Public Company Governance / Federal Law

SOX

Sarbanes-Oxley Act of 2002 (Pub. L. 107-204, 15 USC 7201-7266)

Legally Required Featured Framework

Federal law establishing comprehensive financial reporting, internal controls, and corporate governance requirements for public companies to protect investors from fraudulent accounting practices

Executive Summary

The Sarbanes-Oxley Act (SOX) was enacted July 30, 2002 in response to corporate accounting scandals (Enron, WorldCom, Tyco). SOX requires public companies to establish and maintain internal controls over financial reporting (ICFR). Section 302 requires CEO and CFO to certify accuracy of financial statements and effectiveness of disclosure controls. Section 404(a) requires management to assess and report on ICFR effectiveness. Section 404(b) requires independent auditor attestation of management's assessment (for accelerated filers). Section 802 criminalizes destruction of documents with penalties up to 20 years imprisonment. The Public Company Accounting Oversight Board (PCAOB) oversees auditors of public companies and issues auditing standards including AS 2201 (audit of ICFR).

Comprehensive Documentation

Sarbanes-Oxley Act (SOX)

Overview

The Sarbanes-Oxley Act of 2002 (SOX) is the most significant federal legislation governing public company financial reporting and corporate governance since the Securities Exchange Act of 1934. Enacted in response to major corporate accounting scandals (Enron, WorldCom, Tyco International, Adelphia), SOX fundamentally reformed corporate accountability, financial disclosures, and the accounting profession.

Key Purposes:

  • Protect investors from fraudulent accounting practices

  • Improve accuracy and reliability of corporate disclosures

  • Establish independent oversight of public company auditors

  • Strengthen corporate governance and accountability


Legislative Authority

  • Statute: Pub. L. 107-204 (July 30, 2002)

  • Codification: 15 USC 7201-7266 (Chapter 98 - Public Company Accounting Reform and Investor Protection)

  • Enforcement: Securities and Exchange Commission (SEC), Public Company Accounting Oversight Board (PCAOB), Department of Justice (criminal enforcement)

  • Effective Date: July 30, 2002


Applicability

Covered Entities

SOX applies to:

  1. Public Companies (Issuers):

- Companies with securities registered under Section 12 of Securities Exchange Act of 1934
- Companies required to file reports under Section 15(d) of Securities Exchange Act
- Includes foreign issuers with ADRs (American Depositary Receipts) trading in U.S.

  2. Accounting Firms:

- Public accounting firms auditing public companies
- Must register with PCAOB

  3. Officers and Directors:

- CEOs and CFOs (Section 302, 906)
- Audit committee members
- Board of directors

  4. Employees and Contractors:

- Whistleblower protections (Section 806)

Exemptions and Relief

Emerging Growth Companies (EGCs): Under JOBS Act of 2012:

  • Exempt from Section 404(b) auditor attestation

  • Must still comply with Section 404(a) management assessment

  • Exemption available for up to 5 years after IPO


Non-Accelerated Filers (market cap < $75M):
  • Exempt from Section 404(b) auditor attestation (permanent exemption since 2010)

  • Must comply with Section 404(a) management assessment


Smaller Reporting Companies (SRCs): Additional scaled disclosure options

Key Sections

Title I - Public Company Accounting Oversight Board (PCAOB)

Section 101: Establishment of PCAOB

  • Independent board overseeing auditors of public companies

  • Five members appointed by SEC

  • Two must be or have been CPAs


PCAOB Authority:
  1. Registration: All public company auditors must register with PCAOB

  2. Inspection: Regular inspections of registered public accounting firms

- Annual inspections for firms auditing >100 issuers
- Triennial inspections for smaller firms
  3. Standards: Issue auditing, quality control, ethics, independence standards

  4. Investigation and Discipline: Investigate and sanction auditors for violations


Key PCAOB Standards:
  • AS 2201: Audit of Internal Control Over Financial Reporting (ICFR)

  • AS 1015: Due Professional Care

  • AS 2301: Auditor's Responses to Risks of Material Misstatement


Title II - Auditor Independence

Section 201: Prohibited Non-Audit Services
Audit firms CANNOT provide these services to audit clients:

  1. Bookkeeping or other services related to accounting records or financial statements

  2. Financial information systems design and implementation

  3. Appraisal or valuation services, fairness opinions, contribution-in-kind reports

  4. Actuarial services

  5. Internal audit outsourcing services

  6. Management functions or human resources

  7. Broker-dealer, investment adviser, or investment banking services

  8. Legal services and expert services unrelated to the audit

  9. Any other service that the PCAOB determines is impermissible


Section 203: Audit Partner Rotation
  • Lead audit partner must rotate off engagement every 5 years

