
CHAPTER- 01

Introduction
The Sarbanes-Oxley Act of 2002, also known as the 'Public Company Accounting
Reform and Investor Protection Act' and 'Corporate and Auditing Accountability and
Responsibility Act' and commonly called Sarbanes-Oxley, Sarbon or SOX, is a United
States federal law enacted on July 30, 2002. It is named after sponsors U.S.
Senator Paul Sarbanes and U.S. Representative Michael G. Oxley. The bill was enacted
as a reaction to a number of major corporate and accounting scandals including those
affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. These
scandals, which cost investors billions of dollars when the share prices of affected
companies collapsed, shook public confidence in the nation's securities markets. The act
is regarded as the most sweeping securities legislation since the Securities and Exchange
Act of 1934.
The legislation set new or enhanced standards for all U.S. public company boards,
management and public accounting firms. It does not apply to privately held companies.
The act contains 11 titles, or sections, ranging from additional corporate board
responsibilities to criminal penalties, and requires the Securities and Exchange
Commission (SEC) to implement rulings on requirements to comply with the new law.
Harvey Pitt, the 26th chairman of the Securities and Exchange Commission (SEC), led
the SEC in the adoption of dozens of rules to implement the Sarbanes-Oxley Act. It
created a new, quasi-public agency, the Public Company Accounting Oversight Board, or
PCAOB, charged with overseeing, regulating, inspecting and disciplining accounting
firms in their roles as auditors of public companies. The act also covers issues such as
auditor independence, corporate governance, internal control assessment, and enhanced
financial disclosure.

History and context of SOX


The Enron scandal deeply influenced the development of new regulations to improve the
reliability of financial reporting, and increased public awareness about the importance of
having accounting standards that show the financial reality of companies and the
objectivity and independence of auditing firms. One consequence of these events was the
passage of the Sarbanes-Oxley Act in 2002, as a result of the first admissions of fraudulent
behavior made by Enron. The act significantly raises criminal penalties for securities
fraud, for destroying, altering or fabricating records in federal investigations, and for any
scheme or attempt to defraud shareholders.
A variety of complex factors created the conditions and culture in which a series of large
corporate frauds occurred between 2000-2002. The spectacular, highly-publicized frauds
at Enron, WorldCom, and Tyco exposed significant problems with conflicts of interest
and incentive compensation practices. The analysis of their complex and contentious root
causes contributed to the passage of SOX in 2002. In a 2004 interview, Senator Paul
Sarbanes stated:

The Senate Banking Committee undertook a series of hearings on the problems in the
markets that had led to a loss of hundreds and hundreds of billions, indeed trillions of
dollars in market value. The hearings set out to lay the foundation for legislation. We
scheduled 10 hearings over a six-week period, during which we brought in some of the
best people in the country to testify...The hearings produced remarkable consensus on the
nature of the problems: inadequate oversight of accountants, lack of auditor
independence, weak corporate governance procedures, stock analysts' conflict of
interests, inadequate disclosure provisions, and grossly inadequate funding of the
Securities and Exchange Commission.

Auditor conflicts of interest: Prior to SOX, auditing firms, the primary financial
"watchdogs" for investors, were self-regulated. They also performed significant
non-audit or consulting work for the companies they audited. Many of these
consulting agreements were far more lucrative than the auditing engagement. This
presented at least the appearance of a conflict of interest. For example,
challenging the company's accounting approach might damage a client
relationship, conceivably placing a significant consulting arrangement at risk,
damaging the auditing firm's bottom line.

Boardroom failures: Boards of Directors, specifically Audit Committees, are
charged with establishing oversight mechanisms for financial reporting in U.S.
corporations on the behalf of investors. These scandals identified Board members
who either did not exercise their responsibilities or did not have the expertise to
understand the complexities of the businesses. In many cases, Audit Committee
members were not truly independent of management.

Securities analysts' conflicts of interest: The roles of securities analysts, who
make buy and sell recommendations on company stocks and bonds, and
investment bankers, who help provide companies loans or handle mergers and
acquisitions, provide opportunities for conflicts. Similar to the auditor conflict,
issuing a buy or sell recommendation on a stock while providing lucrative
investment banking services creates at least the appearance of a conflict of
interest.

Inadequate funding of the SEC: The SEC budget has steadily increased to
nearly double the pre-SOX level. In the interview cited above, Sarbanes indicated
that enforcement and rule-making are more effective post-SOX.

CHAPTER- 02

Overview: Sarbanes-Oxley Act


The Sarbanes-Oxley Act is a federal law enacted in 2002 that introduced major reforms in
corporate governance and financial reporting. The act (also called the Corporate
Responsibility Act) is regarded as the most sweeping securities legislation since the
Securities and Exchange Act of 1934, which established the Securities and Exchange
Commission and federal regulation of the securities industry. Among its provisions,
Sarbanes-Oxley established an independent five-member watchdog agency, the Public
Company Accounting Oversight Board (PCAOB), to oversee audits of public company
financial statements; required corporate financial officers to certify accuracy of financial
statements; required public companies to certify in annual reports the effectiveness of
internal controls on financial reporting; banned corporate loans to executives and
directors; and required companies to have procedures for handling whistleblower
complaints concerning questionable accounting or auditing practices.
The Sarbanes-Oxley Act introduced major changes to the regulation of
corporate governance and financial practice. It is named after Senator Paul Sarbanes and
Representative Michael Oxley, who were its main architects, and it set a number of
non-negotiable deadlines for compliance.
The Sarbanes-Oxley Act is arranged into eleven 'titles'. As far as compliance is
concerned, the most important sections within these eleven titles are usually considered
to be 302, 401, 404, 409, 802 and 906.
The Act's 11 titles describe specific mandates and requirements for financial reporting.
Each title consists of several sections, summarized below.
1. Public Company Accounting Oversight Board (PCAOB)
Title I consists of nine sections and establishes the Public Company Accounting
Oversight Board, to provide independent oversight of public accounting firms
providing audit services ("auditors"). It also creates a central oversight board
tasked with registering auditors, defining the specific processes and procedures
for compliance audits, inspecting and policing conduct and quality control, and
enforcing compliance with the specific mandates of SOX.
2. Auditor Independence
Title II consists of nine sections and establishes standards for external auditor
independence, to limit conflicts of interest. It also addresses new auditor approval
requirements, audit partner rotation, and auditor reporting requirements. It
restricts auditing companies from providing non-audit services (e.g., consulting)
for the same clients.
3. Corporate Responsibility
Title III consists of eight sections and mandates that senior executives take
individual responsibility for the accuracy and completeness of corporate financial
reports. It defines the interaction of external auditors and corporate audit
committees, and specifies the responsibility of corporate officers for the accuracy
and validity of corporate financial reports. It enumerates specific limits on the
behaviors of corporate officers and describes specific forfeitures of benefits and
civil penalties for non-compliance.
4. Enhanced Financial Disclosures
Title IV consists of nine sections. It describes enhanced reporting requirements
for financial transactions, including off-balance-sheet transactions, pro-forma
figures and stock transactions of corporate officers. It requires internal controls
for assuring the accuracy of financial reports and disclosures, and mandates both
audits and reports on those controls. It also requires timely reporting of material
changes in financial condition and specific enhanced reviews by the SEC or its
agents of corporate reports.
5. Analyst Conflicts of Interest
Title V consists of only one section, which includes measures designed to help
restore investor confidence in the reporting of securities analysts. It defines the
codes of conduct for securities analysts and requires disclosure of knowable
conflicts of interest.
6. Commission Resources and Authority
Title VI consists of four sections and defines practices to restore investor
confidence in securities analysts. It also defines the SEC's authority to censure or
bar securities professionals from practice and defines conditions under which a
person can be barred from practicing as a broker, advisor, or dealer.
7. Studies and Reports
Title VII consists of five sections and requires the Comptroller General and the
SEC to perform various studies and report their findings. Studies and reports
include the effects of consolidation of public accounting firms, the role of credit
rating agencies in the operation of securities markets, securities violations and
enforcement actions, and whether investment banks assisted Enron, Global
Crossing and others to manipulate earnings and obfuscate true financial
conditions.
8. Corporate and Criminal Fraud Accountability
Title VIII consists of seven sections and is also referred to as the Corporate and
Criminal Fraud Act of 2002. It describes specific criminal penalties for
manipulation, destruction or alteration of financial records or other interference
with investigations, while providing certain protections for whistle-blowers.

