Sarbanes-Oxley Act (SOX) | US

US Sarbanes-Oxley Act of 2002 commonly called Sarbanes-Oxley, Sarbox or SOX, is a United States federal law enacted on July 30, 2002 in response to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Adelphia, and WorldCom.

A summary of the Sarbanes-Oxley requirements:


The Sarbanes-Oxley Act was issued by the US Congress in the wake of the Enron, WorldCom and similar scandals. The US senators Sarbanes and Oxley combined existing draft legislation with new legislation and rushed it through the Senate in an election period. Among the Act's most extensive requirements are those included in section 404, which establishes requirements for both management and auditors of public companies with respect to reporting on internal control over financial reporting.

Issues covered

The Sarbanes-Oxley Act (SOX) covers the following topics:

  • Section 100: Public Company Accounting Oversight Board (PCAOB), setting out its responsibilities, status, composition and relationship to the SEC; sets out registration requirements for public accounting firms; acts as standard setter for the audit, quality control and ethics standards governing audits;
  • Section 200: Auditor independence, defining (201) services outside the scope of auditors; (202) pre-approval requirements; (203) audit partner rotation; (204) audit reports to audit committees; (206) and conflicts of interest;
  • Section 300: Corporate responsibility for (301) public company audit committees; (302) certification requirements;
  • Section 400: Enhanced Financial Disclosures covering (401) disclosures; (402) enhanced conflict of interest provisions; (404) internal controls & procedures for financial reporting; (406) code of ethics; (407) disclosure of audit committee financial expert
  • Section 500: Analyst conflicts of interests
  • Section 600: Commission resources and authority
  • Section 700: Studies and reports
  • Section 800: Corporate and criminal fraud accountability
  • Section 900: White collar crime penalty enhancements
  • Section 1000: Corporate tax returns
  • Section 1100: Corporate fraud and accountability.

The proposed rule becomes effective on year-end ending on or after 15 June 2004 for US registrants and on year-end ending on or after 15 June 2005 for foreign registrants.


Section 404 - Reporting requirements

The purpose of internal controls and procedures for financial reporting is to ensure that companies have processes designed to provide reasonable assurance that:

  • The company's transactions are properly authorised;
  • The company's assets are safeguarded against unauthorized or improper use;
  • The company's transactions are properly recorded and reported.

The section 404 on reporting contains the following requirements:

  • A statement of management's responsibilities for establishing and maintaining adequate internal control over financial reporting.
  • A statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the company's internal control over financial reporting.
  • Management's assessment of the effectiveness of the company's internal control over financial reporting. A statement as to whether or not the company's internal control over financial reporting is effective must be included. The assessment must disclose any material weakness in the company's internal control over financial reporting.
  • External auditors have to attest to management's assertions in the annual report, and report on management's evaluation of the company's internal control over financial reporting.


Sources: Ernst &amp; Young; KPMG


Framework for Management Evaluation

The new rules require companies to identify the evaluation framework used by management to assess the effectiveness of the company's internal control over financial reporting. According to the SEC, the framework must satisfy the following criteria:

  • be free from bias;
  • permit reasonably consistent qualitative and quantitative measurements of a company's internal control;
  • be complete so that relevant factors altering a conclusion about the effectiveness of a company's internal control are not omitted; and
  • be relevant to an evaluation of internal control.

The evaluation framework published by COSO (Committee of Sponsoring Organizations of the Treadway Commission) satisfies the above criteria. Under the COSO schema, internal control is a process:

  • effected by an entity's board of directors, management and other personnel
  • designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
    • reliability of financial reporting
    • effectiveness and efficiency of operations
    • compliance with applicable laws and regulations

The five internal control components are:

  • Control Environment: Reflects the tone set by top management and the overall governance, incentives, organisation and actions of the board of directors and management concerning the importance of internal control, influencing the control consciousness of its people.
  • Risk Assessment: Process that manages business risk by identification, analysis and treatment of relevant risks to the achievement of the control objectives.
  • Control Activities: Policies and procedures that assist in ensuring that management's directives are carried out; activities that help to mitigate identified risks.
  • Information & Communication: Methods and processes by which the company captures and provides the right information to the right people, in a form and a timeframe that allow those individuals to manage and control the business, i.e. to take appropriate action and carry out their responsibilities.
  • Monitoring: Process that assesses the quality of internal control performance over time in order to determine whether all components operate as intended.

