The Introduction of the Sarbanes Oxley Act

The recent dramatic financial scandals in America involving major international corporations have resulted in a swathe of legislative changes. The foremost piece of legislation to emerge has been the 2002 Sarbanes-Oxley Act. Critically evaluate this piece of legislation with respect to the management of the internal controls of a corporate Information System. Include in your discussion how such legislation has impacted on firms operating in the City of London.

Keywords: Internal control, Sarbanes-Oxley, Material Weakness, SOX


Due to recent high-profile accounting scandals, regulators and investors have become more concerned with the timeliness as well as the quality of financial reporting (Ettredge et al., 2006). Section 404 of the SOX Act requires management and external auditors to report on the adequacy of an organisation's internal control over financial reporting. The implementation of the SOX Act is very important for any organisation that wants to operate seamless business processes and have its financial statements audited. Since the SOX legislation came into effect, SMEs will need to be equipped for their statements to be audited. According to Jim DeLoach, managing director with Protiviti, "Smaller public companies need to prepare now for their Section 404 audits in order to prevent a 'fire drill' prior to the December 15 deadline."

The passage of the Sarbanes-Oxley Act (SOX) in 2002 has made documentation skills even more important and has also changed the daily work of financial accountants, auditors and others (, 2004). Essentially, SOX requires strategic decisions to be undertaken to establish, maintain and evaluate the effectiveness of internal control over financial reporting. Weakness in a firm's internal control means its financial statements are exposed to audit checks and a combination of deficiencies. With respect to the legislation, we cannot discuss SOX without taking a closer look at a company's internal control systems. Internal control helps auditors to detect faults in a corporate information system and also questions the firm's integrity with regard to its financial records and sign-offs. Internal control over financial reporting can be defined as "a process designed by, or under the supervision of, the company's principal executive and principal financial officers, or persons performing similar functions, and effected by the company's board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles" (PCAOB, 2004). With the help of internal control under SOX, the board of directors and management are able to safeguard the company's assets and record accurate and reliable financial information.

Such legislation (SOX) is used widely in the public sector, mainly to protect shareholders and to safeguard a company's assets, but some firms are yet to implement SOX. Public companies are reporting the effectiveness of their internal control over financial reporting as required by the Sarbanes-Oxley Act of 2002 (, 2005). In the rest of this review, we focus on the two questions raised. First, we evaluate the Sarbanes-Oxley legislation with respect to the internal controls of a corporate information system. Next, we look at internal controls and SOX in detail and discuss how this legislation can impact on a firm operating in the City of London.

Internal Control

The Sarbanes-Oxley Act of 2002 brought significant changes to how financial reporting is processed (Ramos, 2004). As part of the process, management is required to provide a detailed report on financial information and operations as they relate to the entity's internal control. The importance of internal control and the need for internal control standards are long-standing (Kinney et al. 1990; Hermanson 2000; Kinney 2001). An effective system of internal control must exist within all organisations to help them achieve their mission as well as their goals for long-term sustainability. One of the primary objectives of AIS (Accounting Information Systems) is to control a business organisation. This is achieved by understanding the information system implemented within an organisation and by achieving adequate security control over information resources. The term internal control can be defined in various ways. Romney and Steinbart (2006) define internal control as "the process implemented by the board of directors, management and those under their direction to provide reasonable assurance that objectives are achieved". Some of these objectives are:

Assets are safeguarded, including preventing or detecting

Maintain records in sufficient detail to accurately and fairly reflect company assets

Accurate and reliable information is provided

Complying with applicable laws and regulations

Encouraging adherence to prescribed managerial policies.

Trenerry (1999) also defines internal control as "a system of checks and controls instituted by the various levels of management and are integrated into financial and non-financial activities to ensure all aspects of the business are conducted effectively and efficiently". Internal control comprises policies, practices, and procedures employed by an organisation to achieve four broad objectives as explained above (Hall, 2007). Some of the attributes leading to inadequate accounting resources come from the lack of material weaknesses.

Previous literature by Bagranoff et al. (2007) advocates that a strong system of internal control is crucial to effective enterprise risk management and is of great interest to top management, auditors and external stakeholders. Hall (2007) states that weakness in an internal control system may expose the firm or organisation to one or more of the following types of risk:

Destruction of assets

Theft of assets

Corruption of information or the information systems

Disruption of the information system

Public outcry surrounding ethical misconduct and fraudulent acts by executives of Enron, Global Crossing, Adelphia, WorldCom and many more in the business world over the past decade has caused many to question whether the existing federal securities laws were adequate to assure full and fair financial disclosure by public companies (Hall, 2007).

