The Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745), also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or Sarbox; is a United States federal law signed into law on July 30, 2002 in response to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Peregrine Systems and WorldCom. These scandals resulted in a decline of public trust in accounting and reporting practices. Named after sponsors Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH), the Act was approved by the House by a vote of 423-3 and by the Senate 99-0. President George W. Bush signed it into law, stating it included “the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt.”
The legislation is wide-ranging and establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms. The Act contains 11 titles, or sections, ranging from additional Corporate Board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law. Supporters of these reforms believe the legislation was necessary and useful while critics believe it does more economic damage than it prevents.
The Act establishes a new quasi-public agency, the Public Company Accounting Oversight Board, or PCAOB, which is charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. The Act also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure.
The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company’s internal control over financial reporting (ICFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort.
Both management and the external auditor are responsible for performing their assessment in the context of a top-down risk assessment, which requires management to base both the scope of its assessment and evidence gathered on risk. Both the PCAOB and SEC recently issued guidance on this topic to help alleviate the significant costs of compliance and better focus the assessment on the most critical risk areas.
The recently released Auditing Standard No. 5 of the Public Company Accounting Oversight Board (PCAOB), which superseded Auditing Standard No 2., has the following key requirements for the external auditor:
- Assess both the design and operating effectiveness of selected internal controls related to significant accounts and relevant assertions, in the context of material misstatement risks;
- Understand the flow of transactions, including IT aspects, sufficiently to identify points at which a misstatement could arise;
- Evaluate company-level (entity-level) controls, which correspond to the components of the COSO framework;
Perform a fraud risk assessment;
- Evaluate controls designed to prevent or detect fraud, including management override of controls;
- Evaluate controls over the period-end financial reporting process;
- Scale the assessment based on the size and complexity of the company;
- Rely on management’s work based on factors such as competency, objectivity, and risk;
- Evaluate controls over the safeguarding of assets; and
- Conclude on the adequacy of internal control over financial reporting.
Source: http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act