What Is Sarbanes-Oxley?
Sarbanes-Oxley, or SOX, refers to a series of securities and financial regulations enacted by the Sarbanes-Oxley Act in 2002. The SOX Act added new layers of criminal penalties for anyone found guilty of breaking securities laws — both those included in SOX as well as other federal financial laws. Rules laid out by SOX required more stringent bookkeeping and added compliance obligations to corporate officers, auditors, and accounting staff.
Why Did Congress Pass Sarbanes-Oxley?
Sarbanes-Oxley was passed in response to several high-profile financial scandals. One of the most notable was the Enron scandal, in which a huge (and seemingly stable) enterprise collapsed, with knock-on effects across the nation's economy.
Enron's ventures included companies and investments in sectors such as oil, gas, paper, communications, electricity, and power plants. It was a global business, but it filed for bankruptcy suddenly in 2001. During the financial fallout, it became clear that earnings reports had been inflated and that other fraud and embezzlement had occurred.
Enron and other scandals involving fraud and tampered-with reports caused Congress to rethink the reporting processes required of corporations and public companies. That led to the Sarbanes-Oxley Act. The goal of the act was to create additional protection for investors and to safeguard the financial interests of the nation overall.
Why Is It Called Sarbanes-Oxley?
Like many federal acts, SOX takes its name from its legislative sponsors. It was a bipartisan approach, and the sponsors were Senator Paul S. Sarbanes, a Democrat from Maryland, and Congressman Michael G. Oxley, a Republican from Ohio.
The Role of Corporate Financial and Compliance Departments
Sarbanes-Oxley is a lengthy act, which makes it unwieldy for individuals to understand and weigh every facet of the law when creating reports or driving financial decisions. Because of this, many enterprises make SOX compliance the purview of the same departments that manage other types of regulatory compliance, such as PCI or HIPAA.
Finance and compliance departments work together to:
- Understand how SOX impacts the organization
- Develop training regarding SOX compliance for all necessary departments and staff
- Oversee reporting and financial tasks to ensure compliance with SOX
- Manage in-house tip lines for those who want to report a potential SOX issue
- Respond to concerns about SOX issues
- Conduct audits of various processes to help ensure the enterprise is compliant with SOX
Sometimes these departments and procedures fall under the title of Risk Management.
Smaller businesses that lack the capacity to manage SOX compliance through an existing department may need to work with outside partners, such as attorneys, risk-management consultants, or accountants, for this purpose. This is often where a compliant document management system becomes important.
Some Important Provisions of Sarbanes-Oxley
Sarbanes-Oxley provisions are typically referred to by their section numbers. For example, Section 302 holds Chief Operating and Financial Officers responsible for the accuracy of an organization's SEC report filings and internal financial controls. This section requires that a C-suite executive sign SEC filings and other related reports, indicating that he or she read the entire report and believes that everything in it is well-founded and accurate.
Other important provisions of SOX include, but aren't limited to, those below.
- Section 401 requires financial reports to be accurate and to come with certain supporting disclosures, such as off-balance-sheet transactions and liabilities. One of the purposes of Section 401 is to ensure that a corporation's public reporting gives a fuller picture of its financial health and that transactions are less likely to be kept off the books.
- Section 404 mandates that annual financial reports come with a statement of internal control. Specifically, management has to verify that it has the right level of internal control over financial processes and report shortcomings in this regard. This section is complex and often difficult to implement, since it requires a robust, compliant documentation and audit process.
- Section 806 is the whistleblower provision. If an employee of a publicly traded company or subsidiary reports potential fraud or other illegal activity under SOX, they are protected. Section 806 defines the types of reporting that count as protected whistleblowing, including reports of fraud against shareholders, violations of SEC regulations, and federal mail or bank fraud.
- Section 1107 further protects whistleblowers by making it a crime to retaliate against them.
- Section 802 sets up the potential for criminal penalties if someone is caught altering documents related to corporate financial activities or reporting. That includes falsifying records, destroying critical support documents, and influencing or impeding an investigation.
What Are the Penalties for Falling Afoul of SOX?
The penalties for not complying with Sarbanes-Oxley can be stiff. Section 906 covers the penalties should someone certify (by signing) a fraudulent or misleading financial report. If they are charged with this crime and found guilty, they could face up to 20 years in prison and be on the hook for a fine of up to $5 million. Other sections of the act cover different criminal financial acts, often listing potential penalties that are similar in scope.
A Few Best Practices for Ensuring SOX Compliance
Awareness and training are at the forefront of best practices for keeping organizations compliant with Sarbanes-Oxley. C-suite executives must be aware of their responsibilities under the act, and accounting and financial staff obviously need to know how to remain compliant. But employees across the organization may also need to understand what Sarbanes-Oxley is and whether they have any role to play in compliance.
Some other best practices might include:
- Creating strong document management processes that let you control who can access and alter documents.
- Retaining certain types of documents for the legally mandated number of years before deletion is allowed. A document management system that provides workflow tools to enforce protection or destruction at predetermined times is key to staying compliant.
- Keeping a log of all access to, and all versions of, documents for audit purposes.
- Automating routine tasks to reduce the likelihood that human error leads to a SOX violation.