Appendix:
Understanding the Sarbanes-Oxley Act
Section 307 sets forth professional obligations for attorneys who represent a company
before the SEC. For example, they are required to report to the company's chief legal
counsel or the CEO any evidence of a material violation of securities law or breach of
fiduciary duty. If those two individuals do not respond appropriately to the evidence,
the attorney is required to report it to the board of directors.
Section 308 provides that any civil penalties obtained from a person be added to any
disgorgement of profits in a fund for the benefit of the victims of the underlying
violation.
Title IV: Enhanced Financial Disclosures
Title IV covers disclosures in periodic reports, and it includes the famous Section 404,
which impacts IT departments to a large extent.
Section 401 requires that financial statements include any material correcting
adjustments, that all material off-balance-sheet transactions be disclosed (Enron had a
number of very material off-balance-sheet transactions that were not disclosed), and
that any pro forma financial tables be presented in a way that is not misleading.
Section 402 prohibits public companies from making personal loans to any of their
directors or executive officers unless the loans are a routine part of the company's
business. A bank, for instance, can make normal credit card, home, or auto loans to its
executives, provided that the terms are the same as those it makes available to the
general public.
Section 403 requires that all directors, officers, and principal stockholders report
any transactions in the company's stock promptly.
Section 404, despite being one of the shorter sections of SOX, has caused a lot of
headaches for accounting and IT departments. Because of its importance in these areas,
the entirety of Section 404 follows.
SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.
(a) RULES REQUIRED.--The Commission shall prescribe rules requiring each annual report
required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C.
78m or 78o(d)) to contain an internal control report, which shall--
(1) state the responsibility of management for establishing and maintaining an adequate
internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of
the effectiveness of the internal control structure and procedures of the issuer for
financial reporting.
(b) INTERNAL CONTROL EVALUATION AND REPORTING.--With respect to the internal control
assessment required by subsection (a), each registered public accounting firm that prepares
or issues the audit report for the issuer shall attest to, and report on, the assessment made
by the management of the issuer. An attestation made under this subsection shall be made
in accordance with standards for attestation engagements issued or adopted by the Board.
Any such attestation shall not be the subject of a separate engagement.