
2007 | Book

Sarbanes-Oxley

Building Working Strategies for Compliance

Authors: Terence Sheppey, Ross McGill

Publisher: Palgrave Macmillan UK

Book Series : Palgrave Macmillan Finance and Capital Markets Series


About this book

Since its inception, several lawsuits have been filed under the Sarbanes Oxley Act, some corporate executives are serving jail sentences and share prices of affected companies have dropped by millions. This book examines how compliance is achieved and maintained. It explores successful strategies and suggests effective measures for implementation.

Table of Contents

Frontmatter

The Sarbanes-Oxley Act

Frontmatter
Chapter 1. What is Sarbanes-Oxley?
Abstract
The Sarbanes-Oxley Act, also known as the Public Company Accounting Reform and Investor Protection Act, is a development in US law that affects both US and non-US firms seeking to comply with corporate governance initiatives. Often known under the abbreviation SOX, the act is so named after the architects of the Act, Senator Paul Sarbanes and Representative Michael Oxley. As legislation it was passed in 2002, with implementation of its sections and clauses coming into force in stages from 2004 onwards.
Terence Sheppey, Ross McGill
Chapter 2. Background and Legislative Trends
Abstract
The history of the scandals and corporate misdemeanors of the early years of the twenty-first century is now well known. By 2003, the spectacular financial failures of high-profile public companies, with management and auditors indulging in “creative accounting,” had brought the level of SEC enforcement activity to record levels. Multi-billion dollar restatements and the resulting bankruptcies of companies such as Enron and WorldCom led directly to the Act, which provided tools for the SEC to deter repetitions of these corporate frauds and to punish those who abuse public trust.
Terence Sheppey, Ross McGill
Chapter 3. Perspectives for the Financial Sector
Abstract
Generally, even when regulation appears to be global and uniform, financial service firms tend to be conservative in their approach. Compliance is organized at departmental level, around the software tools and resources to hand. A concerted enterprise-wide response involving all departments is unusual.1 Despite the time frames built into regulation, the sector has a history of taking its time over responding. However, the US government has not always led by example: US 1441 NRA Regulations, of fundamental impact to every financial intermediary outside the United States, were first mooted in Congress over 25 years ago, yet only came to fruition in the year 2000.
Terence Sheppey, Ross McGill
Chapter 4. An Overview of the Act
Abstract
This section does not seek to replicate the text of the Act, which is widely available from a number of sources.1 Nor does it intend to be a complete commentary on the history and development of the legislative process. It does, however, intend to emphasize those parts of the Act that are most relevant to the compliance effort. It also summarizes sections and indicates their “compliance scope.” This references the individuals, functions, and types of organizations affected by the sections.
Terence Sheppey, Ross McGill