9. White Collar Crime Penalty Enhancement
Title IX consists of six sections. This section is also called the White Collar
Crime Penalty Enhancement Act of 2002. This section increases the criminal
penalties associated with white-collar crimes and conspiracies. It recommends
stronger sentencing guidelines and specifically adds failure to certify corporate
financial reports as a criminal offense.
10. Corporate Tax Returns
Title X consists of one section. Section 1001 states that the Chief Executive
Officer should sign the company tax return.
11. Corporate Fraud Accountability
Title XI consists of seven sections. Section 1101 recommends a name for this title
as "Corporate Fraud Accountability Act of 2002". It identifies corporate fraud
and records tampering as criminal offenses and joins those offenses to specific
penalties. It also revises sentencing guidelines and strengthens their penalties.
This enables the SEC to resort to temporarily freezing transactions or payments
that have been deemed "large" or "unusual".

Major Provisions of the Sarbanes-Oxley Act


Here are the major provisions of the act:

CEOs and CFOs are held responsible for their companies' financial reports

Executive officers and directors may not solicit or accept loans from their
companies

Insider trades are reported more quickly

Insider trades are prohibited during pension-fund blackout periods

Mandatory disclosure of CEO and CFO compensation and profits

Mandatory internal audits and review and certification of those audits by outside
auditors

Criminal and civil penalties for securities violations

Longer jail sentences and larger fines for executives who intentionally misstate
financial statements

Audit firms may no longer provide actuarial, legal, or consulting services to
firms they audit

Publicly traded companies must establish internal financial controls and have
those controls audited annually

This last provision is of concern primarily for large companies, and is commonly referred
to as SOX 404 compliance. It requires publicly traded companies to institute
comprehensive internal controls on their finances, as well as have their policies regularly
reviewed by outside firms. While this might not affect your small business, it is having a
significant impact on big ones: Companies with revenues of more than $5 billion are
spending an average of $4.3 million just to achieve SOX 404 compliance!

CHAPTER- 03

The Purpose of the Sarbanes-Oxley Act


The Sarbanes-Oxley Act, passed by the U.S. House of Representatives in 2002, attempts
to bring improved principles and accountability to the operations of companies in the
U.S. It has been considered a major, comprehensive piece of legislation in recent years in US
business security affairs. Non-compliance with the law attracts major penalties for company
boards.
The purpose of Sarbanes-Oxley is to keep large businesses from financial deception
and from misleading their investors and shareholders. Basically, this act is for protecting
investors from public companies. It acts as a shield that keeps investors from losing their assets
unfairly. Investors are also protected from being misguided into investing in a
business.
The Sarbanes-Oxley Act, as discussed earlier, contains eleven major sections, ranging
from extra corporate board duties to punishment. The SEC oversees the implementation of
the Sarbanes-Oxley Act. It checks that issuers report and file records properly
and on time. This activity in turn prevents companies from presenting a misleading or inaccurate
financial standing.
Three important points of SOX influence the management of company records. The
first point restricts the destruction, alteration, and falsification of records or documents. A
person who attempts these activities faces severe penalties and imprisonment. The second
point is that businesses must follow a set of guidelines concerning communications
recording, audits, records etc. Though the Sarbon Act keeps large corporations from
fraudulent behavior, it has placed certain accidental burdens on smaller businesses, making
it difficult for them to grow and flourish. Compliance with this act is not a heavy task.

CHAPTER- 04

Economic Impact of Sarbanes-Oxley: Size Does Matter


An event study analysis was employed to examine the market reaction to congressional
agreement on the passage of the Sarbanes-Oxley Act of 2002. The finding was
that as firm size increases, the negative impact of Sarbanes-Oxley's passage decreases.
The results show that the difference in abnormal returns between the smallest and largest
firms is 3.91%.

The Corporate Context of Sarbanes-Oxley

In a volatile world, burdened by corporate scandals and a decline in investors' confidence,
lawmakers crafted the Sarbanes-Oxley Act of 2002 (hereafter abbreviated as SOX) with
an enthusiastic desire for corrective action. Passed by Congress as a reaction to financial
scandals such as Enron, WorldCom, Adelphia, Global Crossing, and Tyco, SOX enhanced
standards for corporate accountability and penalties for corporate wrongdoing. SOX
contains 11 extensive titles, ranging from extra responsibilities for audit committees to
tougher criminal penalties for white-collar crimes such as securities fraud. In plain
English, the objective of the law was to make financial reporting more transparent and
executives more accountable, changes that were ultimately planned to restore investors'
confidence in financial markets and enhance corporate governance.
SOX requires executives, boards of directors, and independent auditors to take specific
actions that are intended to produce more reliable, timely, and useful financial
information to the public. Greater transparency and more reliability in corporate reporting
means that companies function in a moral and ethical environment that enhances their
credibility. This is a key benefit that should lower the firm's cost of capital, which may
improve growth. Thus, at least theoretically, SOX could provide a win-win situation for
both companies and investors.
Although many agreed that the changes to the corporate governance system in the U.S.
were necessary, some now believe that SOX has imposed an unnecessary burden on
companies because of its high compliance costs. A challenging issue is Section 404 of
SOX, Management Assessment of Internal Controls, which requires publicly held firms
to identify financial reporting risks, establish related controls, assess their effectiveness,
fix any material control deficiencies, and then re-test and re-document all of the above. A
March 2005 survey by Financial Executives International shows that the first year
compliance costs on Section 404 of SOX alone averaged $4.36 million per company, and
large companies with more than $5 billion in revenues spent more than $10 million per
company.
Critics argue that for many firms, the costs of complying with SOX outweigh the
benefits. For example, these costs are unreasonably high for small firms. If the
compliance costs are at least in part fixed, small firms may bear a disproportionate
burden. The American Electronics Association (AEA) claims that Section 404
compliance costs serve as a "regressive tax on small business." The purpose of this
study is to examine the market impact of the enactment of SOX, in an effort to determine
the market's reaction to the passage of this regulation with respect to firm size.
While the true costs of SOX compliance are not easy to measure, the benefits are even
more difficult to estimate. The promised benefits of SOX, which include more
transparent disclosure, improved corporate governance, and enhanced investor
confidence, are difficult to measure in the short run. Thus, to investigate the impact of
SOX on firms of different sizes, we use an event study analysis. Using an event study
methodology allows us to gauge, in a single framework, the market's perspective of the
benefits versus the costs of SOX. In particular, we find that small firms experienced a
much larger negative abnormal return on the day that Congress agreed on the passage of
SOX than did large firms. We find an almost monotonic relationship between firm size
and adverse impact of SOX. In the next section, we discuss the major provisions of SOX,
and we detail some of the provisions that have resulted in the highest compliance costs.
In addition, we discuss how these costs are disproportionately burdensome to small firms.

Firm Size and the Impact of the Passage of SOX

Firms in the smallest market capitalization quintile have market capitalizations less than
$22.14 million, and firms in the largest quintile have market capitalizations over $2.45
billion. As a reference, firms in quintile 3 have market capitalizations between $70.9
million and $227 million. As can be seen in Exhibit 3, firms in the two smallest market
capitalization quintiles experienced the largest negative abnormal returns (i.e., the largest
adverse economic impact), while firms in the largest-volume quintile experienced slightly
positive abnormal returns. This indicates that small firms lost 3% of their value, while
large firms actually experienced a very small increase in value, while controlling for
general market movements on the day that the House and Senate agreed on the final SOX
legislation. These negative abnormal returns for small firms are both economically and
statistically significant, and provide evidence of an uneven burden borne by small firms.

