The Sarbanes-Oxley Act at 15
Principal components of the Sarbanes-Oxley Act of 2002
Strengthened audit committees and
Enhanced transparency, executive
accountability and investor protection
Internal controls over financial reporting
Enhanced auditor independence
Auditor oversight around the world
Looking ahead: the next 15 years
Withstanding the test of time
As the 15th anniversary of the Sarbanes-Oxley Act of 2002 (SOX or the Act) approaches,
we at EY believe it is important to reflect on the dramatic, positive change in the accuracy
of financial reporting and quality of auditing in the United States since its enactment.
On 30 July 2002, in the wake of a series of financial reporting scandals on a scale that
rocked the financial markets, the Sarbanes-Oxley Act was signed into law — following
passage by an overwhelming majority in the US Senate and House of Representatives — in
an effort to restore public confidence in the reliability of financial reporting.
The law set out to accomplish this daunting goal by establishing a
new accountability framework for financial reporting. Perhaps the
most dramatic change brought about by the law was with respect
to the audit profession: by calling for the establishment of the
Public Company Accounting Oversight Board (PCAOB or Board),
Congress brought an end to self-regulation of the audit profession.
In addition, the law put in place a requirement for independent
audit committees to oversee the financial reporting process, thus
aligning their goals with those of investors and auditors. SOX also
established the requirement for corporate executives to certify the
contents of financial reports and significantly increased penalties
for persons participating in financial fraud, among numerous other
changes. We believe that the Act has been successful — financial
reporting and audit quality have improved, to the benefit of
investors and other stakeholders.
It is important to recognize that the Act’s success is due in part
to a willingness by Congress and other stakeholders to allow this
regulatory framework to evolve. This flexibility is critical because
certain elements of the Act have been criticized over the years
and implementation has not always been smooth. In particular,
Section 404(b) relating to internal control over financial reporting
attestations has drawn criticism. Concerns about this provision
continue to lead to regulatory and legislative actions to address
them, including legislative changes enacted in 2012 through the
Jumpstart Our Business Startups (JOBS) Act to lower regulatory
costs for small and newly public companies. At the same time, it is
important to recognize the benefits that Section 404 and the rest
of SOX have brought investors and public companies, including
decreased severity of financial restatements and increased investor
confidence. Importantly, auditors, companies and regulators have
shown that they can continue to innovate to address new challenges
and opportunities within the SOX framework.
After 15 years, the events leading up to the passage of SOX are
somewhat removed from current discourse and may even seem
remote to some, having been overshadowed by more recent
turbulence in the capital markets, including the 2008–09 financial
crisis and the subsequent slow but steady recovery of the US and
global economies. Over this time, investor confidence in the US
public capital markets has continued to grow. We believe that this
confidence is due in large part to the reforms put in place by SOX
that continue to produce benefits in the US capital market. For this
reason, as a new administration settles into office and begins to
consider regulatory reform with Congress, EY believes it is important
to keep in mind how SOX bolstered the landscape of financial
reporting and public company auditing for the better, and in ways that
have been replicated in other markets. This document is intended
to provide an overview of key elements of SOX, changes that have
occurred since its passage and new possibilities on the horizon.
We look forward to working with investors, the PCAOB and other
stakeholders to build upon the strong foundation laid by SOX and
meet the challenges of the next 15 years.
Stephen R. Howe, Jr.
US Chairman and Managing Partner
EY Americas Managing Partner
Francis C. Mahoney
EY Americas Vice Chair
Principal components of the
Sarbanes-Oxley Act of 2002
1. Established independent oversight of public
company audits, funded via fees paid by public
companies and SEC-registered broker-dealers
• Established the PCAOB, an independent regulator of auditors
of public companies and broker-dealers
• Provided the PCAOB with inspection, enforcement and
2. Strengthened audit committees and
• Required audit committees, independent of management,
for all listed companies
• Instituted clawback provisions for CEO and CFO pay after
• Established protection for whistleblowers employed by public
companies who report accounting, auditing and internal
• Required public company management to assess the
effectiveness of internal controls over financial reporting
(Section 404(a)) and auditors to attest to management’s
assessments (Section 404(b))
• Established the “Fair Funds” program at the U.S. Securities
and Exchange Commission (the SEC or the Commission)
to augment the funds available to compensate victims of
• Required the independent audit committee, rather than
management, to be directly responsible for the appointment,
compensation and oversight of the external auditor
• Required disclosure of whether at least one “financial
expert” is on the audit committee
3. Enhanced transparency, executive accountability
and investor protection
• Required audit firms to report certain information about
their operations for the first time, including names of public
company audit clients, fees and quality control procedures
4. Enhanced auditor independence
• Prohibited audit firms from providing certain non-audit
services to audited companies
• Required audit committee pre-approval of all audit and non-audit services
• Required lead audit partner rotation every five years rather
than every seven years
• Required public company CEOs and CFOs to certify
• Prohibited public company officers and directors from
fraudulently misleading auditors
PCAOB
Perhaps the most fundamental change made by SOX was the
establishment of the PCAOB, which ended more than 100 years
of self-regulation by the public company audit profession. The
PCAOB’s authority encompasses public accounting firms that audit
public companies or play a substantial role in such audits and those
that audit SEC-registered broker-dealers. The PCAOB regulates
these firms by:1
• Requiring that they register with it
• Establishing auditing and certain ethics standards
• Conducting audit quality inspections to assess firms’ compliance
with standards, SEC and PCAOB rules and identify audit quality
• Investigating allegations of wrongdoing
• Disciplining auditors of public companies and broker-dealers
“As a statutorily established institution,
the PCAOB has an overriding
responsibility to serve the investing
public by setting auditing and related
professional practice standards,
inspecting engagements and quality
control systems against those standards,
and, when necessary, disciplining
auditors that fail to comply.”
PCAOB Chairman James Doty
By the end of 2016:
2,013 audit firms from 89 countries were
registered with the PCAOB.
• 900 firms were domiciled outside the
The PCAOB had cooperative arrangements
with audit oversight bodies in 22 other
jurisdictions to facilitate inspections of non-US firms.
During 2016:
The PCAOB conducted inspections of
198 firms as well as portions of more
than 780 audits.3
• This included inspections of the 10 annually
inspected firms and portions of 320 of
audits conducted by these firms.
• It also included inspections of 56 non-US
firms located in 27 jurisdictions.
As part of its interim inspection program for
auditors of broker-dealers registered with
the SEC, the PCAOB conducted inspections
of 75 audit firms and 115 audits of broker-dealers in 2016.4
1. Under Section 982 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, the PCAOB now has authority over the auditors of broker-dealers. This publication focuses on the PCAOB’s regulation
of public company auditors.
2. “Protecting the Investing Public’s Interest in Informative, Accurate, and Independent Audit Reports,” 9 December 2015, PCAOB website, https://pcaobus.org/News/Speech/Pages/Doty-AICPCA-2015keynote.aspx, accessed May 2017.
3. PCAOB 2016 Annual Report, PCAOB website, https://pcaobus.org/About/Administration/Documents/Annual%20Reports/2016.pdf, accessed May 2017.
SEC oversight of the PCAOB: The Commission has general oversight authority over the
PCAOB, including in the following areas:
Appointment of PCAOB members: The Commission has the authority to appoint PCAOB board members, in consultation with the
Secretary of the Treasury and the Chair of the Federal Reserve. Two seats are to be occupied by individuals who are or have been
certified public accountants.
Opportunity to review rules and standards: The SEC has the opportunity to vote on PCAOB rules and standards before they take
effect.5 The SEC can vote to approve or disapprove PCAOB rules and standards but cannot amend them.
Budget approval: The SEC must approve the PCAOB budget.
Hear appeals: The SEC has the authority to review and modify final disciplinary sanctions imposed by the Board.
Standard setting
The PCAOB has the authority to set standards governing:
• How auditors conduct audits of public companies and broker-dealers
• Auditor ethics and independence
• Audit firm system of quality control
To develop its standard-setting agenda, the PCAOB has the ability to utilize information obtained from inspections as well as input received
from stakeholders such as its Standing Advisory Group, which includes representatives from investor groups, the audit profession, public
company board members and academics. 6
Stakeholder outreach
The Sarbanes-Oxley Act contemplates the PCAOB engaging with stakeholders, including the audit profession and advisory groups,
regarding its standard setting.7 Accordingly, the PCAOB established the Standing Advisory Group (SAG)8 in 2004 to assist the Board in
carrying out its standard-setting responsibilities. It established the Investor Advisory Group9 (IAG) in 2009 to advise the Board on
broad policy issues and other matters related to the work of the PCAOB. Recently, the PCAOB also has engaged directly with audit
committees, including through audit committee-focused publications.10 The PCAOB has indicated that its objective in doing so is
to help promote high-quality interactions between audit committees and auditors as well as help audit committees interpret PCAOB
inspection findings and use them in supervising the external auditor.
