The Sarbanes Oxley Act
Responding to corporate failures and fraud that resulted in substantial financial losses to institutional and individual investors, Congress passed the Sarbanes Oxley Act in 2002.
The Act contains provisions affecting corporate governance, risk management, auditing, and financial reporting of public companies, including provisions intended to deter and punish corporate accounting fraud and corruption.
Title I of the Sarbanes Oxley Act establishes the PCAOB (Public Company Accounting Oversight Board) as a nonprofit organization that oversees the audits of public companies subject to the securities laws.
The Sarbanes Oxley Act gives the PCAOB four primary responsibilities:
- registration of accounting firms that audit public companies in the U.S. securities markets;
- inspections of registered accounting firms;
- establishment of auditing, quality control, and ethics standards for registered accounting firms; and
- investigation and discipline of registered accounting firms for violations of law or professional standards.
Title II of the Sarbanes Oxley Act addresses auditor independence.
It prohibits the registered external auditor of a public company from providing certain nonaudit services to that public company audit client.
Title II also specifies communication that is required between the auditors and the public company's audit committee (or board of directors), and requires periodic rotation of the audit partners managing a public company's audits.
Titles III and IV of the Sarbanes Oxley Act focus on corporate responsibility and enhanced financial disclosures.
Title III requires certifications by corporate officers in annual and quarterly reports.
Title IV addresses disclosures in financial reporting and transactions involving management and principal stockholders, and other provisions such as internal control over financial reporting.
More specifically, section 404 of the Sarbanes Oxley Act establishes requirements for companies to publicly report on management’s responsibility for establishing and maintaining an adequate internal control structure, including controls over financial reporting, and the results of management's assessment of the effectiveness of internal control over financial reporting.
External auditors must report whether they agree with management’s assessment of the company’s internal control over financial reporting.
SEC and PCAOB have issued regulations, standards, and guidance to implement the Sarbanes-Oxley Act.
For instance, both SEC's regulations and PCAOB’s Auditing Standards state that management is required to base its assessment of the effectiveness of the company’s internal control over financial reporting on a suitable, recognized control framework established by a body of experts that followed due process procedures, including the broad distribution of the framework for public comment.
Both the SEC's guidance and PCAOB's auditing standard cite the COSO principles as providing a suitable framework for purposes of section 404 compliance.
In 1992, COSO (the Committee of Sponsoring Organizations of the Treadway Commission) issued its “Internal Control—Integrated Framework” (the COSO framework) to help businesses and other entities assess and enhance their internal control.
Since that time, the COSO framework (including the updated framework) has been recognized by regulators, standards setters, and others as a comprehensive framework for evaluating internal control, including internal control over financial reporting.
The COSO framework includes a common definition of internal control and criteria against which companies can evaluate the effectiveness of their internal control systems.
The framework consists of five interrelated components: control environment, risk assessment, control activities, information and communication, and monitoring.
While SEC and PCAOB do not mandate the use of any particular framework, PCAOB states that the framework used by a company should have elements that encompass the five COSO components of internal control.
Internal control generally serves as a first line of defense in safeguarding assets and preventing and detecting errors and fraud.
Internal control is defined as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the following objectives:
(1) effectiveness and efficiency of operations;
(2) reliability of financial reporting; and
(3) compliance with laws and regulations.
Internal control over financial reporting is further defined in the SEC regulations implementing section 404.
These regulations define internal control over financial reporting as providing reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements, including those policies and procedures that:
- pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
- provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in conformity with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
- provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.