Cost-benefits of Sarbanes-Oxley through an analysis


A significant body of academic research and opinion exists regarding the costs and
benefits of SOX, with significant differences in conclusions. This is due in part to the
difficulty of isolating the impact of SOX from other variables affecting the stock market
and corporate earnings.
Conclusions from several of these studies and related criticism are summarized below:
Compliance costs

FEI Survey (Annual): Financial Executives International (FEI) provides an annual
survey on SOX Section 404 costs. These costs have continued to decline relative
to revenues since 2004. The 2007 study indicated that, for 168 companies with
average revenues of $4.7 billion, the average compliance costs were $1.7 million
(0.036% of revenue). The 2006 study indicated that, for 200 companies with
average revenues of $6.8 billion, the average compliance costs were $2.9 million
(0.043% of revenue), down 23% from 2005. Costs for decentralized companies
(i.e., those with multiple segments or divisions) were considerably more than those for
centralized companies. Survey scores related to the positive effect of SOX on
investor confidence, reliability of financial statements, and fraud prevention
continue to rise. However, when asked in 2006 whether the benefits of
compliance with Section 404 have exceeded costs in 2006, only 22 percent
agreed.

Foley & Lardner Survey (2007): This annual study focused on changes in the total
costs of being a U.S. public company, which were significantly affected by SOX.
Such costs include external auditor fees, directors and officers (D&O) insurance,
board compensation, lost productivity, and legal costs. Each of these cost
categories increased significantly between FY2001-FY2006. Nearly 70% of
survey respondents indicated public companies with revenues under $251 million
should be exempt from SOX Section 404.

Zhang (2005): This research paper estimated SOX compliance costs as high as
$1.4 trillion, by measuring changes in market value around key SOX legislative
"events." This number is based on the assumption that SOX was the cause of
related short-duration market value changes, which the author acknowledges as a
drawback of the study.

Benefits to firms and investors

This research paper indicated that SOX 404 indeed led to conservative reported
earnings, but also reduced, rightly or wrongly, stock valuations of small firms.
Lower earnings often cause the share price to decrease (2007).

Their book proposed a comprehensive overhaul or repeal of SOX and a variety of
other reforms. For example, they indicate that investors could diversify their stock
investments, efficiently managing the risk of a few catastrophic corporate failures,
whether due to fraud or competition. However, if each company is required to
spend a significant amount of money and resources on SOX compliance, this cost
is borne across all publicly traded companies and therefore cannot be diversified
away by the investor (2006).

This research paper indicates that borrowing costs are lower for companies that
improved their internal control, by between 50 and 150 basis points (.5 to 1.5
percentage points) (2006).

A study of a population of nearly 2,500 companies indicated that those with no
material weaknesses in their internal controls, or companies that corrected them in
a timely manner, experienced much greater increases in share prices than
companies that did not.[20][21] The report indicated that the benefits to a compliant
company in share price (10% above Russell 3000 index) were greater than their
SOX Section 404 costs.

The research paper indicates that corporations have improved their internal
controls and that financial statements are perceived to be more reliable.

Sarbanes-Oxley (SOX) Compliance Requirements from AMR (Assets Management Resources)

Sarbanes-Oxley has overwhelmed organizations financially as well as imposing a
significant demand on human resources. Initially the compliance burden has focused on
financial areas such as cash, revenue recognition, and stockholder equity. Compliance
requires documenting the "internal controls" and "business processes" used within an
organization for any financial matter considered material. After identification of a
material item, the issue is evaluated to determine if it constitutes a material weakness. If
the internal controls are properly defined and enforced, it is expected that the checks and
balances will ensure accurate financial reporting.
Consequently, what is considered material within an organization, i.e., what level of
materiality would concern an investor and give cause for further evaluation? According
to the AICPA:
"Materiality is based on the assumption a reasonable investor would not be influenced in
investment decisions by a fluctuation in net income less than or equal to 5%. This "5%
rule" remains the fundamental basis for working materiality estimates."


This 5% rule is one of the quantitative tests performed by auditors to identify potential
areas of materiality that may require further evaluation. If an area is identified, it
prompts the need for further qualitative analysis.
Up until now a quantitative measure has not been available specifically for fixed assets.
However, AMR has accumulated actual statistics from the past sixteen years of client
engagements and has documented that the average unrecorded disposals are 1.5% of the
Net Book Value of Property, Plant and Equipment. Thus, applying the 5% rule, if the
value of the fixed asset calculation is greater than the 5% EBITA value, a materiality
issue may exist. The formula can be expressed as follows:
Fixed asset materiality ratio = (1.5 percent × Net Book Value of Property, Plant and Equipment) / (5 percent × stabilized earnings before interest, taxes and allowances (EBITA))
After performing this calculation, if the ratio is greater than one (1), fixed assets are a
material consideration. This alone does not constitute a material weakness, but it does
suggest that a qualitative evaluation is warranted. This is the first step in determining if a
material weakness may exist.
The qualitative analysis evaluates whether the internal controls and business processes
are sound enough to ensure a material weakness does not exist. If the fixed asset
materiality ratio is greater than one (1), the relevance of this ratio takes into
consideration several qualitative possibilities:
1. A high property value due to large holdings of real estate, common in retail chains
and banks.
2. A highly capital intensive industry with extensive investment in machinery and
equipment.
3. Unrecorded disposals overstating the fixed asset balance.
4. And many others.
It should be noted that a material weakness may still exist even after the qualitative
analysis concludes that past practices and/or newly defined controls are not deficient.
One must answer the following:

Are internal controls and defined business processes sufficient to ensure the
published financial reports are accurate?

Are past business practices immune from further scrutiny after new procedures
are put into place?

Has sufficient attention been given to the corporate fixed assets since they are a
substantial portion of the balance sheet?

These are important questions.


A prudent auditor would undoubtedly pursue answers to these questions and determine
whether a material weakness may still exist. This verification process comes at a cost
whether it is done with internal or external resources. This usually entails extensive
interviews, process flow diagrams, validating documentation, following the process to
ensure proper implementation, and sufficient separation of duties to provide necessary
checks and balances.

But what if the quality of the data in the supporting financial systems is simply
poor?
Do the fixed asset financial records reflect what actually exists?
Are there unrecorded disposals or additions?

For fixed assets, the only definitive method to validate the quality of data in the system is
a physical inventory. An organization can institute documented business processes for
fixed asset management that meet or exceed Sarbanes-Oxley requirements, but until an
accurate baseline is established there may still be a material weakness. Validation of
fixed assets is the only definitive method to ensure that the improved business processes
and internal controls will deliver on the promise of accurate financial reporting.
By comparing the cost and benefit of a baseline physical inventory versus an evaluation
of internal controls, we can determine which gets the organization closer to
Sarbanes-Oxley compliance.
It is possible that an evaluation of internal controls will meet Sarbanes-Oxley compliance
requirements, but it does not mend bad legacy data from previous reporting periods. In
short, evaluating and instituting process improvements of internal controls alone does not
ensure a material weakness has been repaired. Conducting a baseline physical inventory
and instituting improved business processes, if needed, more effectively accomplishes the
quantitative and qualitative requirements to meet Sarbanes-Oxley compliance.


Effects on exchange listing choice of Non-US companies


Some have asserted that Sarbanes-Oxley legislation has helped displace business from
New York to London, where the Financial Services Authority regulates the financial
sector with a lighter touch. In the UK, the non-statutory Combined Code of Corporate
Governance plays a somewhat similar role to SOX. See Howell E. Jackson & Mark J.
Roe, Public Enforcement of Securities Laws: Preliminary Evidence (Working Paper
January 16, 2007). The Alternative Investment Market claims that its spectacular growth
in listings almost entirely coincided with the Sarbanes Oxley legislation. In December
2006 Michael Bloomberg, New York's mayor, and Charles Schumer, a US senator,
expressed their concern.
The Sarbanes-Oxley Act's effect on non-US companies cross-listed in the US is different
for firms from developed and well regulated countries than for firms from less developed
countries, according to Kate Litvak. Companies from badly regulated countries gain a benefit,
in the form of better credit ratings from complying with regulations in a highly regulated country
(USA), that is higher than the cost, but companies from developed countries only incur
the cost, since transparency is adequate in their home countries as well. On the other
hand, the benefit of a better credit rating also comes with listing on other stock exchanges
such as the London Stock Exchange.
Piotroski and Srinivasan (2008) examine a comprehensive sample of international
companies that list onto U.S. and U.K. stock exchanges before and after the enactment of
the Act in 2002. Using a sample of all listing events onto U.S. and U.K. exchanges from
1995-2006, they find that the listing preferences of large foreign firms choosing between
U.S. exchanges and the LSE's Main Market did not change following SOX. In contrast,
they find that the likelihood of a U.S. listing among small foreign firms choosing between
the Nasdaq and LSE's Alternative Investment Market decreased following SOX. The
negative effect among small firms is consistent with these companies being less able to
absorb the incremental costs associated with SOX compliance. The screening of smaller
firms with weaker governance attributes from U.S. exchanges is consistent with the
heightened governance costs imposed by the Act increasing the bonding-related benefits
of a U.S. listing.