5. If the SEC does not vote to approve, disapprove or institute proceedings to determine whether to disapprove a PCAOB rule within specified deadlines, the rule becomes effective. 15 United States Code
(USC) § 78s(b)(2).
6. “Standing Advisory Group,” PCAOB website, http://pcaobus.org/Standards/SAG/Pages/default.aspx, accessed May 2017.
7. SOX § 103(a)(4).
8. The SAG comprises representatives of investors, preparers, audit firms, boards, academia and others. “Standing Advisory Group,” PCAOB website, http://pcaobus.org/Standards/SAG/Pages/default.aspx,
accessed May 2017.
9. The IAG provides broad policy advice to the board, including on fulfillment of its investor protection mission. “Investor Advisory Group,” PCAOB website, https://pcaobus.org/About/Advisory/Pages/IAG.aspx,
accessed May 2017.
10. See, e.g., “Audit Committee Dialogue,” May 2015, PCAOB website, https://pcaobus.org/sites/digitalpublications; and “Information for Audit Committees about the Inspection Process,” 1 August 2012,
PCAOB website, https://pcaobus.org/Inspections/Documents/Inspection_Information_for_Audit_Committees.pdf, accessed May 2017.
Over the past several years, some stakeholders have raised questions about the process used to establish the PCAOB’s standard-setting
priorities, as well as the length of time it takes to finalize standards and rules.11 This has resulted in a number of changes that are currently
being implemented (see “Revised PCAOB standard-setting process”).
The PCAOB issues its standards in proposed form before they are finalized, providing a comment period for external stakeholders. Recent
and current standard-setting projects include those related to auditor transparency, revisions to the auditor’s reporting model, supervision
of other auditors, auditing accounting estimates and fair value measurements, and the auditor’s use of the work of specialists.
In addition to standard setting, PCAOB staff periodically issue practice alerts to draw attention to emerging audit issues or risks. Recent
alerts have highlighted audit risks associated with the current economic environment and certain emerging markets.
Revised PCAOB standard-setting process
The PCAOB has recently undertaken changes in an effort to
address concerns with the efficiency and effectiveness in its
standard-setting process. According to the PCAOB, under its
revised process, once it identifies a potential area for a new or
revised standard, the PCAOB will place it on a newly created
research agenda. For items on the research agenda, the PCAOB
has indicated it will seek input from various PCAOB advisory
groups and other stakeholders; conduct economic analysis of
the costs, benefits and potential unintended consequences
of potential PCAOB rule-making in that area; and explore
alternative regulatory responses. If standard setting is viewed
as necessary, the PCAOB suggests it also will consider multiple
approaches to achieving the regulatory goal. Under the
revised process, research projects should only be added to
the PCAOB’s standard-setting agenda once the PCAOB staff
determines that rule-making is appropriate and an effective,
efficient rule-making solution is identified.
In addition to ensuring enhanced input from stakeholders early
on, the research process is intended to accelerate the pace of
projects once they are added to the PCAOB’s standard-setting
agenda. As of 31 March 2017, the research agenda includes
projects related to quality control standards, the use of data
and technology in audits, the auditor’s role regarding company
performance and non-GAAP measures, and the auditor’s
consideration of noncompliance with laws and regulations.
Inspections
Under SOX, the PCAOB is required to inspect a registered audit firm
at an interval based on the number of public companies that the firm
audits. Firms that perform annual audits of more than 100 issuers
are inspected annually, while other firms are inspected at least every
third year. During inspections, the PCAOB staff typically looks at
firmwide quality controls as well as a sample of audit engagements.
The PCAOB indicates that it uses a variety of factors to select the
audits it inspects, including its assessment of the risk that a public
company’s financial statements may contain a material misstatement.
Inspections are intended to provide an independent review of audit
quality and highlight opportunities for improvement within audit
firms, both at the individual audit level and with respect to a firm’s
system of quality control. Inspection results can be used to identify
areas in which additional audit guidance, training, practice reminders
or enhanced skills may be needed.
“The PCAOB inspection process is rigorous
and has helped us by identifying areas
where we can continue to improve our
EY Audit Quality Report,
December 2016
11. See, e.g., “Remarks before the 2014 AICPA National Conference on Current SEC and PCAOB Developments,” speech by then-SEC Chief Accountant James Schnurr, 8 December 2014, SEC website,
https://www.sec.gov/news/speech/2014-spch120814js, accessed May 2017.
As part of each inspection, the PCAOB prepares a report, part of
which is made publicly available. The public portion of the report
cites audits where the PCAOB believes the firm failed to obtain
sufficient evidence to support its opinion. The nonpublic portion of
the inspection report includes concerns raised during inspections
related to a firm’s system of quality control. If an audit firm does not
address those concerns to the PCAOB’s satisfaction within one year,
the concerns are publicly reported.12
The PCAOB’s approach to inspections has evolved over time in
response to factors such as inspectors’ findings in the field and
emerging risks. One area of change has been with regard to how
audit engagements are identified for inspection. The PCAOB
traditionally has used a risk-based approach, focusing resources
on the most problematic audits. Recently, PCAOB board members
and PCAOB staff have indicated that they are broadening
their approach. Board Member Jeanette Franzel explained, “In
recent years, we’ve been adding some non-risk based selections
and random selections to the mix of inspected audits, while
also studying how to use inspection results to provide a more
comprehensive assessment of audit quality and to make statistically
based inferences about audit quality. We refer to these collective
efforts as our project on ‘randomization.’”13 The PCAOB also has
increasingly focused on root cause analysis of audit deficiencies
to address recurring problems (see “The PCAOB Remediation
Framework” discussion for additional information).
The PCAOB Remediation Framework
Over time, the PCAOB has sought to provide additional transparency into its process for evaluating a firm’s activities to address
quality control findings identified through inspections. In 2013, it issued staff guidance related to this process, which highlighted five
criteria PCAOB inspection staff apply when assessing a firm’s remediation process, often referred to as the “remediation framework”:
1. Change – does the remedial step represent a change to the firm’s system of quality control that was in effect at the time the quality
control concern was identified?
2. Relevance – is the remedial step responsive to and does it specifically address the quality control criticism described in the inspection
report? Is a root cause analysis appropriate?
3. Design – is the remedial action designed to remediate the quality control criticism?
4. Implementation – was the remedial step implemented within 12 months? If not, has the firm made appropriate progress?
5. Execution and effectiveness – has the remedial step achieved the proposed effect that it was designed to have?
While this framework has not garnered the same attention that new PCAOB audit standards would receive, we believe it has had a
significant positive impact on audit quality. The framework encourages audit firms to examine their understanding of the root causes
of the identified quality control concerns. In some cases, this has led to additional investment and focus by firms on their processes
to consider the root causes of identified deficiencies. Confronting root causes allows for the design and execution of more effective
remediation activities, resulting in more timely improvements in audit quality. We believe that such improvements have been a key driver
in the decreasing trend in inspection findings over the most recent inspection periods.
12. SOX § 104(g)(2).
13. “Innovative & Robust Audit Profession to Serve Investors and the Public Interest,” speech by PCAOB Board Member Jeanette Franzel, 16th Financial Reporting Conference, 4 May 2017, PCAOB website,
https://pcaobus.org/News/Speech/Pages/Franzel-speech-Fin-Reporting-Conference-5-4-17.aspx, accessed May 2017.
Enforcement
The PCAOB’s enforcement staff investigates and sanctions
individual auditors and audit firms for violations of laws, regulations
and professional standards. The PCAOB’s disciplinary powers
include the authority to impose civil monetary penalties on
individual auditors or the audit firm, temporarily or permanently
revoke an audit firm’s registration with the PCAOB (which would
prevent it from performing audits of public companies and/or
broker-dealers), place limitations on the operations of a firm or
individual auditor and bar an individual auditor from association
with registered audit firms. It also can punish firms and auditors
that do not cooperate with PCAOB investigations and inspections
and may refer matters to the SEC and other relevant authorities.
“In the PCAOB’s 14 years, our inspectors
have examined many thousands of audits
and found numerous examples of high
quality auditing, including evidence of
auditors requiring companies to change
their accounting or improve their internal
controls over the production of financial
reports. These auditors are the unsung
heroes who avert the scandals that don’t
happen. But our inspectors have also
found and reported numerous instances in
which firms’ audit reports should not have
PCAOB Chairman James Doty
“The Board’s process for reviewing and
studying the remedial efforts taken by
firms in response to inspection findings is
prompting many firms to more proactively
Speech by PCAOB Board Member
Jeanette Franzel 15
“Enforcement gives teeth to the PCAOB’s
standard-setting and inspection activities,
and provides an important means of
making audit firms and professionals
aware of potential trouble spots that
appear more likely to trip up firms, ranging
from independence violations to improper
document alteration in connection with an
inspection or investigation.”
