The purpose of the act
There is a great deal of interest within the quality community in the Sarbanes-Oxley act of 2002 (H. R. 3763). Senator Paul S. Sarbanes and Congressman Michael G. Oxley created this act to set rules for CEOs, CFOs, their attorneys, and their auditors for the creation of financial reports used by investors (e.g., annual reports). What prompted this act was the disclosure of major wrongdoing in large corporations and major auditing firms. The purpose of the act is to give investors the truth, the whole truth and nothing but the truth.
The alphabet soup
The act spawned a whole set of acronyms which refer to its implementation and interpretation. One hears of SOX, PCAOB, COSO, COBIT and similar acronyms. We will try to clarify some of these terms and show how they fit in.
The act’s requirements and the PCAOB
SOX refers to the Sarbanes-Oxley act itself. One can find the 66 pages of the act at http://www.law.uc.edu/CCL/SOact/soact.pdf. It is worth reading, but be warned that it is not light reading.
Title I, the first real chapter of the act, sets up a non-profit corporation called the Public Company Accounting Oversight Board (PCAOB). It is the function of the PCAOB “to oversee the audit of public …, in order to protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports for companies the securities of which are sold to, and held by and for, public investors.”
The act requires the PCAOB to set standards and register public accounting firms. Your editor was told that over 1200 firms have applied and that, to date, over 800 are registered. You can see full details at the PCAOB’s web site http://www.pcaobus.org/index.aspx under “Registration”.
The act uses the words “quality control” 15 times with four additional mentions of the word “quality”. In all cases, this refers to the auditing firm. The use of the word “quality” relates solely to the financial integrity of the audit report issued by the external auditors.
Sections 302 and 404 require that management establish and maintain internal controls. In both cases, these controls are for assuring that the financial reports are accurate and true. Welytok (2006, p. 156) distinguishes the way the term “internal control” is used in the two sections. She indicates that in Section 302, the act refers to “disclosure controls and procedures.” In Section 404, the act refers to “internal control over financial reporting”. Nowhere does the act require quality control of the audited company.
Since companies collect most financial data these days on computers, the IT Governing Institute (ITGI) established a standard for information technology (IT). They call this set of standards “Control Objectives for Information and Related Technology”, which gives the acronym COBIT. You can access the standard at http://www.isaca.org/. The organization developed a subset that specifically addresses the financial aspects required by Sarbanes-Oxley. It places the subset standard on its web site at http://www.isaca.org/Content/ContentGroups/Research1/Deliverables/IT_Control_Objectives_for_Sarbanes-Oxley_7july04.pdf
COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission. “The SEC specifically refers to [COSO] as an acceptable framework for management’s internal control assessment.” (Welytok, 2006, p. 159) Again, the issue is financial reporting, not quality control in the sense in which we apply it.
Sarbanes-Oxley and Quality
The Sarbanes-Oxley act has some similarities with ISO 9000. Both are inspection or audit oriented. Both are procedure driven. Both maintain the status quo as far as quality is concerned. In this writer’s opinion, the Sarbanes-Oxley act is valuable for the financial and investing sector. It does not advance quality in its present state. The only group required to look at quality control is the public auditing profession of 800 to 1200 firms. One can read their quality control methods at http://registrationapplications.pcaobus.org/ by going to the bottom of the page and entering the name of an Audit Firm. The PCAOB has set some interim standards for the control of quality of the auditors. One can view these standards at http://www.pcaobus.org/Standards/Interim_Standards/Quality_Control_Standards/index.aspx.
Welytok, J. G. (2006). Sarbanes-Oxley for Dummies.