Keeping an eye on Sarbanes-Oxley: the Sarbanes-Oxley Act is creating an ever-evolving new landscape for corporate governance, making it critical organizations worldwide to pay attention.

• Author: Moore, Frank
• Position: Capital edge: legislative & regulatory update

July 30 marked the one-year anniversary of the enactment of the Sarbanes-Oxley Act (SOx). A the central focus of SOx is to improve the integrity of the audit process for publicly traded companies and the reliability of audit reports on corporate financial statements. With the act, Congress gave prosecutors and the Securities and Exchange Commission (SEC) new tools to oversee the financial reporting of publicly traded companies. It also created the Public Company Accounting Oversight Board (PCAOB) to specifically oversee the accounting industry's role in the auditing and reporting of the financial soundness of publicly traded companies.

In testimony presented September 17 to the Committee on Banking, Housing, and Urban Affairs of the U.S. Senate, SEC Chairman William H. Donaldson said, "The act represents the most important securities legislation since the original federal securities laws of the 1930s."

The full impact of SOx has yet to be felt. However, this important legislation is constantly evolving, making it critical for organizations' top executives and records and information management (RIM) professionals to keep a close eye on it.

Several rules have been adopted recently that affect organizations and their RIM programs. In the coming year, the PCAOB will make several more key decisions concerning SOx registration by foreign firms, auditing, and inspection processes--all of which will ultimately affect RIM programs.

Internal Controls Rules

Section 404 of SOx became effective August 14. This section requires publicly traded companies to implement "internal controls over the financial reporting process" and to include a report of these controls in their corporate reports. As a practical matter, as discussed by the SEC, internal controls over financial reporting are considered a subset of "disdosure controls and procedures." The internal controls report will address management's responsibility to establish controls over financial reporting and will require it to evaluate the controls' effectiveness.

Depending on their filing status, publicly traded companies must begin to comply with the manage merit report on internal controls over financial reporting disclosure requirements either on June 15, 2004, or April 15, 2005. According to Donaldson, "For many companies, the new rules on internal controls reports will represent the most significant single requirement associated with the Sarbanes-Oxley Act." Perhaps because, as part of an organization's evaluation of its internal controls, it is expected that certain controls and procedures will be tested and that this evaluation process may trigger a review of the company's document retention program.

In its final rule implementing this requirement, the SEC slates that management's assessment must include: (1) "controls over initiating, recording, processing, and reconciling account balances, classes of transactions and disclosure, and related assertions included in the financial statements"; (2) "controls related to the initiation, processing of non-routine and non-systematic transactions"; (3) "controls related to the selection and application of appropriate accounting policies"; and (4) "controls related to the prevention, identification, and detection of fraud." The SEC further states: "An assessment of the effectiveness of internal...