The Sarbanes-Oxley Act (also known as SARBOX or SOX) was passed in 2002 after the Enron scandal to try and prevent financial disasters of a similar nature. Though it is an American law, its reach is global and has affected the way that large companies and audit firms do business.
All companies who are SEC registered in the USA and have branches outside the USA must also make sure that all worldwide branches are Sarbanes-Oxley compliant.
Sarbanes-Oxley has many different facets, however the most significant changes affect internal controls of SEC registered companies and the way they are audited.
Firms who are Sarbanes-Oxley compliant must now document all their internal control processes, which will then be tested by the external auditors. This means that every single business process must be formalised, written down, and then tested. The process of testing is carried out by both internal and external audit to ensure that processes work the way they have been documented.
The purpose of the legislation is to help mitigate the risk of fraud by companies and employees.
The Sarbanes-Oxley requirement for companies is formally known as SOX 302 ‘Internal Control Certifications’. The requirement for Auditing firms is known as SOX 404 ‘Assessment of Internal Control’.
How Sarbanes-Oxley has affected companies
Sarbanes-Oxley has been successful in achieving its primary aim, improving the levels of internal control within SEC registered companies.
Sarbanes-Oxley has been strongly criticised for being too exhaustive, resulting in too much red tape. Creating full documentation and refining internal controls has been extremely expensive for all SOX certified companies. Some argue that such a high level of internal control is extremely inflexible and unnecessary.
How Sarbanes-Oxley has affected audit firms
SOX 404, the ‘assessment of internal control’ requirement, has significantly increased the work load of audit firms. As work is charged on an hourly rate, it is commonly said that it has effectively given audit firms a “license to print money”.
A typical audit fee for a large company that may have been £250,000 could now be as much as £750,000 with Sarbanes-Oxley certification included. This is largely a result of its exhaustive and meticulous nature which requires auditors perform substantially more work.
The future of Sarbanes-Oxley
It is commonly argued that Sarbanes-Oxley has gone too far. It is likely to be reviewed in forthcoming years and the requirement may be reduced. Many countries, including the UK, have as yet had no need to implement their own versions of SOX, as the requirement is sufficiently covered by existing legislation.