Connecting the dots with SOX

First a brief summary of the Sarbane-Oxley Act.

This law was passed by Congress in reaction to the exposed frauds at publicly traded companies that resulted in large losses for stockholders and the failures of many companies. Enron was the most visible of these cases. The purpose of the law is to mandate stricter controls over financial reporting and to make Chief Executives (the CEO and CFO) personally liable for the accuracy and truthfulness of their financial statements. Like all laws, the implications tend to cascade and today there is a vastly enhanced auditing practice (primarily the Big Four public accounting firms) put in place to demonstrate compliance with Sarbanes-Oxley.

The one section of the Act that is most often sited as impacting corporate security practices is Section 404. Yet, on initial reading there seems to be very little call for enhanced security from the language which is:

Requires each annual report of an issuer to contain an "internal control report", which shall: (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

“That’s it?