Speech by PCAOB Board Member
Lewis Ferguson 16
14. “The Role of the Bar and the Audit in Shareholder-Director Relationships,” 7 October 2016, PCAOB website, https://pcaobus.org/News/Speech/Pages/Doty-speech-Vanderbilt-10-7-16.aspx,
accessed May 2017.
15. “Innovative & Robust Audit Profession to Serve Investors and the Public Interest,” 16th Annual Financial Reporting Conference, 4 May 2017, PCAOB website, https://pcaobus.org/News/Speech/Pages/
Franzel-speech-Fin-Reporting-Conference-5-4-17.aspx, accessed May 201
16. “Global Developments in Auditor Oversight,” Sixth Annual Conferência Brasileira de Contabilidade e Auditoria Independente, 13 June 2016, PCAOB website, https://pcaobus.org/News/Speech/Pages/
Ferguson-speech-Brazil-global-audit-oversight-06-13-2016.aspx, accessed May 2017.
Strengthened audit committees and corporate governance
The Sarbanes-Oxley Act greatly expanded the responsibilities of
audit committees, significantly strengthening corporate governance
at many public companies.17 SOX required the boards of companies
listed on US stock exchanges to establish audit committees made up
solely of board members independent from management. Because
of SOX, audit committees, not management, are directly responsible
for the appointment, compensation and oversight of the work of
external auditors, who are charged with evaluating whether the
financial statements prepared by management are fairly presented
in accordance with the relevant financial reporting framework.
With respect to the composition of the audit committee, SOX
codified and enhanced changes that the SEC and US stock exchanges
had begun making in the late 1990s. In 1998, only about half of
all public companies had fully independent audit committees. Many
audit committees were reconstituted in order to meet independence
requirements implemented by the SEC and US stock exchanges
in late 1999. SOX went further and enhanced independence
requirements by requiring for the first time that all listed company
audit committee members be independent, meaning they could
not be affiliated with the company or any subsidiaries, and they
could not directly or indirectly receive any compensation from the
company other than in their capacity as members of the board.
SOX also encouraged audit committees to have at least one member
who is a “financial expert”18 to serve as a resource to help the audit
committee carry out its duties. This puts the audit committee in
a stronger position to review and challenge financial statements,
determine whether internal controls are appropriate and sufficient
and, if necessary, mandate certain accounting actions to protect
shareholder interests. Companies that do not have an audit
committee member with financial expertise must disclose this in
the annual proxy statement and explain the rationale for not having
one. In 2003, only a small proportion of audit committee members
were financial experts. Today, on average, 60% of S&P 500 audit
committee members are formally designated financial experts. 19
Evolution of audit committees over time
The composition of boards and audit committees has changed since the passage of SOX. While audit committee independence was
mandated by SOX, boards in general have become more independent. Another change has been a higher average number of audit
committee members who are identified as audit committee financial experts.
Table: Audit-related board composition data — S&P 500 companies. Columns: independent board members; independent audit committee members; average audit committee size; average number of audit committee financial experts. Rows: 2016, 2010, 2006, 2002.
17. Audit committees are made up of members of the board of directors and oversee the companies’ accounting and financial reporting process. Securities Exchange Act § 3(a)(58).
18. Generally, a financial expert is a person who, through education and experience, has an understanding of and experience in applying generally accepted accounting principles and preparing financial
statements, experience with internal controls and procedures for financial reporting, and an understanding of audit committee functions. SOX § 407, 17 CFR 229.407(d)(5)(ii).
19. Data is obtained from the EY Center for Board Matters’ proprietary corporate governance database, which collects and analyzes data for more than 3,000 US public companies. EY Center for Board Matters
website, http://www.ey.com/gl/en/issues/governance-and-reporting/center-for-board-matters/, accessed May 2017.
20. The source of the 2002 data is the Investor Responsibility Research Center.
To facilitate audit committees’ oversight of a company’s financial
reporting, SOX required companies to provide audit committees
with the resources and authority to engage independent counsel
and advisors to help them carry out their duties. SOX also
required audit committees to establish procedures for receiving
whistle-blower complaints regarding accounting, auditing and
internal control irregularities and to provide for the confidential
and anonymous treatment of employee concerns regarding such
matters. In addition, SOX enhanced the external auditor’s required
communications with the audit committee to include the following:
• A discussion of all critical accounting policies and practices used
by the company
• All alternative accounting treatments that have been discussed
with management, the ramifications of the use of alternative
disclosures and accounting treatments, and the accounting
treatment preferred by the audit firm
• Other material written communications between the auditor
These reforms significantly empowered audit committees, which
began to take a more active role to carry out their increased
responsibilities. For example, audit committees for the S&P 500
companies met five times a year on average in 2001.21 The average
number of meetings per year has nearly doubled to nine today.
Audit committees also are disclosing that they are exercising
ownership of the relationship with the auditor (see “Audit committee
disclosures” for additional information).
“Audit committees also play a critical role
in contributing to financial statement
credibility through their oversight and
resulting impact on the integrity of a
company’s culture and internal control
over financial reporting (ICFR), the quality
of financial reporting, and the quality of
audits performed on behalf of investors.
The importance of the audit committees’
work cannot be overstated.”
Wesley Bricker,
SEC Chief Accountant
“As audit committees serve as the
investors’ principal interface with the
auditor, investors expect audit committees
to hold auditors accountable for their
work and not to view the audit as merely a
Speech by PCAOB Board Member
Steven Harris 23
21. Source: For data from 2005 through present, EY’s corporate governance database, Center for Board Matters website, http://www.ey.com/gl/en/issues/governance-and-reporting/center-for-board-matters/,
accessed May 2017; for prior year data, Investor Responsibility Research Center.
22. “Advancing the Role and Effectiveness of Audit Committees,” University of Tennessee’s C. Warren Neel Corporate Governance Center, 24 March 2017, SEC website, https://www.sec.gov/news/speech/
bricker-university-tennessee-032417, accessed May 2017.
23. “Earning Investor Confidence,” Canadian Public Accountability Board 2017 Audit Quality Symposium, 17 May 2017, PCAOB website, https://pcaobus.org/News/Speech/Pages/Harris-speechCPAB-5-17-17.aspx, accessed May 2017.
Audit committee disclosures
One area of audit committee evolution post-SOX is voluntary disclosure regarding the audit committee’s oversight of the auditor. While
the Act strengthened audit committee oversight of financial reporting, audit committee-related disclosure requirements were left
unchanged. Currently, disclosure requirements for audit committees generally do not cover the breadth of their activities, including
the responsibilities established under the Act. Current disclosure requirements also provide only limited insight into the manner in
which audit committees act on behalf of investor interests in executing such duties.24
Voluntary disclosures increasing
In recent years, various stakeholders, including regulators and investors, have promoted greater audit committee transparency
in order to gain more insights into the committee’s important work.25 A number of companies are responding to this desire for
more transparency by voluntarily providing audit- and audit committee-related information.26 (See table below.) Recognizing these
developments, the SEC issued a concept release in 2015, Possible Revisions to Audit Committee Disclosures, to solicit views on
whether there would be a benefit from greater transparency around the work of audit committees, and if so, how best to achieve it.27
Most commenters supported exploring increased audit committee disclosures, although many preferred a voluntary approach, which
SEC commissioners and staff at the time also supported.
Voluntary audit-related disclosures in 2016 Fortune 100 proxy statements
Table columns: Category of disclosure; Topic; 2016 (% of total); 2012 (% of total)
Categories of disclosure:
• Audit committee responsibilities regarding external auditor
• Identification of topics discussed
• Fees paid to the external auditor
• Assessment of the external auditor
Topics:
• Explicit statement that the audit committee is responsible for appointment, compensation and oversight of external auditor
• Topics discussed by the audit committee and external auditor
• Statement that the audit committee considers non-audit fees/services when assessing auditor independence
• Statement that the audit committee is responsible for fee negotiations
• Explanation provided for change in fees paid to external auditor
• Disclosure of factors used in the audit committee’s assessment of the external auditor qualifications and work quality
• Statement that audit committee is involved in lead audit partner
• Statement that choice of external auditor is in best interest of company and/or shareholders
24. Audit committee reports currently must include statements that the audit committee has:
• Reviewed and discussed audited financial statements with management
• Discussed with the independent auditor matters required under PCAOB Auditing Standard 1301, such as significant matters that the auditor discussed with management and an overview of the overall
25. For example, for several years, the pension fund of the United Brotherhood of Carpenters has sought enhanced disclosures from certain companies regarding the audit committee’s ownership and oversight
of the audit relationship. In addition, the Audit Committee Collaboration, comprising several US governance organizations, issued its Call to Action to urge companies to consider additional disclosures about
the audit committee to help investors and other stakeholders better understand their important work. “Enhancing the Audit Committee Report,” November 2013, CAQ website, http://thecaq.org/enhancingaudit-committee-report-call-action, accessed May 2017.
