Sarbanes-Oxley Act of 2002

The Sarbanes-Oxley Act of 2002 has precipitated the most extensive changes to financial reporting, corporate governance, and the regulatory environment for public companies since the Securities Acts of 1933 and 1934. Section 404 of the Sarbanes-Oxley Act requires public companies to include with their annual report to the Securities and Exchange Commission ("SEC") a separate report by management on the assessment of the effectiveness of the entity's internal control. The entity's external auditors must attest to and report on the assessment made by management.

The external auditor's overall objective is to form an opinion about management's assessment of the effectiveness of internal control. Several key provisions of the reporting requirement that impact the external audit include:

  • "As of" reporting. Management assesses the effectiveness of internal control as of the end of the fiscal year, rather than throughout the reporting period.

  • Material weakness in internal control. Management is required to disclose any material weakness in the company's internal control. The existence of one or more material weaknesses precludes management from concluding that its internal control is effective.

Management's overall assessment is limited to internal control over financial reporting only. The SEC rules clarify that management is not required to consider other aspects of control, such as control pertaining to operating efficiencies. The SEC's definition of internal control encompasses the integrated framework internal control definition developed and published by the Committee of Sponsoring Organizations of the Treadway Commission ("COSO").

The COSO framework is not a fixed, prescriptive approach to internal control. Consequently, the approach recognizes that internal control cannot be evaluated against a detailed set of fixed, required procedures. The SEC has frowned on the checklist-style, canned approaches used by certain companies. Management needs to exercise a great deal of judgment, customized to the needs of the entity, to determine the nature of the controls in place and whether they are functioning effectively. Public Company Accounting Oversight Board ("PCAOB") auditing standards and interpretations have modified both the level of and the manner in which procedures are performed.

Key provisions of the proposed standard are: (1) inadequate documentation is a control deficiency that may rise to the level of a material weakness; (2) in certain areas of testing, the outside auditors are prohibited from using management's tests, although the auditor's non-reliance does not relieve management of its responsibilities to perform tests; and (3) entities that lack sufficient resources or expertise may look to third parties for assistance; however, management remains ultimately responsible for evaluating and reporting on the effectiveness of the entity's internal control.

The Sarbanes-Oxley Act has also changed the relationship between management and the audit committee of the Board of Directors. Previously, both sides worked as a team, with the audit committee following the company's lead, but the Sarbanes-Oxley Act clarifies that the audit committee has direct oversight responsibility for hiring and firing of the external auditor. This was intended to motivate audit committees to identify and understand audit risks, as well as to make sure that audit scopes are designed to address those risks.

Sarbanes-Oxley raises a noble challenge for companies and auditors to make the system work to regain the investing public's trust. An important aspect of Sarbanes-Oxley is the Section 404 Management's Assessment of Internal Controls. The Sarbanes-Oxley Act formalizes the approach to evaluating and testing the internal control structure while limiting the involvement of the external auditor. Also, the "Experienced Auditor Test" is the proposed measure for sufficient documentation.

