of each
security incident to be recorded. All input messages are
continuously correlated to create tickets that record
security breaches and other events.
• 9. Disclose failures of security safeguards to SOX
auditors. (Section 404.B)
Implement an ERP system or GRC software that
periodically tests network and file integrity, and verifies
that messages are logged. Ideally the system interfaces
with common security test software and port scanners to
verify that the system is successfully monitoring IT
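Items 1, 2 and 6 of the checklist above describe a small log-integrity and detection pipeline. As an added, self-contained illustration (not code from the page, nor from any ERP or GRC product), the following script parses constructed sshd-style login lines, seals each record with a collector-assigned receipt time into an HMAC-SHA-256 chain under a key that is assumed to live only on the collector, correlates failed logins per source into a high-level alert, and shows that an in-place edit of one sealed record is caught on verification. The log lines, key and thresholds are all constructed for the example.

```python
import hashlib
import hmac
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample auth log (not taken from the page): one source hammers
# sshd with failed passwords between two legitimate logins.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z sshd[411]: Accepted password for alice from 10.0.0.5 port 51022
2024-03-01T09:00:07Z sshd[412]: Failed password for root from 203.0.113.9 port 40011
2024-03-01T09:00:09Z sshd[413]: Failed password for root from 203.0.113.9 port 40012
2024-03-01T09:00:11Z sshd[414]: Failed password for admin from 203.0.113.9 port 40013
2024-03-01T09:00:14Z sshd[415]: Failed password for root from 203.0.113.9 port 40014
2024-03-01T09:00:16Z sshd[416]: Failed password for root from 203.0.113.9 port 40015
2024-03-01T09:05:00Z sshd[420]: Accepted publickey for bob from 10.0.0.7 port 51100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_line(line):
    """Return a dict for a recognised sshd line, or None for anything else."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


class SealedLog:
    """Append-only log: each record is tagged with HMAC-SHA-256 over
    (previous tag || record). The key is assumed to live on the collector only,
    so someone who can edit the stored file cannot forge fresh tags the way
    they could recompute a plain, unkeyed MD5 checksum."""

    GENESIS = "0" * 64  # predecessor tag for the first record

    def __init__(self, key: bytes):
        self._key = key
        self.records = []  # (record_json, tag_hex) in arrival order

    def _tag(self, prev, record):
        return hmac.new(self._key, (prev + record).encode(), hashlib.sha256).hexdigest()

    def append(self, event, received_at=None):
        # Receipt time is assigned by the collector (checklist item 2), not
        # trusted from the event; it is injectable for reproducible runs.
        received_at = received_at or datetime.now(timezone.utc).isoformat()
        record = json.dumps(dict(event, received_at=received_at), sort_keys=True)
        prev = self.records[-1][1] if self.records else self.GENESIS
        tag = self._tag(prev, record)
        self.records.append((record, tag))
        return tag

    def verify(self):
        """Index of the first record whose tag does not verify, or -1 if intact."""
        prev = self.GENESIS
        for i, (record, tag) in enumerate(self.records):
            if not hmac.compare_digest(self._tag(prev, record), tag):
                return i
            prev = tag
        return -1


def correlate_failed_logins(events, threshold=4, window_s=60):
    """Checklist item 6: reduce raw messages to one high-level alert when a
    single source produces `threshold` failed logins inside a sliding window."""
    recent = defaultdict(list)  # src -> failure timestamps still in the window
    alerts = []
    for ev in events:
        if ev["result"] != "Failed":
            continue
        t = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        q = recent[ev["src"]]
        q.append(t)
        while q and (t - q[0]).total_seconds() > window_s:
            q.pop(0)
        if len(q) >= threshold:
            alerts.append({"src": ev["src"], "count": len(q), "last_seen": ev["ts"]})
            q.clear()  # one ticket per burst, not one per additional failure
    return alerts


def run_demo(key=b"collector-only-secret"):
    """Ingest, seal, alert, then tamper with one record and re-verify."""
    events = [e for e in map(parse_line, SAMPLE_LOG.splitlines()) if e]
    log = SealedLog(key)
    for ev in events:
        log.append(ev, received_at=ev["ts"])  # fixed receipt time for reproducibility
    intact_before = log.verify() == -1
    alerts = correlate_failed_logins(events)
    # An insider rewrites record 1 so the failed root login reads as accepted.
    record, tag = log.records[1]
    log.records[1] = (record.replace('"Failed"', '"Accepted"'), tag)
    return {
        "events": len(events),
        "alerts": alerts,
        "intact_before_edit": intact_before,
        "first_bad_record": log.verify(),
    }
```

Running `run_demo()` yields one alert for 203.0.113.9 (four failures inside 60 seconds; the fifth failure starts a new window rather than a second ticket) and reports record 1 as the first record that fails verification after the edit. Keying the chain is what makes the check meaningful: with an unkeyed hash the editor of the log could simply recompute every tag from the tampered record onward.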
