Term: Sarbanes-Oxley Act

Description: The Sarbanes-Oxley Act, signed into law by George W. Bush on July 30, 2002, was overwhelmingly approved by the House (423-3) and the Senate (99-0) to combat white-collar financial crimes such as those at Enron and WorldCom. The act consists of 11 titles that set out specific mandates and requirements for accounting and financial reporting standards for all U.S. public company boards, management, and public accounting firms. The act defines specific responsibilities and criminal penalties, and requires the Securities and Exchange Commission (SEC) to enforce the new law.

One of the nation's largest health care providers, HealthSouth, was the first to fall prey to the SOX act, on March 20, 2003. The SEC accused CEO Richard Scrushy of accounting fraud and of violating the SOX act, which had been signed into law less than one year earlier. Scrushy was later acquitted of all 36 charges filed by the SEC, which cast doubt on the act's enforceability.

"With the advent of SOX, capabilities like web access management have become almost the de facto technology that you use to enforce some of the SOX requirements, such as section 404. Access control and identity management systems can enable organizations to enforce access and provide a detailed audit trail to show auditors exactly what's happening." - William Barnes, Pfizer's Manager of Identity Services

History of SOX

After the highly publicized frauds at Enron, WorldCom, and Tyco, there was an outcry for changes in the accountability of firms, to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes. The bill was passed into law on July 30, 2002.

What does the SOX Act do?

"The Sarbanes-Oxley Act created new standards for corporate accountability as well as new penalties for acts of wrongdoing. It changes how corporate boards and executives must interact with each other and with corporate auditors. It removes the defense of 'I wasn't aware of financial issues' from CEOs and CFOs, holding them accountable for the accuracy of financial statements. The Act specifies new financial reporting responsibilities, including adherence to new internal controls and procedures designed to ensure the validity of their financial records."

SOX Act & Healthcare

Directors and high-level personnel shall be required to establish, exercise reasonable oversight of, and take an active leadership role in the content and operation of compliance and ethics programs.

Such governing authority will be responsible for (i) identifying and assessing areas of risk, (ii) training high-level officials on an ongoing basis, and (iii) providing compliance officers with sufficient authority to carry out their responsibilities.

Specific individual(s) within the organization shall be assigned day-to-day operational responsibility for the compliance and ethics program and be given adequate resources to carry out the associated duties, with high-level personnel assigned ultimate responsibility for the program's effectiveness.

Small organizations (fewer than 200 employees) shall demonstrate the same degree of commitment to ethical conduct and compliance with the law as large organizations, albeit with less formality and fewer resources than would be expected of large organizations, and will be eligible for compliance program credit.

The organization will be precluded from mitigation of its sentence if it fails to self-report criminal misconduct in a timely manner and if management-level officials tolerated or were involved in illegal activities.

Failure to adhere to industry regulations and standards weighs against an organization's eligibility for compliance credit under the guidelines.

Although the failure to prevent or detect the instant offense will not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct, recurrence of similar misconduct creates the rebuttable presumption that the organization failed to take reasonable steps to meet the requirements of the guidelines.

The guidelines mandate large fines for organizations that have ineffective programs to prevent and detect criminal conduct.

Applications: In some industries, the Information Technology enterprise has to comply with the SOX Act, in particular with Section 404: Management Assessment of Internal Control, which requires a framework that can identify factors that lead to fraudulent financial reporting and also provides recommendations to remediate them. Several frameworks support the SOX 404 mandate, such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and Control Objectives for Information and Related Technology (COBIT).

Web Resources:

Related Terminology:
Public Company Accounting Reform and Investor Protection Act of 2002