Most important is the Enron scandal. The Enron scandal, revealed in October 2001, involved the energy company Enron and the accounting, auditing and consultancy partnership Arthur Andersen. The corporate scandal in this instance led to the downfall of Enron and resulted in one of the largest bankruptcies in American history. The Enron scandal is vital because of the money and jobs that were lost and also because so much of it appears to be directly related to the skilful manipulation of accounting records. Due to the complexity of the scandal, the results were to understate the liabilities of the company as well as to inflate its earnings and net worth. In the aftermath of the scandal, many of the top players at Enron were indicted on a diversity of charges and were later sentenced to prison.

Adelphia, a cable television provider, on the other hand used off-balance-sheet financing to hide billions of dollars in debt from the eyes of shareholders and creditors. It also fraudulently increased earnings by inflating cable subscriptions. The founders of Adelphia were charged with securities violations in August 2007. WorldCom, the telecommunication company, was likewise under investigation for improper accounting practices. WorldCom, one of the biggest telecommunication companies, was also thrown into turmoil when "it came to light that the company had steadily overstated its revenues by $9 billion to meet Wall Street earnings expectations. In April 2001, WorldCom management decided to transfer transmission line costs from current expense accounts to capital accounts. Investors lost huge amounts of capital and thousands of workers were laid off" (Bagranoff et al., 2007). Due to the corporate scandals at the organisations listed above and others, the Sarbanes-Oxley Act of 2002 was passed to clean up firms and executives responsible for committing corporate fraud.

Sarbanes-Oxley Act and Impact on UK City firms

The SOX legislation was preceded by a protracted and contentious debate over the benefits and ramifications of disclosures concerning management's responsibilities for financial reporting (El-Gazzar, S et al). In 1977, the Foreign Corrupt Practices Act (FCPA) was put in place to act upon corruption and bribery within the accounting profession. The primary purpose of this Act was to prevent the bribery of foreign officials in order to maintain business. As this Act did not prevent corporate scandals in the US, this resulted in a decline of public trust in accounting and reporting practices. According to Romney and Steinbart (2006, p. 193), "the airways and print media in the late 1990s and early 2000s were full of accounting frauds and problems at major firms such as Enron, WorldCom, Xerox, and other companies." The SOX legislation was written to deal with problems related to capital markets, corporate governance and the auditing profession and has fundamentally changed the way public companies do business. According to Baltzan (2008), SOX states that all business records, including electronic records and electronic messages, "must be saved for not less than five years." The consequences for noncompliance are fines, imprisonment, or both.

For a firm to operate within the accounting sector in the UK, it must comply with Section 404 of the SOX Act. The most contentious aspect of SOX is Section 404, which is aimed at management's assessment of internal control. Section 404(a) requires each annual report to contain an internal control report which shall "state the responsibility of management for establishing and maintaining an adequate internal control structure and procedure for financial reporting" (Sarbanes-Oxley Act of 2002, Public Law 107-204). In essence, the section is designed for management: it requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important manual and automated financial controls requires enormous effort (, 2008). The researcher agrees to some extent that this piece of legislation can help a firm within the UK, but certain measures need to be addressed before firms in the UK commit to the Sarbanes-Oxley Act. Evidence from published journals shows that a great amount of money is spent on the Sarbanes-Oxley Act, but success does not happen instantly. The introduction of such legislation can affect firms in the UK. The greatest concern is that major organisations will spend valuable time adhering to strict laws instead of spending it with their clients and getting the job done as their clients require. There is some evidence from Nixon (2005), as cited by Brown, that in 2004 the Big Four firms lost six hundred and nine clients, while only taking on two hundred and one for that year. 40% of these departures were because the firm resigned due to the over-burdensome workload of SOX provisions. Ernst & Young, for example, lost 208 clients in 2004, while gaining only 30 (, 2005). This is also supported by Bagranoff et al. (2007), who stated that Section 404 in contrast requires "management to implement and assess internal controls and then the independent auditors must evaluate management's assessment".