  • Concurring review partner must rotate every 5 years

  • 5-year time-out period before returning to engagement


Section 206: Conflicts of Interest
  • Audit firm CANNOT audit company if CEO, CFO, CAO, Controller, or equivalent was employed by audit firm and participated in audit during 1-year period before audit


Title III - Corporate Responsibility

Section 301: Audit Committee Requirements

All public company audit committees must:

  • Be composed entirely of independent directors

  • Establish procedures for receipt, retention, and treatment of complaints regarding accounting, internal controls, or auditing

  • Establish procedures for confidential, anonymous submission of concerns by employees

  • Have authority to engage independent counsel and advisors

  • Receive adequate funding from company to compensate advisors


Audit Committee Financial Expert: SEC rules require disclosure of whether audit committee has "financial expert" (or why not)

Section 302: Corporate Responsibility for Financial Reports

CEO and CFO Certification Requirements:

CEOs and CFOs must certify in each quarterly (10-Q) and annual (10-K) report that:

  1. Reviewed Report: Signing officer has reviewed the report

  2. No Misstatements: Report does not contain untrue statement of material fact or omit material fact

  3. Fair Presentation: Financial statements fairly present financial condition and results of operations

  4. Disclosure Controls: Signing officers are responsible for establishing and maintaining disclosure controls and procedures (DC&P)

  5. Internal Controls: Signing officers are responsible for establishing and maintaining internal control over financial reporting (ICFR)

  6. Evaluation: Signing officers have evaluated effectiveness of DC&P within 90 days prior to report

  7. Deficiencies Disclosed: Presented in report conclusions about effectiveness of DC&P

  8. Auditor and Audit Committee Notification: Disclosed to auditors and audit committee:

- All significant deficiencies and material weaknesses in ICFR
- Any fraud involving management or other employees with significant role in ICFR
  9. Changes: Indicated in report whether there were significant changes in ICFR or other factors affecting ICFR after evaluation


Criminal Penalties (Section 906):
  • Knowing Violation: Up to $1,000,000 fine and 10 years imprisonment

  • Willful Violation: Up to $5,000,000 fine and 20 years imprisonment


Section 303: Improper Influence on Audits

Officers and directors CANNOT fraudulently influence, coerce, manipulate, or mislead auditor engaged in audit for purpose of rendering financial statements materially misleading.

Prohibited Actions:

  • Issuing or reissuing document knowing it contains untrue statement

  • Providing materially false or misleading information

  • Omitting material fact necessary to make statements not misleading


Section 304: Forfeiture of Bonuses and Profits

If company required to restate financials due to material noncompliance resulting from misconduct:

  • CEO and CFO must reimburse company for:

- Bonuses or incentive/equity-based compensation received during 12 months following issuance of noncompliant financials
- Profits from sale of company securities during same period

Title IV - Enhanced Financial Disclosures

Section 401: Disclosures in Periodic Reports

Enhanced Disclosure Requirements:

  1. Off-Balance Sheet Arrangements: Disclose material off-balance sheet transactions, arrangements, obligations

  2. Pro Forma Financials: If presented, must reconcile to GAAP and not be misleading

  3. Material Correcting Adjustments: Disclose whether audit identified material correcting adjustments


Section 404: Management Assessment of Internal Controls

Section 404(a) - Management Assessment (ALL public companies; EGCs are exempt only from 404(b), not 404(a)):

Annual report (10-K) must contain:

  1. Internal Control Report: Statement of management's responsibility for establishing and maintaining adequate ICFR

  2. Framework: Identification of framework used to evaluate effectiveness (e.g., COSO 2013 Internal Control - Integrated Framework)

  3. Assessment: Management's assessment of effectiveness of ICFR as of end of fiscal year


Section 404(b) - Auditor Attestation (Accelerated filers and large accelerated filers ONLY):

Registered public accounting firm must attest to and report on management's assessment of ICFR.

