5 Key but Lesser-Known Requirements of Sarbanes-Oxley Compliance

The basic requirements of the Sarbanes-Oxley Act are relatively well-known, having been in effect for more than a decade now. Section 302, which requires that the CEO and CFO personally attest to and sign quarterly and annual financial statements, subject to criminal prosecution for false attestation, has received significant media coverage. Moreover, the relatively stringent requirements for maintaining controls over financial reporting promulgated under Section 404, and the requirement to produce an independent auditor-verified annual internal control report detailing these controls, have also been thoroughly discussed in professional publications and the media.

A number of other requirements mandated by Sarbanes-Oxley, however, remain less familiar and deserve further elaboration. Here are five examples:

1. Private Companies and Nonprofits

Most people assume that the requirements of the Sarbanes-Oxley Act apply to public companies only, but this is not the case. The act forbids all businesses, including private companies and nonprofits, from illegally destroying financial records and from retaliating against whistleblowers or otherwise infringing on their rights.

2. Public Company Accounting Oversight Board Exclusivity

You probably know that Sarbanes-Oxley also created the Public Company Accounting Oversight Board (PCAOB). What’s less commonly discussed is that, to assure objectivity and avoid conflicts of interest, the act also specifies that PCAOB members must not engage in any other professional or business activities while serving on the board. The PCAOB code of ethics details the embargo on outside professional activities and also forbids investments in public accounting companies.

3. Audit Committee Independence and Auditor Prohibitions

The job of the audit committee of a board of directors is to set up robust internal audit systems to review the financial controls of the enterprise. Sarbanes-Oxley requires that all members of the audit committee be independent of the company. It also sets standards that restrict the compensation audit committee members can receive from the company for service on the board.

In addition, the accounting firm performing an independent audit of a company is prohibited from providing other accounting services to the company it is auditing. These scope-of-service restrictions are broad and include internal audit outsourcing, investment advice, management or human resources functions, financial-information-system design, implementation services and legal or other expert consultation.

4. Publishing Code of Ethics

The Sarbanes-Oxley Act also mandated that the SEC issue a rule requiring a public company to disclose whether it has adopted a code of ethics for its senior financial officers and, if so, to make the code of ethics available to the public. Now, virtually all public companies publish a code of ethics on their website.

5. Extent of Increased Whistleblower Protections

In addition to increasing protections for whistleblowers, Sarbanes-Oxley requires that an audit committee set up systems for employees to file internal whistleblower complaints while protecting their confidentiality. According to the National Whistleblowers Center, the obstruction of justice statute was also revised to criminalize retaliation against whistleblowers providing “truthful information” to law enforcement personnel regarding the “commission or possible commission of any federal offense.” Furthermore, this provision applies to all employers, not just public companies.

More than a decade has passed since the enactment of Sarbanes-Oxley. Its key components, some well-known and some, such as these five, less so, have by and large created the increased transparency and accountability the public demanded at the time of its passage.