Several large accounting scandals in the early 2000s created pressure for additional regulation of public companies. In response, the Sarbanes-Oxley Act of 2002 ("SOX") was signed into law on July 30, 2002, to restore investor confidence and reduce accounting fraud and malpractice. This article will 1) briefly explain what SOX is and why it should matter to you, 2) cover the provisions of SOX, 3) discuss the steps to becoming SOX compliant, and 4) finish by addressing some of the challenges of becoming compliant.
What is SOX?
The Sarbanes-Oxley Act contains 11 titles that create additional responsibility for public company management, as well as auditors and boards of directors. The act provides specific instruction on the creation and maintenance of internal controls (“IC”) and corporate governance and lays out the fines and penalties for non-compliance. The stated purpose of the act is “to protect investors by improving the accuracy and reliability of corporate disclosures.”
Though Sarbanes-Oxley is sometimes viewed as an overly burdensome obligation placed on public companies, it is important to recognize the value that compliance with SOX adds to a company. A CNBC article cites a study by the Statistic Brain Research Institute estimating that fraudulent employee activity costs American businesses $50 billion annually. A SOX compliant company is well positioned to mitigate this risk, along with the risk of loss through mistake or error, because it has the tools and procedures in place to prevent, or detect and correct, fraud and errors. Beyond lowering fraud and error in reporting, SOX compliance can improve efficiency and bring consistency and standardization to processes throughout a company. Becoming SOX compliant should not be seen as just another burden placed on growing companies. Rather, it should be viewed as an opportunity to make improvements that add real and lasting value to your company. Julia Hanna, writing for Harvard Business School Working Knowledge in a piece republished by Forbes, notes that IPO pricing has become less uncertain since SOX took effect. Companies that are SOX compliant earn greater market trust, which may in turn lead to better IPO pricing. Said differently, markets reward good corporate governance.
By treating SOX as a purely regulatory requirement, you will still face the costs and downsides of compliance without capturing all of the upsides that can come with SOX compliance.
The 11 titles and their successive sections, or provisions, are as follows:
- TITLE I—PUBLIC COMPANY ACCOUNTING OVERSIGHT BOARD
  - Sec. 101. Establishment; administrative provisions.
  - Sec. 102. Registration with the Board.
  - Sec. 103. Auditing, quality control, and independence standards and rules.
  - Sec. 104. Inspections of registered public accounting firms.
  - Sec. 105. Investigations and disciplinary proceedings.
  - Sec. 106. Foreign public accounting firms.
  - Sec. 107. Commission oversight of the Board.
  - Sec. 108. Accounting standards.
  - Sec. 109. Funding.
- TITLE II—AUDITOR INDEPENDENCE
  - **Sec. 201. Services outside the scope of practice of auditors.**
  - Sec. 202. Preapproval requirements.
  - Sec. 203. Audit partner rotation.
  - Sec. 204. Auditor reports to audit committees.
  - Sec. 205. Conforming amendments.
  - Sec. 206. Conflicts of interest.
  - Sec. 207. Study of mandatory rotation of registered public accounting firms.
  - Sec. 208. Commission authority.
  - Sec. 209. Considerations by appropriate State regulatory authorities.
- TITLE III—CORPORATE RESPONSIBILITY
  - Sec. 301. Public company audit committees.
  - **Sec. 302. Corporate responsibility for financial reports.**
  - Sec. 303. Improper influence on conduct of audits.
  - Sec. 304. Forfeiture of certain bonuses and profits.
  - Sec. 305. Officer and director bars and penalties.
  - Sec. 306. Insider trades during pension fund blackout periods.
  - Sec. 307. Rules of professional responsibility for attorneys.
  - Sec. 308. Fair funds for investors.
- TITLE IV—ENHANCED FINANCIAL DISCLOSURES
  - **Sec. 401. Disclosures in periodic reports.**
  - Sec. 402. Enhanced conflict of interest provisions.
  - Sec. 403. Disclosures of transactions involving management and principal stockholders.
  - **Sec. 404. Management assessment of internal controls.**
  - Sec. 405. Exemption.
  - Sec. 406. Code of ethics for senior financial officers.
  - Sec. 407. Disclosure of audit committee financial expert.
  - Sec. 408. Enhanced review of periodic disclosures by issuers.
  - **Sec. 409. Real time issuer disclosures.**
- TITLE V—ANALYST CONFLICTS OF INTEREST
  - Sec. 501. Treatment of securities analysts by registered securities associations and national securities exchanges.
- TITLE VI—COMMISSION RESOURCES AND AUTHORITY
  - Sec. 601. Authorization of appropriations.