26. “Audit committee reporting to shareholders in 2016,” Ernst & Young LLP, September 2016, EY website, http://www.ey.com/Publication/vwLUAssets/ey-audit-committee-reporting-to-shareholders-in2016/$FILE/ey-audit-committee-reporting-to-shareholders-in-2016.pdf, accessed May 2017.
27. “Possible Revisions to Audit Committee Disclosures,” SEC concept release, July 2015, SEC website, https://www.sec.gov/rules/concept/2015/33-9862.pdf, accessed May 2017.
28. The data for this report was gathered through the EY Center for Board Matters’ proprietary corporate governance database, which collects and analyzes data for more than 3,000 US public companies. EY Center
for Board Matters website, http://www.ey.com/gl/en/issues/governance-and-reporting/center-for-board-matters/, accessed May 2017. This table is excerpted from the EY publication “Audit committee reporting to
shareholders in 2016,” Ernst & Young LLP, September 2016, EY website, http://www.ey.com/Publication/vwLUAssets/ey-audit-committee-reporting-to-shareholders-in-2016/$FILE/ey-audit-committee-reportingto-shareholders-in-2016.pdf, accessed May 2017.
“To be sure, the PCAOB and the audit
profession have both come a long way since
the enactment of the Sarbanes-Oxley Act.
Audit quality has improved.”
SEC Commissioner Kara Stein
“Audits and investor protection have improved
significantly, in my view.”
PCAOB Chairman James Doty
“75% of investors express confidence in audited
U.S. financial reports.”
The CAQ’s 10th Annual Main Street Investor
Survey: A Decade of Investor Confidence 31
“It is clear that audit quality has significantly
improved since the passage of the Sarbanes-Oxley Act and the implementation of audit
regulatory oversight in the U.S. and around
PCAOB Board Member Jeanette Franzel 32
“81% of investors express confidence in
independent public company auditors.”
The CAQ’s 10th Annual Main Street Investor
Survey: A Decade of Investor Confidence 33
29. “Statement on the Commission’s Consideration of the Public Company Accounting Oversight
Board’s Proposed 2016 Budget and Accounting Support Fee,” 14 March 2016, SEC website,
accessed May 2017.
30. “PCAOB 2016 Budget Presentation to the SEC,” 14 March 2016, PCAOB website, https://
31. September 2016, Center for Audit Quality website, http://www.thecaq.org/2016-main-streetinvestor-survey, accessed May 2017.
33. “Progress and Evolution in Audit Oversight to Protect Investors and the Public Interest,” 15th
Annual Financial Reporting Conference, 5 May 2016, PCAOB website, https://pcaobus.org/News/Speech/Pages/Franzel-progress-in-audit-oversight-Baruch-5-5-16.aspx, accessed May 2017.
Enhanced transparency, executive accountability and investor protection
Another core element of Sarbanes-Oxley was to clearly define and
place responsibility for a company’s financial statements with its
CEO and CFO. SOX mandated that these executives certify the
following facts (among others) for each annual and quarterly report:
• They have reviewed the report.
• Based on their knowledge, the financial information included in
the report is fairly presented.
• Based on their knowledge, the report does not contain any
untrue statement of material fact or omit a material fact that
would make the financial statements misleading.
• They acknowledge their responsibility for establishing and
maintaining internal controls over financial reporting as well as
disclosure controls and procedures.
• They have evaluated the effectiveness of these disclosure
controls and procedures and disclosed any material changes in
the company’s internal controls over financial reporting.
By making management executives fully accountable for their
companies’ financial statements and related controls, Sarbanes-Oxley set a clear tone for corporate responsibility and helped
restore investors’ confidence in financial statements. To enhance
the significance of these certifications, SOX mandated stiff penalties
for executive officers who certify that financial reports comply
with the various regulatory requirements while knowing that they
do not. Such penalties include potential SEC enforcement action,
forfeiture of bonuses and profits, or criminal penalties such as
fines or imprisonment.34 As a further step to help restore investor
confidence in corporate financial statements, SOX required
companies to have an auditor attest to the effectiveness of the
company’s internal controls over financial reporting (see additional
discussion in the next section).
SOX established a number of other protections for investors,
• Establishment of the SEC’s “Fair Funds” program: To supplement
the financial relief available to victims of securities fraud, this
program allows the SEC to add monetary penalties paid by
those who commit securities fraud to the funds available for
distribution to wronged investors.35
• Provision of accurate information to auditors: Public company
officers, directors and persons operating under their direction
are prohibited from manipulating, coercing, misleading or
fraudulently influencing the external auditor.36
• Enhanced disclosures: Public companies are now required to
provide enhanced disclosures in annual and quarterly reports
regarding material off-balance sheet transactions, arrangements
• Disclosure of material changes: Public companies are required to
report material changes in the financial condition or operations
of the company on a rapid and current basis.
34. SOX § 304 requires CEOs and CFOs to reimburse issuers for bonuses and profits on the sale of the issuer’s shares over the preceding 12 months if the issuer restates its financial statements because of
misconduct. Section 954 of the Dodd-Frank Act of 2010 requires companies to establish policies to recover incentive-based pay of any current or former executives awarded over the three years prior to
a restatement, regardless of whether there was misconduct. The SEC issued a proposed rule in July 2015 that, if finalized, would carry out this requirement. “Listing standards for erroneously awarded
compensation,” SEC proposed rule, July 2015, SEC website, https://www.sec.gov/rules/proposed/2015/33-9861.pdf, accessed May 2017.
35. Prior to SOX, these funds were paid to the US Treasury.
36. SOX § 303; the related SEC rule is 17 CFR § 240.13b2-2.
Establishment of the SEC Whistleblower Program
SOX established key protections for whistleblowers who
report suspected fraud with respect to a public company’s
financial reporting. It also required public company audit
committees to establish procedures for receiving whistleblower complaints and to ensure that they are addressed
confidentially and anonymously. The Dodd-Frank Wall Street
Reform and Consumer Protection Act of 2010 (Dodd-Frank
Act) expanded the incentives for whistleblowers to report
wrongdoings and directed the SEC to create a whistleblower
program, which led to the establishment of the SEC’s Office of
the Whistleblower (OWB) in 2011.37 The mission of the OWB is
to “administer a vigorous whistleblower program that will help
the Commission identify and halt frauds early and quickly to
minimize investor losses.”38
The whistleblower program authorizes the SEC to make
monetary awards to whistleblowers who provide the SEC with
original information about possible securities law violations
that leads to a successful enforcement action.39 The program
awards amounts equal to 10%–30% of the monetary sanctions
collected. Since the inception of this program, the SEC has
awarded approximately US$153 million to 43 individuals
through April 2017.40
Under the program, whistleblowers can provide information
directly to the SEC or go through their companies’
whistleblower reporting procedures. SEC rules prohibit
companies from blocking employees’ participation in the OWB
program or from retaliating against employees who provide
information to the SEC. The SEC’s Division of Enforcement
has actively pursued companies that try to circumvent these
rules. For instance, the SEC has sanctioned several companies
that included terms in their severance agreements precluding
their employees from accepting any monetary award under the
whistleblower program.41
37. 2016 Annual Report to Congress on the Dodd-Frank Whistleblower Program, SEC Office of the
Whistleblower, November 2016, SEC website, https://www.sec.gov/whistleblower/reportspubs/annual-reports/owb-annual-report-2016.pdf, accessed May 2017.
40. “SEC awards nearly $4 million to whistleblower,” SEC press release, 25 April 2017, SEC website,
https://www.sec.gov/news/press-release/2017-84, accessed May 2017.
41. SEC website, sec.gov.
Internal controls over financial reporting
Sarbanes-Oxley requires public companies to assess how effective
their internal control over financial reporting (ICFR) is at preventing
misstatements that could be material to the financial statements.
While public companies have long been required to maintain
effective systems of internal controls pursuant to the Foreign
Corrupt Practices Act of 1977, SOX requires them to annually
evaluate their financial internal controls and to disclose the results
of that assessment. This includes whether there were any material
weaknesses in controls that may not prevent or detect a material
misstatement in the financial statements.
SOX Section 404(a) requires management to report on the
effectiveness of the company’s ICFR, and Section 404(b) requires
the auditor’s attestation regarding its effectiveness. SEC rulemaking and legislation subsequent to SOX (e.g., the Dodd-Frank
Act and the Jumpstart Our Business Startups (JOBS) Act of 2012)
have delayed or eliminated the requirement for certain companies,
including non-accelerated filers and emerging growth companies, to
comply with Section 404(b).42
In recent years, SEC staff have emphasized the importance of
effective ICFR in facilitating the preparation of reliable financial
statements for investors. This has included increased activity by
the SEC’s Division of Corporation Finance to prompt companies to
identify and disclose material weaknesses, as well as heightened
scrutiny by the SEC’s Division of Enforcement related to ICFR.
