This paper examines Section 404 of the Sarbanes-Oxley Act of 2002, situating it within the broader legislative response to corporate scandals such as Enron and WorldCom. The paper traces the Act's background, outlines the internal control requirements mandated under Section 404, and analyzes the implications for public companies, auditors, and information technology infrastructure. It also addresses unanticipated compliance challenges (including mergers, acquisitions, and transfer pricing) and reviews key criticisms of the legislation. The paper concludes that Section 404 represents a significant turning point in corporate governance, while acknowledging that additional time and refinement may be necessary for full and effective compliance.
The Sarbanes-Oxley Act emerged in the wake of widespread corporate scandals and significant media pressure, most notably following the collapse of Enron. The Act provides stiff penalties for executives at the helm of companies, including fines of over $5 million for violations (Snedaker, 2006). It is named after Senator Sarbanes and Representative Oxley, its principal architects. The Sarbanes-Oxley Act was designed to introduce regulation to corporate governance and financial accounting, bringing in mandatory rules regarding internal financial controls (Romano, 2005).
The Sarbanes-Oxley Act of 2002 was signed into law by the President on July 30, 2002. It principally applies to matters covered under the Securities Act, that is, public offerings and companies whose shares and securities are subscribed to by the public. All companies with assets exceeding $10 million and more than 500 security holders fall within its purview. Public companies, investment firms, securities traders, foreign companies, and others that trade securities on national securities exchanges are bound by the law (Sonnelitter, 2005).
Even before the Act was passed, there was a prevailing opinion that auditing standards at U.S. public companies were insufficiently rigorous. This concern led to accounting reform measures, including the Investor Protection Act of 2002 and the Public Company Accounting Reform. The impact of the Sarbanes-Oxley Act was most significantly felt in the creation of the Public Company Accounting Oversight Board (PCAOB), which was tasked with enforcing these earlier accounting measures. An additional key requirement was mandatory disclosure (Coates, 2007).
The Act has long-term and far-reaching consequences, not only for the governance of public companies but also for the nature of auditing and the roles of auditors and financial controllers. Compliance requires skilled professionals from accounting, auditing, and information technology working in concert. The Act established deadlines and mandated timelines for compliance, making the provisions of Section 404, which ordered significant structural changes, central to the reform effort (Romano, 2005).
The Sarbanes-Oxley Act contains eleven titles, and the orders for compliance fall under Sections 302, 401, 404, 409, 802, and 906. Of these, Section 404 addresses an important aspect of internal controls within corporate structures (Romano, 2005). Section 404 is located under Title IV (Sonnelitter, 2005). Although the provisions of corporate governance under SOX 404 were not subject to extensive legislative debate, there is an ongoing argument that making SOX mandatory is inappropriate (Romano, 2005).
Section 404 makes it mandatory for companies to establish and maintain a system capable of controlling internal activities and financial reporting. This requirement applies specifically to public companies (Snedaker, 2006). The federal regulation of financial markets has historically been a response to market failures. Some scholars argue that the disclosures required under the Act could be made optional rather than mandatory (Romano, 2005).
The new requirements effectively verify whether corporate procedures exist to create financial accountability and prevent fraud of the type seen at Enron. The need to ensure the transparency of financial transactions and the accountability of financial controls resulted in the Act requiring companies to publish information about their financial compliance. These requirements concern the processes operating within a corporate entity, the controls in place, and the evaluation of financial performance. The law represents a shift in how corporate performance is understood and assessed. It now involves expertise from a wide range of specialized agencies (including information technology professionals, risk managers, and business analysts), all of whom contribute to internal control evaluation. The Act also modified financial reporting to include disclosures in both quarterly and annual statements regarding the perceived effectiveness of the internal control mechanism for financial reporting (Ramos, 2004).
The key features of Section 404 of the SOX Act relate to internal controls within corporate structures (Shanley, 2004). Internal control is defined in the Act at Rule 13a-15(f) as the procedure formulated by, or based on the assessment of, the company's executive and financial officers, with the aim of providing accurate financial reporting and financial statements for external publication. The Act further specifies that internal control should maintain proper records of all transactions and the issuer's assets, ensure compliance with generally accepted accounting principles, and establish a system to prevent the unauthorized disposal or acquisition of funds that could adversely affect the company's finances (Chew, 1993).
The term "internal control" thus carries a broad meaning, covering all activities of the company. Section 404 makes it mandatory for the Chief Executive Officer and the Chief Financial Officer to submit a report evaluating the company's internal control over financial reporting. This report is to be filed on Form 10-K and submitted to the SEC on the annual filing date (Ramos, 2004).