The Requirement: SOX and the Financial Sector

Frontmatter
Chapter 5. Why are Financial Services Affected?
Abstract
A main concern for financial services is the preservation of the structure of trust that results from good governance and transparency in the operation of markets. Regulatory compliance is a demonstration of this desire to engender trust. If we consider the financial sector as a whole and sketch some of its main features, the significance of compliance becomes clear. Any economy has a number of interrelated but separable sectors that dominate its activities: “households and non-profit institutions serving households,” “non-financial corporations,” “financial corporations,” “general government,” and “rest of the world.” The financial sector is largely represented by financial corporations, which in turn can be subdivided into:
  • monetary financial institutions
  • insurance corporations and pension funds
  • other financial intermediaries and auxiliaries.
Terence Sheppey, Ross McGill
Chapter 6. The Public Face: Financial Reporting
Abstract
Financial statements or reports are at the heart of compliance activities. As evidence of an organization’s business activities and state of health, they are a key record of its presence and value in the market. From this all other evaluations flow, especially the valuation of its capitalization and its suitability as an investment. A good financial report can increase the value of the company, and a bad financial report can adversely affect the same value. The simplicity of this also summarizes the significance of the Sarbanes-Oxley Act. A company that can demonstrate its compliance demonstrates its likely financial integrity. This demonstration underpins its trustworthiness. The figures may dip and the actual value might drop, but the perception of being a sound operation may be enough to ensure that it remains a good investment.
Terence Sheppey, Ross McGill
Chapter 7. The Impact of Cost
Abstract
Whenever any project is implemented in any organization, the cost of the activity is a primary consideration. All financial organizations exist to make a profit. Certainly listed companies have this as a core objective. Given this and the way risk is interpreted as financial loss, any legislation that implies risk has to be considered as a cost issue.
Terence Sheppey, Ross McGill
Chapter 8. Responsibility
Abstract
Initially the Enron scandal was about a lack of clarity and accuracy in the financial statements of the organization. Investigations looked at the activities of the company as a whole, and its officers were deemed part of this. As the investigation moved forward, more and more emphasis was placed on the roles and responsibilities of the company’s senior executives. The investigators found that although the company was at fault, with apparent systemic weaknesses in transparency, it was the specific personal misdeeds of individuals in positions which gave them power and control over the resources of the organization that did the most damage. From this has developed a sharp focus within the Sarbanes-Oxley Act on specific roles within the organization, notably the CEO, the chief financial officer (CFO), and others whose roles approximate to these functions. The novelty in this legislation is its insistence on the culpability of these individuals and the responsibility they bear for a publicly listed company. This responsibility translates, in the worst case, to heavy fines and long periods of imprisonment. Here, if ever there was one, is an incentive to ensure the compliance process works. To spell out this incentive, if it can be called such, is the purpose of much of the Act.
Terence Sheppey, Ross McGill
Chapter 9. Internal Auditing
Abstract
Internal auditing is an activity that examines and reviews the reliability and integrity of financial and operational information, and checks compliance with company policies and procedures as well as external regulations. The Sarbanes-Oxley Act is about risk management and the processes within an organization that shape its governance. Internal auditing is in a position to provide objective assurance for the management responsible for developing the processes essential for compliance with the Act. The internal auditing role should ideally be one of support through consultation and assurance. Internal audit is the eyes and ears of senior management, who want to know, in a formal and verifiable way, the operational state of play for their organization. As such it assists financial and operational management, highlights weaknesses, the potential for loss, and business irregularities, and provides, as part of its function, practical guidance on remediation.
Terence Sheppey, Ross McGill
Chapter 10. External Auditing
Abstract
External auditing is crunch time for the organization. The compliance audit is likely to be a “special” audit variant on the routine audits that lead to financial reports. The Sarbanes-Oxley Act has put an edge on the process. The assessment of internal controls, processes, and documentation is oriented more to a certification process than a standard audit. This is all the more reason to ensure that the organization is fully prepared for the auditing experience, and that the compliance process works well and is successful. The external auditor, under the terms of the Act, has a place of importance marginally behind that of the executive management of a listed company. The obligations and requirements are considerable, though not tightly defined in the Act.
Terence Sheppey, Ross McGill

