Documents comprising SOx laws and rules



  • I am just beginning the effort of understanding SOx laws and rules, from the bottom up. I was approached about a job overseeing SOx compliance for a small public company. I have spent the past five years starting, growing, and selling a private software company. Therefore, I have been a wee bit out of the corporate public company loop.
    My goal is to identify all laws, rules, and any other documents that dictate the requirements to be SOx compliant. I understand that Congress passed the Sarbanes-Oxley Act on 7/30/02. This is just the law, and the SEC needs to implement this law by making rules for companies to follow. The SEC subsequently has passed rules on this Act. I have found these rules on PwC’s website.
    My question is this: If I print out all of the ‘Final Rules’ that the SEC has passed with respect to SOx, will I have a comprehensive set of the requirements to be SOx compliant? If not, how do I identify the entire body of work that encompasses the requirements for SOx compliance? What other rules, laws, or documents are necessary, and what resource is available to help someone understand the full scope of required guidelines (assuming it’s not just the ‘Final Rules’ of the SEC)?
    For example, I just found a document on the PwC site called ‘PCAOB Final Auditing Standard: An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements’. Does this supersede, supplement, or amend the SEC rules? Do I need to understand it in order to fully understand SOx compliance? (It won’t let me download it right now, so I can’t get a feel for it.)




  • You have started in the right places, but do not expect to find a checklist that will tell you everything you need to do. These documents, along with the Act, will tell you the rules you have to comply with, but will not tell you how.
    There are several good sources of information on the net, but I would also suggest that you:

    1. need to get up to speed on what has happened in your company already - if nothing yet, then be concerned.
    2. have a discussion with your auditors, as they can provide you with a lot of technical information, but more importantly they are integral to the SOX process - especially sections 302 and 404, where the bulk of the work is.
    3. engage your corporate counsel so that you don’t lose sight of the other requirements.


  • I suggest you also pay the PCAOB’s and ISACA’s websites a visit.



  • You have started in the right places, but do not expect to find a checklist that will tell you everything you need to do. These documents, along with the Act, will tell you the rules you have to comply with, but will not tell you how.
    Just so I’m clear, is it a true statement that the complete set of ‘Final Rules’ issued by the SEC responding to the Sarbanes-Oxley laws is the complete set of requirements to be SOx compliant? I realize that there are other resources that discuss, illuminate, and aid in comprehending these rules, but do those rules comprise ALL requirements? Or are there additional requirements issued by the PCAOB or another governing body of which I should be aware?
    To respond to your observation, I’m not necessarily looking for a checklist of everything I need to do. However, I was hoping there would be a checklist or reference in the public domain of all governing documents concerning SOx compliance.
    Because this is a SOx forum, I’d like to be able to find a resource somewhere on this site that tells me what documents define the scope and framework of SOx compliance. I just want to be able to identify the body of work that must be used to understand SOx compliance. I’ll digest it myself, and will use other resources such as a SOx compliance guide and this website to digest it.
    Thanks for your feedback. This forum is really useful, and Denis and many other posters here seem very knowledgeable. Thanks for sharing what you know.



  • That last post was mine. I just forgot to log in before posting. Sorry.
    I have another, more specific, question. I have seen discussion about the requirements of spreadsheet controls. SOx laws require spreadsheets to be documented, processes set up to authorize change, etc. Where is this specifically discussed? I assume it is in one of the Final Rules published by the SEC, but is there an easy way to determine which Final Rules publication it’s in, or do I just have to go to every one and look at the table of contents or read through the whole document to find it?
    If there’s an easy way to reference subjects in the Final Rules, I’d love to know.



  • Taking a step back from the final rule. The need for compliance comes principally from the Sarbanes-Oxley Act of 2002 itself. There are a number of sections in this act, but the key ones that you might want to consider are:
    Section 201 outlines Prohibited Auditor Activities.
    Section 302 describes the CEO’s and CFO’s new responsibilities regarding corporate reports.
    Section 404 addresses the Management Assessment of Internal Controls.
    Section 409 outlines Real Time Disclosure.
    Section 802 describes criminal penalties for altering documents.
    Section 806 describes whistleblower protection.
    Section 807 describes criminal penalties for fraud.
    The bulk of the compliance effort is typically in relation to section 404 which, in its entirety is as follows:
    SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.
    (a) RULES REQUIRED- The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall–
    (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
    (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
    (b) INTERNAL CONTROL EVALUATION AND REPORTING- With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
    The SEC has more than one final rule, but the key one, ‘Final Rule: Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports’, gives guidance on how to implement S404; notably, it requires management to evaluate the company’s internal control over financial reporting using a suitable framework, such as the COSO Framework. And this is what directs much of the work.
    In relation to spreadsheets, the procedures you describe result from the control principles in COSO. The best discussion I have seen on the subject is from PwC - this is referenced elsewhere on this forum under a thread referring to spreadsheets.



  • Additionally, to help you link everything up… the act was created, the SEC adopted it. The act created the PCAOB, which now governs the conduct of the public accounting firms. The PCAOB created Standard #2, which outlined the auditor’s responsibility under the act; it also expands on and interprets many areas, and this is where the COSO framework is mentioned (you can also download the actual framework). It is always good to know what will be required of the auditors, as they are an integral part of this process. The firms then started interpreting various aspects of the requirements. PwC and KPMG have published whitepapers related to management’s responsibility to help their clients, and PwC has published the whitepaper related to spreadsheets and fraud controls. If you want to know WHAT you have to do… go to the regulations. If you want to know HOW you do it… you have to go to the subsequent sources of information. Hope that helps… but if this company hasn’t started… beware… even if they have a 9/30 year end.

