Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act of 2002 is a federal law that established sweeping auditing and financial regulations for public companies.

Lawmakers created the legislation to help protect shareholders, employees and the public from accounting errors and fraudulent financial practices. Auditors, accountants and corporate officers became subject to the new set of rules. These rules were amendments and additions to several laws enforced by the Securities and Exchange Commission (SEC), including the Securities Exchange Act of 1934 and the Investment Advisers Act of 1940. The SEC enforces the Sarbanes-Oxley Act. The main areas the Act focuses on are:

  • Stiffer criminal penalties for securities fraud and for destroying or falsifying records
  • Regulation of the accounting profession and of auditor independence
  • New protections, notably for whistleblowers
  • Corporate responsibility for the accuracy of financial reports and the controls behind them

The Act primarily sought to regulate financial reporting, internal audits and other business practices at publicly traded companies. However, some provisions apply to all enterprises, including private companies and nonprofit organizations.

Additionally, the Act established penalties for noncompliance with its provisions. Compliance with the Act is about financial disclosure and corporate governance.

History and why the Act was created

The legislation sought both to improve the reliability of public companies' financial reporting and to restore investor confidence in the wake of high-profile cases of corporate crime. The act was named for its sponsors, U.S. Sen. Paul Sarbanes (D-Md.) and U.S. Rep. Michael Oxley (R-Ohio). Former U.S. President George W. Bush, who signed the act into law on July 30, 2002, called it "the most far-reaching reforms of American business practices since the time of Franklin Delano Roosevelt."

Federal lawmakers enacted the Sarbanes-Oxley Act in large part due to corporate scandals at the start of the 21st century. One such scandal involved energy firm Enron Corp. Enron was considered one of the largest, most successful and innovative companies in the United States.

  • In 2001, Enron unraveled within months and filed for bankruptcy as both the company's fraudulent accounting and its executives' criminal activities came to light.
  • Similarly, the telecommunications giant WorldCom became embroiled in scandal when its own fraudulent accounting practices made the news. After filing for bankruptcy in 2002, the company settled SEC fraud charges for $750 million. Its chief executive officer (CEO) was sentenced to 25 years in prison, and the chief financial officer (CFO) received a five-year sentence on criminal charges in the case.
  • The financial scandal at Tyco International also preceded the Act. In this case, the company's former CEO and CFO were convicted of stealing hundreds of millions of dollars from the company, falsifying business records and violating other business laws. The Act tightened accounting and internal control requirements to keep such scandals from recurring.

Key provisions and requirements

The Sarbanes-Oxley Act is arranged into 11 sections, or titles. Two sections of particular note are Section 302 and Section 404.

Section 302, "Corporate Responsibility for Financial Reports," requires the CEO and CFO to certify in each quarterly and annual report that they have reviewed it, that it contains no material misstatements or omissions, and that it fairly presents the company's financial condition. The signing officers must also certify that they are responsible for establishing and maintaining internal controls, that they have evaluated the effectiveness of those controls within the 90 days before the report, and that they have disclosed to the external auditors and the audit committee any significant control deficiencies and any fraud involving employees who have a role in internal controls. Financial disclosures must also report material changes in the company's financial condition.

Section 404, "Management Assessment of Internal Controls," requires each annual report to include an internal control report in which management states its responsibility for establishing and maintaining internal control over financial reporting and assesses the effectiveness of those controls and procedures as of the end of the fiscal year. The company's external auditor must attest to that assessment. Combined with the Section 302 certifications (and the separate criminal certification under Section 906), this makes the CEO and CFO personally accountable for the accuracy of the financial statements and individually liable if the SEC finds that a certification was false.

Section 806 of the Act protects whistleblowers: employees and contractors who report fraud, or who testify about it, are protected against retaliation, including dismissal and discrimination, and can file a retaliation complaint with the Department of Labor.

Other key provisions and requirements under the Act include:

  • mandated disclosure in periodic reports of off-balance-sheet transactions and relationships that could affect the company's financial status;
  • a near-total prohibition on personal loans from a corporation to its executives;
  • fines and terms of imprisonment for tampering with or destroying documents in connection with an investigation or court action; and
  • a requirement that attorneys who represent public companies before the SEC report evidence of material securities law violations to the company's chief legal officer or CEO.

Auditing under the Sarbanes-Oxley Act

The Sarbanes-Oxley Act also created new requirements for corporate auditing practices.

Among its many requirements, the Act requires public corporations to hire independent auditors to review their accounting practices and defines the rules of engagement for corporate audit committees and external auditors.

It also created auditor independence rules by listing a number of non-audit services (such as bookkeeping, financial information systems design and implementation, and internal audit outsourcing) that a company's auditor may not provide to that audit client. These rules are designed to further guard against fraudulent financial practices and conflicts of interest.

Furthermore, the Act led to the creation of the Public Company Accounting Oversight Board (PCAOB), which sets standards and rules for audit reports. Under the Act, all accounting firms that audit public companies are required to register with the PCAOB. The PCAOB investigates and enforces compliance at the registered accounting firms.

Criticism of the Sarbanes-Oxley Act

The Act had critics from the start, including many executives who felt they were unfairly burdened by new regulations due to the dishonest and negligent acts of a few others. In 2008, Newt Gingrich blamed the financial crisis on the Act, citing it as the reason for a low number of initial public offerings, and asked Congress to repeal the Act.

Critics also charged that the Act was a politically motivated reaction to a few, albeit high-profile, corporate financial scandals and that the law would hinder competition and business growth.

Corporate leaders also voiced concerns that meeting the regulations laid out in the Sarbanes-Oxley Act would take too much executive time and that compliance costs would amount to an exorbitant amount of money. Many complained about Section 404 in particular and said it was overly burdensome.

Benefits of the Sarbanes-Oxley Act

On the other hand, some business leaders acknowledged the need for improvements and felt the Act could spur better financial practices that would benefit companies and their stakeholders.

Indeed, even some of those skeptical of the Act when it was first passed later acknowledged its benefits as the law was fully implemented in subsequent years.

Specifically, proponents of the law acknowledged that the Act helped businesses improve their financial management by strengthening controls, standardizing processes, improving documentation and creating stronger board oversight.

Studies also have found that the Act increased investor confidence.

Updates since its inception

Despite early and ongoing criticism, the Sarbanes-Oxley Act remains in place and largely intact. The main changes since 2002 have narrowed its reach for smaller and newly public companies: the Dodd-Frank Act of 2010 permanently exempted smaller reporting companies from the Section 404(b) auditor attestation requirement, and the JOBS Act of 2012 extended a similar exemption to "emerging growth companies" for a period after their initial public offering. Studies show that the law improves financial reporting.

However, many business leaders continue to believe that the resources required to meet the law's mandates are burdensome, noting that research has found that smaller companies are disproportionately burdened by the Act.

Although proponents and critics continue to assess the overall impact of the law, it is seen as the most significant piece of securities legislation since the Securities Exchange Act of 1934.

This was last updated in December 2020

What is the SOX requirement for internal controls?

Under Section 404, each annual report must include an internal control report in which management states its responsibility for internal control over financial reporting and assesses whether those controls are effective; for larger companies the external auditor attests to that assessment. The controls must provide reasonable assurance that the financial records are accurate and complete and that the systems and data behind them are protected from unauthorized access and change. The Act sets no numeric tolerance for errors; whether a deficiency matters is judged by its materiality to the financial statements.

What are the 4 SOX controls?

The Act itself does not enumerate IT controls. In practice, the IT general controls that a SOX audit examines are commonly grouped into four pillars: access control over financial systems and data; IT security, including preventing malicious tampering with financial data and tracking data breach attempts and remediation efforts; change management for the applications that produce financial data; and data backup and retention.

What are the three main areas that are in scope for SOX?

Sources differ on how they count the areas, but the substance is the same four control areas listed above: access, IT security, data backup and change management. All four need to be addressed in preparation for a SOX audit and for ongoing compliance, together with the financial reporting processes they support.

What are the 4 internal controls?

Internal controls are commonly classified into four types. Preventive controls stop an error or fraud before it happens: separation of duties, pre-approval of actions and transactions (such as a travel authorization), access controls (such as passwords and single sign-on authentication) and physical control over assets (such as locks on doors or a safe for cash and checks). Detective controls find problems after the fact: reconciliations, management reviews and audit logs. Corrective controls fix what a detective control finds, and compensating controls cover a risk when the ideal control cannot be implemented, for example a manager's review of every transaction entered by a small team that cannot fully separate duties.
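Separation of duties is the preventive control a SOX IT audit most often tests, and a self-approval check on the transaction log is its detective counterpart. The following is an added example, not code from the original article or from any SOX framework: it flags users whose combined application roles grant duties that the policy says one person must not hold together, and it scans a constructed transaction log for entries created and approved by the same user. The role names, duty names, the conflict pairs and the sample data are all hypothetical; a real engagement would pull role assignments from the ERP system or identity provider and take the conflict pairs from the organization's own SoD policy.

```python
"""Segregation-of-duties (SoD) checks over role assignments and a transaction log.

Added example for illustration only. Role names, duties, the conflict policy and
the sample users/log below are constructed, not taken from any real system.
"""

# Hypothetical SoD policy: pairs of duties that must never be held by one person,
# because holding both lets a single actor create and conceal a fraudulent transaction.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"post_journal_entry", "approve_journal_entry"}),
    frozenset({"modify_payroll", "approve_payroll"}),
    frozenset({"develop_code", "deploy_to_production"}),   # change-management conflict
}

# Hypothetical mapping from application roles to the duties they grant.
ROLE_DUTIES = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "GL_ACCOUNTANT": {"post_journal_entry"},
    "CONTROLLER": {"approve_journal_entry", "approve_payroll"},
    "DEVELOPER": {"develop_code"},
    "RELEASE_MANAGER": {"deploy_to_production"},
}


def duties_for(roles, role_duties=ROLE_DUTIES):
    """Union of the duties granted by a set of roles; unknown roles grant nothing."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def find_sod_violations(assignments, role_duties=ROLE_DUTIES, conflicts=SOD_CONFLICTS):
    """Preventive check: return {user: [sorted conflicting duty pairs]} for every
    user whose combined roles grant both duties of at least one conflict pair."""
    violations = {}
    for user, roles in assignments.items():
        held = duties_for(roles, role_duties)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= held]
        if hits:
            violations[user] = sorted(hits)
    return violations


def find_self_approvals(log):
    """Detective check: transaction IDs whose creator also approved them.
    The log is a sequence of (txn_id, action, user) tuples."""
    creators, approvers = {}, {}
    for txn, action, user in log:
        if action == "create":
            creators[txn] = user
        elif action == "approve":
            approvers[txn] = user
    return sorted(txn for txn, who in creators.items() if approvers.get(txn) == who)


# Constructed sample data: user -> roles held in the finance application.
SAMPLE_ASSIGNMENTS = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},         # can create a vendor and approve paying it
    "carol": {"GL_ACCOUNTANT", "CONTROLLER"},  # posts and approves her own journal entries
    "dave": {"DEVELOPER", "RELEASE_MANAGER"},  # writes and ships his own code
    "erin": {"CONTROLLER"},
}

# Constructed sample log: (txn_id, action, user).
SAMPLE_LOG = [
    ("PAY-1001", "create", "alice"),
    ("PAY-1001", "approve", "erin"),
    ("PAY-1002", "create", "bob"),
    ("PAY-1002", "approve", "bob"),    # same person created and approved
    ("PAY-1003", "create", "alice"),
    ("PAY-1003", "approve", "bob"),
]

if __name__ == "__main__":
    for user, pairs in find_sod_violations(SAMPLE_ASSIGNMENTS).items():
        print(f"SoD violation: {user} holds {pairs}")
    for txn in find_self_approvals(SAMPLE_LOG):
        print(f"Self-approved transaction: {txn}")
```

The role-based check is the one to run before access is granted (or on every access review), and the log check is what an auditor's sample testing looks like after the fact; a preventive control that is bypassed, for instance by an emergency account, only shows up in the second check.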