According to a recent article, Pilgrim (2004), as cited by O'Conor (2005), stated that IT directors in many of the UK's financial services firms are likely to be caught on the hop by the implications of recent international compliance initiatives, such as the Sarbanes-Oxley legislation. The introduction of SOX is also said to be having a major influence on corporations outside the US that need to be compliant with the legislation or draw an interesting distinction between projects. The complexity and obstinacy required to prepare a business for compliance with the Sarbanes-Oxley Act are very high. The SOX process is turning out to be more difficult, time-consuming and expensive than originally forecast or budgeted for. It is said that the average cost of compliance with Section 404 for the first year of compliance alone for a major business in the UK is estimated to be between £10-20 million and to consume approximately 20 FTE-years of internal time (, 2005). A firm operating in the City of London can afford to pay this amount of money to implement SOX, but in the current economic state, should the SOX implementation fail, it will cost the firm quite a substantial amount of money. Despite these losses, it is estimated that up to 20% of companies will fail SOX in the first year and will have to report that they have material weaknesses in their financial reporting. As their statements have failed, auditors are expected to be less critical with their findings for the year.

As above, we understand that SOX applies to large organisations and that SOX requires companies to perform a risk assessment of current information security to support the integrity of corporate financial information. However, not all large organisations comply with SOX. According to O'Conor (2005), a CEO or CFO who submits an inaccurate certification is subject to a fine of up to $1 million and imprisonment for up to 10 years. Should all these fines be imposed, large organisations have no choice but to join the SOX Act. Non-US countries will be given guidelines on the requirements of the SOX Act. This statement is supported by a similar quote from a different study. According to Kate Litvak (2006), "the Sarbanes-Oxley Act's effect on Non-US companies cross-listed in the US is different on firms from developed and well regulated countries than on firms from less developed countries". This proves that non-US companies from badly regulated countries gain a benefit, in the form of better credit ratings from complying with regulations in a highly regulated country (USA), that is higher than the cost, but companies from developed countries only incur the cost, since transparency is adequate in their home countries as well ( Act, 2007). Organisations in the UK need to understand that SOX compliance is not easy and that measures need to be undertaken to meet deadlines and requirements. Achieving SOX compliance in the long term benefits an organisation's status and also results in better IT infrastructure that meets the ends of business processes.

SOX implications highlight a number of risks for a number of firms in the UK. Achieving SOX can have a negative or positive impact on an organisation's status. Alex Cohen, a US securities partner in Latham & Watkins's London office, says: "The betting is that around 20 per cent of companies will report internal control problems. Then it becomes even more costly, because they have to get it right. The good news is once they have done it, the intensity of the work required and the costs will taper off" (Coleman, 2005).


The Sarbanes-Oxley Act is designed to annually assess and report on the effectiveness of internal control over financial reporting and also to protect the investor's interest. With the passing of this legislation in 2002, there have been tight internal controls and measures in place to end the high-profile accounting scandals which dominated the US airways in the 90s. This report has opened a new direction, as SOX has forced organisations to act now or face major penalties. At the strategic level, managers cannot just sign documents; they need to be aware of what they are signing and have a transparent view of their financial statements. SOX compliance requires a strong and secure corporate information system to avoid material weakness and to set a benchmark for other management levels, ranging from tactical to strategic, to adhere to for better internal control. I also believe SOX in the City of London will have a greater impact, as London is known for the financial services it provides to the banks and other investments, and with a large amount of transactions being conducted in the capital, transparent statements should be as accurate as possible. In the above report, it is stated that the Big Four firms lost six hundred and nine clients, while only taking on two hundred and one for that year. 40% of these departures were because the firms had resigned due to the over-burdensome workload of SOX provisions. When SOX implementation is successful, it has a good strategic impact on the organisation, but when it fails, the end result can be a financial fiasco for a firm. This study has helped me understand the importance of SOX legislation. From this review, it is very necessary for top managers to deliver as there is considerable compliancy among UK businesses about SOX (Coleman, 2005).

Good internal control requires both financial resources and company time, and may not be a priority for firms that are concerned about simply staying in business (McVay and Ge, 2005). An effective internal control system must exist in all organisations to help minimise risk, and although a number of frameworks were introduced, this was not sufficient to prevent the financial scandals which took place. In addition, the cost implications of SOX are an additional obligation for any organisation. The cost of hiring external auditors and taking time off work can be very crucial and can result in the loss of private assets, as more time will be spent checking the extent of the documents. In the long term, SOX compliance may result in a better-organised organisational structure and provide better stability for the organisation.