Sarbanes-Oxley Act: FAQs

1. What is the Sarbanes-Oxley Act?

The Sarbanes-Oxley Act, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 (SarbOx or SOX for short), is legislation passed in the wake of the Enron and WorldCom accounting scandals to protect shareholders and the public from fraudulent accounting practices. SarbOx sets out which accounting records must be kept and for how long, and makes senior executives personally accountable for the accuracy of their company's financial reports.

The act is named after its two sponsors, Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH).

2. Who has to comply with the provisions of the Sarbanes-Oxley Act (SarbOx)?

Every publicly traded company in the United States, as well as every foreign company whose securities are registered with the Securities and Exchange Commission (for example, one listed on a U.S. exchange), is subject to the provisions of SarbOx. Certain provisions also apply to private companies that are preparing to go public through an initial public offering (IPO).

3. What does Sarbanes-Oxley compliance require?

All applicable companies must establish a financial accounting framework that can generate financial reports that are readily verifiable with traceable source data. This source data must remain intact and cannot undergo undocumented revisions. In addition, any revisions to financial or accounting software must be fully documented as to what was changed, why, by whom, and when.

An applicable company is required to disclose to the public, in immediate fashion, material changes in its financial conditions or operations. These disclosures are to be made in a way that is easily understood.

It is a crime for any person to corruptly alter, destroy, mutilate, or conceal any document with the intent to impair the document’s integrity for use in an official proceeding.

4. How long does the Sarbanes-Oxley Act (SarbOx) require a company to retain its electronic records?

Section 802 of SarbOx requires the auditor of a public company to retain the audit work papers and related records, including electronic records and messages, for at least five years after the end of the fiscal period in which the audit was concluded; the SEC's implementing rule (Regulation S-X, Rule 2-06) extends that period to seven years. The Act itself does not set a single retention period for every business record, but the financial records and electronic messages that underlie a company's reports are normally kept for at least as long, so that the audit trail described in Question 3 remains verifiable.

5. Who exactly is responsible for maintaining the records required by the Sarbanes-Oxley Act (SarbOx)?

A company’s CEO and CFO are directly responsible for the accuracy, documentation, and submission of all financial reports to the Securities and Exchange Commission. Reincorporating outside the United States does not lessen the legal effect of this act.

6. What does Sarbanes-Oxley require in a financial report?

Section 404 of the Sarbanes-Oxley Act requires that every annual financial report include an internal control report.

An internal control report is (1) a statement of management’s responsibility for establishing and maintaining adequate internal control over the company’s financial reporting; (2) management’s assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year; (3) a statement that identifies the framework that management uses to evaluate the effectiveness of the company’s internal control over financial reporting; and (4) a statement whether the registered public accounting firm responsible for auditing the company’s financial statements in the annual report has issued an attestation report on management’s assessment of the company’s internal control over financial reporting.

7. Who administers the provisions of the Sarbanes-Oxley Act (SarbOx)?

The Securities and Exchange Commission (SEC) administers the provisions of SarbOx, publishes the rules for compliance and sets the deadlines for it. In addition to the SEC's basic implementation of SarbOx, the act also created a new quasi-public agency called the Public Company Accounting Oversight Board (PCAOB).

8. What is the mission of the Public Company Accounting Oversight Board (PCAOB)?

The stated mission of the PCAOB is “to oversee the auditors of public companies in order to protect the interests of investors and further public interest in the preparation of informative, fair, and independent audit reports.”

To carry out this mission, the Sarbanes-Oxley Act gives the PCAOB powers such as setting auditing and quality control standards for the preparation of issuers' audit reports, conducting inspections of registered public accounting firms, and conducting disciplinary proceedings and imposing sanctions, including fines, on registered accounting firms and their employees.

9. How does the Public Company Accounting Oversight Board (PCAOB) ensure compliance?

In addition to its investigative powers, the PCAOB has the power to compel audit firms, and any person associated with an audit firm, to testify or produce documents. If a firm or individual refuses to comply with such a request, the PCAOB has the power to suspend or debar that firm or person from the public audit industry.

Where the PCAOB's own authority is insufficient, it can ask the Securities and Exchange Commission to issue subpoenas on its behalf.

10. So who oversees the Public Company Accounting Oversight Board (PCAOB)?

The Securities and Exchange Commission (SEC) oversees the PCAOB. Any individual or audit firm subject to the PCAOB’s oversight may appeal any decision or disciplinary action to the SEC, which has the power to modify or overturn any such decision.

The Sarbanes-Oxley Act gives the SEC the power to inspect the PCAOB and to censure or remove PCAOB board members for cause.