The regulations and methods governing financial accounting responsibility were established long before SOX. The Committee of Sponsoring Organizations (COSO) issued regulations on internal controls as far back as 1992. Under those guidelines, internal control encompasses well-defined policies, procedures, and rules that are mandatory for management, and is expected to ensure reliable financial reporting, efficient operations, and legal compliance. The COSO framework aims to improve data analysis and storage methods, financial reporting, and the efficiency of company operations. In traditional management models, the absence of such internal controls has long been viewed as a fundamental weakness. One significant benefit of Section 404 is that the effectiveness of internal controls in relation to company risk becomes visible to investors and forms part of the company's financial report. Enterprise reporting must therefore be grounded in a rigorous assessment of enterprise risk (Lin & Wu, 2006).
Companies are now obligated to create corporate procedures that promote financial accountability and prevent fraud. The law has introduced more complex requirements, drawing on expertise from a wide range of specialized agencies (Shanley, 2004). Public companies must comply with all directives of the PCAOB and the SEC, and criminal liability applies in cases of default. The risks of noncompliance are substantial and can significantly affect a company's financial and operational structure (Lin & Wu, 2006). This rule applies to all public companies except issuers of asset-backed securities and registered investment companies. In final form, the guidelines require management to provide a statement demonstrating adequate internal control over financial reporting, a framework for assessing the effect of financial controls, an assessment of the most recent fiscal year, and a management evaluation of the effectiveness of the registrant's internal controls (Shanley, 2004).
Although the procedures imposed by Section 404 are costly for companies, investors stand to gain significantly. Management must provide a statement of adequate internal control over financial reporting, and the framework used to assess financial controls, along with the most recent fiscal year's assessment, is made available to investors. This enables investors to make informed decisions and to optimize risk rather than rely on hearsay. For companies, the Act has ushered in improved accounting practices and management upgrades in technology and competence. Staff training and management development will be required to meet the demands of the proposed systems and controls. Section 404 also offers companies a competitive advantage by providing investors with high-quality, timely information (Shanley, 2004).
For officers, shareholders, and other stakeholders, the Act ensures that financially literate directors are in charge and that internal controls make the company relatively safe. It should be noted, however, that the Act applies only to public companies, and some companies have restructured to avoid its provisions. Auditing firms and auditing processes have also undergone substantial changes as a result of the Act. Auditors now carry a primary and specific responsibility when presenting audit reports. To comply with the regulation, auditors must first understand the internal framework of the company, making them more deeply involved in corporate decision-making and bearing greater responsibility. The Act has created a demand for restructuring information systems, including IT infrastructure and personnel training. Since data manipulation is the primary method of committing financial deception, establishing security and data integrity in systems processing large volumes of data has necessitated the creation of comprehensive IT policies and procedures (Lin & Wu, 2006).
IT controls are critically important for regulatory compliance in the digital age. This in turn requires competent IT personnel and management training in IT and management information systems (MIS). Since most companies already have an internal reporting system in place, compliance often means reworking an existing framework rather than building one from scratch. Controls over IT systems (including access restrictions, data security and integrity, and governance of system usage) must all be taken into account when redesigning the system (Fox, 2006).
The guidelines thus require companies to build a structure within the existing financial system, incur associated costs, recruit or train competent personnel, and achieve a higher standard of corporate management. Compliance with the Act helps companies avoid risk, and the annual financial report must now also contain an attested internal control report. This makes the company's affairs more transparent, and the Act may therefore have genuinely benefited companies as a long-term solution to corporate governance needs (Shanley, 2004).
Section 404 is a mandatory provision for the annual review of internal procedures and the evaluation of controls for financial reporting. The annual report must include a statement from the CEO or CFO affirming their responsibility for maintaining and evaluating internal financial controls, as well as a declaration that the company's internal auditor has attested to management's evaluation. All public companies must comply (Shanley, 2004).
We must take into account both the criticism and the merits of the Act to arrive at a valid conclusion. One important fact that cannot be overlooked is that the Act has left unaddressed the problem of unanticipated business transactions such as mergers and acquisitions, which pose major compliance challenges. Those previously involved in mergers and acquisitions were not focused on internal controls. This shift in paradigm may make mergers and acquisitions more costly propositions and could introduce certain inequalities, a concern that extends to the area of transfer pricing as well.