
Sarbanes-Oxley
Congress reacted to corporate financial scandals, including those affecting Enron, Arthur Andersen, and WorldCom, by passing the Sarbanes-Oxley Act of 2002. This Act, often referred to as SOX or Sarbox, is designed to "protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws."
The Act provides for new levels of auditor independence; personal accountability for CEOs and CFOs; additional accountability for corporate Boards; increased criminal and civil penalties for securities violations; increased disclosure regarding executive compensation, insider trading and financial statements; and certification of internal audit work by external auditors.
Other changes sound simple but are actually very complex. Section 302, for instance, requires that CEOs and CFOs sign an attestation to accompany each annual or quarterly report. This attestation removes any "I didn't know" defense for these officers, since they must assert that:
- they have reviewed the report, it is true, and it fairly represents the financial condition of the company, and
- they know this to be so because they have accepted responsibility for internal controls over their financial processes, have designed controls that ensure that material information reaches them, and have personally evaluated the effectiveness of these controls.
The most expensive and time-consuming SOX effort, however, is represented in Section 404 of the Act. In this short section are the high-level requirements for management's assessment of the company's controls, referred to in Section 302. The detailed requirements for how management must conduct its assessment and what standards external auditors must use in deciding whether they can sign off on that assessment.
Today, email systems are the primary communications tools used by the majority of information workers and the most important data repository that organizations possess. Email is increasingly used to send, receive and store corporate records and conduct transactions.
To comply with Sarbox, companies must retain these email records. Sarbox does include criminal provisions for altering or destroying certain kinds of records.
In clarifications to the Act, the SEC and the PCAOB have said that a company could "fail" Sarbanes-Oxley if controls are inadequate - even if no actual problems slipped through those controls.