The SEC staff has suggested that a focus on internal control over
financial reporting will be even more critical given the pending
adoption of significant new accounting standards (i.e., revenue,
leases and credit losses) in the upcoming years.
“Over the next several years, updating
and maintaining internal controls will
be particularly important as companies
work through the implementation of the
significant new accounting standards.”
SEC Chief Accountant Wesley Bricker
“The ICFR audit, performed by an
independent, objective auditor, is an
important driver of trust in the integrity
of financial reporting and helps facilitate
capital formation in U.S. markets.”
Letter from the Council of Institutional
Investors, Center for Audit Quality and CFA
Institute to the House Financial Services
Committee regarding the Financial CHOICE
Act 2017, 1 May 2017 44
The process of evaluating the effectiveness of a company’s
internal control over financial reporting has been subject to
significant discussion during the past few years. ICFR has been
a source of significant PCAOB inspection findings, which has led
to significant remediation efforts by audit firms to address the
identified deficiencies. SEC staff have raised concerns that the
audit deficiencies may indicate issues in ICFR and/or management’s
assessment of ICFR.
42. Dodd-Frank Act, SEC website, https://www.sec.gov/about/laws/wallstreetreform-cpa.pdf; JOBS Act, SEC website, https://www.sec.gov/spotlight/jobs-act.shtml.
43. “Working Together to Advance High Quality Information in the Capital Markets,” 2016 annual American Institute of CPAs National Conference on Current SEC and PCAOB Developments, 5 December 2016,
SEC website, https://www.sec.gov/news/speech/keynote-address-2016-aicpa-conference-working-together.html, accessed May 2017.
44. CAQ website, http://www.thecaq.org/caq-cii-and-cfa-institute-submit-joint-letter-financial-choice-act, accessed May 2017.
For their part, preparers have raised concerns about how the auditor’s assessment of management review controls is being executed,
including the degree of precision needed in ICFR assessments as well as the level of required documentation. Preparers have indicated that
the work that auditors require of companies with respect to ICFR appears inconsistent with the reforms developed by the SEC and PCAOB in
2007 that were intended to enhance both the effectiveness and efficiency of the assessment process.
As a result of the concerns, both the PCAOB and SEC performed outreach with preparers, auditors, audit committee members and others
to understand the concerns and consider next steps. SEC and PCAOB staff have provided additional perspective on the nature and extent
of evidence required to support ICFR assessments, and plan to monitor activities in this area to assess whether further activities would be
appropriate. They also continue to emphasize the importance of effective ICFR in providing reliable financial reporting for investors.
ICFR Impact
Enhanced focus on internal control over financial reporting may have driven a decrease in the number and severity of financial
statement restatements since the SOX ICFR requirements became effective in 2004. As illustrated below, the number of reissuance
restatements for accelerated filers dropped significantly since 2005 and has maintained a low rate in recent years.45
[Chart: Reissuance restatements from accelerated filers, 2005–2016. Legend: restatements with Form 8-K, Item 4.02 disclosure (prior financials could no longer be relied upon); restatements from prior Form 8-K, Item 4.02. Data labels: 385, 225.]
Source: Audit Analytics (2016 Financial Restatements: A Sixteen Year Comparison)
In addition, the severity of the largest restatements with negative impact on net income has significantly decreased since SOX 404
was implemented:
[Chart: Largest negative restatements (US$ in millions), 2002–2016. Bar labels (order not tied to years): $6,335; $5,193; $4,513; $2,377; $3,465; $671; $341; $357; $717; $1,557; $459; $420; $286; $711; $1,085.]
Source: Audit Analytics (2016 Financial Restatements: A Sixteen Year Comparison)
45. “Reissuance restatements” are the most severe type of restatement because they mean that a company’s past financial statements can no longer be relied upon.
Enhanced auditor independence
Quality audits performed objectively by independent auditors
support investor confidence in financial reporting. Sarbanes-Oxley
strengthened auditor independence in several ways, including by
restricting the types of non-audit services that audit firms can
provide to the public companies they are auditing. Two additional
ways that it reinforced auditor independence include requiring:
SOX prohibits audit firms from providing
certain services to public companies
they audit:
• Bookkeeping
• Financial information systems design and implementation
• Appraisal or valuation services or fairness opinions
• Actuarial services
• Internal audit outsourcing services
• Management functions or human resources
• Broker, dealer, investment adviser or investment
banking services
• Legal and expert services unrelated to the audit
• Audit committee preapproval of all audit and non-audit services
by the auditor, enabling audit committees to assess the
cumulative impact of all services provided by the auditor on its
independence. SEC staff have emphasized that management and
audit committees need appropriate policies and procedures in
place to evaluate and monitor non-audit services provided by the
registrant’s auditor in order to mitigate the risk that deviations in
the scope of such services could impair independence.
• Mandatory rotation of key partners involved in audits, to limit
overfamiliarity with a company and/or management, including:
  - The lead engagement partner every five years (prior to SOX,
  professional standards required rotation every seven years)
  - Concurring audit partner every five years46
  - Other audit partners who have significant responsibilities on
  audits every seven years
Since SOX, auditor independence has been a focus of both the
SEC and PCAOB. The Commission and Board have emphasized the
importance of auditors evaluating and applying the independence
rules carefully and ensuring that partners and staff (including those
providing non-audit services) receive training on the rules and
46. A “concurring audit partner” (or “engagement quality reviewer” as defined in PCAOB standards) is a partner, independent of the audit team, whose role is to perform an objective review of the significant
judgments made by the audit team and the related conclusions reached in forming an opinion on the financial statements. Engagement quality reviewers must provide their approval prior to issuance of an
Auditor oversight around the world
The PCAOB was one of the first independent audit oversight
bodies to be created but now has numerous counterparts around
the world. In 2006, 18 such bodies came together to establish
the International Forum of Independent Audit Regulators (IFIAR)
in order to share knowledge of the audit environment, promote
collaboration and consistency in regulatory activity and facilitate
cross-border cooperation. Today, IFIAR members span the globe,
covering 52 countries. In 2017, IFIAR achieved an important
milestone, establishing for the first time a permanent secretariat,
which is located in Tokyo, Japan.
IFIAR has undertaken several significant projects to increase
consistency and collaboration among its members as well as
improve audit quality. An early IFIAR project was to develop global
principles on independent audit oversight that its members should
strive to implement. More recently, IFIAR members concluded a
multilateral memorandum of understanding (MMOU) regarding
cooperation on inspections and enforcement matters. The MMOU
establishes a framework for members to share information with
each other confidentially, facilitating oversight of cross-border
audits and cooperation on multinational investigations. In addition,
during the past five years, IFIAR has released annual Global Surveys
of Inspection Findings, which compile inspection data from a
number of its members around the world.47
Growth of IFIAR membership:
2006 – 18 original members
Australia, Austria, Brazil, Canada, Denmark, France, Germany,
Ireland, Italy, Japan, Mexico, the Netherlands, Norway,
Singapore, South Africa, Spain, Sweden, the UK, plus the US
(observer)
2012 – 39 members
Abu Dhabi, Bulgaria, Dubai, Egypt, Finland, Greece, Hungary,
Korea, Lithuania, Luxembourg, Malaysia, Malta, Mauritius,
Poland, Portugal, Slovak Republic, Sri Lanka, Switzerland,
Taiwan, Thailand, Turkey, the US (full member) (Mexico ceased
to be a member)
2017 – 52 members
Albania, Belgium, Botswana, Cayman Islands, Croatia,
Cyprus, the Czech Republic, Gibraltar, Indonesia, Jersey,
Liechtenstein, New Zealand, Russia, Slovenia (Malta ceased to
be a member)49
IFIAR’s Global Audit Quality Working Group (GAQ)48 and the large
individual audit networks meet regularly to discuss cross-border
audit quality. One output of these discussions is that in 2015, the
GAQ and the large networks set a target to reduce the number
of listed public interest entity audits with at least one inspection
finding by an aggregate 25% in the nine GAQ member countries
over four years (by 2020). The GAQ and the networks also are
engaged in dialogue on effective root cause analysis of inspection
findings and implementation of actions to address them. The
PCAOB is a member of the GAQ, and Board Member Lewis Ferguson
is its Chair.
47. IFIAR website, www.ifiar.org, accessed May 2017.
48. GAQ members are the audit regulators in Australia, Canada, France, Germany, Japan, the Netherlands, Singapore, the UK and the US.
49. IFIAR website, www.ifiar.org, accessed May 2017.
Looking ahead: the next 15 years
Markets are constantly changing, and auditors, companies,
regulators and other stakeholders must keep up in order to maintain
their relevance and vitality. While we believe the Sarbanes-Oxley
Act will continue to be relevant over the next 15 years, we expect
that audit oversight and standard setting will evolve in light of the
dynamic environment. Some of the areas in which we expect to see
significant evolution are the use of technology in audits, corporate
reporting and standard setting, to name a few.
