   Corporate Governance (Sarbanes-Oxley – SOx – Act)

  • The eleven (11) sections of the Sarbanes-Oxley Act of 2002 (SOx) (a/k/a Public Company Accounting Reform and Investor Protection Act, and, Corporate and Auditing Accountability, Responsibility, and Transparency Act) are called “Titles” in the sixty-six (66) pages of SOx, which are listed below, with some insights into the most-prominent Sections of each Title, as follows:

    • Title I: Public Company Accounting Oversight Board – established the non-profit Public Company Accounting Oversight Board (PCAOB), the purpose of which is ostensibly to manage the auditing of all publicly-traded corporations (although SOx is also applicable to many activities of private corporations), by promulgating guidelines, rules and standards for corporate auditing, training auditors to generate accurate, independent reports, as well as for enforcing compliance with such guidelines, rules and standards, through oversight of all independent accounting firms that may provide any auditing services that may be required pursuant to SOx;

    • Title II: Auditor Independence – provides nine (9) subsections with very clear guidelines for determining whether any auditor performing SOx services may be considered as acting “independently” – meaning, acting without having any business or personal relationship that might have the appearance of impropriety by conflicting in any way with the business entity (or any key personnel thereof) upon which such auditor may be performing a SOx-related audit; under Section 201, external auditor accounting firms must be independent of any company they audit (and so such external auditor accounting firms cannot provide favors or free services for their clients – such as, for example: banking, bookkeeping, business valuation, consulting, design and implementation of record-keeping systems, investment advice, investment management – any or all of which would have the appearance of impropriety); however, Section 201 may allow such external auditor accounting firms to provide bookkeeping and stock valuation services to their clients after prior approval from the PCAOB; under Section 203, individual auditors must not work on the same project for more than five (5) years and then must avoid working on that project for another five (5) years;

    • Title III: Corporate Responsibility – In general, Section 302 imposes responsibility upon whomever may be the executives designated by the business entity to sign off on the accuracy of all reports required pursuant to either Section 13(a) or Section 15(d) of the Securities Exchange Act of 1934, and to make a series of very clear written representations as to the accuracy of such reports;

      • Section 301 requires auditors to report on all critical accounting policies and practices used by the enterprise and in the audit;

      • Section 302 is one of the most-important Sections of SOx from a compliance standpoint, and specifies that:

        • any enterprise subject to SOx regulation must establish an internal but independent audit committee;

        • CEOs and CFOs must certify that they have reviewed the financial statements and that, to the best of their knowledge, they have verified that:

          • such financial statements contain only true statements;

          • such financial statements fairly represent the financial condition of the enterprise;

          • there are no untrue statements of material facts or omissions of material facts, or other misleading statements or omissions in the financial statements;

          • they are responsible for establishing and maintaining effective internal controls;

          • they have evaluated the internal controls within the previous ninety (90) days;

          • they have reported any problems with the internal controls of which they are aware;

          • they have reported any fraud of which they are aware;

          • they have reported any changes in internal controls subsequent to their last report;

        • executives who violate Section 302 may be required to forfeit bonuses and profits made through fraudulent revised statements, and may face significant jail time;

        • Title IX Section 906 imposes extremely strong penalties for willful violations of Section 302;

        • any enterprise subject to SOx regulation is required to file annual reports with the SEC (with the first certification of compliance with Section 302 for newly-filed public entities subject to SOx regulation due in the first quarter after completion of the filing);

        • any enterprise subject to SOx regulation is required to implement an internal control system for tracking and auditing financial processes;

        • any enterprise subject to SOx regulation is required to implement verifiable controls to prevent data tampering, track user logins, track access to all computers that contain sensitive data, and detect cracking attempts against computers, databases, fixed and removable storage, and websites (Section 302.2);

        • any enterprise subject to SOx regulation is required to implement verifiable controls to establish timelines by timestamping all data as it is received by the enterprise in real-time; such data should then immediately be stored at a remote secure location to prevent data alteration or loss, and all log information should also be moved to a remote secure location, encrypted, and given an associated MD5 checksum (Section 302.3);

        • any enterprise subject to SOx regulation is required to implement verifiable controls to track data access, and must be able to receive data messages from an unlimited number of sources; collection of data should be supported through file queues, FTP transfers and databases, independent of the framework utilized (such as COBIT or ISO/IEC 27000) (Section 302.4.B);

        • any enterprise subject to SOx regulation is required to ensure that the verifiable controls are continuously operational and can issue daily reports to e-mail addresses and distribute reports through an RSS feed, for easy verification from any location that the system is fully operational (Section 302.4.C);

        • any enterprise subject to SOx regulation is required to periodically report the effectiveness of the verifiable controls by generating multiple types of reports, such as reports on all messages, issued alerts, and a ticketing system that archives the security problems and activities that have occurred (Section 302.4.D);

        • any enterprise subject to SOx regulation is required to implement verifiable controls that may assist in detecting security breaches through the semantic analysis of messages in real-time, as well as alerts, correlation threads, counters, and triggers, that translate suspicious incoming messages into high-level alerts, which then generate tickets that list the security breach, send out e-mails to relevant security personnel, or automatically update a chain of related alerts in an incident management system (Section 302.5.A/B);

    • Title IV: Enhanced Financial Disclosures:

      • Section 401:

        • increases reporting transparency;

        • provides filing deadlines for many categories and types of reports that must be made public;

        • specifies that financial information provided to the public in any reports provided to the SEC must not contain any untrue statements or omissions of material facts, must comply with Generally-Accepted Accounting Principles (GAAP), must include all material off-balance sheet transactions (such as liabilities, loans or private agreements with members of the enterprise), and must be materially-correct;

      • Section 402 prohibits any enterprise subject to SOx regulation from making loans to their executives or to members of their boards of directors;

      • Section 403 requires principal stockholders and management to disclose their involvement in any company-related transactions;

      • Section 404 may be the most bothersome SOx Section because Section 404 requires annual assessments by management (verified by and attested by independent external auditors) of the “internal controls” – basic checks and balances on the internal operations of a company, intended to ensure SOx compliance – of an enterprise, with complete disclosure in the event such internal controls are found to be defective in any way; Section 404 is perhaps the most information technology (IT) intensive of the SOx Sections, since Section 404 requires much data to be available for verification by the auditors, and thus much of the IT effort will involve various complicated and expensive logging and tracking platforms; in general, Section 404 requires that:

        • any enterprise subject to SOx regulation is required to implement technical systems set up to maintain data integrity and protection, and that management and outside auditors must regularly assess and document the effectiveness of such systems;

        • such systems must be capable of functions essential to the proper functioning of financial reporting and internal controls, such as real-time access control, communications, continuous monitoring, information exchange, and risk assessment;

        • to pass a Section 404 compliance audit, any enterprise subject to SOx regulation is required to prove to the auditors that for at least ninety (90) days prior to the audit, all data subject to Section 404 was both available for access and secure, which perhaps might be easily-accomplished through the use of a security information and event management (SIEM) platform;

        • any enterprise subject to SOx regulation is required to disclose security safeguards to the auditors, for example through the implementation of systems that provide complete access to specific reports and facilities for auditors, using role-based permissions, even though such permissions would not necessarily grant such auditors any ability to make any changes to such reports or facilities, or to reconfigure any aspect of the systems (Section 404.A.1.1);

        • any enterprise subject to SOx regulation is required to disclose security breaches to the auditors, for example through the implementation of systems that are capable of detecting and logging security breaches, notifying security personnel in real-time, and permitting resolution of security incidents to be entered and stored in a remote secure location, and in which all input messages are continuously-correlated to create tickets that record security breaches and other events;

        • any enterprise subject to SOx regulation is required to disclose failures of security controls to the auditors, for example through the implementation of systems that periodically test network and file integrity, and verify that messages are logged, and interface with common security test software and port scanners to verify that the systems are continuously-monitoring enterprise security;

        • the 2010 Dodd-Frank Act exempted entities with public floats (meaning that portion of the shares of the entity that are held by public investors) less than $75 million from the Section 404 requirement that auditors must attest to the efficacy of such entities’ internal controls, and in 2020, the SEC adopted rules that exempted entities with less than $100 million in annual revenue from that same Section 404 requirement that auditors must attest to the efficacy of such entities’ internal controls;

      • Section 409 requires further reporting any time there may be any material changes to a company (even including IT events, such as a data breach or denial-of-service attack, resulting in a ransom demand); all financial reports must be accurate and must not be deceptive or incorrect in the way information is presented; personal company loans to members of the C-suite are prohibited; business entities regulated under SOx must report on internal controls; auditing firms must comment on comprehensiveness of internal control structures; information on material changes in the financial condition of the company must be disclosed without delay.

    • Title V: Analyst Conflicts Of Interest – amends the Securities Exchange Act of 1934, by adding a new Subsection 15D, entitled “Securities Analysts and Research Reports”, which concentrates on providing codes of conduct (including further conflicts of interests guidelines) and other operational reporting requirements for securities analysts; protects analysts who prepare non-malicious and truthful but negative reports about business entities; prohibits conflicts of interest that could result in biased reports.

    • Title VI: Commission Resources And Authority – makes further modifications to the Securities Exchange Act of 1934, strengthening the authority of the Securities and Exchange Commission (SEC) to deal with bad actors in the financial industry, and to supervise auditors and auditing firms;

    • Title VII: Studies & Reports – requires the U.S. General Accounting Office (GAO) and the SEC to perform various studies and then to make various reports based on the findings of such studies, relevant to the tumult in the financial industry at that time, regarding entities that might be able to exert undue influence against the intent of SOx for financial reporting transparency, in particular: accounting firms – which at that time began consolidating from many smaller firms into a few, huge firms (thus greatly reducing the number of available auditing firms under SOx which might not have any conflicts of interest with any prospective business entity they might audit); credit rating agencies (which can influence the values placed upon securities); the numbers and types of financial professionals who had committed violations of various securities regulations and were prosecuted under enforcement actions therefor; and, investment banks;

    • Title VIII: Corporate and Criminal Fraud Accountability – perhaps the impetus for the enactment of SOx, and the first of three (3) SOx Titles to have a unique short title (the other two are Title IX and Title XI), the “Corporate and Criminal Fraud Accountability Act of 2002”, establishes liability for various corporate and criminal violations of any activity covered by SOx, as follows:

      • Section 802 basically mandates very hefty fines and up to twenty (20) years of jail time for anyone who knowingly alters, conceals, destroys, falsifies or mutilates, or attempts to do so, documents, records  or tangible objects with the intent to impede, influence or obstruct a legal investigation; very hefty fines, plus up to ten (10) years of jail time for any records custodian who knowingly and willfully violates the requirement to maintain all SOx-related audit or review papers for a period of five (5) years from the completion of an audit or review; auditors may also be fined and jailed if they are complicit in any cover-up involving documents subject to Section 802;

      • Section 804 mandates a 5-year retention period for all audit-related documents;

      • Section 806 establishes very strong “whistleblower protection” for any employee in a publicly-traded enterprise or nationally-recognized statistical ratings organization (NRSRO) who comes forward and provides substantive evidence to the Federal government of insider fraud, leading to the prosecution of the relevant SOx violators; anyone who retaliates against a whistleblower can be subject to criminal charges;

    • Title IX: White Collar Crime Penalty Enhancement – the second of the SOx Titles to have its own unique short title, the “White-Collar Crime Penalty Enhancement Act of 2002”, which focuses in particular upon various types of fraudulent criminal white-collar offenses, as follows:

      • Section 902 increases penalties for crimes such as mail and wire fraud and violations of the Employee Retirement Income Security Act (ERISA);

      • Section 906 reinforces Title III Section 302, by amending Chapter 63 of Title 18, United States Code to add a new Section 1350, entitled “Failure of corporate officers to certify financial reports”, which provides up to five million dollars ($5,000,000.00) in fines, and imprisonment of up to twenty (20) years, for willful violation by any executive of the representations required under Section 302; thus, Section 906 covers any alteration of documents in an attempt to impede any government investigation, as well as any certification of a fraudulent or misleading financial report;

    • Title X: Corporate Tax Returns – the shortest (only one sentence) and perhaps most-vague of the SOx Titles, in which the Senate has “the sense” that the corporate Federal income tax return “should” be signed by the corporate chief executive officer (CEO); and,

    • Title XI: Corporate Fraud Accountability – the third SOx Title to have its own unique short title, the “Corporate Fraud Accountability Act of 2002”, this Title is actually an extremely-detailed treatment of what may be considered corporate fraud, with unique sentencing guidelines and enhanced authority for the SEC, such as, for example:

      • Section 1102 amended Section 1512 of Title 18, United States Code to add a new Subsection (c), imposing severe fines and imprisonment of up to twenty (20) years for anyone who “corruptly” tampers with any records being used in any official proceeding, or who attempts to obstruct any official proceeding (this new offense is actually worded so broadly that it has apparently been applied by Federal prosecutors in recent cases alleging insurrection against the government, which have no relation to any financial aspect of SOx itself);

      • Section 1103 allows the SEC to petition a Federal District Court for a temporary 45-day order freezing any transaction the SEC may suspect is extraordinary during the course of an investigation;

      • Section 1105 gives the SEC authority to prohibit certain persons from serving as directors or officers of publicly-traded companies;

      • Section 1107 reinforces the protections of Title VIII Section 806 for whistleblowers, in that it amends Section 1513 of Title 18, United States Code, to provide that anyone knowingly performing any act of retaliation against any whistleblower involving any Federal matter shall be subject to whatever fines may be applicable and/or imprisonment of up to ten (10) years, or both.
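The log-handling controls described above under Section 302.3 (timestamp data on receipt, archive it, and attach a checksum) and Section 404 (periodically test file integrity and verify that messages are logged) can be illustrated in code. The following is an added example, not part of this page or of any product it describes: it timestamps constructed sample log lines, appends them to an archive, seals the archive with a checksum manifest, and then re-verifies that manifest as a periodic integrity check would. The file names (archive.log, archive.manifest.json) are hypothetical, the sample lines are constructed, the checksum uses SHA-256 in place of the MD5 checksum the page mentions, and the remote transfer and encryption steps are left out.

```python
"""Tamper-evident log archiving: timestamp on receipt, seal with a checksum,
re-verify later. Added example with constructed data; not from the page."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample log lines, standing in for messages arriving from collectors.
SAMPLE_LOGS = [
    "user=alice action=login result=success host=fin-db-01",
    "user=bob action=export table=ledger rows=1204 host=fin-app-02",
    "user=alice action=logout host=fin-db-01",
]


def sha256_of_file(path):
    """Digest a file in chunks so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def archive_records(records, archive_dir):
    """Timestamp each record as it is received, append it to the archive as one
    JSON line, then seal the archive with a checksum manifest.
    Returns the manifest path. File names are hypothetical."""
    os.makedirs(archive_dir, exist_ok=True)
    archive_path = os.path.join(archive_dir, "archive.log")
    with open(archive_path, "a", encoding="utf-8") as fh:
        for line in records:
            entry = {
                "received_at": datetime.now(timezone.utc).isoformat(),
                "record": line,
            }
            fh.write(json.dumps(entry) + "\n")
    manifest = {
        "file": "archive.log",
        "algorithm": "sha256",  # page mentions MD5; SHA-256 used here instead
        "digest": sha256_of_file(archive_path),
        "sealed_at": datetime.now(timezone.utc).isoformat(),
    }
    manifest_path = os.path.join(archive_dir, "archive.manifest.json")
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)
    return manifest_path


def verify_archive(manifest_path):
    """Periodic integrity check: recompute the digest and compare it with the
    sealed value. False means the archive changed after it was sealed."""
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    archive_path = os.path.join(os.path.dirname(manifest_path), manifest["file"])
    return sha256_of_file(archive_path) == manifest["digest"]


def run_demo():
    """Archive the sample lines, verify, simulate a later edit, verify again.
    Returns (verified_before, verified_after_edit, record_count)."""
    with tempfile.TemporaryDirectory() as tmp:
        manifest_path = archive_records(SAMPLE_LOGS, tmp)
        before = verify_archive(manifest_path)
        archive_path = os.path.join(tmp, "archive.log")
        with open(archive_path, encoding="utf-8") as fh:
            count = sum(1 for _ in fh)
        # An after-the-fact change to the sealed archive (constructed).
        with open(archive_path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps({"received_at": "later", "record": "rows=0"}) + "\n")
        after = verify_archive(manifest_path)
    return before, after, count


if __name__ == "__main__":
    print(run_demo())
```

In practice the manifest would be written to the remote secure location the page describes, separately from the archive it seals, so that whoever can alter the archive cannot also rewrite the digest; the periodic check then runs from that separate copy.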

  • Drafting and negotiating all SOx-related documents and legal support for all SOx-related tasks.

  • Progress_Page_Last_Updated_221104_2237