Sarbanes Oxley Act (SOx)

The Sarbanes-Oxley Act of 2002 was enacted on 30 July, 2002.

InvestmentsIt is also known as the ‘Public Company Accounting Reform and Investor Protection Act’ and the ‘Corporate and Auditing Accountability and Responsibility Act’ and is commonly called Sarbanes-Oxley, Sarbox or SOX. It is named after sponsors U.S. Senator Paul Sarbanes and U.S. Representative Michael G. Oxley.

The bill was enacted as a reaction to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. These scandals, which cost investors billions of dollars when the share prices of affected companies collapsed, shook public confidence in the nation’s securities markets.

The legislation set new or enhanced standards for all U.S.public company boards, management and public accounting firms.

It does not apply to privately held companies.

The act contains 11 titles, or sections, that describe specific mandates and requirements for financial reporting. Each title consists of several sections, summarized below:

  • Public Company Accounting Oversight Board (PCAOB) – Title I consists of nine sections and establishes the Public Company Accounting Oversight Board, to provide independent oversight of public accounting firms providing audit services (“auditors”). It also creates a central oversight board tasked with registering auditors, defining the specific processes and procedures for compliance audits, inspecting and policing conduct and quality control, and enforcing compliance with the specific mandates of SOX;
  • Auditor Independence – Title II consists of nine sections and establishes standards for external auditor independence, to limit conflicts of interest. It also addresses new auditor approval requirements, audit partner rotation, and auditor reporting requirements. It restricts auditing companies from providing non-audit services (e.g., consulting) for the same clients;
  • Corporate Responsibility – Title III consists of eight sections and mandates that senior executives take individual responsibility for the accuracy and completeness of corporate financial reports. It defines the interaction of external auditors and corporate audit committees, and specifies the responsibility of corporate officers for the accuracy and validity of corporate financial reports. It enumerates specific limits on the behaviour of corporate officers and describes specific forfeitures of benefits and civil penalties for non-compliance;
  • Enhanced Financial Disclosures – Title IV consists of nine sections. It describes enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures and stock transactions of corporate officers. It requires internal controls for assuring the accuracy of financial reports and disclosures, and mandates both audits and reports on those controls. It also requires timely reporting of material changes in financial condition and specific enhanced reviews by the SEC or its agents of corporate reports.
  • Analyst Conflicts of Interest – Title V consists of only one section, which includes measures designed to help restore investor confidence in the reporting of securities analysts. It defines the codes of conduct for securities analysts and requires disclosure of knowable conflicts of interest;
  • Commission Resources and Authority – Title VI consists of four sections and defines practices to restore investor confidence in securities analysts. It also defines the SEC’s authority to censure or bar securities professionals from practice and defines conditions under which a person can be barred from practicing as a broker, advisor, or dealer;
  • Studies and Reports – Title VII consists of five sections and requires the Comptroller General and the SEC to perform various studies and report their findings. Studies and reports include the effects of consolidation of public accounting firms, the role of credit rating agencies in the operation of securities markets, securities violations and enforcement actions;
  • Corporate and Criminal Fraud Accountability – Title VIII consists of seven sections and is also referred to as the “Corporate and Criminal Fraud Act of 2002”. It describes specific criminal penalties for manipulation, destruction or alteration of financial records or other interference with investigations, while providing certain protections for whistle-blowers;
  • White Collar Crime Penalty Enhancement – Title IX consists of six sections. This section is also called the “White Collar Crime Penalty Enhancement Act of 2002.” This section increases the criminal penalties associated with white-collar crimes and conspiracies. It recommends stronger sentencing guidelines and specifically adds failure to certify corporate financial reports as a criminal offence;
  • Corporate Tax Returns – Title X consists of one section. Section 1001 states that the Chief Executive Officer should sign the company tax return.
  • Corporate Fraud Accountability – Title XI consists of seven sections. Section 1101 recommends a name for this title as “Corporate Fraud Accountability Act of 2002”. It identifies corporate fraud and records tampering as criminal offences and joins those offences to specific penalties. It also revises sentencing guidelines and strengthens their penalties. This enables the SEC the resort to temporarily freeze transactions or payments that have been deemed “large” or “unusual.

SOx has created a whole new world of risks and mandatory requirements for Top Management of public companies listed on the Securities and Exchange Commission (SEC) in the US. SOx also applies to subsidiaries of US companies outside the US.Compliance administration can be complex and costly – stretching your already stretched resources even more.The risks of non-compliance can be colossal for the CEO and CFO who are responsible for certifying the accuracy of financial data.SOx was passed in response to a number of devastating accounting scandals, to ensure accurate financial reporting for public companies. It requires regulated companies to:

  • maintain internal controls that ensure accurate financial reporting;
  • identify material weaknesses and significant deficiencies.

SOx primarily covers the areas of:

  • corporate governance; financial reporting; executive conduct;
  • internal controls.

Section 404,deals with internal controls, inthis section the executive management is obliged to:

  • document internal controls; assess the effectiveness of internal controls;
  • prepare a report on internal controls.

Professional Services

SIRM recommends the use of: COSOISO 27001ITIL and CobIT. These are four compatible frameworks, operating at different levels of detail and scope, that provide a set of controls and governance for IT:

  • COSO defines organization wide controls; CobIT satisfies and extends COSO controls relating to IT; ITIL can satisfy and extend CobIT controls relating to IT Service Management (Problem Management, Change Control, Release Control, etc.);
  • ISO 27001 provides information security controls to meet and extend CobIT Security.

When combined with SIRM ‘s workflow and governance product (WFD) it can be used to aid the CFO and CEO obtain certification that internal controls have been implemented and are used effectively.When combined with the SIRM recommended Identity Management process, to can provide complete traceability, transparency and personal accountability of all actions undertaken within your organisation.


We approach each project in the same manner:

  • definition of the scope of the project; define and agree the relevant sections of SOx (and other legislation and regulation) that is applicable; understand your business; undertake a detailed gap analysis; undertake a risk assessment; present findings in form of a Gap Analysis report; agree remedial work to be performed and delivery format; produce remedial work in association with your employees; implement awareness training;
  • ad hoc advice as required;


The benefits of using a SIRM for SOx compliance is that they are able to:

  • create an organisational structure to ensure that roles and responsibilities for SOx compliance are established; define and implement relevant documented procedures to meet the SOx requirements; design processes and procedures specific to your business; develop and delivering relevant training for all your employees to meet their SOx obligations; develop innovative solutions to address your compliance issues; ensure that processes and procedures for SOx compliance are documented and tested; ensure that there is an ongoing compliance and monitoring mechanism in place. identify and objectively assess your risks; identify risk and evaluate risks to your organisation; manage and treat significant risks to reduce them to an acceptable level in line with risk appetite; protect the CEO and CFO; provide employees with regulatory and governance experience; provide governance, risk and compliance (GRC) experts; provide information security and assurance experts; provide pragmatic and relevant, as well as innovative, solutions to solve your SOx issues; provide traceability, transparency and personal accountability for all actions if combining WFD and SIRM ‘s identity management solution; taking some of the burden off your overstretched Compliance Department;
  • validate the adequacy of IT controls to meet Section 404