Sarbanes-Oxley Requirements

Written By heathergilx

The Sarbanes-Oxley Act of 2002 (Pub.L. 107-204, 116 Stat. 745, enacted July 30, 2002), is a U.S. federal law that might affect records storage requirements for your business. Read more about SOX and the requirements it enacts.

The Sarbanes-Oxley Act contains requirements that might affect your business by requiring offsite storage of business records. Here are some frequently asked questions and their answers:

Q: What is the Sarbanes-Oxley Act of 2002?

A: Effective in 2004, all public companies will be required (for the first time) to submit an annual assessment of the effectiveness of their internal financial auditing controls to the Securities and Exchange Commission (SEC). Additionally, each company's external auditors are required to audit and report on the internal control reports of management, in addition to the company’s financial statements.

Q: Why was the Sarbanes-Oxley Act passed?

A: The Sarbanes-Oxley Act of 2002, also known as SOX, was passed due to the accounting scandals at Enron, WorldCom, Global Crossing, Tyco and Arthur Andersen, that resulted in billions of dollars in corporate and investor losses. These huge losses negatively impacted the financial markets and general investor trust. The Sarbanes-Oxley Act mandates a wide-sweeping accounting framework for all public companies doing business in the US.

Q: What companies need to comply with Sarbanes-Oxley?

A: All publicly-traded companies in the United States, including all wholly-owned subsidiaries, and all publicly-traded non-US companies doing business in the US are affected. In addition, any private companies that are preparing for their initial public offering (IPO) may also need to comply with certain provisions of Sarbanes-Oxley.

Q: When did Sarbanes-Oxley compliance take effect?

A: All parts of the Sarbanes-Oxley Act with the exception of Section 409 are effective now. For Section 404, public companies with a market capitalisation over US $75 million needed to have their financial reporting frameworks operational for their first fiscal year-end report after November 15, 2004, then for all quarterly reports thereafter. For smaller companies, compliance is required for the first fiscal year-end financial report, then for all subsequent quarterly financial reports after July 15.

Q: What is the Sarbanes-Oxley Act comprised of?

A: The Sarbanes-Oxley Act itself is organised into eleven sections, but sections 302, 404, 401, 409, 802 and 906 are the most important in terms of compliance. Section 404 seems to cause the most difficulties for compliance. More specifically, Sarbanes-Oxley established new accountability standards for corporate boards and auditors, established a Public Company Accounting Oversight Board (PCAOB) under the Security and Exchange Commission (SEC), and specified civil and criminal penalties for non-compliance.

Q: What does Sarbanes-Oxley compliance require?

A: All applicable companies must establish a financial accounting framework that can generate financial reports that are readily verifiable with traceable source data. This source data must remain intact and cannot undergo undocumented revisions. In addition, any revisions to financial or accounting software must be fully documented as to what was changed, why, by whom and when.

Q: What are the penalties for non-compliance with Sarbanes-Oxley?

A: Besides lawsuits and negative publicity, a corporate officer who does not comply or submits an inaccurate certification is subject to a fine up to $1 million and ten years in prison, even if done mistakenly. If a wrong certification was submitted purposely, the fine can be up to $5 million and twenty years in prison.

SARBANES-OXLEY PROVISIONS THAT AFFECT OFFSITE DATA STORAGE

Sec. 404 Management Assessment of Internal Controls

(a) RULES REQUIRED 

The Commission shall prescribe rules requiring each annual report required by section 13 of the Securities Exchange Act of 1934 (15 U.S.C. 78m) to contain an internal control report, which shall: 

1 - State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and 

2 - Contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. 

(b) INTERNAL CONTROL EVALUATION AND REPORTING

With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

Sec. 802 Criminal Penalties for Altering Documents

(a) IN GENERAL 

Chapter 73 of title 18, United States Code, is amended by adding at the end the following: 
Sec. 1519 Destruction, alteration, or falsification of records in Federal investigations and bankruptcy 
Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.

Sec. 1520 Destruction of corporate audit records 

(a) 

1 - Any accountant who conducts an audit of an issuer of securities to which section 10A (a) of the Securities Exchange Act of 1934 (15 U.S.C. 78j-1(a)) applies, shall maintain all audit or review work papers for a period of 5 years from the end of the fiscal period in which the audit or review was concluded. 

2 - The Securities and Exchange Commission shall promulgate, within 180 days, after adequate notice and an opportunity for comment, such rules and regulations, as are reasonably necessary, relating to the retention of relevant records such as work papers, documents that form the basis of an audit or review, memoranda, correspondence, communications, other documents, and records (including electronic records) which are created, sent, or received in connection with an audit or review and contain conclusions, opinions, analyses, or financial data relating to such an audit or review, which is conducted by any accountant who conducts an audit of an issuer of securities to which section 10A(a) of the Securities Exchange Act of 1934 (15 U.S.C. 78j-1(a)) applies. 

(b) Whoever knowingly and wilfully violates subsection (a)(1), or any rule or regulation promulgated by the Securities and Exchange Commission under subsection (a)(2), shall be fined under this title, imprisoned not more than 5 years, or both. 

(c) Nothing in this section shall be deemed to diminish or relieve any person of any other duty or obligation, imposed by Federal or State law or regulation, to maintain, or refrain from destroying, any document. 

(d) CLERICAL AMENDMENT The table of sections at the beginning of chapter 73 of title 18, United States Code, is amended by adding at the end the following new items: 

Sec. 1519: Destruction, alteration, or falsification of records in Federal investigations and bankruptcy.

Sec. 1520: Destruction of corporate audit records.

FURTHER READING

For more information, visit Wikipedia and the Vendor-Neutral Sarbanes-Oxley Site.

DISCLAIMER

The information contained on this site is not intended as legal advice. Please consult a legal and/or tax professional to resolve any questions or concerns you may have regarding personal or professional financial matters.

heathergilx
Previous

Don’t Let a Disaster Sideline Your Business
Next

The IRS & Record Preservation