The Sarbanes-Oxley Act (also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or SarbOx; July 30, 2002) is a United States federal law. Section 404 governs management assessment of internal controls, meaning that a corporation must state what internal controls are in place to protect the integrity of the financial reporting mechanism and what the quality of those controls is. External auditors must then attest to the accuracy of these statements, which have been signed by officers of the company.
What is meant by internal control?
An internal control for Sarbanes-Oxley is a process designed to provide reasonable assurance that financial reporting and the preparation of financial statements for external purposes are in accordance with generally accepted accounting principles. Such controls cover the maintenance of records of transactions, the recording of transactions, and the acquisition, use or disposition of assets that could be considered "material" to reporting.
These controls include specific controls that directly affect these actions, but also what are known as "pervasive" controls. Pervasive controls include such controls as IT security. IT security is a general function and control that is not specific to financial reporting but acts as a control to ensure the integrity of information.
Who is affected by Sarbanes-Oxley?
Sarbanes-Oxley affects companies that are required to file with the SEC. This includes public companies over a certain market capitalization and other companies, such as banks and savings associations.
What does Section 404 of Sarbanes-Oxley require?
Section 404 requires two basic elements that are related:
The reporting of internal controls, signed by management and attested to by external auditors.
The establishment of a framework for internal controls. Section 404, as published by the SEC, states that this framework must be suitable and recognized, having been established through public due process. It goes on to point out that COSO Internal Control - Integrated Framework is one framework that meets the criteria. Other frameworks may meet the requirement as well.
Two control frameworks have been widely adopted by public companies subject to the requirements of the U.S. Sarbanes-Oxley Act of 2002: the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control — Integrated Framework, released in 1992, and the IT Governance Institute's Control Objectives for Information and Related Technology (CobiT). Although the U.S. Securities and Exchange Commission (SEC) suggests that public companies consider the control components of COSO when seeking Sarbanes-Oxley compliance, neither the SEC nor the U.S. Public Company Accounting Oversight Board has openly endorsed a specific information technology control framework.