In the first years after its enactment, the Sarbanes-Oxley Act received relatively little attention in corporate America. That changed in 2005, when R. Mark Halligan, a high-profile trade secrets lawyer, wrote in the National Law Journal: “… directors and top managers must become actively involved with intellectual asset management and information security, to avoid both civil and criminal liability under Sarbanes-Oxley and shareholder derivative suits for the breach of the fiduciary duty to adequately protect intellectual property assets.” The article marked a significant shift in attitude towards the Act.
What is the Sarbanes-Oxley Act?
The Sarbanes-Oxley Act of 2002 (also referred to as SOX) was sponsored by Senator Paul Sarbanes and Representative Michael Oxley. SOX established new standards for corporate accountability and penalties for violations. Its stated intention was to improve the accuracy and reliability of corporate disclosures made pursuant to the securities laws, along with other purposes. The two main objectives of SOX are: 1) to restore investor confidence in light of the corporate scandals of the time, and 2) to prevent further instances of corporate fraud.
The Act applies to all publicly traded companies in the United States, to international companies that have registered equity or debt securities with the Securities and Exchange Commission, and to the accounting firms that audit them. It does not apply to privately held companies in the US.
The key sections of SOX are listed below:
– Section 201: Prohibited Auditor Activities
– Section 302: CEO and CFO Responsibilities Regarding Corporate Reports
– Section 404: Management Assessment of Internal Controls
– Section 409: Real Time Disclosure
– Section 802: Criminal Penalties for Altering Documents
– Section 806: Whistleblower Protection
– Section 807: Criminal Penalties for Fraud
The US Securities and Exchange Commission (SEC) is responsible for the administration and oversight of SOX. Although the Act lists a number of areas of reform, the detailed implementation was left to the SEC, to the Public Company Accounting Oversight Board (PCAOB) that the Act created, and to the US securities exchanges.
Why have the Sarbanes-Oxley Act?
SOX was signed into law on July 30, 2002, in the aftermath of high-profile corporate financial scandals, among them Enron, Tyco and WorldCom. These events caused hundreds of billions of dollars in corporate and investor losses in the US alone, and produced a wave of media coverage of issues including:
– Executive over-compensation
– Systematic management failures
– Lack of board oversight
– Criminal prosecutions of executives and senior management
Under Section 404, SOX requires that every annual report include an internal control report. Under Section 802, the auditors of a public company must retain the documentation that forms the basis of their audits and reviews (the Act specifies five years; the SEC's implementing rule extended this to seven). For this purpose, “documentation” covers:
- Relevant records (e.g. workpapers)
- Documents that form the basis of an audit or review
- Correspondence and other communications
- Records which are created, sent, or received in connection with an audit or review and contain conclusions, opinions, analyses, or financial data relating to that audit or review. This extends to electronic records.
Sarbanes-Oxley & Information Security
SOX does not mention trade secrets by name. Halligan's argument is that its internal control requirements effectively require a company's trade secrets to be identified, classified and valued, and that those values must then be publicly reported and made the subject of adequate internal controls, for instance effective access restrictions. Separately, most states have adopted the Uniform Trade Secrets Act, under which the owner of a trade secret must be able to show that it took reasonable measures to keep the information from disclosure. As most trade secrets today are both created and stored electronically, protecting them is inseparable from the company's other information security measures.
Criticisms of the Sarbanes-Oxley Act
Compliance with SOX was, for the most part, slow to take hold, and its efficacy was not assessed until a number of years after its passage. While observers still debate whether the benefits of the Act outweigh the costs of implementation, a number of major concerns have been raised thus far:
– SOX was designed and implemented too hastily. Companies were unclear on the new rules, some of which became binding before the SEC or the securities exchanges had produced detailed interpretation.
– The reforms imposed an increased regulatory burden. One widely cited study put the total cost to publicly traded companies at $1.4 trillion, while another showed that compliance with the internal controls requirements alone had cost US businesses over $30 billion. Critics point out that this financial burden has fallen disproportionately on smaller and emerging firms.
– Foreign companies have delisted from, or chosen not to list on, American stock exchanges as a result of SOX, and some firms have chosen not to go public at all in order to avoid SOX compliance costs. Market experts argue that the Act's requirements discourage entrepreneurial, risk-taking behavior. This is just one example of the hidden costs of SOX.
Canadian Responses to the Sarbanes-Oxley Act
While SOX introduced significant changes to corporate governance and disclosure obligations in the US, Canadian regulators felt it necessary to adopt similar measures in order to remain compatible and competitive with their US counterparts. As a result, comparable Canadian rules were introduced in mid-2005 by the Canadian Securities Administrators (CSA), together with the Ontario Securities Commission (OSC).
This article takes a look at the Sarbanes-Oxley Act of 2002 (SOX), which established new standards for corporate accountability and penalties for violations. The Act applies to all publicly traded companies in the United States, as well as international companies that have registered equity or debt securities with the US Securities and Exchange Commission. It also explains why, on the reading advanced by trade secrets practitioners, SOX's internal control requirements extend to protecting trade secrets from unauthorized disclosure, and it explores some criticisms of SOX.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:
– Organizational practices (II.A.b.)
– Data governance (V.B.)
– Auditing (V.C.)