Practical Compliance

Frontmatter
Chapter 11. Building the Strategy
Abstract
Before we do anything else we need to establish that compliance is a strategic concern with considerable tactical implications. By this we mean that decisions about compliance are made at the highest level, the responsibility of the success of the compliance effort rests at the highest level, and the interests of the organization are affected directly by the outcome of the compliance process. In that all these considerations shape the direction and future of the organization, the compliance process can be seen to be strategic. Much of what follows addresses tactical mechanisms that deliver the strategic objectives.
Terence Sheppey, Ross McGill
Chapter 12. The Compliance Process
Abstract
To become compliant, an organization must undergo a process. This process might be fairly simple and familiar, or represent a range of challenges based on a lack of familiarity. It will involve varying levels of cost and resources. However well prepared an organization is, it is more than likely to prove a challenge that involves time and resources and the uncovering of unforeseen weaknesses in the way the organization operates. Such a process can be viewed as a business overhead, an unnecessary endangerment of vital interests, or a beneficial opportunity to improve business activities.
Terence Sheppey, Ross McGill
Chapter 13. Compliance with Section 302
Abstract
Section 302, more than any other, sets the bar for regulatory response for affected companies. It was the first point of focus for these companies, and the area where the first substantial efforts were made to ensure compliance. Section 302 became effective on August 29, 2002. It establishes the accountability of senior executives (for most companies these are the CEO and CFO) for the certification of financial reports, and the system of internal controls over the process that supports those reports. This section applies to companies filing quarterly and annual reports with the SEC under Section 13(a) or 15(d) of the Securities Exchange Act. It has two main requirements:
  • Senior officers must certify financial reports.
  • The companies must make a set of disclosures that are not misleading and are timely.
Terence Sheppey, Ross McGill
Chapter 14. Compliance with Section 404
Abstract
Section 404 of the Act is a challenge for any organization. It centers on the importance of senior management attesting to the accuracy and reliability of the systems that produce the information for the financial reports. Not surprisingly, the Act provides a number of specific compliance requirements, and these have been analyzed for implementation by affected organizations, agencies, consultancies, and any body responsible for assisting in the process of ensuring that financial reports are up to scratch. Section 404 is a driver for much of the work that deals with the practicalities of compliance. Table 14.1 is a summary of the section and its associated activities.
Terence Sheppey, Ross McGill
Chapter 15. Compliance with Other Relevant Sections
Abstract
The Sarbanes-Oxley Act consists of a number of sections which have specific compliance requirements. Sections 302 and 404 have received most of the effort from companies. However, there are a number of other sections that require a practical response to ensure the overall compliance process achieves its objectives. This chapter does not detail the activities of the PCAOB except where they are strictly relevant.
Terence Sheppey, Ross McGill
Chapter 16. Compliance in the Supply Chain
Abstract
The nature of financial services is that any organization is positioned in a complex supply chain. By this we mean there are a set of dependencies and obligations built into any transaction that extends beyond one company or entity to others, equally linked and dependent on the actions of others. This chain of dependency and obligation extends from the end-user or customer through a service chain to an end-point where the objective of the transaction or activity is satisfied. An example is the chain considered earlier, based on broker exchanges across borders. How far does compliance extend through the chain? This is akin to the responsibility cascade, in that, although it is the senior executives who are ultimately responsible, accountability does extend throughout the organization.
Terence Sheppey, Ross McGill
Chapter 17. Internal Controls
Abstract
What are the “internal controls over financial reporting” that Section 404 of the Sarbanes-Oxley Act talks of? It is worth noting that there is a distinction between the disclosure controls and procedures referred to in Section 302 and the internal controls over financial reporting specifically addressed in Section 404. The management responsibility mapping varies from section to section, although all sections relate to public, periodic financial reporting. (See Figure 17.1.)
Terence Sheppey, Ross McGill
Chapter 18. Documentation, Testing, and Evaluation
Abstract
The emphasis placed on documentation by the Act and allied legislation is not surprising, since it is the formal expression of business activity. The flow of information throughout the enterprise is an electronic form of documentation. Text and graphics are the primary exhibits. Documentation exists in a number of forms, and all should be considered and addressed as part of the compliance process.
Terence Sheppey, Ross McGill
Chapter 19. Process and the Organization: Policies and Behavior
Abstract
For financial services, perhaps more than any other industry, the concept of a “process” is essential to defining its value to itself and to the world. It is used in a general sense, as a way of loosely grouping or referring to activities that have some kind of connection in a sequence; it is also used in a specific way by analysts and traders who link lender and borrower in a web of processes that crosses companies, markets, and borders. The threads of processes are the stuff of financial activities, especially in the electronic world of the information economy, where transactions rarely become “physical” and usually remain abstract.
Terence Sheppey, Ross McGill