Business governance: Sarbanes-Oxley Act (SOA) Compliance


According to the International Journal of Business Governance and Ethics, company
directors and executive officers are being made increasingly responsible for the successes
and failures of their companies, as well as their own conduct. The actions of businesses have
become a concern not just for shareholders, but also for the wider community at large,
affecting individuals' investments and savings.
Business and financial governance is no longer just about running the company as
efficiently as possible in narrow cost and profit terms, but about managing the wider
responsibilities, compliance, ethics, honesty, integrity and transparency.
Sarbanes-Oxley Act (SOA) compliance is one of these critical instruments that force
large international and local companies to enhance and extend their accountability,
integrity, transparency and honesty in business conduct and financial reporting.

CHAPTER- 05

Sarbanes-Oxley raises red flag for not-for-profits Organizations


Criminal fraud, CEO greed, lax corporate governance, questionable accounting
practices: these were familiar phrases in the public discourse this year, accompanied by
mounting outcry for congressional action. On July 30, Congress responded by signing
into law the Sarbanes-Oxley Act of 2002, the most far-reaching accounting reform and
corporate accountability legislation in decades. Sarbanes-Oxley will subject public
companies in the United States to a host of new governance and other requirements.
Although not-for-profit corporations, including hospitals and healthcare systems, are not
literally subject to Sarbanes-Oxley, they soon may feel its effects--especially of the
governance provisions:

States may emulate Sarbanes-Oxley provisions in legislation targeting not-for-profit organizations--especially states that have experienced notorious not-for-profit bankruptcies and other scandals;
Bond markets and state attorneys general may require similar governance provisions to regulate financing transactions and not-for-profit and charitable entity reporting;
Insurers may penalize entities that don't comply with Sarbanes-Oxley provisions; and
Management and boards may institute some of these reforms as a type of "best-practice" standards for not-for-profit governance.

Effect on Not-for-Profit Organizations

The Sarbanes-Oxley governance provisions most likely to migrate to the not-for-profit
arena are those dealing with the enhanced role of the board's audit committee, the
certification of financial statements, compensation of senior executives, a CFO's code of
conduct, and enhanced enforcement powers to remove unfit directors.
Role of the board's audit committee. Sarbanes-Oxley requires affected public
corporations to create audit committees "directly responsible" for retaining and
supervising outside auditors. Audit-committee members must be independent, which
means the CEO, CFO, and other management executives cannot be members. As part of
the "independence" standard, committee members must not be paid for consulting or
other services provided to the corporation outside of their service as directors. The
corporation also must disclose whether the audit committee includes one or more
members who are financial experts, and if not, why not. Finally, the committee must
establish procedures for receiving whistle-blower complaints about the company's
accounting practices.
Certification of financial statements. In a far-reaching provision going beyond the SEC's
recently proposed rule on financial-statement certification, Sarbanes-Oxley requires that a
public corporation's CEO and CFO certify in each annual report the following:

That they have reviewed the report;
That the report "does not contain any untrue statement of a material fact" or a material omission;
That the financial statements fairly present the financial condition of the corporation;
That the certifying individuals have designed and evaluated systems of internal controls to ensure that they are aware of material information concerning the corporation's operations; and
That the signers have disclosed to the company's auditors and audit committee all deficiencies in the controls and any fraud involving management or other key employees.

Full disclosure and, more importantly, implementation of procedures to ensure accurate
reporting have become the "gold standard" against which all corporations will be
measured. Although not-for-profit organizations are not required to meet the certification
requirements under Sarbanes-Oxley, they would be wise to create effective internal
controls to ensure accurate reporting. Indeed, not-for-profit providers considering major
transactions such as bond issuances, mergers, acquisitions, and affiliations should
anticipate that underwriters, bond insurers, and opposing parties will insist on
certification and related reporting requirements similar to Sarbanes-Oxley as part of the
preclosing representations and warranties and postclosing obligations.
Compensation of senior executives. The new legislation also prohibits, with certain
exceptions, personal loans from the corporation to "any director or executive officer."
Existing loans are grandfathered. Although existing tax-exemption principles address the
terms of such loans where the state not-for-profit code allows them (and not all states do),
this provision goes further and prohibits them entirely. Senior-executive compensation
packages involving such loans (such as a package developed to recruit a new CEO to an
area with high housing costs) should be avoided because they are harder to justify in light
of the new restrictions on the for-profit sector.
Code of conduct for CFOs. Sarbanes-Oxley also directs the SEC to promulgate rules
requiring that corporations subject to the act disclose whether they have adopted a code
of ethics for senior financial executives, and if not, why not. Like the certification
provision, this provision may become the "gold standard." As a result, not-for-profit
corporations that choose not to comply with the standard may be seen in a negative light
by their constituencies, the media, their directors' and officers' liability insurers, and,
possibly, credit-rating agencies.
Powers to remove unfit directors. Sarbanes-Oxley gives the SEC power to remove
directors for "unfitness" (as opposed to the previous standard of "substantial unfitness").
In the past, states' attorneys general occasionally have sought the removal of certain
directors of a not-for-profit corporation in proceedings brought to enforce charitable
trusts. The Sarbanes-Oxley provision may influence them to scrutinize not-for-profit
boards more closely and, thus, seek this remedy more frequently.
Finally, boards of not-for-profit hospitals and health systems should become
familiar with the governance provisions of Sarbanes-Oxley and consider voluntarily
complying with some or all of these provisions. It may not be long before they are forced
to do so by the marketplace, regulators, insurers, or negative publicity directed at
noncompliant not-for-profit organizations. Not-for-profit providers that do not hold
themselves to the same standard as their for-profit peers risk being perceived as having
betrayed the trust of their communities.

Requirement of the Sarbanes-Oxley Act in small business


The Sarbanes-Oxley Act of 2002 focuses on enterprise and public companies, and the
majority of small businesses do not have to heed the new rules. The exceptions are small
businesses that expect to be acquired by a publicly held company and small
businesses that provide products or services to large corporations. In the latter case, the
large corporations must work with their small business suppliers on compliance.
Even if you're not on the SOX radar, you can still benefit from initiating your own
version of the security requirements of SOX. A lot of SOX regulations make good
security sense that can protect your company regardless of its SOX status.
1. Determine who's in charge of security. Even a small company can designate a
chief security officer -- perhaps the most tech-savvy senior manager -- who will
be responsible for reports and recommendations to be shared with management,
investors, employees, consultants, and contractors.
2. Create policies for the full scope of security. Policy statements and guidelines
should influence the way you conduct your everyday business. Consider these
questions as you develop your very own security policy:
   Do our security policies, such as business conduct guidelines for Web usage, apply to everyone in our supply chain?
   Do policies extend to contractors, suppliers, customers, and business partners?
   Are all parties connecting into our network conforming to the same security policies?
3. Will a natural disaster affect our security and IT assets? Take the time to write out
a few worst-case scenarios and the response your IT manager should take. If you
live in Bangladesh, for example, build IT security into your earthquake plan, as
earthquake risk in Dhaka city is currently rising to a higher scale. Make plans to
have this available to the next person in charge if you're away when disaster
strikes.
4. Be prepared for the unseen costs of a security breach. Discuss with your lawyer
how damages to your company from a security breach can show up as a
restatement. Some recompensable damages include:
   Loss of electrical power
   Cost of rebooting critical locations
   Cost of labor to handle damage from blended malicious attacks
5. Integrate Internet security with physical security. Give the chief security officer
visibility in your company's overall security planning. In the event of a physical
security threat, such as a fire or impending flood, make sure the person
responsible for the building understands the requirements of the IT manager.
6. Don't wait until you see a security problem. External consultants can help with
Internet security planning and perform both internal audits to redefine cyber-security
objectives. It's hard to imagine, but many companies don't even know
they've had a security breach until long after they've been attacked.
7. Raise security awareness through education, publicity, and training. Use pre-existing
internal channels to increase preparedness, compliance, and overall
education. Create an email alias that goes to a response team focused on business
continuity in the event of a major security incident.
8. Prioritize your company's IT assets and protect them. Scrutinize the essential
business services that are critical to the company and the IT resources that support
them. Areas will include electrical power, telecommunications, banking,
transactions, and communications mobility.
   What are the company's core services?
   Are they adequately protected?
   Are they adequately secured in a legally compliant way?
9. Work with legal counsel to address compliance and liability issues. Threats to an
enterprise's security are changing so quickly that it's a challenge to stay secure
and stay legally compliant. Go the extra mile and build in hardened layers of
security at every connection edge of the IT network, especially if you are a small
business that someday hopes to work with larger, publicly traded corporations.

