Sarbanes-Oxley (SOX) Detailed Analysis
Sarbanes-Oxley (SOX) is a federal law that aims to ensure accurate information is provided to investors. To understand how to comply with SOX, we have to drill through multiple layers:
- The Federal Law (SOX)
- The SEC regulation
- The compliance framework
- Practical Oracle database auditing
This article shows our analysis of SOX and the different layers from the federal law to practical requirements as they relate to Oracle database auditing.
United States Code Title 15 is Commerce and Trade. Chapter 98 (§7201 – §7266) is Public Company Accounting Reform and Corporate Responsibility, better known as the Sarbanes-Oxley Act, or SOX for short.
SOX aims to ensure accurate information is provided to investors. To do that, SOX created a method for controlling the accounting and auditing practices of publicly traded companies.
There are two sections that might be of particular interest to you:
- §7241 – Corporate responsibility for financial reports
- §7262 – Management assessment of internal controls
Section 7241 deals with the responsibility of the company's signing officers for its financial reports:
§7241 – Corporate responsibility for financial reports
(a) ...require, for each company filing periodic reports... that the principal executive officer... certify in each annual or quarterly report... that—
(1) the signing officer has reviewed the report;
(2) based on the officer’s knowledge, the report does not contain any untrue statement... or omit to state a material fact...
(3) based on such officer’s knowledge, the financial statements, and other financial information included in the report, fairly present... the financial condition and results of operations...
(4) the signing officers—
(A) are responsible for establishing and maintaining internal controls;
(B) have designed such internal controls to ensure that material information... is made known to such officers...
(C) have evaluated the effectiveness of the issuer’s internal controls...
(D) have presented in the report their conclusions about the effectiveness of their internal controls...
(5) the signing officers have disclosed to the issuer’s auditors and the audit committee of the board of directors...
(A) all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize, and report financial data and have identified for the issuer’s auditors any material weaknesses in internal controls; and
(B) any fraud...
(6) the signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls... including any corrective actions...
Section 7262 expands on what the annual report should contain:
§7262 – Management assessment of internal controls
(a) Rules required
The Commission shall prescribe rules requiring each annual report... to contain an internal control report, which shall—
(1) state the responsibility of management...
(2) contain an assessment... of the effectiveness of the internal control structure and procedures...
(b) Internal control evaluation and reporting
...each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer...
(c) ...
The Law in a Nutshell
In a nutshell, the signing officers (the principal executive and financial officers, in practice the CEO and CFO) certify that:
- The financial reports are true and complete and fairly present the financial condition and results of the company
- The company has internal controls, designed and maintained by the signing officers, to ensure the reported information is accurate
- The signing officers have evaluated the effectiveness of those controls and reported their conclusions, and a registered public accounting firm attests to management's assessment
- Any significant deficiencies or material weaknesses in the controls, and any fraud, are disclosed to the auditors and the audit committee
- The reports state any significant changes to the controls, including corrective actions, and the annual report carries the internal control report
Next, we look at how the SEC regulation implements the law.