Technological developments
Advances in technology, including the use of data analytics, are
allowing businesses to track large volumes of information about
their operations. These advances also enable the audit profession to
increasingly use data and analytical tools to carry out audits, with
the potential to enhance the quality and relevance of the audit. They
may allow, for example, auditors to test entire data populations
rather than conduct sampling-based testing. Auditors are also able
to use data and statistical techniques to help identify factors that
are associated with quality audits and to further improve responses
to audit risk. As technology continues to evolve, it will be important
for the PCAOB and audit profession to engage in dialogue about the
potential impact on the audit, inspections and audit standards.
“Today, we live in an era of increasingly
complex financial reporting, with expanded
use of estimates in financial statements,
and myriad new financial instruments
and financing techniques. Auditing as a
profession has changed accordingly, with
parallel increases by audit firms in their use
of technology, data mining, and analytics.
Moreover, we are only at the beginning of
what I believe will be a major transformation
in how auditors do their job.”
PCAOB Board Member
Lewis Ferguson 50
Corporate reporting
Corporate reporting is another area in which evolution will likely
be a constant. Companies have begun voluntarily undertaking
innovative approaches to make their disclosures more focused
and effective. Technological changes may enable investors to
more easily find the information most critical to their investment
decisions through data tagging or other methods, and we should
expect that. Integrated reporting and sustainability reporting, in
addition to traditional disclosures provided by public companies,
likely will continue to gain traction. Companies may also begin to
report more about cybersecurity and non-GAAP measures.
50. “Global Developments in Auditor Oversight,” Sixth Annual Conferência Brasileira de Contabilidade e Auditoria Independente, 13 June 2016, PCAOB website, https://pcaobus.org/News/Speech/Pages/Ferguson-speech-Brazil-global-audit-oversight-06-13-2016.aspx, accessed May 2017.
PCAOB standard setting
We expect PCAOB standards, as well as the standard-setting
process, to continue to evolve. Topics on the PCAOB’s research
agenda and rule-making docket include changes in the use of data
and technology in the conduct of audits, audit firm quality control
systems, auditing accounting estimates and the use of specialists in
conducting the audit. With regard to the standard-setting process,
in recent years the PCAOB has innovated its approach, including by
incorporating economic analysis in its rule-making and conducting
its first post-implementation review of a standard in 2016. As
discussed above, the PCAOB also is implementing a new process
for selecting rule-making projects that involves first conducting
research and obtaining extensive stakeholder input, setting the
stage for high-quality standard setting.
Shift in PCAOB inspection focus
In the future, another area of potential evolution could be with
respect to inspections placing greater focus on audit firm quality
control systems. As Board Member Jeanette Franzel stated,
“Another potential future change could involve evolution in the
focus of inspection procedures between inspecting individual audits
and testing of a firm’s quality control system … In an optimistic
scenario of a large firm improving its quality control system so that
it is effective in preventing audit deficiencies — in other words if a
large firm strengthens its quality control system to the point that it
has very few or no Part I audit deficiencies in the individual audits
inspected by the PCAOB — then it may make sense to increase the
inspection focus on testing the firm’s quality control system while
potentially decreasing the number of audits inspected.” 51
51. “Progress and Evolution in Audit Oversight to Protect Investors and the Public Interest,” speech
by PCAOB Board Member Jeanette Franzel, 15th Annual Financial Reporting Conference, 5
May 2016, PCAOB website, https://pcaobus.org/News/Speech/Pages/Franzel-progress-in-auditoversight-Baruch-5-5-16.aspx.
Withstanding the test of time
As we look to the future, one area of focus for both investors and
policymakers is on long-term value creation. We believe this is only
possible if there is confidence in financial reporting. This means
that everyone in the financial reporting system must do their part:
companies must fully disclose material information, auditors must
exercise independence and skepticism when examining financial
statements, and audit committees must provide diligent oversight
of the financial reporting process.
We believe the foundation for investor confidence was vastly
strengthened by the Sarbanes-Oxley Act of 2002. At the same time,
we recognize the need for all market participants to continually seek
to do more to earn that trust. From our perspective as auditors,
we know that achieving and maintaining audit quality requires
constant vigilance and effort, given the dynamism and complexity
of companies, global markets, financial products and the business
environment. We look forward to working alongside investors,
companies, audit committees and regulators to use the strong
foundation built by SOX to meet the coming challenges. In our view,
its framework and key tenets continue to withstand the test of time.
Appendix: Key features of the
Sarbanes-Oxley Act of 2002
On 25 July 2002, Congress passed the Sarbanes-Oxley Act of 2002
by a vote of 423-3 in the House and 99-0 in the Senate. On 30 July
2002, President George W. Bush signed the measure into law (PL
The following is an outline of the major requirements of the
Act, broken into five sections: (1) consequences for issuers; (2)
audit committee requirements; (3) board and corporate officer
requirements; (4) audit firm requirements; and (5) the major
amendments to SOX since its enactment.
The Act has the following consequences for issuers:
1. Issuers are subject to the Act: the Act defines “issuer” as
any company whose securities are registered, whether the
issuer is domiciled in the United States or elsewhere, and any
company required to file reports under § 15(d) of the Securities
Exchange Act of 1934 (§ 2).
2. Issuers must establish audit committees: the Sarbanes-Oxley
Act effectively requires all listed companies, whether US or non-US, to have fully independent audit committees (§ 301).
3. The PCAOB can compel testimony and audit work papers
related to an issuer: the PCAOB may require testimony or the
production of documents or information in the possession of
any registered audit firm or “associated person” of the firm
relevant to an investigation. The PCAOB may also “request”
documents and testimony from other persons, including
issuers. If necessary, the PCAOB may request that the SEC
issue a subpoena to assist it in its investigation (§ 105).
4. Issuers will be held responsible for associating with suspended
or barred auditors: the Act prohibits an issuer from employing
a person who has been suspended or barred from associating
with any audit firm (§ 105).
5. Issuers are required to fund the operations of both the PCAOB
and the Financial Accounting Standards Board (FASB): the
Act authorizes the PCAOB to fund itself by requiring issuers
to pay an “annual accounting support fee.” Issuers also are
responsible for funding FASB (§ 109).
6. An issuer may not engage its auditor for certain non-audit
services: the Act statutorily prohibits eight specifically listed
categories of non-audit services from being offered by audit
firms to their public audit clients and authorizes the PCAOB to
prohibit other non-audit services (§ 201).
7. An issuer’s audit committee must preapprove all audit and
non-audit services: before an auditor can provide audit services
or any non-audit service to a public audit client, the audit
committee of the client must approve (§ 202).
8. Issuers must disclose approvals of non-audit services: audit
committee approvals of non-audit services must be disclosed in
SEC periodic reports (§ 202).
9. Issuers must wait one year before hiring an audit engagement
team member to be the CEO, CFO, chief accounting officer
(CAO) or equivalent: the Act provides that an audit firm
may not provide audit services for a public company if that
company’s chief executive officer, controller, chief financial
officer, chief accounting officer or other individual serving in an
equivalent position was employed by the audit firm and worked
on the company’s audit during the one year before the start of
the audit services (§ 206).
10. Issuers must provide audit committees with adequate funding:
issuers must provide appropriate funding, as determined by the
audit committee, for payment of compensation to the auditor
and any advisors employed by the audit committee (§ 301).
11. Issuers must disclose off-balance sheet transactions: the SEC
issued rules requiring that annual and quarterly financial
reports disclose all material off-balance sheet transactions,
arrangements, obligations and other relationships of the
issuer that may have a material current or future effect on the
financial condition of the issuer (§ 401).
12. Issuers must reconcile pro forma information with GAAP and
not omit information that otherwise makes financial disclosures
misleading: the SEC issued rules providing that pro forma
financial information disclosures must reconcile with GAAP and
not be misleading (§ 401).
13. Issuers may not extend loans to board members or corporate
officers: the Act makes it unlawful for an issuer to extend a loan
to a board member or executive officer that is not made in the
ordinary course of business of the issuer and is not of a type
generally made available to the public and on market terms (§
14. Issuers must disclose transactions involving management and
principal stockholders: Section 16 of the Securities Exchange
Act of 1934 was amended to require that changes in equity
ownership by board members, officers and 10% stockholders
must be reported within two business days after the day
of the transaction. These “Section 16 filings” must be filed
electronically and posted on the company’s website (§ 403).
15. Issuers must make annual internal control reports: issuers must
make reports that (1) state the responsibility of management
for establishing and maintaining an adequate internal control
structure and procedures for financial reporting, and (2)
contain an assessment as of the end of the most recent fiscal
year of the effectiveness of the internal control structure
procedures of the issuer for financial reporting. The auditor
must attest to, and report on, management’s assertion (§ 404).
16. Issuers must disclose whether they have adopted codes of
ethics for their senior officers: the SEC issued rules requiring
companies to disclose whether they have adopted codes of
ethics for senior officers. If not, issuers must explain their
rationale for failing to do so (§ 406).