Securing the Organization for Compliance

Frontmatter
Chapter 20. Risk Management
Abstract
Risk management has always been a fundamental aspect of financial services, and the minimization of risk is an ongoing goal which involves more than just the preservation of the assets of the company. Security and the trust engendered by security are critical to the willingness to take a risk through an investment. It is this fundamental trust that was so undermined by the misdemeanors that led to the Sarbanes-Oxley Act. Keeping the organization secure, and the activities of financial services secure, are objectives that are of paramount importance.
Terence Sheppey, Ross McGill
Chapter 21. Intellectual Capital
Abstract
Information is, without a doubt, the new “capital” of business. It is not an exaggeration to state that without reliable, accurate, and up-to-date information, the organization cannot operate. However, the deliberate sharing of information exposes enterprises to the risk of intellectual property (IP) loss. To protect this and gain the most from its potential, the complexity of intellectual capital must be acknowledged and its “life cycle” managed. When the Sarbanes-Oxley Act talks of documents, records, and reports, it is really referencing the information that is placed in the public domain to enable investors to make decisions. The assumption is that the better the quality of information, the more able the investor is to make a truly informed decision. This is a critical consideration.
Terence Sheppey, Ross McGill
Chapter 22. Information Security
Abstract
There are many approaches to building a satisfactory reference framework when considering how best to manage compliance. A framework that is gaining wide acceptance is the ISO 17799 standard.1 Although its focus is on information security, it has a number of synergies with the concerns raised by the Sarbanes-Oxley Act:
  • It stresses the importance of documenting compliance activities.
  • It has an emphasis on the confidentiality, integrity, and availability of information.
  • It stresses a structured approach to compliance, based on senior management authorization and a comprehensive acceptance of the need for all staff to be aware of and involved in the compliance effort.
Terence Sheppey, Ross McGill

Solutions for Compliance: Joining the Dots

Frontmatter
Chapter 23. Frameworks for Compliance: COSO and COBIT
Abstract
Although each organization is unique, culturally and operationally, and the financial sector has a great variety in the way its organizations operate and do business, there are nevertheless fundamental features that can be abstracted and considered to be common to all. The Act refers to organizations that are publicly listed on US stock exchanges. Our interest here is in financial services organizations. The PCAOB goes further in its assumptions, and establishes a key factor: any assertions on controls are no longer voluntary, but mandated by the Act, and they must be backed by evidence derived from a recognized internal control framework. It then makes specific reference to one framework, and insists that organizations should either adopt this control framework, or have frameworks that cover the competences through internal controls defined within that recommended framework. This is a key factor for compliance with the Act, and the reference model is that of COSO.
Terence Sheppey, Ross McGill
Chapter 24. Methodologies and Frameworks
Abstract
The support role of IT in the creation, transport, and life cycle of financial information implies that auditors must examine activities across the whole of IT. The challenge for the IT function lies in identifying where technology is vulnerable to causing material weaknesses in the financial process. IT internal auditors may have an approach that is influenced by business needs, but many IT departments have a technical focus, with hardly any awareness of the business functions they support. The department may have considerable controls over its processes, its measurement metrics, and reporting, with efficient auditing of infrastructure performance, capacity, and SLA assurance. However, there may be a very limited grasp of the content of financial data processed, transmitted, and managed through the systems.
Terence Sheppey, Ross McGill
Chapter 25. Professional Service Providers and Best Practice
Abstract
By the end of the 1980s there were eight large firms dominating this service market. This group forms the basis of today’s “Big Four.” The process towards merger and consolidation has been relentless. Economies of scale mean there are fewer skilled staff available today to work in a more complex and more heavily regulated market than there were during the 1980s. This factor reinforces the need for the compliance process to be supported as well as possible through in-house resources.
Terence Sheppey, Ross McGill
Chapter 26. The Benchmark Solution
Abstract
How far is an “ideal” response to the Act possible? Most legislation recognizes that corporate behavior is liable to stray from the ideal, or is at best flawed. The assumption of corporate governance is that we need to be vigilant in managing our activities so that they conform to a social ideal and operate within acceptable limits. What these limits are is often a point of considerable debate, one that is not generally resolved. Overall, such legislation is subject, like socio-political attempts at behavioral reform, to interests within society operating through pressure groups which attempt to sway legislation in one direction or another. Having recognized the pragmatic nature of regulation, the Act does however imply an ideal, as we have observed. It appears to assume a perfect organization, however impractical that concept might be. Attempts to comply must somehow be measurable against such an ideal.
Terence Sheppey, Ross McGill
Backmatter
Metadata
Title
Sarbanes-Oxley
Authors
Terence Sheppey
Ross McGill
Copyright Year
2007
Publisher
Palgrave Macmillan UK
Electronic ISBN
978-0-230-59802-7
Print ISBN
978-1-349-28256-2
DOI
https://doi.org/10.1057/9780230598027