
Q. What is Sarbanes-Oxley?

A. The Sarbanes-Oxley Act of 2002 (also known as the Public Company Accounting Reform and
Investor Protection Act of 2002 and commonly called SOX, S-Ox or Sarbox; July 30, 2002) is
a controversial United States federal law named after its sponsors, Senator Paul Sarbanes (D-Md.)
and Representative Michael G. Oxley (R-Oh.). The Act was approved by the House by a
vote of 423-3 and by the Senate 99-0. The legislation establishes new or enhanced standards
for all U.S. public company boards, management, and public accounting firms. The Act
contains 11 titles, or sections, ranging from additional Corporate Board responsibilities to
criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement
rulings on requirements to comply with the new law. The first part of the Act establishes a
new quasi-public agency, the Public Company Accounting Oversight Board, which is charged
with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as
auditors of public companies. The Act also covers issues such as auditor independence,
corporate governance, internal control assessment, and enhanced financial disclosure.

Q. What companies does SOX apply to?

A. Any company governed by the Securities and Exchange Commission (SEC), which includes
all publicly traded companies, including all divisions and their wholly owned subsidiaries,
must comply with Sarbanes-Oxley. In addition, Sarbanes-Oxley applies to any non-US
public multinational company engaging in business in the US.

Q. Why was SOX implemented?

A. The law was passed in response to a number of major corporate and accounting scandals
including those affecting Enron, Tyco International and WorldCom. These scandals resulted in
a decline of public trust in accounting and financial reporting practices.

Q. What are the penalties for noncompliance with SOX?

A. Corporate noncompliance with earlier government regulations, such as occupational health and
safety rules in the workplace (OSHA requirements), resulted in corporate fines, lawsuits and
negative publicity. The penalties for noncompliance with Sarbanes-Oxley regulations are harsher. A CEO or CFO
who submits a wrong certification is subject to a fine of up to $1 million and imprisonment
for up to 10 years. If the wrong certification is submitted “willfully,” the fine can be increased
up to $5 million and the prison term can be increased up to 20 years.

Q. What is S-Ox 404?

A. Section 404 of the Sarbanes-Oxley Act relates to Management's assessment of internal control
over financial reporting. Both management and the external auditor are responsible for
performing their assessment in the context of a top-down risk assessment, which requires
management to base both the scope of its assessment and evidence gathered on risk.
Acquisitions of companies into a larger public entity.

Q. What does SOX 404 have to do with information technology?

A. The financial reporting processes of most organizations are driven by IT systems. Few
companies manage their data manually and most companies rely on electronic management of
data, documents, and key operational processes. Therefore, it is apparent that IT plays a vital
role in internal control. Chief information officers are responsible for the security, accuracy
and the reliability of the systems that manage and report the financial data. Systems such as
ERP (Enterprise Resource Planning) are deeply integrated in the initiating, authorizing,
processing, and reporting of financial data. As such, they are inextricably linked to the overall
financial reporting process and need to be assessed, along with other important processes, for
compliance with the Sarbanes-Oxley Act. So, although S-Ox signals a fundamental change in
business operations and financial reporting, and places responsibility in corporate financial
reporting on the chief executive officer (CEO) and chief financial officer (CFO), the chief
information officer (CIO) plays a significant role in management's assessment of internal
control under Section 404 and in supporting the financial statement certification process.

Q. When do companies have to be compliant with S-Ox?

A. For non-accelerated filers (registered companies with a market cap of $75 million or less), the
implementation date for complying with the reporting requirements regarding management's
evaluation of internal controls has changed several times. In December 2006, the Securities
and Exchange Commission (SEC) issued its most recent final regulation, which states:
• a non-accelerated filer must include its management report on internal control over financial
reporting for fiscal years ending on or after December 15, 2007;
• a non-accelerated filer is required to file its auditor's attestation report on internal control
over financial reporting when it files its annual report for fiscal years ending on or after
December 15, 2008.

In addition, the SEC has amended its filing requirements regarding the reporting on internal
control for newly public companies. Under the new amendments, a company will not be
required to include its report on internal controls until the year following its first annual
report.

Q. What is the SEC?

A. The United States Securities and Exchange Commission (commonly known as the SEC) is a
United States government agency having primary responsibility for enforcing the federal
securities laws and regulating the securities industry/stock market. The SEC was created by
section 4 of the Securities Exchange Act of 1934 (now commonly referred to as the 1934
Act). In addition to the 1934 Act that created it, the SEC enforces the Securities Act of 1933,
the Trust Indenture Act of 1939, the Investment Company Act of 1940, the Investment
Advisers Act of 1940, the Sarbanes-Oxley Act of 2002 and other statutes. Christopher Cox is
the current chairman of the SEC.

Q. What is GAAP?

A. Generally Accepted Accounting Principles (GAAP) is the standard framework of guidelines
for financial accounting. It includes the standards, conventions, and rules accountants follow
in recording and summarizing transactions, and in the preparation of financial statements.

Q. What is FASB?

A. The Financial Accounting Standards Board (FASB) is a private, not-for-profit organization
whose primary purpose is to develop generally accepted accounting principles (GAAP) within
the United States in the public's interest. The Securities and Exchange Commission (SEC)
designated the FASB as the organization responsible for setting accounting standards for
public companies in the U.S. It was created in 1973, replacing the Accounting Principles
Board and the Committee on Accounting Procedure of the American Institute of Certified
Public Accountants. The FASB's mission is "to establish and improve standards of financial
accounting and reporting for the guidance and education of the public, including issuers,
auditors, and users of financial information."

Q. What is COSO?

A. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a U.S.
private-sector initiative, formed in 1985. Its major objective is to identify the factors that
cause fraudulent financial reporting and to make recommendations to reduce its incidence.
COSO has established a common definition of internal controls, standards, and criteria
against which companies and organizations can assess their control systems. COSO is
sponsored and funded by 5 main professional accounting associations and institutes:
American Institute of Certified Public Accountants (AICPA), American Accounting
Association (AAA), Financial Executives Institute (FEI), The Institute of Internal Auditors
(IIA) and The Institute of Management Accountants (IMA).

Q. What is the PCAOB?

A. The Public Company Accounting Oversight Board (or PCAOB) (sometimes called
"Peekaboo") is a private-sector, non-profit corporation created by the Sarbanes-Oxley Act, a
2002 United States federal law, to oversee the auditors of public companies. Its stated purpose
is to "protect the interests of investors and further the public interest in the preparation of
informative, fair, and independent audit reports."

Q. What is AS5?

A. The recently released Auditing Standard No. 5 of the Public Company Accounting Oversight
Board (PCAOB), which superseded Auditing Standard No. 2, has the following key
requirements for the external auditor:
• Assess both the design and operating effectiveness of selected internal controls related to
significant accounts and relevant assertions, in the context of material misstatement risks;
• Understand the flow of transactions, including IT aspects, sufficiently to identify points at
which a misstatement could arise;
• Evaluate company-level (entity-level) controls, which correspond to the components of the
COSO framework;
• Perform a fraud risk assessment;
• Evaluate controls designed to prevent or detect fraud, including management override of
controls;
• Evaluate controls over the period-end financial reporting process;
• Scale the assessment based on the size and complexity of the company;
• Rely on management's work based on factors such as competency, objectivity, and risk;
• Evaluate controls over the safeguarding of assets; and
• Conclude on the adequacy of internal control over financial reporting.
