Introduction to Title IV of the Sarbanes-Oxley Act (SOX)
Title IV of SOX comprises 9 provisions whose primary focus is to improve financial disclosures.
Section 401 of the law requires companies to provide financial statements that adhere to GAAP and show “all material correcting adjustments established by the auditing firm.” In addition, financial reports produced quarterly or annually must report “all material off-balance sheet undertakings, arrangement obligations, and other relationships with unconsolidated entities that have an impact or eventual impact on the financial health of the issuer.” To that end, the Securities and Exchange Commission (SEC) will release guidelines and regulations to ensure that pro forma financial information is not misrepresented, misleading, or misstated. Moreover, the SEC will examine reported off-balance sheet transactions to identify their range and determine whether the economics of such transactions are clearly reflected in the issuers’ financial statements.
Under Section 402 of SOX, issuers are prohibited from extending credit, in any form or by any means, to any executives or directors of that issuer. Under Section 403 of the law, officers, directors, and principal shareholders are given deadlines for disclosing specified transactions.
Of all the provisions, Section 404 is possibly the most controversial. This part of the law obliges issuers to include an “internal control report” in their annual report. The report states management’s duty and obligation to institute and manage an effective internal control system and methods for financial reporting. As instructed, the internal control report will include a recent assessment of the efficacy of the internal control system and methods that the issuer uses in financial reporting. Under the law, the external auditor is compelled to validate and confirm management’s attestations regarding its examination of internal controls.
Under Section 405, registered investment corporations, in reference to Section 8 of the Investment Company Act of 1940, need not comply with the policies under Sections 401, 402, or 404.
Corporations’ Chief Executive Officers (CEO), Chief Financial Officers (CFO), Chief Accounting Officers, and people whose roles are equivalent to those of the aforementioned executives are subject to a code of ethics, as described in Section 406. If a company does not have a code of ethics or does not compel its executives to comply with such requirements, it must disclose this fact and justify its reasons for not doing so.
The implementation of a code of ethics aims to avert misconduct and to promote truthful and righteous conduct; complete, proper, accurate, and clear disclosures; adherence to federal laws and policies; and accountability.
Section 407 obliges corporations to employ one or more independent financial experts who will be part of the company’s audit committee. The expert should: have a deep understanding of GAAP and related documents; be able to assess the main application of GAAP to different accounting functions; have know-how in preparing, accounting, assessing, or evaluating financial reports; and be knowledgeable about the roles and duties of the accounting committee and about the internal controls and methods in financial reporting.
Through Section 408, the SEC is authorized to regularly and systematically review the reports made by issuers. Lastly, Section 409 requires issuers to report any information regarding material changes in the financial status or activities of the issuer on an expeditious and current basis.
Scope of Section 404
Section 404 of the Sarbanes-Oxley Act requires companies to include an internal control report in their annual report. In reference to Sections 13(a) and 15(b) of the Securities Exchange Act of 1934, business institutions such as banks, non-U.S. corporations, and small-business issuers are required to comply with the law.
According to the Sarbanes-Oxley Act, an “issuer” is any entity whose securities are registered under Section 12 of the Securities Exchange Act, any entity that is compelled to provide disclosures under Section 15(d) of the Securities Exchange Act, or any entity that registers or has registered under the Securities Act of 1993, where the registration is not yet effective and has not been withdrawn.
The policies under Section 404 do not apply to private subsidiaries of public corporations. However, their parent issuers are compelled to assess the subsidiaries’ controls and procedures and determine whether the subsidiaries’ controls should be a part of the parent issuers’ analysis of their overall internal control systems.
Foreign issuers are also obliged to adhere to the policies set by Section 404. However, the rules for their compliance depend on their accelerated filing status. In addition, they are required to assess the efficacy of their internal controls and report their conclusions in their annual report.
Generally, all entities that submit Forms 10-K or 10-Q are required to comply with the rules set forth by Section 404.
Rules and Policies under Section 404
Through this provision, the SEC has established and issued guidelines for management’s assessment of internal control over financial reporting. The agency instructs companies to conduct a formal evaluation of their controls and incorporate their assessment of the controls in the yearly report on Form 10-K. Meanwhile, according to the Global Institute of Internal Auditors, the external auditors should give their independent opinion regarding the efficacy of the system of internal controls over financial reporting, as well as a traditional opinion on their client’s financial reports.
In creating the internal control report, management should include in its disclosures: an assertion of management’s obligation to institute and maintain sufficient internal control over financial reporting; a statement identifying the structure used by the company in performing the necessary assessment of its internal controls; the result of that evaluation; and an affirmation that a certified public accounting firm has audited the company’s financial reports.
Furthermore, the issuer is liable for the structure of its internal control. It is a joint obligation of the CFO, CEO, and other executives to ensure the efficiency of its internal controls. In evaluating their effectiveness, U.S. corporations can use the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework or the Control Objectives for Information and Related Technology (COBIT) framework as an auxiliary to COSO.
COSO and COBIT Frameworks
In establishing internal controls, entities follow the guidelines provided by COSO, known as the COSO framework. It should be noted that SOX does not require companies to use the framework to adhere to Section 404. Nevertheless, COSO is the framework that issuers favor and predominantly use. The framework comprises five primary building blocks: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring.
Aside from COSO, some companies utilize COBIT as an auxiliary to COSO when evaluating IT controls. The framework was developed in 1994 by the Information Systems Audit and Control Association’s IT Governance Institute. Since then, it has been extensively used by IT audit professionals across the globe.