Sarbanes-Oxley regulations send a hard blow to public companies


The Sarbanes-Oxley Act of 2002 had a curious, unexpected effect: it spawned a brand
new industry of software companies, consultants and accountants dedicated to helping
public companies implement the act's numerous requirements. This entrepreneurial
activity is testament to the complexity and - let's face it - pure misery of Sarbanes-Oxley.
The act, otherwise known as SOX, has been a bitter pill for public companies to swallow.
It was notoriously expensive and time consuming to implement and, in many cases,
forced companies to recruit new board members - just to name a few of the oft-heard
complaints.
But large and mid-sized companies can look back, more than five years later, with a sense
of accomplishment. Most public companies have met the deadlines for compliance with
all of the act's requirements. However, small public companies (those with less than $75
million in publicly traded shares) are facing imminent deadlines for filing their first
audited internal control reports with the Securities and Exchange Commission (SEC).
Before we delve into these infamous internal control reports, it is important to note that
Christopher Cox, chairman of the SEC, has proposed giving these small companies one
more year to comply with Section 404(b) of SOX.
So, with a little extra breathing room, small companies can take a lesson from those who
have gone before.

Effective internal control: Satisfying Sarbanes-Oxley while building good corporate governance

The Sarbanes-Oxley Act of 2002 has literally rewritten the rules for corporate
governance, disclosure, and reporting. Yet beneath the Act's hundreds of pages of legalese
lies a simple premise: Good corporate governance and ethical business practices are no
longer niceties; they are the law.
Recent business scandals have found executives testifying that they were 'unaware' of
dubious activities - off-the-book partnerships, improper revenue recognition, etc. - carried
on by their companies. Sarbanes-Oxley aims to discourage such claims through a number
of measures to strengthen internal checks and balances and enhance accountability.
For public companies, compliance under Sarbanes-Oxley is non-negotiable. For audit
committees and senior management of public companies, particularly CEOs and CFOs,
the definitions of financial stewardship and personal accountability have been made more
explicit and the stakes significantly higher.
Private companies as well, although not legally obligated to comply with the Act, may
choose to adopt certain components as part of an overall plan to improve business
operations.

Keeping the SOX On: A Managing Compliance


The Public Company Accounting Reform and Investor Protection Act (PL 170-204) was
passed in the wake of the corporate malfeasance of individuals at the top of large, highly
visible companies including Enron, WorldCom and Adelphia. The bill, known by the
names of its initial sponsors, Senator Paul Sarbanes (D, MD) and Representative Mike
Oxley (R, OH), as either Sarbanes-Oxley or simply "SOX", has had a major impact on the
way that all publicly traded companies conduct and document their businesses in the U.S.
And it's not just U.S.-based firms: foreign business entities that operate in U.S. markets
and have tax filing obligations here must also comply with Sarbanes-Oxley.
Sarbanes-Oxley sets strict rules that require verifying, documenting and reporting internal
financial information, and it imposes personal liability on senior executives who sign the
corporate tax returns (generally CEO and CFO). These stringent and absolute obligations
have forced every subject company, regardless of size and revenue, to closely examine,
document, and quite often, modify its practices in order to comply.

CHAPTER- 06

Sarbanes-Oxley Act : Several sections in details

Section 302
This section is of course listed under Title III of the act, and pertains to 'Corporate
Responsibility for Financial Reports'.
Summary:
Periodic statutory financial reports are to include certifications that:
The signing officers have reviewed the report
The report does not contain any material untrue statements or material omission or be considered misleading
The financial statements and related information fairly present the financial condition and the results in all material respects
The signing officers are responsible for internal controls and have evaluated these internal controls within the previous ninety days and have reported on their findings
A list of all deficiencies in the internal controls and information on any fraud that involves employees who are involved with internal activities
Any significant changes in internal controls or related factors that could have a negative impact on the internal controls
Organizations may not attempt to avoid these requirements by reincorporating their
activities or transferring their activities outside of the United States.

Section 401
This section is of course listed under Title IV of the act (Enhanced Financial
Disclosures), and pertains to 'Disclosures in Periodic Reports'.
Summary:
Financial statements published by issuers are required to be accurate and presented in
a manner that does not contain incorrect statements or omit to state material information.
These financial statements shall also include all material off-balance sheet liabilities,
obligations or transactions. The Commission was required to study and report on the
extent of off-balance transactions resulting in transparent reporting. The Commission is also
required to determine whether generally accepted accounting principles or other
regulations result in open and meaningful reporting by issuers.

Section 404
This section is listed under Title IV of the act (Enhanced Financial Disclosures), and
pertains to 'Management Assessment of Internal Controls'.
Summary
Issuers are required to publish information in their annual reports concerning the scope
and adequacy of the internal control structure and procedures for financial reporting. This
statement shall also assess the effectiveness of such internal controls and procedures.
The registered accounting firm shall, in the same report, attest to and report on the
assessment on the effectiveness of the internal control structure and procedures for
financial reporting.

Section 409
This section is listed within Title IV of the act (Enhanced Financial Disclosures), and
pertains to 'Real Time Issuer Disclosures'.
Summary
Issuers are required to disclose to the public, on an urgent basis, information on material
changes in their financial condition or operations. These disclosures are to be presented in
terms that are easy to understand supported by trend and qualitative information of
graphic presentations as appropriate.

Section 802
This section is listed within Title VIII of the act (Corporate and Criminal Fraud
Accountability), and pertains to 'Criminal Penalties for Altering Documents'.
Summary
This section imposes penalties of fines and/or up to 20 years imprisonment for altering,
destroying, mutilating, concealing, falsifying records, documents or tangible objects with
the intent to obstruct, impede or influence a legal investigation.

This section also imposes penalties of fines and/or imprisonment up to 10 years on any
accountant who knowingly and willfully violates the requirements of maintenance of all
audit or review papers for a period of 5 years operations and determine if they are
significant to the organization as a whole. Significant business units can include financial
business units or IT business units. The assessment of whether an IT business unit is
significant can be impacted by the materiality of transactions processed by the IT
business unit, the potential impact on financial reporting if an IT business unit fails and
other qualitative risk factors. The issue is that there are financial materiality and
significant risk considerations, quantitative and qualitative, and both aspects provide
focus.