11. What are the penalties for noncompliance with Sarbanes-Oxley?

Besides lawsuits and negative publicity, under Section 906 a corporate officer who certifies a periodic report knowing that it does not comply with the Act's requirements is subject to a fine of up to $1 million and up to ten years in prison. An officer who willfully certifies such a report is subject to a fine of up to $5 million and up to twenty years in prison.

12. What is the origin of the Sarbanes-Oxley Act?

The Sarbanes-Oxley Act of 2002, also known as SOX, was passed after the accounting scandals at Enron, WorldCom, Global Crossing and Tyco, and the collapse of the audit firm Arthur Andersen. These scandals resulted in billions of dollars in corporate and investor losses, which damaged the financial markets and general investor trust.

13. Who needs to comply with Sarbanes-Oxley?

Publicly traded companies in the United States, including all of their wholly owned subsidiaries, and non-U.S. companies whose securities are registered with the SEC are affected. Private companies that are preparing an initial public offering (IPO) will also need to comply with certain provisions of Sarbanes-Oxley.

14. When is Sarbanes-Oxley compliance due?

All parts of the Sarbanes-Oxley Act, with the exception of Section 409, are already in effect. An accelerated filer (a U.S. company with a public float of at least $75 million that has filed at least one annual report with the SEC) must comply with the SOX 404 requirements for its first fiscal year ending on or after November 15, 2004. A non-accelerated filer must begin to comply for its first fiscal year ending on or after July 15, 2006.

15. What is the Sarbanes-Oxley Act comprised of?

The SOX Act is made up of eleven titles, but Sections 302, 401, 404, 409, 802 and 906 are the most important in terms of compliance. Section 404 causes the most difficulty for compliance. The Sarbanes-Oxley Act established:
– new accountability standards for corporate boards and auditors,
– a Public Company Accounting Oversight Board (PCAOB) under the Securities and Exchange Commission (SEC),
– specified civil and criminal penalties for noncompliance.

16. What penalties are applied if you are not compliant with Sarbanes-Oxley?

In addition to lawsuits and negative publicity, a company officer who certifies a periodic report knowing that it does not comply with the Act's requirements is subject to a fine of up to $1 million and up to ten years in prison. If it is proved that the officer willfully certified a non-compliant report, the fine can be up to $5 million and the prison term up to twenty years.

17. What does Sarbanes-Oxley compliance require?

All applicable companies must establish a financial accounting framework that can generate recurring financial reports that are readily verifiable against traceable source data. This source data must remain intact and must not undergo undocumented revisions. In addition, any revision to financial or accounting software must be fully documented as to what was changed, why, by whom and when.

18. What overall process is followed for IT risk and control evaluations?

Management first identifies and prioritizes the elements of financial reporting and the critical business processes that feed directly into them. The key applications that support those critical business processes are then documented. Next, the related technology components and general IT controls (for example, change management, access and physical security, and backup and recovery) that provide assurance of processing and data integrity for the key applications are identified. Finally, the resulting documentation and evaluation work is mapped back to the associated business processes.

19. What process does PlanetMagpie follow?

We follow established best practices. We first assess your IT environment, then provide a project scope and plan that outlines our steps, the specific approach and timelines. We then audit your company's IT change management processes, physical security, firewall security, and backup and recovery plans. The next step is to deliver documentation of your policies and procedures. Finally, we conduct remediation and testing and build a risk matrix.

20. I have already passed SOX last year with the help of another vendor. Why should I hand this over to PlanetMagpie?

We strongly recommend engaging your SOX consultant early for next year's SOX review. PlanetMagpie will review your organization's existing documentation at no charge. We differ from many of the other companies that provide SOX compliance assistance on the IT side in that we did not spring up just to take advantage of the SOX opportunity. PlanetMagpie has been in business for over 8 years providing IT consulting, online services and network support, and our focus is not just Sarbanes-Oxley. When engaged as a Sarbanes-Oxley compliance partner, we create policies, tests and controls, and remediate any issues that come out of our testing of the current IT environment. We are consistent in our approach and will establish a process that is repeatable and sustainable for your company's continued compliance.

21. I don’t have to be compliant until next year due to the extension that was provided by the government. When should I start the SOX process?

A first Sarbanes-Oxley compliance effort is highly time consuming and very often takes longer than expected. The rule is simple: the earlier the better. If your compliance is late you will not only face substantial financial penalties, but you will also have difficulty finding help, as many SOX consultants will be heavily engaged in 2006 with late filers.

22. Should I split the IT and financial portions of SOX and work with 2 different consultants?

The advantage of splitting the IT and financial portions is that you have a dedicated consulting expert for each of IT and accounting. PlanetMagpie has conducted a number of SOX IT engagements and has deep and broad knowledge of IT. If you prefer a full-service provider, PlanetMagpie can offer both the IT and the financial portions of SOX through our exclusive partnership with a renowned accounting firm.