This article is included in our IT & E-commerce Law Bulletin.
Sarbanes-Oxley: what is it?
Where did it come from?
What are its main provisions?
To whom does SOX apply?
By when must it be complied with?
What are the sanctions for non-compliance?
How does it relate to the UK and Europe?
How does it relate to the UK IT industry?
How does it relate to IT security?
What should you do?
Suggested further reading
Appendix – selected text of the Sarbanes-Oxley Act 2002
1. Sarbanes-Oxley: what is it?
The Sarbanes-Oxley Act of 2002 (commonly referred to as “SOX”) requires public companies whose securities are registered with, or which file reports with, the US Securities and Exchange Commission to follow a comprehensive framework of financial reporting and internal control. SOX means that such companies are required to disclose certain financial information publicly in a standard and transparent manner.
Sarbanes-Oxley is not merely a US problem, it has relevance for many organisations, particularly for subsidiaries of US corporations. And it is far from being the end of the story; similar legislation is appearing within Europe and it is likely that the principles of Sarbanes-Oxley will be taken up by regulatory authorities outside of the US as guidelines for good corporate governance.
Nor is SOX just an issue for a company’s internal accounting professionals and external auditors. Compliance with the new regime which it imposes can have significant implications for its IT systems and IT providers (internal and external) as explained further below.
SOX was enacted in the US in July 2002 as a response to high-profile accounting and document-tampering scandals which cast an unwelcome shadow over the credibility of US company financial information and so became a risk to US company investment. It is named after its two authors Paul Sarbanes (Democratic Senator) and Michael Oxley (Republican Congressman).
The key element of the new SOX regime is the requirement that companies establish, and then maintain, internal controls over financial reporting that leave no room for so-called “creative” accounting. Financial reports must be capable of withstanding close scrutiny: they should be auditable and supported by all relevant data. Further, the underlying records should be tamper-evident (a more realistic goal than “tamper-proof”): systems need to record who created, accessed or amended financial data, and when, so that a complete audit trail can be reconstructed and any alteration or deletion detected.
It has been said that the Sarbanes-Oxley Act is the single most important piece of legislation affecting corporate governance, financial disclosure and the practice of public accounting since the US securities laws of the early 1930s.
According to a recent article, IT directors in many of the UK’s financial services and other firms are likely to be caught on the hop by the implications of recent international compliance initiatives, such as the Sarbanes-Oxley legislation, the updated International Accounting Standards, and (for banks at least) the Basel II revised framework for capital adequacy regulation.
Regulatory change and compliance with such changes is a matter of your perspective: either it’s a major headache, prompted by alarmist headlines such as “Get IT wrong and go to jail!”, or it’s an opportunity to get your house in order and take advantage of the efficiency savings that can flow from the creation of better business practices. Whatever your view, it seems likely that, as noted above, similar legislation will be shortly appearing in the EU. On 16 March 2004, the European Commission published a proposed directive on auditing rules. The intention, once again, is to improve investor confidence in the accuracy of company accounts and as such covers much of the same ground as SOX.
2. Where did it come from?
SOX was passed in the wake of a series of high-profile corporate scandals, all relating in some way to creative accounting practices. In fairly quick succession it became apparent that major companies such as Enron, WorldCom and Tyco had accounted in an overly optimistic fashion for certain income streams, or had entered into elaborate and deceptive transaction structures, in each case with the effect of grossly distorting their financial statements. The revelation of their true position provoked the financial collapse of the companies concerned, with huge losses to shareholders and bondholders and an inevitably wider and disturbing effect on investor confidence in general.
When Enron filed for bankruptcy in December 2001 it was one of the biggest bankruptcies in corporate history. As the investigations wore on, it transpired that behind the headlines sat a myriad of accounting irregularities, off-balance-sheet transactions and special purpose vehicles created specifically to hide debt. Worse still, documents discovered during the investigations showed that the Arthur Andersen team in charge of the Enron audit had actively engaged in document destruction in an attempt to obscure the true picture.
More recently, the Parmalat debacle and the misstatement by Shell of its proven oil reserves have once again thrown corporate accounting practices into the spotlight. Indeed, it has been suggested that had SOX already applied to Shell, the problems with Shell’s figures would have come to light far earlier.
3. What are its main provisions?
The objective of SOX is to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to securities laws and accounting requirements.
The Act sets out to:
- increase the rigour of financial disclosure and thereby improve the information provided to and held by the Securities and Exchange Commission
- create a Public Company Accounting Oversight Board
- promote standard setting for accounting practices
- increase the independence of public company auditors
SOX aims to enhance corporate governance through measures that strengthen internal checks and balances and, ultimately, corporate accountability. In practice, this requires companies to assess their current information security policies and controls to establish the extent to which they need updating in order to support the integrity of corporate financial information.
The Act is intended to address the problems that generated it by instituting various new levels of control and sign-off such that financial reporting provides full and accurate disclosure and corporate governance is completely transparent.
Its major provisions include:
- certification of financial reports by CEOs and CFOs
- ban on personal loans to Executive Officers and Directors
- accelerated reporting of trades by insiders
- prohibition on insider trades during pension fund blackout periods
- civil penalties added to disgorgement funds for the relief of victims
- additional disclosure
- auditor independence, including outright bans on certain types of work and pre-certification by the company's Audit Committee of all other non-audit work
- criminal and civil penalties for securities violations
There are three areas of particular concern to those involved in IT audit and control. Section 302 requires the CEO and CFO to personally sign off on the appropriateness of the firm’s financial statements (see also section 1102 regarding tampering with records). Section 404 covers attestation of the adequacy of financial reporting controls. Section 404 means that organisations must not only introduce adequate systems in the first place but must also assess the adequacy of those systems on an annual basis. The third section of direct relevance is section 409 which calls for real-time reporting.
For the full text of sections 302, 404, 409 and 1102, see the Appendix to this paper.
4. To whom does SOX apply?
For any large organisation, there is a significant risk that, by one route or another, SOX may apply to it.
SOX applies to all issuers that:
- have registered securities under the U.S. Securities Exchange Act of 1934
- are required to file reports under Section 15(d) of the Exchange Act
- have filed a registration statement under the U.S. Securities Act of 1933 that has not yet become effective
It also applies to non-US subsidiaries of US parent companies where the parent is required to produce consolidated accounts for the group as a whole.
SOX applies standards of conduct for all public companies and as such does not differentiate in its application between US companies and non-US companies to which the US-investing public is likely to have an exposure. As such SOX will catch European companies that have securities publicly traded in the US on national securities exchanges or NASDAQ as well as companies that are required to file reports with the SEC.
Recent figures suggest that this means a rather wide application. There are approximately 469 non-US companies listed on the NYSE including 185 that are based in the EU and 451 non-US companies listed on NASDAQ including 149 based in the EU.
It follows that the SOX rules apply irrespective of the location of a company’s headquarters. This in turn raises the possibility of conflicts of governing law and, as one would expect, the SEC has addressed this in its implementing rules: in certain areas, where a provision of SOX conflicts with the national rules of a country outside the US, the national rules take precedence.
Note that there are exemptions. For example, a foreign issuer that (1) has not sold securities to the public in the United States, or (2) has fewer than 300 US shareholders, or (3) is exempt from Exchange Act registration by virtue of Exchange Act Rule 12g3-2(b) is not subject to the requirements of SOX.
Various checklists exist to help you identify whether SOX applies to your organisation or may do so in the near future. The diagram accompanying this section in the bulletin (not reproduced here) is an aide-mémoire listing the sorts of questions that you should ask.
5. By when must it be complied with?
SOX is not a “big bang” piece of legislation: certain parts are being phased in over time. However, Sections 302 and 1102 are effective now (respectively the provisions regarding chief officer certification of annual and quarterly reports, and the provisions regarding tampering with records).
The rules implementing Section 409 (real-time reporting) have yet to be announced, a delay which is welcome given the operational challenges that real-time reporting is likely to present.
15 November 2004 is the magic date for Section 404. Under this section, public companies with a public float of over US $75 million (“accelerated filers”) must have their internal control over financial reporting in place and operational for fiscal years ending on or after 15 November 2004, with the first management report on those controls due in the annual report for that year and updates in all quarterly reports thereafter.
6. What are the sanctions for non-compliance?
The sanctions are stiff in the first instance, and get stiffer still if wilfulness or intent to deceive can be shown. A CEO or CFO who submits an inaccurate certification is subject to a fine of up to US $1 million and imprisonment for up to ten years. However, if the inaccurate certification was submitted “wilfully”, the fine can be increased to as much as US $5 million and the maximum prison term raised to twenty years. This sort of personal liability is sure to concentrate the minds of those in the firing line and (as was found with Y2K) can come to the assistance of the IT Director if he or she fears that warnings regarding SOX are not being taken sufficiently seriously at a senior level.
A further penalty applies in respect of the requirement for auditors to maintain and preserve audit work papers for five years, a requirement which raises significant document-management issues. Non-compliance can result in a fine and/or imprisonment for up to 10 years.
7. How does it relate to the UK and Europe?
The introduction of SOX is already having a huge impact on hundreds of companies operating in the UK which need to be compliant with the legislation or face heavy penalties. This impact is neatly demonstrated by the increasing number of job opportunities being advertised for those with experience of SOX (often in combination with experience of International Financial Reporting Standards, the adoption of which next year by European listed companies is another major accounting change).
Provided that the requirements for application highlighted above are met (essentially where a UK or mainland European company is, or securities issued by it are, registered on a US exchange), an organisation will be covered and will need to take action, regardless of that organisation’s domicile.
In these circumstances, the provisions listed above will apply to the directors and officers of such organisations. For example, a UK CFO, CIO or CEO will need to ensure that he or she obtains the right level of audit certification, in a demonstrably compliant way and in time.
8. How does it relate to the UK IT industry?
By now it should be readily apparent that SOX compliance is a major issue for large parts of the UK (and indeed global) IT industry. It takes time to turn the wheels within large organisations in order to implement a large change process, and as such, affected organisations should be acting now. It’s a long time since IT was merely seen as a support function within an organisation. IT is central and, as such, attention must be given to the IT implications of SOX compliance, with particular reference to how business processes and systems will need to change for this purpose. SOX does not require the imposition or use of new IT, but many believe that SOX could spark other process-oriented IT projects. The relationship between SOX compliance, process design and business technology is crucial.
A detailed roadmap for SOX IT compliance (and for enhancing internal control generally through IT) is set out in the Control Objectives for Information and related Technology (CobiT), a product of the IT Governance Institute (ITGI). ITGI draws an interesting distinction between SOX compliance and the work required for other compliance projects (such as Y2K, electromagnetic compatibility requirements, etc.). SOX compliance is not a one-off exercise after which all concerned can breathe a sigh of relief and forget about it. Instead, the activity required for SOX compliance will become, and remain, a routine part of doing business, alongside similar ongoing compliance requirements for UK businesses: data protection, health and safety, environmental requirements (such as the restrictions on the use of hazardous substances and the requirement to dispose of IT equipment responsibly), freedom of information, and the review of the Turnbull guidance on internal control and risk management currently being undertaken by the Financial Reporting Council.
As stated above, SOX does not mandate new IT, and even CobiT and the internal control framework developed by the Committee of Sponsoring Organisations of the Treadway Commission (“COSO”) are merely suggested frameworks. Yet the ITGI has been keen to ensure that its proposed framework is consistent with ISO 17799, the IT Infrastructure Library (ITIL) and the Common Criteria, so that compliance with SOX (from a systems perspective) also means following IT best practice.
A proactive approach to compliance may produce tangible benefits for an organisation such as improved security systems, better decision making processes due to better data and decreases in insurance premiums due to the ability to demonstrate far tighter process and anti-money laundering controls. For a bank it may result in a lower allocation of capital towards operational risks in accordance with the Basel II revised framework for capital adequacy regulation.
SOX could, therefore, be an opportunity for the UK IT industry to help organisations become more process-based, delivering better information to more people. SOX will require greater visibility of compliance and the records and processes for creation and storage of data, together with a review of the existing rights to access and adapt corporate data. This will increase the centrality of IT within organisations as the IT department assumes increased responsibility for all data within an organisation and not merely for the systems that process that data.
9. How does SOX relate to IT security?
Integral to the determination of compliance will be the ability of an organisation to produce and retain secure data for audit, accounting and (if things go wrong) legal purposes. In the UK, from the viewpoint of the courts, a document can be in any format, not merely paper, and as such it is possible to adduce digital data before a court. The weight that will be given to such evidence will depend upon the way in which the data has been created and held. This, in turn, highlights the importance of appropriate security policies. SOX means being able to prove the authenticity of data and the correct running of systems, and being able to set out clearly and enforce rights of data access and modification.
Organisations will need to establish a team to assess their readiness for SOX. Using an appropriate process methodology, that team will need to assess the current state of an organisation’s IT and its compliance status, and then decide steps to move to compliance.
This may not be the huge task that it might at first appear. Your existing systems may already be compliant or may be capable of being adapted to comply. Some reports saying that this is not possible may (of course) be promulgated by those offering new SOX-compliant packages.
SOX obliges affected organisations to retain records for seven years from the end of the relevant fiscal period. This means that organisations will need to assess whether their systems can retrieve the necessary data, such as email, and this, in turn, may have implications for the way in which email is stored. Is all your data backed up and held off-site? Can it be accessed and searched? In more detail, it seems likely that Section 302 (chief officer certification) will require strong authentication, protection of data in transit and at rest (encryption), and user-level logging of every access to and amendment of financial data, so that the officers signing the certification can rely on the figures in front of them.
Section 404 (attestation of controls) will require access controls which are consistent with existing enterprise controls and which can be tested and evidenced to your auditors.
Section 409 (real-time disclosure) will require resilience against denial of service (the disclosure channel must remain available), together with logging and mirroring of data.
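As an added illustration (not part of the original bulletin, nor of any product it mentions) of the tamper-evident, user-level audit trail described in sections 1 and 9, the Python below keeps an append-only log of who did what to which financial record and when, links each entry to the previous one with an HMAC, and shows what verification reports when an entry is altered, an entry is deleted, or the newest entries are silently dropped. The record identifier GL-1001, the user names, the timestamps and the key are all constructed for the example.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Link value used before the first entry exists.
GENESIS = "0" * 64
# Fields covered by the MAC (everything except the chain fields prev/mac).
BODY_FIELDS = ("seq", "ts", "user", "action", "target", "detail")


def _canonical(body):
    # Canonical JSON so the same record always produces the same MAC input.
    return json.dumps(body, sort_keys=True, separators=(",", ":"))


def _link_mac(key, prev_mac, body):
    # Each MAC covers the previous entry's MAC, so the entries form a chain:
    # changing, removing or reordering one entry breaks every later link.
    return hmac.new(key, (prev_mac + _canonical(body)).encode(), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only record of who did what to which record, and when."""

    def __init__(self, key):
        # Assumption: the key lives in a separate logging service or HSM that the
        # application users cannot reach; anyone holding it can forge entries.
        self._key = key
        self.entries = []

    def append(self, ts, user, action, target, detail):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "user": user,
                "action": action, "target": target, "detail": detail}
        entry = dict(body, prev=prev, mac=_link_mac(self._key, prev, body))
        self.entries.append(entry)
        return entry

    def head(self):
        # The latest MAC; publish it to a separate system so truncation is detectable.
        return self.entries[-1]["mac"] if self.entries else GENESIS


def verify_chain(key, entries, expected_head=None):
    """Return (ok, seq_of_first_problem, reason) for a stored log."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i:
            return False, i, "sequence gap or reordering"
        if e.get("prev") != prev:
            return False, i, "broken link to previous entry"
        body = {k: e.get(k) for k in BODY_FIELDS}
        if not hmac.compare_digest(e.get("mac", ""), _link_mac(key, prev, body)):
            return False, i, "entry modified (MAC mismatch)"
        prev = e["mac"]
    # A chain alone cannot reveal that its tail was cut off; the externally held
    # head value can.
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(entries), "log truncated (head does not match anchor)"
    return True, None, "ok"


def access_history(entries, target):
    """Who touched `target`, when and how: the 'full audit stream' for one record."""
    return [(e["ts"], e["user"], e["action"]) for e in entries if e["target"] == target]


def build_sample_log(key):
    # Constructed sample entries: a ledger posting, its approval, and a later read.
    log = AuditLog(key)
    log.append("2004-09-30T16:02:11Z", "alice", "post", "GL-1001", {"amount": 12500.00})
    log.append("2004-09-30T16:05:40Z", "bob", "approve", "GL-1001", {})
    log.append("2004-10-01T09:12:03Z", "carol", "read", "GL-1001", {})
    return log


def demo(key=b"constructed-demo-key-keep-out-of-the-application-tier"):
    log = build_sample_log(key)
    anchor = log.head()                         # copy held outside the log store
    results = {"intact": verify_chain(key, log.entries, anchor)}

    tampered = deepcopy(log.entries)
    tampered[0]["detail"]["amount"] = 1250.00   # quietly change the posted figure
    results["modified"] = verify_chain(key, tampered, anchor)

    deleted = deepcopy(log.entries)
    del deleted[1]                               # remove the approval record
    results["deleted"] = verify_chain(key, deleted, anchor)

    truncated = deepcopy(log.entries)[:-1]       # drop the newest entry
    results["truncated_no_anchor"] = verify_chain(key, truncated)
    results["truncated_anchored"] = verify_chain(key, truncated, anchor)

    results["history"] = access_history(log.entries, "GL-1001")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two points matter more than the code. First, the chain is tamper-evident, not tamper-proof: it lets an auditor prove that a stored record was or was not changed, but only if the MAC key is kept away from everyone who can write to the log. Second, a chain cannot by itself reveal that its most recent entries were removed; the `expected_head` check works only because the latest MAC is copied to a place the log's own administrators cannot edit (a second system, WORM media, or a periodic printout signed off by the audit committee). The retention obligation discussed above then applies to the log and to the anchor values alike.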
As referred to above, in broad terms, compliance with ISO 17799 should go a long way towards meeting the systems-related requirements of SOX. In summary, ISO 17799:2000 covers ten areas:
i. security policy
ii. security organisation
iii. asset classification and control
iv. personnel security
v. physical and environmental security
vi. communications and operations management
vii. access control
viii. systems development and maintenance
ix. business continuity management
x. compliance
SOX focuses on financial reporting and disclosure, but an existing ISO 17799 project may be the way to pick up SOX alongside your other compliance projects.
Clearly then, the SOX team within an organisation will need strong representation from the IT department who will have understanding of the current systems and how to test those systems for compliance and be able to inform the design of any new systems required.
10. What should UK companies do?
What needs to be done? An impact assessment has to be the starting point. What do these new laws and regulations require your organisation to do to its existing IT systems in order to achieve compliance? In parallel, what accounting systems and practices do you currently use and what, if any, existing compliance programmes are in progress?
Timescales: SOX compliance is time-critical. Where you rely upon third parties to achieve compliance for you, what incentives should be put in place to maximise on-time completion, and what should the contractual recourse be for delay?
Existing Contract Review:
You should carry out an audit of existing contracts relevant to the IT systems which require change. Such contracts may provide for the allocation of cost, either through one party paying all the costs or by making everything subject to a negotiated “change control” arrangement. Many contracts contain “compliance with law” clauses under which the original supplier of the product or service commits to ensure that it remains compliant with laws and regulations during the term of the agreement. Such clauses have significant legal repercussions, because they mean that, technically, the supplier can be responsible for meeting all the costs of certain customer changes. It is important that businesses understand the contractual position as a basis for negotiation with their suppliers.
There are implications to consider in systems contracts generally because how liability is dealt with will form part of a bank’s or financial institution’s operational risk analysis. Both new and existing contracts will need to be reviewed in respect of system procurement and integration projects, maintenance and disaster recovery relationships and outsourcing arrangements. Matters such as liability, warranties, rights of termination and IPR ownership will need to be addressed.
The information management demands of SOX will require organisations to look closely at the adequacy of their current IT systems. Analysts at Gartner are predicting a possible US $4.6 million spend for the largest US companies. Even “average” compliance costs are estimated at just under US $2 million.
Contract review might lead to the need to renegotiate key contracts. As such you will need to assess your ability to renegotiate, be familiar with any change control process, and be comfortable with your termination options should the negotiation process fail.
New contract establishment: Similarly, in new contracts for systems and services intended to achieve SOX compliance, ensure that express provision is made for compliance (i.e. that compliance is a condition of contract) and ensure that the ongoing service provider is under an obligation to maintain and update security procedures and affected systems in order to keep compliant.
Helping third parties: If a third party is going to make the changes for the company, what information and assistance does the company need to provide to ensure that the programme succeeds? Don’t underestimate this – the business ultimately responsible for compliance is yours and the third party can’t deliver a “quick fix solution” for you without your sustained input.
What happens if you are not compliant? What are the consequences for your organisation, your directors and stakeholders if the required changes are not achieved on time?
11. Suggested further reading
- CobiT 3rd Edition ©, IT Governance Institute, Rolling Meadows, Illinois, USA, July 2000.
- ISO/IEC 17799:2000, Code of Practice for Information Security Management, International Organization for Standardization (ISO), Switzerland, 2000.
- IT Infrastructure Library (ITIL), from the Central Computer and Telecommunications Agency (CCTA), now the Office of Government Commerce (OGC), www.ogc.gov.uk. See also British Standards Institution’s Standard for IT Service Management (BS15000).
Appendix – selected text of the Sarbanes-Oxley Act 2002
SEC. 302. CORPORATE RESPONSIBILITY FOR FINANCIAL REPORTS.
(a) REGULATIONS REQUIRED- The Commission shall, by rule, require, for each company filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m, 78o(d)), that the principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed or submitted under either such section of such Act that:
(1) the signing officer has reviewed the report
(2) based on the officer's knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading
(3) based on such officer's knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report;
(4) the signing officers
(A) are responsible for establishing and maintaining internal controls
(B) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared
(C) have evaluated the effectiveness of the issuer's internal controls as of a date within 90 days prior to the report
(D) have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation from that date
(5) the signing officers have disclosed to the issuer's auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function)
(A) all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer's ability to record, process, summarise, and report financial data and have identified for the issuer's auditors any material weaknesses in internal controls
(B) any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls
(6) the signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.
(b) FOREIGN REINCORPORATIONS HAVE NO EFFECT – Nothing in this section 302 shall be interpreted or applied in any way to allow any issuer to lessen the legal force of the statement required under this section 302, by an issuer having reincorporated or having engaged in any other transaction that resulted in the transfer of the corporate domicile or offices of the issuer from inside the United States to outside of the United States.
(c) DEADLINE- The rules required by subsection (a) shall be effective not later than 30 days after the date of enactment of this Act.
SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.
(a) RULES REQUIRED – The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall:
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
(b) INTERNAL CONTROL EVALUATION AND REPORTING – With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
SEC. 409. REAL TIME ISSUER DISCLOSURES.
Section 13 of the Securities Exchange Act of 1934 (15 U.S.C. 78m), as amended by this Act, is amended by adding at the end the following:
`(l) REAL TIME ISSUER DISCLOSURES – Each issuer reporting under section 13(a) or 15(d) shall disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer, in plain English, which may include trend and qualitative information and graphic presentations, as the Commission determines, by rule, is necessary or useful for the protection of investors and in the public interest.'.
SEC. 1102. TAMPERING WITH A RECORD OR OTHERWISE IMPEDING AN OFFICIAL PROCEEDING.
Section 1512 of title 18, United States Code, is amended:
(1) by redesignating subsections (c) through (i) as subsections (d) through (j), respectively; and
(2) by inserting after subsection (b) the following new subsection:
`(c) Whoever corruptly:
`(1) alters, destroys, mutilates, or conceals a record, document, or other object, or attempts to do so, with the intent to impair the object's integrity or availability for use in an official proceeding; or
`(2) otherwise obstructs, influences, or impedes any official proceeding, or attempts to do so, shall be fined under this title or imprisoned not more than 20 years, or both.'
“UK firms unprepared for technology implications of new compliance regulations” by Robin Pilgrim, LawandTax-News.com, 30 June 2004.
According to Gartner research. See “An ounce of prevention for Sarbanes-Oxley” by Dar Haddix, UPI Business Correspondent, , 30 July 2004.
Proposal for a Directive of the European Parliament and of the Council on statutory audit of annual accounts and consolidated accounts and amending Council Directives 78/660/EEC and 83/349/EEC.