Implementation of key provisions


Sarbanes-Oxley Section 302: Disclosure controls
Under Sarbanes-Oxley, two separate sections came into effect: one civil and the other
criminal. 15 U.S.C. § 7241 (Section 302) (civil provision); 18 U.S.C. § 1350 (Section
906) (criminal provision).
Section 302 of the Act mandates a set of internal procedures designed to ensure accurate
financial disclosure. The signing officers must certify that they are responsible for
establishing and maintaining internal controls and have designed such internal controls
to ensure that material information relating to the company and its consolidated
subsidiaries is made known to such officers by others within those entities, particularly
during the period in which the periodic reports are being prepared. 15 U.S.C. § 7241(a)(4).
The officers must have evaluated the effectiveness of the company's internal
controls as of a date within 90 days prior to the report and have presented in the report
their conclusions about the effectiveness of their internal controls based on their
evaluation as of that date. Id.
The SEC interpreted the intention of Sec. 302 in Final Rule 33-8124. In it, the SEC
defines the new term "disclosure controls and procedures", which are distinct from
"internal controls over financial reporting". Under both Section 302 and Section 404,
Congress directed the SEC to promulgate regulations enforcing these provisions.
External auditors are required to issue an opinion on whether effective internal control
over financial reporting was maintained in all material respects by management. This is
in addition to the financial statement opinion regarding the accuracy of the financial
statements. The requirement to issue a third opinion regarding management's assessment
was removed in 2007.
Sarbanes-Oxley Section 404: Assessment of internal control
The most contentious aspect of SOX is Section 404, which requires management and the
external auditor to report on the adequacy of the company's internal control over financial
reporting (ICFR). This is the most costly aspect of the legislation for companies to
implement, as documenting and testing important financial manual and automated
controls requires enormous effort.
Under Section 404 of the Act, management is required to produce an internal control
report as part of each annual Exchange Act report. See 15 U.S.C. § 7262. The report
must affirm the responsibility of management for establishing and maintaining an
adequate internal control structure and procedures for financial reporting. 15
U.S.C. § 7262(a). The report must also contain an assessment, as of the end of the most
recent fiscal year of the Company, of the effectiveness of the internal control structure
and procedures of the issuer for financial reporting. To do this, managers are generally
adopting an internal control framework such as that described in COSO.
To help alleviate the high costs of compliance, guidance and practice have continued to
evolve. The Public Company Accounting Oversight Board (PCAOB) approved Auditing
Standard No. 5 for public accounting firms on July 25, 2007. This standard superseded
Auditing Standard No. 2, the initial guidance provided in 2004. The SEC also released its
interpretive guidance on June 27, 2007. It is generally consistent with the PCAOB's
guidance, but intended to provide guidance for management. Both management and the
external auditor are responsible for performing their assessment in the context of a
top-down risk assessment, which requires management to base both the scope of its
assessment and evidence gathered on risk. This gives management wider discretion in its
assessment approach. These two standards together require management to:

Assess both the design and operating effectiveness of selected internal controls related to significant accounts and relevant assertions, in the context of material misstatement risks;
Understand the flow of transactions, including IT aspects, sufficient enough to identify points at which a misstatement could arise;
Evaluate company-level (entity-level) controls, which correspond to the components of the COSO framework;
Perform a fraud risk assessment;
Evaluate controls designed to prevent or detect fraud, including management override of controls;
Evaluate controls over the period-end financial reporting process;
Scale the assessment based on the size and complexity of the company;
Rely on management's work based on factors such as competency, objectivity, and risk;
Conclude on the adequacy of internal control over financial reporting.

SOX 404 compliance costs represent a tax on inefficiency, encouraging companies to
centralize and automate their financial reporting systems. This is apparent in the
comparative costs of companies with decentralized operations and systems, versus those
with centralized, more efficient systems. For example, the 2007 FEI survey indicated
average compliance costs for decentralized companies were $1.9 million, while
centralized company costs were $1.3 million. Costs of evaluating manual control
procedures are dramatically reduced through automation.
Sarbanes-Oxley 404 and smaller public companies
The cost of complying with SOX 404 impacts smaller companies disproportionately, as
there is a significant fixed cost involved in completing the assessment. For example,
during 2004 U.S. companies with revenues exceeding $5 billion spent 0.06% of revenue
on SOX compliance, while companies with less than $100 million in revenue spent
2.55%.
This disparity is a focal point of 2007 SEC and U.S. Senate action. The PCAOB intends
to issue further guidance to help companies scale their assessment based on company size
and complexity during 2007. The SEC issued their guidance to management in June,
2007.
After the SEC and PCAOB issued their guidance, the SEC required smaller public
companies (non-accelerated filers) with fiscal years ending after December 15, 2007 to
document a Management Assessment of their Internal Controls over Financial Reporting
(ICFR). Outside auditors of non-accelerated filers however opine or test internal controls
under PCAOB (Public Company Accounting Oversight Board) Auditing Standards for
years ending after December 15, 2008. Another extension was granted by the SEC for the
outside auditor assessment until years ending after December 15, 2009. The reason for
the timing disparity was to address the House Committee on Small Business concern that
the cost of complying with Section 404 of the Sarbanes-Oxley Act of 2002 was still
unknown and could therefore be disproportionately high for smaller publicly held
companies. On October 2, 2009, the SEC granted another extension for the outside
auditor assessment until fiscal years ending after June 15, 2010. The SEC stated in their
release that the extension was granted so that the SEC's Office of Economic Analysis
could complete a study of whether additional guidance provided to company managers
and auditors in 2007 was effective in reducing the costs of compliance. They also stated
that there will be no further extensions in the future.

Sarbanes-Oxley Section 802: Criminal penalties for violation of SOX


Section 802(a) of the SOX, 18 U.S.C. § 1519 states:

Whoever knowingly alters, destroys, mutilates, conceals, cov

Sarbanes-Oxley Section 1107: Criminal penalties for retaliation against whistleblowers


Section 1107 of the SOX 18 U.S.C. § 1513(e) states:

Whoever knowingly, with the intent to retaliate, takes any ac

CHAPTER- 07

Sarbanes-Oxley Essential Information


The intent of the Sarbanes-Oxley Act
To protect investors by improving the accuracy and reliability of corporate disclosures
made pursuant to the securities laws, and for other purposes.

What the Act is about


The Sarbanes-Oxley Act created new standards for corporate accountability as well as
new penalties for acts of wrongdoing. It changes how corporate boards and executives
must interact with each other and with corporate auditors. It removes the defense of "I
wasn't aware of financial issues" from CEOs and CFOs, holding them accountable for the
accuracy of financial statements. The Act specifies new financial reporting
responsibilities, including adherence to new internal controls and procedures designed to
ensure the validity of their financial records.
Who's afraid of Sarbanes-Oxley
Accountability legislation creates additional document retention requirements and
responsibilities for records managers. The Sarbanes-Oxley Act of 2002 represents the
most meaningful and consequential corporate accountability legislation passed by the
federal government since the 1930s. Signed into law July 30, 2002, by President George
W. Bush, this Act will change the way corporate America does business.
Sarbanes-Oxley is a sweeping reform aimed at protecting investors by improving the
accuracy and reliability of corporate disclosures made pursuant to securities laws. The
legislation was in large part a response to the issues of accountability raised by the Enron
and Arthur Andersen investigations and will most directly impact the accounting industry,
publicly traded companies, and investment banking firms.
Sarbanes-Oxley Audits
The Act requires all financial reports to include an internal control report. This is
designed to show that not only are the company's financial data accurate, but the
company has confidence in them because adequate controls are in place to safeguard
financial data. Year-end financial reports must contain an assessment of the effectiveness
of the internal controls. The issuer's auditing firm is required to attest to that assessment.
The auditing firm does this after reviewing controls, policies, and procedures during a
Section 404 audit, conducted along with a traditional financial audit.
Why Congress thought the Act was needed

The US Sarbanes-Oxley Act was passed in the wake of a myriad of corporate scandals.
What these scandals had in common was skewed reporting of selected financial
transactions. For instance, companies such as Enron, WorldCom and Tyco covered up or
misrepresented a variety of questionable transactions, resulting in huge losses to
stakeholders and a crisis in investor confidence. How did Congress think the Act would
address the problem? Sarbanes-Oxley aims to enhance corporate governance and
strengthen corporate accountability. It does that by:

formalizing and strengthening internal checks and balances within corporations
instituting various new levels of control and sign-off designed to ensure that
   financial reporting exercises full disclosure
   corporate governance is transacted with full transparency.