Auditor Attestation Requirements (PCAOB AS 2201):

  • Express opinion on whether company maintained effective ICFR

  • Integrated audit approach (combine with financial statement audit)

  • Test design and operating effectiveness of controls

  • Identify and report material weaknesses and significant deficiencies


Filer Categories:
  • Large Accelerated Filer: Market cap ≥ $700M → Must comply with 404(a) and 404(b)

  • Accelerated Filer: $75M ≤ Market cap < $700M → Must comply with 404(a) and 404(b)

  • Non-Accelerated Filer: Market cap < $75M → Must comply with 404(a) ONLY (exempt from 404(b))

  • Emerging Growth Company (EGC): Exempt from 404(b) for up to 5 years after IPO


Section 409: Real-Time Issuer Disclosures

Companies must disclose on rapid and current basis material changes in financial condition or operations (via Form 8-K).

Title VIII - Corporate and Criminal Fraud Accountability

Section 802: Criminal Penalties for Document Destruction

Document Retention Requirements:

  • Audit Workpapers: 7 years retention

  • Electronic Records: Prohibition on destruction during federal investigation


Criminal Penalties:
  • Destruction of Audit Documents: Up to $250,000 fine (individuals), $500,000 fine (organizations), 10 years imprisonment

  • Destruction of Documents in Federal Investigation: Up to 20 years imprisonment


Title IX - White Collar Crime Penalty Enhancements

Section 906: Corporate Responsibility for Financial Reports (Criminal)

Criminal Certification Requirements: CEO and CFO criminal liability for certifying financial statements that do not comply with SEC requirements.

Penalties:

  • Knowing Violation: Up to $1,000,000 fine and 10 years imprisonment

  • Willful Violation: Up to $5,000,000 fine and 20 years imprisonment


Title XI - Corporate Fraud and Accountability

Section 1102: Tampering with Record or Impeding Investigation

Criminal Penalties:

  • Knowingly altering, destroying, or falsifying records with intent to obstruct investigation: Up to 20 years imprisonment


Section 1105: Authority of SEC to Prohibit Persons from Serving as Officers or Directors

SEC may prohibit persons from serving as officer or director if person violated securities fraud laws.

Section 1107: Retaliation Against Whistleblowers

Whistleblower Protection: Protects employees of public companies who report fraud.

Prohibited Retaliation:

  • Discharge, demote, suspend, threaten, harass, or discriminate against employee who lawfully provides information or assists in investigation of conduct that employee reasonably believes constitutes violation of securities fraud laws


Criminal Penalties: Up to 10 years imprisonment for retaliating against whistleblower

Internal Control Over Financial Reporting (ICFR)

COSO Framework

Most public companies use COSO 2013 Internal Control - Integrated Framework as evaluation framework for ICFR.

Five Components of Internal Control (COSO):

  1. Control Environment: Tone at the top, integrity, ethics, competence

  2. Risk Assessment: Identify and analyze risks to achievement of objectives

  3. Control Activities: Policies and procedures ensuring management directives carried out

  4. Information and Communication: Capture and communicate relevant information

  5. Monitoring Activities: Ongoing evaluations ensuring internal controls operating as intended


The framework's seventeen principles support these five components.

Material Weakness vs. Significant Deficiency

Material Weakness: Deficiency or combination of deficiencies in ICFR such that there is reasonable possibility that material misstatement of company's annual or interim financial statements will not be prevented or detected on timely basis.

Significant Deficiency: Deficiency or combination of deficiencies in ICFR that is less severe than material weakness, yet important enough to merit attention by those responsible for oversight of company's financial reporting.

Disclosure Requirements:

  • Material weaknesses MUST be disclosed in 10-K and 10-Q

  • Significant deficiencies MUST be communicated to audit committee (not required to be disclosed publicly)


PCAOB Auditing Standard AS 2201

AS 2201: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements

Key Requirements

  1. Integrated Audit: Audit of ICFR must be integrated with financial statement audit

  2. Top-Down Approach:

- Start with financial statements and understanding of overall risks
- Focus on entity-level controls
- Focus on accounts, disclosures, and assertions with reasonable possibility of material misstatement
- Verify company selected appropriate controls
  3. Test Design and Operating Effectiveness:

- Test design: Evaluate whether control designed appropriately
- Test operating effectiveness: Determine whether control operating as designed
  4. Use of Work of Others: May use work of internal auditors and others (with limitations)