  - Sec. 602. Appearance and practice before the Commission.
  - Sec. 603. Federal court authority to impose penny stock bars.
  - Sec. 604. Qualifications of associated persons of brokers and dealers.
- TITLE VII—STUDIES AND REPORTS
  - Sec. 701. GAO study and report regarding consolidation of public accounting firms.
  - Sec. 702. Commission study and report regarding credit rating agencies.
  - Sec. 703. Study and report on violators and violations.
  - Sec. 704. Study of enforcement actions.
  - Sec. 705. Study of investment banks.
- TITLE VIII—CORPORATE AND CRIMINAL FRAUD ACCOUNTABILITY
  - Sec. 801. Short title.
  - Sec. 802. Criminal penalties for altering documents.
  - Sec. 803. Debts nondischargeable if incurred in violation of securities fraud laws.
  - Sec. 804. Statute of limitations for securities fraud.
  - Sec. 805. Review of Federal Sentencing Guidelines for obstruction of justice and extensive criminal fraud.
  - Sec. 806. Protection for employees of publicly traded companies who provide evidence of fraud.
  - Sec. 807. Criminal penalties for defrauding shareholders of publicly traded companies.
- TITLE IX—WHITE-COLLAR CRIME PENALTY ENHANCEMENTS
  - Sec. 901. Short title.
  - Sec. 902. Attempts and conspiracies to commit criminal fraud offenses.
  - Sec. 903. Criminal penalties for mail and wire fraud.
  - Sec. 904. Criminal penalties for violations of the Employee Retirement Income Security Act of 1974.
  - Sec. 905. Amendment to sentencing guidelines relating to certain white-collar offenses.
  - **Sec. 906. Corporate responsibility for financial reports.**
- TITLE X—CORPORATE TAX RETURNS
  - Sec. 1001. Sense of the Senate regarding the signing of corporate tax returns by chief executive officers.
- TITLE XI—CORPORATE FRAUD AND ACCOUNTABILITY
  - Sec. 1101. Short title.
  - Sec. 1102. Tampering with a record or otherwise impeding an official proceeding.
  - Sec. 1103. Temporary freeze authority for the Securities and Exchange Commission.
  - Sec. 1104. Amendment to the Federal Sentencing Guidelines.
  - Sec. 1105. Authority of the Commission to prohibit persons from serving as officers or directors.
  - Sec. 1106. Increased criminal penalties under Securities Exchange Act of 1934.
  - Sec. 1107. Retaliation against informants.
Six of these provisions (201, 302, 401, 404, 409, and 906) are the key compliance provisions and will likely require the most time and effort as you seek to become SOX compliant. The rest of the article is written in the context of these six provisions. The following paragraphs explain each of them in further detail:
Section 201: This section addresses auditor independence. It prohibits a registered public accounting firm from providing a specified list of non-audit services to an audit client contemporaneously with the audit, including bookkeeping, financial information systems design and implementation, internal audit outsourcing, and management or human resources functions. Other non-audit services (tax work, for example) are permitted only with advance approval of the audit committee under Section 202. In practice, a firm must choose between auditing a public company and helping it design or operate its internal control over financial reporting ("ICFR"); it cannot do both.
Section 302: This section requires the CEO and CFO to certify each annual and quarterly report. In the certification they state that (a) they have reviewed the report, it contains no material misstatement or omission, and the financial statements fairly present the company's financial condition and results, and (b) they are responsible for establishing and maintaining disclosure controls and procedures, have evaluated their effectiveness, have disclosed to the auditors and the audit committee all significant deficiencies and material weaknesses in internal control and any fraud involving management or employees with a significant role in internal control, and have reported any significant changes in internal control since the last evaluation.
Section 401: This section requires that periodic reports reflect all material correcting adjustments identified by the registered public accounting firm during its audit. It also requires companies to disclose material off-balance-sheet transactions, arrangements, obligations, and relationships that do not appear in the financial statements. This means that if a transaction, agreement, or relationship could have a significant current or future effect on the company (through changes in financial condition, liquidity, capital resources, or similar measures), and it does not currently appear in the financial statements, it must be disclosed in annual and quarterly filings.
Section 404: This section requires management to report on the company's internal control over financial reporting. It is the most significant section of the act in terms of time and effort; the majority of the time and money spent on becoming SOX compliant goes toward the design, implementation, and testing of internal controls. Section 404 has three subsections. 404(a) requires management to include in each annual report a statement acknowledging its responsibility for establishing and maintaining adequate ICFR, together with an assessment of the effectiveness of that control structure as of year end. 404(b) requires the company's independent auditor to attest to, and report on, management's assessment; in practice the auditor issues its own opinion on whether ICFR is effective. 404(c), added by the Dodd-Frank Act in 2010, permanently exempts non-accelerated filers[1] from the 404(b) auditor attestation requirement. This subsection was meant to ease the burden SOX placed on smaller public companies.