If a company isn't in compliance


What happens depends on which section of the act they're out of compliance with. Noncompliance
penalties range from the loss of exchange listing, loss of D&O insurance to
multimillion dollar fines and imprisonment. It can result in a lack of investor confidence.
A CEO or CFO who submits a wrong certification is subject to a fine up to $1 million and
imprisonment for up to ten years. If the wrong certification was submitted "willfully", the
fine can be increased up to $5 million and the prison term can be increased up to twenty
years.
Who the Act applies to
SOX applies to all public companies in the U.S. and international companies that have
registered equity or debt securities with the Securities and Exchange Commission and the
accounting firms that provide auditing services to them.
Is the Act of concern to US companies only?
Here's a great answer from ISACA: No, there are potential international implications as
well. In fact, among the many factors that must be considered in complying with
Sarbanes-Oxley, some will uniquely impact international organizations. Specifically,
global organizations, or non-US-based companies that are required to comply with
Sarbanes-Oxley, need to examine their ITO.

CHAPTER- 08

The limitations of the Sarbanes-Oxley Act


Poorly designed corporate legislation can retard innovation and warp economic growth
while good policy can create confidence in the capitalist system, encourage prudent
risk-taking, and foster growth. Yet, even the most thoughtful and balanced legislation has its
limitations. In the wake of unprecedented corporate failures due to managerial fraud,
Congress passed the Sarbanes-Oxley Act of 2002 with the goal of rebuilding investor
confidence and protecting capital markets. The recent recovery leaves little doubt that
confidence has returned. However, whether the Act actually will protect financial markets
by efficiently providing long-term deterrents to fraud at public companies is a valid topic
of debate.
Executives who committed the numerous and exceptional frauds of 2001 and 2002
largely will be judged under laws existing prior to enactment of the Sarbanes-Oxley
legislation. Regardless, Congress, in a nod to confidence-building, properly inserted
additional governance and reporting safeguards into the Act. Certain requirements, such
as executive certification of public company financial statements, are designed to ensure
accountability for reported financial information. Congress also introduced mandates
designed to improve the independence and financial competence of public boards of
directors with a view towards better oversight of executive management. Still more
legislative changes targeted the public accountants, attorneys, banking analysts, and other
gatekeepers. The overriding goal was to provide better, more accurate information for
investors by shining enough light on these companies to make massive financial reporting
frauds harder to achieve without detection. Now the question becomes: Will this new
legislation prevent a future crisis?
To understand the limitations of the Sarbanes-Oxley Act, it is helpful to be aware of what
was in force prior to its adoption. After the stock market crash of 1929, Congress passed
the Securities Act of 1933 and the Securities Exchange Act of 1934 to address perceived
corporate abuse. A lack of transparency and fair dealing led Congress to pass these acts to
regulate the securities markets. The markets previously were regulated by a patchwork of
state laws that commonly were referred to as "blue sky" laws, many of which remain in
place today. The 1933 Act was passed to meet two basic objectives: it requires that
investors receive material information concerning securities being offered for public sale
and it prohibits deceit, misrepresentations, and other fraud in the sale of securities. This
legislation was designed to require issuers to disclose important information to investors
so that they could make informed decisions. The theory is that greater public disclosure is
bound to discourage bad behavior. As Supreme Court Justice Louis Brandeis stated,
"Sunlight is the best disinfectant."
Congress also passed the Banking Act of 1933 to address harm caused by banks to the
investing public. In short, the Act was designed to prevent banks from selling securities,
thereby preventing them from peddling their soured investments to the public. There were
certain sections of the Act, referred to as Glass-Steagall, which prohibited commercial
banks from owning investment banks and vice versa. For years, this was viewed as an
overly broad approach to a specific problem, yet was not addressed until passage of the
Gramm-Leach-Bliley Act of 1999.
The Securities Exchange Act of 1934 extended regulation to trading as well as securities
already issued. The Act created the Securities and Exchange Commission (SEC) and
empowered it with extensive regulatory authority over all aspects of the securities
industry and markets. Additionally, the Act requires issuers to provide information to the
marketplace by filing annual and quarterly reports. Finally, there are provisions that
prohibit fraudulent activities that cheat investors.
In response to investment company abuses, Congress again acted to minimize conflicts of
interest that arise in the operations of these companies. In 1940, the Investment Company
Act and Investment Advisors Act were passed to regulate firms that exist primarily to
invest in securities of other companies. Mutual funds are one type of investment firm
covered. This legislation included vital anti-fraud provisions for all those who meet the
definition of an investment advisor.
Despite previous legislation and Federal oversight, the savings and loan industry
experienced a crisis in the late 1980s that led to even more regulation. The Financial
Institutions Reform, Recovery and Enforcement Act of 1989 was passed to "restore the
public's confidence in the savings and loan industry." Deposit insurance and the system of
oversight were restructured to reinforce the safety of deposits, and the Resolution Trust
Corporation was created to dispose of the assets of failed institutions. Congress later
added the Comprehensive Thrift and Bank Fraud Prosecution Act of 1990 to expand the
authority of Federal regulators to combat financial fraud.
Not all structural changes were initiated by government, however, as market pressures
also can have a positive impact on corporate governance. For example, shareholder
activists waged battles with corporations throughout the 1990s. They fought against
poison pills (corporate actions that prevent an unsolicited takeover) and brought about
greater transparency for boards and regulators by attacking secret executive
compensation.
All of this previous legislation and private sector action had the desired effect of restoring
confidence in companies and the financial system at a critical time, and still has some
influence today. Nonetheless, these efforts did not prevent the crises that followed.
Corporate legislation has a sort of biological clock where its impact is maximized shortly
after it is enacted. Over time, the ability of new legislation to restore and maintain
confidence in public markets will fade and deterrents will weaken as those so disposed learn
new ways to sidestep the installed safeguards. When the next massive fraud surfaces,
legislation again will be considered to reassure the nation and instill confidence in
markets. This can be a virtuous cycle as long as the imposed regulations do more good
than harm. Just as good legislation can contribute to confidence-building, overly
burdensome regulation can result in a loss of American initiative and competitiveness.
The Sarbanes-Oxley Act was designed to address specific abuses relevant to the latest
generation of frauds. Its focus is on corporate financial reporting and the related
responsibilities of the nation's gatekeepers. At WorldCom, the appearance of corporate
health was accomplished by passing top-side entries that turned expenses into assets. This
is relatively simple to execute. Even less complicated is to omit the disclosure of
liabilities altogether, as was the case at Adelphia Communications. On the other hand,
Enron constructed a false picture of financial health by transferring assets through a
sophisticated network of entities that had the effect of masking true performance and
impairment of these assets. Regardless of the specific methodology, each company
managed to present a bankrupt company as a healthy going concern through manipulation
of its financial statements.
Prosecuting executives

The prosecution of the executives of these firms largely is occurring under a number of
laws that existed prior to the passage of the Sarbanes-Oxley Act. Nevertheless, there
seems to be no shortage of statutes on which to base indictments. In fact, one of the first
major cases utilizing the deterrents built into the Sarbanes-Oxley Act is the much-anticipated
prosecution of Richard Scrushy, the former chairman and CEO of
HealthSouth Corporation, among the nation's largest health care providers. In the original
85-count indictment brought by the Department of Justice is the prosecution's allegation
that Scrushy personally certified financial statements filed with the SEC that he knew to
be false. This count, made available by the Sarbanes-Oxley Act, together with the other
counts, means that, if convicted of all of the current charges, Scrushy could have been
sentenced to up to 650 years in jail, been required to pay $36,000,000 in fines, and have
had to forfeit over $275,000,000 of real estate, airplanes, yachts, and other property.
Interestingly, false certification under the Sarbanes-Oxley Act only counts for about 20 of
the 650 possible years of jail time. As this case goes to trial, prosecutors have refined
their charges by focusing on 45 of the strongest counts, including false certification of
financial statements under Sarbanes-Oxley.
So what did Scrushy do to run so afoul of the government? Prosecutors contend that he
devised a scheme to ensure that HealthSouth would make sufficient net income to meet
the expectations of Wall Street analysts without regard to true operating performance.

