Two key components of SOX are 1) a requirement to develop a Code of Ethics for senior financial officers, including enforcement mechanisms and 2) a requirement that outside auditors be rotated every five years (Orin, 2008). Other key components are criteria for director independence, composition and responsibility of the audit, compensation and nominating committees, code of conduct and ethics, disclosures pertinent to controls and procedures, internal control over financial reporting, and whistle-blowing (Kessel, 2011).
With regard to internal control over financial reporting, the Audit Committee has assumed more responsibility for financial accuracy in post-SOX years. The Audit Committee now chooses the company’s independent auditor rather than the CEO. Post-SOX, the Board of Directors appoints the Audit Committee, whereas pre-SOX it would have been the CEO who chose the members of the Audit Committee. This prevents a conflict-of-interest situation. For example, in the Tyco case, the company’s CEO, Dennis Kozlowski, also became Chairman of the Board of Directors. This gave Mr. Kozlowski too much power in the company, and he was able to use that power to his advantage while he embezzled funds from the company. In this case, the Board of Directors was criticized for not taking an active role in the oversight of financial operations. Post-SOX, the Audit Committee assists the Board of Directors with the oversight of financial operations. In addition, the Audit Committee’s primary duties and responsibilities are to monitor the integrity of financial reporting, to monitor the independence and reporting of the company’s independent auditors, and to facilitate communication between management, the independent auditors, and the Board of Directors.
In meetings with the Board of Directors, both internal and external auditors discuss how well the company is complying with the requirements of SOX. In particular, they must be sure the company complies with Sections 302 and 404 of SOX. Section 302 requires the CEO to sign off on the reliability of the company’s internal controls and the accuracy of its financial statements. Section 404 contains the detailed requirements for how management must conduct its assessment of internal controls. It also contains the standards external auditors must use in deciding whether they can sign off on that assessment. SOX created a new organization responsible for the oversight of these external auditing firms, called the Public Company Accounting Oversight Board (PCAOB). Section 404 is one of the most expensive and time-consuming parts of the SOX legislation.
To comply with Section 404, companies have had to re-evaluate system processes having to do with financial data and with information technology. They must ensure both the integrity and the security of financial data. Internal controls to ensure that integrity and security must be well established, documented, and maintained. They must also consider employees’ rights to such data: employees’ rights and permissions must not be sufficient to allow material fraud or misrepresentation of financial data. They have also had to make sure that accounting procedures are followed consistently throughout the organization. In order to attest to these controls, management has to ensure that it can identify a problem, determine its severity, and communicate the scope of the problem to others (Sarbanes-Oxley, 2004).
Kessel, M. (2011). Sarbanes-Oxley overburdens biotech companies. Nature Biotechnology,
Orin, R. M. (2008). Ethical guidance and constraint under the Sarbanes-Oxley Act of 2002. Journal of Accounting, Auditing & Finance, 23(1), 141-171.
Sarbanes-Oxley. (2004). A guide to Sarbanes-Oxley section 404. Retrieved from