17. Issuers must disclose the existence of a “financial expert” on
the audit committee: the SEC issued rules requiring issuers to
disclose whether or not (and if not, reasons therefor) the audit
committee has at least one member who is a “financial expert”
18. Issuers must disclose information about “material changes” in
real time: public companies must disclose in plain English and
“on a rapid and current basis” additional information regarding
material changes in their financial conditions or operations (§
19. The Act creates criminal penalties for obstruction of justice by
destruction of documents: the Act creates criminal penalties for
obstruction of federal agency or other official proceedings by
destruction of records. The Act provides for up to 20 years in
jail for knowingly destroying or creating evidence with intent to
obstruct a federal investigation or matter in bankruptcy
(§§ 802, 1102).
20. The Act changes bankruptcy law regarding obligations incurred
in violation of securities laws: the Act amends the federal
bankruptcy code so that obligations arising from securities law
violations cannot be discharged in bankruptcy (§ 803).
21. The Act creates longer statutes of limitations for securities
fraud cases: the Act lengthens the statute of limitations for
private federal securities fraud lawsuits from one year after
the date of discovery of the facts constituting the violation and
three years after the fraud to two years from discovery and five
years after the fraud (§ 804).
22. The Act creates “whistleblower” protections for employees
of issuers: the Act provides whistle-blower protection to
employees of publicly traded companies when they disclose
information or assist in detecting and stopping fraud
(§§ 806, 1107).
23. The Act creates criminal penalties for defrauding shareholders
of publicly traded companies: the Act provides that anyone
who “knowingly” defrauds shareholders of publicly traded
companies may be subject to fines and imprisonment of up to
25 years (§ 807).
24. The Act enhances penalties for white-collar crime: the Act
increases jail time for conspiracy, mail and wire fraud, violations
of the Employee Retirement Income Security Act of 1974
(ERISA), Exchange Act violations and retaliation against
informants (§§ 902–904, 1106–1107).
II. Audit committees
The Act requires that audit committees:
1. Preapprove all audit and non-audit services: the Act provides
that both auditing and non-audit services must be preapproved
by the audit committee. The Act makes it “unlawful” for audit
firms to perform eight specifically listed categories of non-audit
services for their public audit clients and authorizes the
PCAOB to prohibit other non-audit services. The Act specifically
indicates that the performance of any other non-audit service
by an audit firm for a public audit client is not prohibited,
provided such services are “preapproved” by the client’s audit
committee (§§ 201–202).
2. Have the ability to delegate preapproval authority: the
preapproval of non-audit services may be delegated to a
member of the audit committee. The decisions of any audit
committee member to whom preapproval authority is delegated
must be presented to the full audit committee at its next
scheduled meeting (§ 202).
3. Receive regular reports from the auditor on accounting
treatments: an auditor must report to the audit committee on
the critical accounting policies and practices to be used; all
alternative treatments of financial information within GAAP
that have been discussed with management, including the
ramifications of the use of such alternative treatments, and
the treatment preferred by the auditor; and other material
written communications between the auditor and management
(such as any management letter and schedule of unadjusted
differences) (§ 204).
4. Be responsible for oversight of the auditor: the Act provides
that auditors shall report to and be overseen by the audit
committee of a client, not management. The audit committee is
“directly responsible for the appointment, compensation, and
oversight” of the auditor’s work (§ 301).
5. Be independent of the issuer: audit committee members must
be independent. In order to be considered “independent,”
an audit committee member may not accept any consulting,
advisory or other compensatory fees from the issuer or be an
“affiliated person” of the issuer or a subsidiary thereof (§ 301).
6. Establish complaint procedures: audit committees must
establish procedures for receiving and treating complaints
regarding accounting and auditing matters, including
complaints from those who wish to remain anonymous (§ 301).
7. Be given authority to engage advisors: audit committees must
have authority to engage lawyers and other advisors, as they
determine necessary (§ 301).
8. Receive corporate attorneys’ reports of evidence of a material
violation of securities laws or breaches of fiduciary duty: the
SEC established rules for attorneys appearing before it that
require them to report evidence of a material violation of
securities laws or breach of fiduciary duty or similar violation
by the company to the chief legal counsel or the CEO. If
management does not appropriately respond to the evidence,
the attorney must report the evidence to the audit committee
III. Boards of directors and corporate officers
The Act imposes the following requirements on boards of
directors and corporate officers:
1. The board of directors must either form an audit committee
or take on such responsibilities: the Act requires boards of
directors to either form an audit committee or otherwise take
on the responsibilities of one (§ 2).
2. The CEO and CFO must certify financial reports: the SEC
established rules providing that an issuer’s CEO and CFO must
certify that periodic reports filed with the SEC are materially
correct; that financial statements and disclosures “fairly
present” the company’s operations and financial condition in all
material respects; and that they are responsible for evaluating
and maintaining internal controls, have designed such controls
to ensure that material information related to the issuer and its
consolidated subsidiaries is made known to such officials and
others within such entities, have evaluated the effectiveness as
of a date within 90 days prior to the report, and have presented
in their report their conclusions about the effectiveness of
their internal controls. Further, they shall certify that they have
disclosed to the auditor and audit committee all “significant
deficiencies” in the design or operation of internal controls,
including any material weaknesses, and any fraud, whether or
not material, that involved management or other employees
who have a significant role in the issuer’s internal controls
A separate criminal provision requires the signing officer to
certify that each periodic report containing financial statements
complies with securities laws and that the information in such
report fairly presents, in all material respects, the financial
condition and results of operations of the company. Failure
to do so is a criminal felony, punishable by a fine of up to
US$1 million and/or imprisonment of up to 10 years. A willful
violation is punishable by a fine of up to US$5 million and/or
imprisonment of up to 20 years (§ 906).
3. Officers, directors and others are prohibited from fraudulently
misleading their auditors: the SEC established rules prohibiting
any officer, director or person acting under their direction from
taking any action to fraudulently influence, coerce, manipulate
or mislead an auditor (§ 303).
4. The CEO and/or CFO must disgorge bonuses and profits after
restatements due to misconduct: CEOs and CFOs must forfeit
bonuses, incentive-based compensation and profits on stock
sales if the issuer is required to issue a restatement due to
misconduct (§ 304).
5. The SEC can bar “unfit” officers and directors: the Act gives
the SEC authority to bring administrative proceedings to bar
persons who are found to be “unfit” from serving as officers
or directors of publicly traded companies. (Note: Under prior
law, the SEC had to go to court to obtain such a bar, and the
standard was “substantial unfitness.”) (§§ 305, 1105)
6. Officers and directors are prohibited from trading during
pension “blackout” periods: the Act prohibits corporate officers
and directors from trading company securities during a pension
fund “blackout” period (§ 306).
7. The CEO or chief legal counsel must receive corporate
attorneys’ reports of evidence of a material violation of
securities laws or breaches of fiduciary duty: the SEC
established rules for attorneys appearing before it that require
them to report evidence of a material violation of securities
laws or breach of fiduciary duty or similar violation by the
company to the chief legal counsel or the CEO. If management
does not appropriately respond to the evidence, the attorney
must report the evidence to the audit committee (§ 307).
8. The Act gives the SEC authority to temporarily freeze the pay
of corporate officers: the Act gives the SEC authority to seek
a federal court order to temporarily freeze any “extraordinary
payments” to corporate officers pending an investigation of
securities fraud (§ 1103).
IV. Audit firms
The Act’s regulatory board provisions require audit firms to:
1. Be subject to oversight by an accounting oversight board: the
Act established the PCAOB, which has broad powers over the
profession. The PCAOB has five full-time members, appointed
for staggered five-year terms. Two (and no more than two) of
the members must be or have been CPAs. The SEC appoints
PCAOB members (after consultation with certain other
agencies) (§ 101).
2. Register with the PCAOB: audit firms that perform audits
of public companies must register with the PCAOB. The
registration form requires firms to disclose the names of
audit clients; annual fees received from each issuer for “audit
services, other accounting services, and non-audit services”; a
statement of the firm’s quality control policies; a list of all the
firm’s auditors and licensing information; information relating
to criminal, civil, or administrative actions or disciplinary
proceedings pending against the firm or associated persons
in connection with any audit report; copies of any SEC reports
disclosing accounting disagreements between the firm and
an issuer in connection with an audit report; any additional
information the PCAOB specifies as necessary or appropriate
in the public interest or for the protection of investors; consent
to cooperate in and comply with any testimony or document
production request made by the PCAOB; and an agreement to
secure and enforce similar consents from “associated persons”
of the firm (§ 102).
3. Submit periodic reports: audit firms must submit annual
updates of their registration to the PCAOB (or more frequently
if the PCAOB determines it necessary) (§ 102).
4. Pay fees to the PCAOB: audit firms must pay registration fees
and annual fees to the PCAOB to cover the costs of processing
applications and annual reports (§ 102).