Although internal control covers the financial reporting dimension, section 404 compliance leads companies to review their entire risk framework.

Disclosure controls and procedures, and internal controls over financial reporting are part of the risk framework.

Sources: AICPA; COSO; Ernst & Young; IIA

Establishing the Evaluation Process

Management must prepare for the evaluation process, which consists of the following steps:

  • Plan and scope the evaluation: Establish the internal control evaluation process by determining the significant controls and business units to be included and defining the project milestones, timeline and resources.
    - Organise a project team to conduct the evaluation process
    - Understand the definition of internal control (cf. COSO report)
    - Understand management's process to determine significant controls
  • Document controls: Document the design of significant controls for all significant locations and business units.
    - Evaluate internal control at entity level (covering the 5 internal control components)
  • Analyse (evaluate design & operating effectiveness): Evaluate the design and operating effectiveness of internal control over financial reporting and document the results of the evaluation. Identify, accumulate, and evaluate design and operating control deficiencies.
    - Understand and evaluate controls at process, transaction and application level
    - Evaluate overall design and operating effectiveness
  • Revise (correct deficiencies): Communicate findings and correct deficiencies.
    - Identify matters for improvement
    - Establish monitoring systems
  • Report on internal control: Prepare management's written assertion on the effectiveness of internal control over financial reporting.
  • Audit of internal control: Prepare for the independent auditor to conduct the internal control audit.

The project team should establish policies and procedures for its evaluation process as well as develop plans for appropriate internal communication.

Management establishes controls to achieve certain objectives, which are called "control objectives". Financial reporting control objectives address the financial statement assertions:

  • Valuation and allocation;
  • Completeness;
  • Rights (assets) and obligations (liabilities); and
  • Presentation and disclosure.

Controls that are significant for purposes of evaluating the effectiveness of internal control over financial reporting include:

  • Controls related to initiating, recording, processing, and reporting significant account balances, transactions and disclosures;
  • Anti-fraud programs and controls;
  • Controls on which other significant controls are dependent. Computer controls include data center, network, application and systems controls;
  • Controls in a group of controls that function together to achieve a control objective;
  • Controls over significant non-routine, non-systematic transactions; and
  • Controls over period-end financial reporting.

Source: KPMG


Document Controls

Documentation of the company's internal control over financial reporting is an essential element of management's evaluation process. It provides evidence that controls related to management's assertion have been identified and can be monitored by the company.

Internal control documentation should address all significant controls that are designed to prevent or detect misstatement or fraud in significant financial statement account balances, transactions, and disclosures. The documentation should include all relevant financial statements and each of the five COSO internal control components.

Management will need to evaluate the completeness of its control documentation. To support its assertion regarding the effectiveness of internal control, management should evaluate whether significant controls are designed effectively (suitably designed to prevent or detect misstatements) and operating effectively (control is functioning as designed) and can be objectively tested by an independent auditor.

Source: KPMG; IIA


Identify and Correct Deficiencies

Management should establish a process by which deficiencies are identified and accumulated across the entire company. The severity of all identified deficiencies should be evaluated. An internal control deficiency may be either a design or an operating deficiency. A design deficiency exists when a necessary control is missing or an existing control is not properly designed. An operating deficiency exists when a properly designed control is not operating as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

A significant deficiency is an internal control deficiency that could adversely affect the company's ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements. The following factors help determine the significance of a deficiency:

  • Likelihood of a misstatement of the financial statements
  • Magnitude of potential misstatements
  • Importance of the deficient control
  • Nature of account balances, transactions and disclosures affected
  • Frequency of exceptions in case of operating deficiency

A material weakness is a significant deficiency in one or more of the internal control components that, alone or in the aggregate, precludes the company's internal control from reducing to an acceptable level the risk that material misstatements in the financial statements will not be prevented or detected on a timely basis. Uncorrected material weaknesses in internal control preclude the independent auditor from issuing an unqualified opinion that internal control over financial reporting is effective.