  5. Form Opinion: Express opinion on whether company maintained effective ICFR

  6. Report Material Weaknesses: Identify and report material weaknesses in auditor's report


Compliance Timeline

| Date | Requirement |
|------|-------------|
| July 30, 2002 | SOX enacted into law |
| August 29, 2002 | CEO/CFO certifications (Section 302) effective |
| November 15, 2004 | Section 404(a) effective for accelerated filers |
| November 15, 2004 | Section 404(b) effective for large accelerated filers |
| July 2007 | Section 404(b) effective for accelerated filers |
| June 2010 | Non-accelerated filers permanently exempt from Section 404(b) |
| April 2012 | JOBS Act: EGCs exempt from Section 404(b) for up to 5 years |

Enforcement

SEC Enforcement

SEC Division of Enforcement investigates and prosecutes violations:

  • Section 302 certification violations

  • Section 404 internal control violations

  • Auditor independence violations

  • Financial fraud and misstatements


SEC Remedies:
  • Cease and desist orders

  • Civil monetary penalties

  • Disgorgement of ill-gotten gains

  • Officer and director bars (Section 1105)

  • Injunctions


PCAOB Enforcement

PCAOB Division of Enforcement and Investigations:

  • Investigates registered public accounting firms for violations

  • Sanctions include: censure, temporary or permanent suspension, revocation of registration, civil money penalties


Criminal Enforcement

Department of Justice (DOJ):

  • Prosecutes criminal violations (Sections 802, 906, 1102, 1107)

  • Wire fraud, securities fraud, conspiracy charges


Massachusetts Public Companies - Examples

Massachusetts-headquartered public companies subject to SOX include:

Technology:

  • Thermo Fisher Scientific (TMO) - Large Cap

  • Akamai Technologies (AKAM)

  • Cognex Corporation (CGNX)


Biotechnology/Pharmaceuticals:
  • Biogen (BIIB) - Large Cap

  • Moderna (MRNA)

  • Vertex Pharmaceuticals (VRTX)

  • Takeda Pharmaceutical (TAK) - Foreign issuer


Financial Services:
  • State Street Corporation (STT) - Large Cap

  • Berkshire Hills Bancorp (BHLB)

  • Independent Bank Corp. (INDB)


Retail:
  • TJX Companies (TJX) - Large Cap

  • BJ's Wholesale Club (BJ)

  • Wayfair (W)


Industrial/Aerospace:
  • Raytheon Technologies (RTX) - Large Cap (now merged)

  • Boston Scientific (BSX) - Large Cap


Other:
  • General Electric (GE) - Large Cap (historically MA-based)

  • Eversource Energy (ES)


All of these companies must comply with Sections 302 and 404(a), and, if they are accelerated filers, with Section 404(b) as well.

Compliance Checklist

Section 302 - CEO/CFO Certification

  • [ ] Quarterly and Annual Certifications:

- [ ] CEO signs Section 302 certification for each 10-Q and 10-K
- [ ] CFO signs Section 302 certification for each 10-Q and 10-K
- [ ] Certifications include all required statements (9 elements)

  • [ ] Disclosure Controls and Procedures (DC&P):

- [ ] Establish and maintain DC&P
- [ ] Evaluate effectiveness of DC&P within 90 days before each report
- [ ] Disclose conclusions about DC&P effectiveness in report

  • [ ] Deficiency Disclosure:

- [ ] Disclose all significant deficiencies and material weaknesses to auditors and audit committee
- [ ] Disclose fraud involving management or employees with significant ICFR role

Section 404(a) - Management Assessment

  • [ ] Internal Control Framework:

- [ ] Select recognized framework (e.g., COSO 2013)
- [ ] Document framework in 10-K

  • [ ] Management's Report:

- [ ] Include in annual 10-K
- [ ] State management's responsibility for ICFR
- [ ] Identify framework used
- [ ] Provide assessment of ICFR effectiveness as of fiscal year-end

  • [ ] Internal Control Documentation:

- [ ] Document key processes and controls
- [ ] Identify significant accounts and disclosures
- [ ] Document control design
- [ ] Perform walkthroughs

  • [ ] Testing:

- [ ] Test design effectiveness of controls
- [ ] Test operating effectiveness of controls
- [ ] Remediate deficiencies before year-end

Section 404(b) - Auditor Attestation (Accelerated Filers Only)

  • [ ] Auditor Engagement:

- [ ] Engage registered public accounting firm (PCAOB-registered)
- [ ] Auditor performs integrated audit (ICFR + financial statements)

  • [ ] Auditor Report on ICFR:

- [ ] Auditor issues opinion on effectiveness of ICFR per AS 2201
- [ ] Opinion included in 10-K

Section 802 - Document Retention

  • [ ] Audit Workpaper Retention:

- [ ] Retain audit workpapers for 7 years
- [ ] Retain supporting documentation for financial statements

  • [ ] Litigation Hold:

- [ ] Do NOT destroy documents during federal investigation
- [ ] Implement litigation hold procedures

Audit Committee Requirements (Section 301)

  • [ ] Independence:

- [ ] All audit committee members are independent directors

  • [ ] Financial Expert:

- [ ] Designate at least one "audit committee financial expert" (or disclose why not)

  • [ ] Whistleblower Procedures:

- [ ] Establish procedures for receipt, retention, treatment of complaints
- [ ] Establish procedures for confidential, anonymous employee submissions
- [ ] Communicate procedures to employees

  • [ ] Authority and Funding:

- [ ] Authority to engage independent counsel and advisors
- [ ] Adequate funding for advisors

Auditor Independence (Title II)

  • [ ] Prohibited Services:

- [ ] Do NOT engage audit firm for prohibited non-audit services (bookkeeping, valuation, actuarial, internal audit outsourcing, etc.)

  • [ ] Audit Partner Rotation:

- [ ] Lead audit partner rotates every 5 years
- [ ] Concurring review partner rotates every 5 years

  • [ ] Cooling-Off Period:

- [ ] Do NOT hire CEO, CFO, CAO, Controller from audit firm if they worked on audit within prior year

Related Frameworks

  • COSO 2013 Internal Control - Integrated Framework: Widely used framework for evaluating ICFR

  • COSO ERM Framework: Enterprise Risk Management framework

  • PCAOB Auditing Standards: AS 2201, AS 1015, AS 2301, and others

  • SEC Reporting Requirements: Regulation S-K, Regulation S-X

  • GLBA: Financial institutions that are also public companies must comply with both SOX and GLBA

  • HIPAA: Healthcare public companies must comply with both SOX and HIPAA

  • FCPA: Foreign Corrupt Practices Act (internal controls requirements overlap with SOX)


Resources

Official Sources


  • SEC Sarbanes-Oxley Page: https://www.sec.gov/spotlight/sarbanes-oxley.htm

  • Full Text of Law (Congress.gov): https://www.congress.gov/107/plaws/publ204/PLAW-107publ204.pdf

  • 15 USC Chapter 98 (SOX Codification): https://uscode.house.gov/view.xhtml?path=/prelim@title15/chapter98&edition=prelim

  • PCAOB Website: https://pcaobus.org

  • PCAOB AS 2201: https://pcaobus.org/oversight/standards/auditing-standards/details/AS2201

  • SEC Final Rule - Section 404: https://www.sec.gov/rules/final/33-8238.htm

  • GPO Official Text: https://www.gpo.gov/fdsys/pkg/PLAW-107publ204/html/PLAW-107publ204.htm


Guidance Documents


  • COSO 2013 Framework: https://www.coso.org/guidance-on-internal-control

  • SEC Staff Guidance: https://www.sec.gov/info/accountants/about.shtml

  • PCAOB Staff Guidance: https://pcaobus.org/oversight/standards/staff-guidance

Applicable Industries

  • All Public Companies (regardless of industry)

  • Financial Services (Banks, Insurance, Securities)

  • Technology and Software

  • Biotechnology and Pharmaceuticals

  • Healthcare and Medical Devices

  • Retail and Consumer Goods

  • Manufacturing and Industrial

  • Energy and Utilities

  • Real Estate Investment Trusts (REITs)

  • Telecommunications

Company Size

All public companies with securities registered under Section 12 or required to file reports under Section 15(d) of the Securities Exchange Act of 1934. Section 404(b) auditor attestation applies only to accelerated filers (market cap ≥ $75M); non-accelerated filers and emerging growth companies are exempt from 404(b).

Effective Date

7/30/2002

Penalties for Non-Compliance

  • Section 906 Criminal Penalties: Up to $5,000,000 fine and 20 years imprisonment for willful false certification

  • Section 802: Up to 20 years imprisonment for document destruction

  • Section 1107: Up to 10 years imprisonment for whistleblower retaliation

  • SEC Civil Remedies: Cease and desist orders, civil monetary penalties, disgorgement, officer/director bars

  • PCAOB Sanctions: Censure, suspension, revocation of registration, civil money penalties

For Massachusetts Companies

This is a mandatory federal framework that applies to Massachusetts companies in applicable industries. Non-compliance can result in significant penalties.

Applicable Massachusetts Industries