CHAPTER- 09
Criticism
Congressman Ron Paul and others contend that SOX was an unnecessary and costly
government intrusion into corporate management that places U.S. corporations at a
competitive disadvantage with foreign firms, driving businesses out of the United States.
In an April 14, 2005 speech before the U.S. House of Representatives, Paul stated, "These
regulations are damaging American capital markets by providing an incentive for small
US firms and foreign firms to deregister from US stock exchanges. According to a study
by Wharton Business School, the number of American companies deregistering from
public stock exchanges nearly tripled during the year after Sarbanes-Oxley became law,
while the New York Stock Exchange had only 10 new foreign listings in all of 2004. The
reluctance of small businesses and foreign firms to register on American stock exchanges
is easily understood when one considers the costs Sarbanes-Oxley imposes on
businesses. According to a survey by Korn/Ferry International, Sarbanes-Oxley cost
Fortune 500 companies an average of $5.1 million in compliance expenses in 2004, while
a study by the law firm of Foley and Lardner found the Act increased costs associated
with being a publicly held company by 130 percent."
A research study published by Joseph Piotroski of Stanford University and Suraj
Srinivasan of Harvard Business School titled "Regulation and Bonding: Sarbanes-Oxley
Act and the Flow of International Listings" in the Journal of Accounting Research in
2008 found that following the act's passage, smaller international companies were more
likely to list in stock exchanges in the U.K. rather than U.S. stock exchanges.
During the financial crisis, critics blamed Sarbanes-Oxley for the low number of Initial
Public Offerings (IPOs) on American stock exchanges during 2008. In November 2008,
Newt Gingrich and co-author David W. Kralik called on Congress to repeal
Sarbanes-Oxley.
A December 21, 2008 Wall St. Journal editorial stated, "The new laws and regulations
have neither prevented frauds nor instituted fairness. But they have managed to kill the
creation of new public companies in the U.S., cripple the venture capital business, and
damage entrepreneurship. According to the National Venture Capital Association, in all of
2008 there have been just six companies that have gone public. Compare that with 269
IPOs in 1999, 272 in 1996, and 365 in 1986."
Hoover's IPO Scorecard notes 31 IPOs in 2008.
The editorial concludes that: "For all of this, we can first thank Sarbanes-Oxley. Cooked
up in the wake of accounting scandals earlier this decade, it has essentially killed the
creation of new public companies in America, hamstrung the NYSE and Nasdaq and cost
U.S. industry more than $200 billion by some estimates."
Previously the number of IPOs had declined to 87 in 2001, well down from the highs, but
before Sarbanes-Oxley was passed. In 2004, IPOs were up 195% from the previous year
to 233. There were 196 IPOs in 2005, 205 in 2006 (with a sevenfold increase in deals
over $1 billion) and 209 in 2007.

Praise
Former Federal Reserve Chairman Alan Greenspan praised the Sarbanes-Oxley Act: "I
am surprised that the Sarbanes-Oxley Act, so rapidly developed and enacted, has
functioned as well as it has...the act importantly reinforced the principle that shareholders
own our corporations and that corporate managers should be working on behalf of
shareholders to allocate business resources to their optimum use."
SOX has been praised by a cross-section of financial industry experts, citing improved
investor confidence and more accurate, reliable financial statements. The CEO and CFO
are now required to unequivocally take ownership for their financial statements under
Section 302, which was not the case prior to SOX. Further, auditor conflicts of interest
have been addressed, by prohibiting auditors from also having lucrative consulting
agreements with the firms they audit under Section 201. SEC Chairman Christopher Cox
stated in 2007: "Sarbanes-Oxley helped restore trust in U.S. markets by increasing
accountability, speeding up reporting, and making audits more independent."
The FEI 2007 study and research by the Institute of Internal Auditors (IIA) also indicate
SOX has improved investor confidence in financial reporting, a primary objective of the
legislation. The IIA study also indicated improvements in board, audit committee, and
senior management engagement in financial reporting and improvements in financial
controls.
Financial restatements increased significantly in the wake of the SOX legislation and
have since dramatically declined, as companies "cleaned up" their books. Glass, Lewis &
Co. LLC is a San Francisco-based firm that tracks the volume of do-overs by public
companies. Its March 2006 report, "Getting It Wrong the First Time," shows 1,295
restatements of financial earnings in 2005 for companies listed on U.S. securities
markets, almost twice the number for 2004. "That's about one restatement for every 12
public companies – up from one for every 23 in 2004," says the report.

Legal challenges
A lawsuit (Free Enterprise Fund v. Public Company Accounting Oversight Board) was
filed in 2006 challenging the constitutionality (legality) of the PCAOB. The complaint
argues that because the PCAOB has regulatory powers over the accounting industry, its
officers should be appointed by the President, rather than the SEC. Further, because the
law lacks a "severability clause," if part of the law is judged unconstitutional, so is the
remainder. If the plaintiff prevails, the U.S. Congress may have to devise a different
method of officer appointment. Further, the other parts of the law may be open to
revision. The lawsuit was dismissed by a District Court; the decision was upheld by the
Court of Appeals on August 22, 2008. Judge Kavanaugh, in his dissent, argued strongly
against the constitutionality of the law. On May 18, 2009, the United States Supreme
Court agreed to hear this case. On December 7, 2009, the United States Supreme Court
heard the oral arguments for this case.

Future of Sarbanes-Oxley Act


Although the enactment of the Sarbanes-Oxley Act (SOX) received nearly unanimous
congressional support, only a few years thereafter its wisdom was increasingly
questioned and its supporters had to stave off attempts to recraft the legislation. The
financial crisis of 2008 has sidelined efforts to alter the legislation's most costly
provision, as Congress's attention has turned to overhauling the regulatory regime for
financial institutions. There is, nonetheless, much to be learned about financial regulation
and SOX's future, from an in-depth examination of the interplay of the government and
private commissions created with an eye to revising the legislation, media coverage of
those entities, and congressional responses. That interaction provides a map of political
fault lines and assists in forecasting the prospects for recreating SOX's most costly
provision. It also serves as a cautionary tale regarding significant regulation enacted in
the midst of a financial-market crisis. The ongoing financial crisis has sidelined SOX, but
its burdensome costs suggest that it might well, in due course, reemerge on the legislative
agenda.

CHAPTER- 10

Conclusion
The accounting industry has, as a whole, endured quite a lot of publicity in recent years.
Accounting scandals at mega-corporations like Tyco, Enron, and WorldCom have all
made the public painfully aware of the limitations of internal accounting practices and the
apparent ease with which corporate executives can manipulate the industry and report
false financial information. In light of that limitation, the United States government
passed the Sarbanes-Oxley Act (SOX) in 2002, which was primarily intended to restore
the public's trust in public accounting.
However, the act has had farther-reaching implications for the industry: the policy made
with it has spilled over into private accounting firms, implicated corporate social
responsibility, and affected the financial bottom lines of corporations and accounting
firms. An over-arching public company accounting board was also established by the act,
which was introduced amidst a host of publicity.
So unless we are planning on taking our small company public very soon,
Sarbanes-Oxley probably won't have any repercussions for the business. However, if we are an
investor, SOX might allow us to sleep a little easier.

References
1. Sarbanes Interview.
2. SEC Annual Budget.
3. http://www.hoovers.com/ business-information.
4. http://www.allbusiness.com.
5. http://www.sarbanes-oxley.com.
6. http://www.kesdee.com/html/sarbanesoxley.html.
7. "Five years of Sarbanes-Oxley". The Economist. 2007-07-26.
http://www.economist.com/displaystory.cfm?story_id=9545905.
8. FEI 2007 Survey of SOX 404 Costs.
9. FEI 2006 Survey of SOX 404 Costs.
10. Zhang-Economic Costs of SOX.
11. The Effect of the Sarbanes-Oxley Act (Section 404) Management's Report on
Audit Fees, Accruals and Stock Returns.
12. The Sarbanes-Oxley Debacle.
13. IIA Research SOX Looking at the Benefits.
14. SEC 2007 SOX Guidance.
15. Sarbanes-Oxley: Progressive Punishment for Regressive Victimization.
16. Greenspan praises SOX.
17. USA Today - SOX Law Has Been a Pretty Clean Sweep.
18. NPR-Supreme Court Considers Sarbanes-Oxley Board.
19. PCAOB News Release.