5. Comply with auditing and other professional standards: the Act
requires the PCAOB to establish, or adopt by rule, “auditing and
related attestation standards” as well as “ethics standards” to
be used by audit firms in the preparation and issuance of audit
reports. The Act indicates that the PCAOB may adopt standards
proposed by “professional groups of accountants” (§ 103).
6. Comply with quality control standards: the Act requires the
PCAOB to issue standards for audit firms’ quality controls,
including monitoring of ethics and independence, internal and
external consulting on audit issues, audit supervision, hiring,
development and advancement of audit personnel, client
acceptance and continuance, and internal inspections (§ 103).
7. Submit to quality control inspections: the PCAOB must
regularly inspect audit firms’ audit operations (annually for
large firms) to assess the degree of compliance by those firms
with the Act, the rules of the PCAOB, the firm’s own quality
control policies, and professional standards relating to audits of
public companies (§ 104).
8. Subject foreign firms to PCAOB regulation: foreign audit firms
that “prepare or furnish” an audit report with respect to US
registrants must register with the PCAOB and are treated the
same as US audit firms for purposes of the Act (§ 106).
9. Secure the consent of foreign firms to PCAOB requests for
documents if a domestic firm relies on its opinion: a domestic
audit firm that relies upon the opinion of a foreign audit firm
must “secure” the foreign firm’s agreement to supply audit
work papers to the PCAOB (§ 106).
The Act’s legal and disciplinary provisions have the following
consequences for audit firms:
10. Investigations and disciplinary actions: the PCAOB investigates
potential violations of the Act, its rules, related provisions of
the securities laws (and the rules), and professional accounting
and conduct standards (§ 105).
11. Testimony and document production requests: the PCAOB
may require testimony or the production of documents or
information in the possession of any audit firm, “associated
person,” or any other person (including any client of an
audit firm) if relevant to an investigation. All confidential
information received by the PCAOB during an investigation
may be furnished to the SEC, certain other federal regulators
or (with the SEC’s approval) to the Department of Justice, state
attorneys general or state regulators (§ 105).
12. PCAOB sanctions, including suspension: the PCAOB may
impose sanctions for noncooperation or violations, including
revocation, suspension or limitations on an audit firm’s
registration, suspension from auditing public companies and
imposition of civil penalties (§ 105).
13. State and federal prosecution after referral from the PCAOB:
the PCAOB may refer investigations to the SEC, certain
other federal regulators or (with the SEC’s approval) to the
Department of Justice, state attorneys general or state
regulators (§ 105).
14. Sanctions for failure to supervise: the PCAOB may also impose
sanctions upon an audit firm or its supervisory personnel for
failure reasonably to supervise a partner or employee (§ 105).
15. Members of the audit engagement team must wait one year
before accepting employment as an audit client’s CEO, CFO,
CAO or equivalent: the Act provides that an audit firm may not
provide audit services for a public company if that company’s
chief executive officer, controller, chief financial officer, chief
accounting officer, or other individual serving in an equivalent
position, was employed by the audit firm and worked on the
company’s audit during the one year before the start of the
audit services (§ 206).
16. Criminal penalties for destruction of corporate audit records:
the Act creates a felony for the willful failure to maintain “all
audit or review work papers” for five years. The SEC established
rules on the retention of other audit records (paper and
electronic) in addition to actual workpapers (§ 802).
17. Longer statutes of limitations for securities fraud cases: the Act
lengthens the statute of limitations for certain private securities
fraud actions from one year after the date of discovery of the
facts constituting the violation and three years after the fraud
to two years from discovery and five years after the fraud
The Act’s internal procedure provisions require audit firms to:
18. Retain documents: pursuant to SOX, the PCAOB issued
standards compelling audit firms to maintain for seven years
“audit work papers, and other information related to an audit
report, in sufficient detail to support the conclusions reached in
such a report” (§ 103).
19. Submit audits to second partner reviews: the PCAOB issued
standards requiring audit firms to have a second partner review
and approval of each public company audit report (§ 103).
20. Rotate audit partners every five years: an audit firm must
rotate its lead partner and its review partner on audits so that
neither role is performed by the same accountant for more than
five consecutive years (§ 203).
With respect to their public clients, the Act requires audit firms to:
21. Comply with PCAOB-issued internal controls testing standards:
the PCAOB issued standards requiring auditors to report on their
“findings” with respect to the audit client’s internal control
structure and the auditors’ “evaluation” of whether the internal
control structure and procedures “include a maintenance of
records that in reasonable detail accurately and fairly reflect
the transactions and dispositions of the assets of the issuer;
provide reasonable assurance that transactions are recorded
as necessary to permit preparation of financial statements in
accordance with GAAP, and that receipts and expenditures
of the issuer are being made only in accordance with
authorizations of management and directors of the issuers”
22. Attest to management’s representations on internal
controls: the Act requires management to assess and make
representations regarding the quality of internal controls and
requires audit firms to attest to and report on management’s
assessment (§ 404).
23. Cease offering certain non-audit services to public audit clients:
the Act statutorily prohibits a number of non-audit services
from being offered to public audit clients (§ 201).
24. Obtain audit committee preapproval for services: before an
audit firm can provide audit or non-audit services to a public
audit client, the audit committee of the client must approve (§
25. Regularly report to audit committees on accounting treatments:
audit firms must report to the audit committee on the critical
accounting policies and practices to be used, all alternative
treatments of financial information within GAAP that have been
discussed with management officials, the ramifications of the
use of such alternative treatments, the treatment preferred
by the auditor, and other material written communications
between the audit firm and management (§ 204).
26. Be responsible to the audit committee, not management: the
Act provides that audit firms shall report to and be overseen
by the audit committee of a company being audited, not
management (§ 301).
V. Significant amendments to the Sarbanes-Oxley Act
The Dodd-Frank Act of 2010:
1. Exempted all public companies not classified as “accelerated
filers” or “large accelerated filers” by the SEC from complying
with § 404(b) of the Sarbanes-Oxley Act (§ 989G).
2. Expanded the requirement of domestic audit firms to secure
a foreign firm’s audit workpapers and also required the
appointment of an agent for service of process in the US
3. Authorized monetary awards to whistle-blowers providing the
SEC with information that leads to a successful enforcement
action. Confidential information supplied to the SEC by a
whistle-blower may be furnished to the appropriate regulatory
authority, the Attorney General of the United States, the
PCAOB and others, at the discretion of the SEC (§ 922).
4. Expanded the authority of the PCAOB to oversee the audits
of registered brokers and dealers, as defined by the Securities
Exchange Act of 1934 (§ 982).
5. Specified that civil money penalties for securities laws
violations may be used to compensate victims without
obtaining disgorgement from the defendant, as was previously
required under the Sarbanes-Oxley Act (§ 929B).
6. Expanded the definition of “person associated with an [audit]
firm” to include persons “formerly associated with an [audit]
firm” for purposes of investigative and enforcement authority
7. Authorized the PCAOB to provide foreign auditor oversight
authorities with all confidential information received from an
audit firm during a PCAOB inspection or investigation, at the
discretion of the PCAOB and pursuant to certain qualifications
The JOBS Act of 2012:
8. Exempted all companies defined within the JOBS Act as
emerging growth companies from complying with § 404(b) of
the Sarbanes-Oxley Act (§ 103).
9. Exempted all companies defined in the JOBS Act as emerging
growth companies from complying with any new accounting
standard until such date that private companies must comply, if
such standard applies to private companies at all (§ 102).
10. Exempted all companies defined within the JOBS Act as
emerging growth companies from complying with any PCAOB
rules requiring mandatory firm rotation or auditor discussion
and analysis (§ 104).
11. Exempted all companies defined within the JOBS Act as
emerging growth companies from complying with other
new auditing standards unless the SEC determines that the
application of such standard is “necessary or appropriate in the
public interest, after considering the protection of investors and
whether the action will promote efficiency, competition, and
capital formation” (§ 104).
About EY
EY is a global leader in assurance, tax, transaction and
advisory services. The insights and quality services we
deliver help build trust and confidence in the capital markets
and in economies the world over. We develop outstanding
leaders who team to deliver on our promises to all of our
stakeholders. In so doing, we play a critical role in building a
better working world for our people, for our clients and for
EY refers to the global organization, and may refer to one or
more, of the member firms of Ernst & Young Global Limited,
each of which is a separate legal entity. Ernst & Young Global
Limited, a UK company limited by guarantee, does not
provide services to clients. For more information about our
organization, please visit ey.com.
Ernst & Young LLP is a client-serving member firm of
Ernst & Young Global Limited operating in the US.
© 2017 Ernst & Young LLP.
All Rights Reserved.
SCORE no. 03939-171US
This material has been prepared for general informational purposes only and is
not intended to be relied upon as accounting, tax or other professional advice.
Please refer to your advisors for specific advice.
ey.com