Section 409: This section requires reporting companies to disclose, on a rapid and current basis, material changes in their financial condition or operations.
Section 906: This section (codified at 18 U.S.C. § 1350) requires the CEO and CFO to certify, in a written statement accompanying each periodic report containing financial statements, that the report fully complies with the reporting requirements of the Securities Exchange Act of 1934 ("Exchange Act")[2] and that the information in it fairly presents, in all material respects, the financial condition and results of operations of the company. Unlike Section 302, this section carries criminal penalties: knowingly certifying a report that does not meet these requirements can bring a fine of up to $1 million and up to ten years' imprisonment, and willfully doing so up to $5 million and twenty years.
Public companies are required by law to comply with SOX, though the timing of certain requirements varies with company size and stage of growth. In 2012, Congress passed the Jumpstart Our Business Startups Act ("JOBS Act") to promote growth in the United States economy. The act created a new class of issuer, the Emerging Growth Company ("EGC"): a company with total annual gross revenues below $1 billion (a threshold the SEC periodically adjusts for inflation) at the end of its most recent fiscal year. A company can keep EGC status for up to five fiscal years after its IPO, unless it first crosses the revenue threshold, issues more than $1 billion of non-convertible debt over a three-year period, or becomes a large accelerated filer. During that period an EGC is exempt from the Section 404(b) auditor attestation requirement described above. Separately, and regardless of EGC status, a newly public company does not have to include management's Section 404(a) assessment in its first annual report; that assessment is first required in the second annual report after the IPO. All other sections of the act apply from the time of the IPO. For more information on the JOBS Act, see our related article, The JOBS Act.
To become compliant, EY suggests using the following five steps as a guide:
- Assess internal control readiness. Find out where you stand today by testing your existing controls for design gaps and operating deficiencies.
- Establish an approach and timeline for remediation. Make a plan to fix every deficiency you have found and set a specific timeline to finish the remediation.
- Document walkthroughs of processes and controls. Walking each process from initiation to the financial statements lets you determine the nature of your controls and better understand the processes they sit in. The resulting documentation is also the map you will use to design better controls.
- Remediate processes and controls. Use the work completed so far to fix the control deficiencies that were discovered.
- Test processes and controls. Determine how successful your efforts were and whether any areas still need to be addressed.
In addition to the steps listed above, the following tips will help you make a smooth transition toward SOX compliance:
Begin SOX preparation 18-24 months before your planned IPO filing date.
Beginning early should give you a full 12-month testing period to confirm that the controls you have put in place are working as intended and that no areas of risk have been left unaddressed. If you wait to begin working on your internal controls until you are also trying to complete your registration statement, you will likely face a resource crunch. Completing an S-1 is a difficult and time-consuming task in its own right, so it is not wise to add the burden of creating and implementing new internal controls on your staff while they are also trying to meet a looming filing deadline. Doing so will likely result in errors in both the registration statement and the implementation of controls.
Establish your controls using a risk-based approach.
When first establishing internal controls, start by looking at your financial statements and determine which accounts and disclosures are at greatest risk of material misstatement. Use that assessment to decide how many controls you need and of what type. This top-down, risk-based approach should reduce the overall number of controls needed and help limit scope-creep[3]. It is also the approach the PCAOB's auditing standard for ICFR audits (AS 2201) directs the external auditor to take, so aligning with it from the start reduces friction at audit time.
Hire a third-party professional services firm to help you create a SOX program that is adequate without being excessive.
The cost of hiring a professional services firm to help create your SOX plan and implement it may seem high at first. However, forgoing properly trained professionals often costs more in the end: the combined cost of an initial setup done without expert help and the corrective changes that follow will likely exceed the cost of setting the system up correctly the first time. Those corrective changes are typically needed to fix controls that were set up incorrectly or inefficiently.
Beyond helping you avoid duplicative work, a third-party professional services firm can help ensure that your efforts produce a fully operational and efficient internal control environment without going overboard. Without that assistance, the likelihood of creating internal controls that operate improperly or inefficiently is much higher.
Build the right team.
As with every part of the IPO process, having the right people on the right project is a crucial part of ensuring timely success. Make certain that the SOX planning and implementation team has the adequate knowledge and skills needed to create an effective SOX compliance strategy and to follow through with that strategy. Because it is likely that some of the individuals on this team will also be key participants in the creation of the registration statement, as mentioned previously, it is important that you begin working on SOX compliance far enough in advance that there is little-to-no conflict of schedules and priorities later on.