When management takes corrective action to remedy a control deficiency, the corrected control should be in place and operating for a sufficient period of time prior to the assertion date for management to evaluate the corrected control and conclude that the control is operating effectively as of the assertion date.

Source: KPMG


Report and Audit on Internal Control

Each annual report filed with the SEC should contain an internal control report that states the responsibility of management for establishing and maintaining adequate internal control over financial reporting. The internal control report would include management's assessment of the effectiveness of its internal control over financial reporting. Management has the responsibility to report significant deficiencies and material weaknesses to both the audit committee and the company's independent auditors. The company's independent auditor must attest to, and report on, management's assessment.

Each annual report filed with the SEC should include a statement that the company's independent auditors have attested to, and reported on, management's assessment of the company's internal controls over financial reporting.

The public company audit consists of:

  • An audit of the financial statements, which refers to the procedures performed to audit and issue an opinion on the company's financial statements.
  • An audit of internal control, which refers to the procedures performed to examine and issue an opinion on the company's internal control.

The independent auditor is required to plan the audit, obtain an understanding of internal control, evaluate the design effectiveness of controls, test the operating effectiveness of controls and form an opinion. All five COSO components will be considered when performing these procedures.

The independent auditor cannot rely on the results of internal audit's procedures when forming his conclusions. He determines to what extent internal audit monitors the effectiveness of internal control. The independent auditor will consider the implications of deficiencies identified in forming his opinion on the operating effectiveness of a company's internal control over financial reporting. Depending on the nature of the material weakness, the auditor may issue a qualified opinion ("except for...") or an adverse opinion ("internal control was not effective").

Sources: Ernst & Young; KPMG


SOX and the COSO and CobiT framework

Public companies that are subject to the U.S. Sarbanes-Oxley Act of 2002 are encouraged to adopt CobiT and/or the COSO “Internal Control - Integrated Framework.” In choosing which of the control frameworks to implement in order to comply with Sarbanes-Oxley, the U.S. Securities and Exchange Commission (SEC) suggests that companies follow the COSO framework.


Sarbanes-Oxley Backlash Outside the U.S.

Financial firms headquartered in the United States may be subject to European Union (EU) regulations in retaliation against provisions in the Sarbanes-Oxley Act that cover foreign companies in the United States. The EU could require U.S. banks and insurance companies that operate in the EU to comply with EU oversight -- unless the U.S. Securities and Exchange Commission (SEC) exempts auditors from disclosure requirements under Section 404 of the Act.

Foreign companies outside of the EU that operate in the United States have also filed official requests for Section 404 exception with the SEC. Under mounting pressure, the SEC amended provisions under Section 404 allowing registered foreign companies in the U.S. until April 15, 2005 to begin reporting their internal financial controls.

This raises the question of regulatory jurisdictions and reciprocity. Consensus around corporate oversight, financial reporting and enforcement authority in major markets will become necessary beyond the Sarbanes-Oxley Act as regulators in each market determine domestic applicability. This would particularly apply to the EU, the Association of Southeast Asian Nations (ASEAN) and G-10 members.

In the meantime, multinational companies shouldn't be distracted by debating regulators; they should focus on strategic performance management and assume increased governance standards in the markets in which they operate. By 2005, thorough understanding and management of all financial information will be the minimum criteria to stay listed on any major stock exchange.

Source: Gartner - Lane Leskela - 7 July 2003


Website: SOX