Implement smart controls.
As you design and implement your internal controls, create a control environment that adds real value to your company rather than one that creates additional burden. Selecting good IC software can help achieve this. That software will usually be the company's ERP system, but in some cases it is an additional layer on top of it. Good software lets you build automated controls that streamline processes and significantly decrease the burden SOX compliance can place on a company. Keep in mind that automated controls are only as reliable as the IT general controls around the systems that run them (user access provisioning, change management, and computer operations), so expect those controls to be documented and tested as part of the 404 program as well. Another important element of smart internal controls is their practical usefulness; EY advises its clients to be careful not to "over-engineer" their controls. If a control is overly complicated, it will likely become just another burden for the staff affected by it, and an over-engineered control is difficult to implement and test.
Common pitfalls of SOX implementation
Over the years since the Sarbanes-Oxley Act was passed, companies have made a great number of mistakes as they have sought to become compliant. The following will cover some of the most common pitfalls to be aware of as you seek to become SOX compliant:
Waiting too long to begin the process.
Though this topic has already been addressed above, it is significant enough to merit additional coverage. Companies that wait to begin designing and implementing a SOX compliant internal control environment will likely find they lack the staff to accomplish the task in the time available, resulting in over-worked employees or an underqualified and uncommitted implementation team. Starting the design and implementation process late can also leave a short or altogether non-existent testing period, which is when IC gaps are normally discovered.
Lacking a clear strategy for IC design and implementation.
Failing to have a well-thought-out strategy for IC design and implementation can create redundant controls, resulting in extended testing time and higher internal and external audit costs. Poorly designed controls will also likely waste company time and money on unnecessary and redundant processes going forward.
Shallow understanding of IC testing.
If your staff are not properly trained and experienced in the design, implementation, and testing of internal controls, not only will your controls likely be inefficient and potentially ineffective, but they may also be tested incorrectly. Each line item in the financial statements has a different level of risk attached to it, and these levels of risk require unique amounts and types of testing. Without staff that has a thorough understanding of the financial statement accounts, their related risk, and the various types of testing available, accounts with little to no risk may be over-tested and high-risk accounts may be under-tested, both of which can result in costly errors.
Taking a short-term view rather than looking to the future.
The creation of a SOX compliant IC environment can be an overwhelming, time consuming, and expensive task. Accordingly, you may be tempted to take the quick and easy route when designing and implementing your new ICs. Doing so would likely result in a significant missed opportunity, as the creation of a new IC environment is a perfect opportunity to streamline outdated and inefficient processes. Furthermore, in an effort to lower today’s costs, you may be tempted to forgo a strong IC automating software package. Though doing so would provide you with lower costs in the short run, those costs will likely be higher in the long run as a result of manual controls that require large amounts of manpower to test and maintain. A strong IC automating software package will help create fast, efficient, and effective controls that can be tested using more accurate and inexpensive methods than manual controls.
As one of the most challenging aspects of being a public company, becoming SOX compliant deserves adequate time and attention. The path to full compliance should preferably begin 18 to 24 months before your company's expected registration statement filing date and should not be delayed beyond a year before filing. Once the SOX work begins, establish a well-qualified team that is dedicated to the project to ensure quality work and timely completion. If feasible, hire a third-party professional services firm to help plan and complete the project. Lastly, take the long-term view in your SOX compliance efforts so that the work completed provides the greatest possible benefit to the company's long-term success. Following these guidelines will help you avoid the pitfalls of poor-quality controls, unnecessary and excessive costs, and insufficient time to create a high-quality, compliant IC environment.
Sources
- EY, "Guide to Going Public," 2018.
- PwC, "Roadmap for an IPO."
- PwC, "SOX Performance."
- Grant Thornton, "Is going public the right answer for your company? Key regulations and reporting requirements."
- AuditBoard.com, "SOX and the Road to IPO."
- Statistic Brain, "Employee Theft Statistics."
- Forbes, "The Costs and Benefits of Sarbanes-Oxley."
Notes
- [1] Non-accelerated filers: companies with a public float of less than $75 million. Since the SEC's 2020 amendments to the filer definitions, issuers with a public float below $700 million and annual revenues below $100 million are also non-accelerated filers.
- [2] The Securities Exchange Act of 1934 ("Exchange Act" or "SEA") was enacted to protect the investing public from fraud and manipulation and to provide greater financial transparency. One of its most significant effects was the creation of the Securities and Exchange Commission ("SEC").
- [3] Scope-creep is the unplanned expansion of a project's reach, often due to unforeseen issues or areas of concern.