a peer-reviewed article 


The Sarbanes-Oxley Act of 2002: An Overview, Analysis, and Caveats

by Rizvana Zameeruddin





Rizvana Zameeruddin (R-Zameeruddin@NEIU.edu) is a Visiting Lecturer of Accounting, Business Law, and Finance at Northeastern Illinois University.



This article provides an overview of the Sarbanes-Oxley Act of 2002, which is perhaps the most far-reaching set of government-enforced rules since the SEC Act. It provides both an overview of its requirements and advice on appropriate areas that are either unclear or may prove troublesome for reporting entities. After providing a brief perspective of this Act, this article highlights some of its major provisions as well as areas that are either nebulous or could be troublesome for reporting entities.

Hailed as the most significant change to securities laws since the 1934 Securities Exchange Act, a new penal law, 18 U.S.C. §§1348, an act commonly known as the Sarbanes-Oxley Act of 2002, was signed into law by George W. Bush and became effective on July 30, 2002. The Act contains sweeping reforms for issuers of publicly traded securities, auditors, corporate board members, and lawyers. It adopts tough new provisions intended to deter and punish corporate and accounting fraud and corruption, threatening severe penalties for wrongdoers, and protecting the interests of workers and shareholders (White House, 2002). Designed to improve the overall quality of financial reporting, independent audits, and accounting services for public companies, as noted in the White House’s release, A New Ethic of Corporate Responsibility, (p.1), The Act:

Although the majority of The Act became effective immediately, certain sections will not become effective until the Securities and Exchange Commission (SEC) adopts the relevant rules. The provisions of The Act apply both to United States (U.S.) companies that are required to file annual reports with the SEC and foreign companies that are listed in the U.S. or otherwise must file periodic reports with the SEC.

Public Company Accounting Oversight Board

Title I of the Act creates a regulatory Public Company Accounting Oversight Board (The Board). The Board is funded by fees to be paid by all public companies, and is granted investigative and enforcement powers to oversee the accounting industry and discipline auditors (Section 109). The Board will also have the authority to regulate auditors of public companies, set auditing standards, and investigate violations of accounting practices. Annual quality reviews will be conducted for firms that audit more than 100 issuers, and all other firms will be audited at least once every three years (Section 104). Furthermore, the Act directs the SEC to organize the Board within 270 days of its enactment, and although its decisions are subject to review by the SEC, the Board will coordinate its efforts with the SEC in its investigations. The Board will consist of five members, and only two of the five members may be present or former certified public accountants (CPAs). If one of the two potential CPAs serving on the Board is its chairperson, that individual may not have been a practicing CPA for at least five years prior to his or her appointment. Members are required to serve exclusively on a full-time basis, and they may not be engaged in any other professional or business activity while serving on The Board. The SEC will appoint the chairperson and other members of the Board. No member will be permitted to serve more than two terms, and each term of service will be for a period of five years. Initial members, however, will be required to serve staggered terms of one or two years, as determined by the SEC. A member may be expelled from The Board prior to completion of his or her term for “good cause”. The Board will have various duties, including, but not limited to, the following:

Auditing and Accounting Standards

The Board will be required to “cooperate on an ongoing basis” with designated professional groups of accountants in connection with auditing and accounting standard-setting. In the area of auditing, each registered public accounting firm is required to:

For purposes of the securities laws, the SEC is permitted to recognize generally accepted accounting standards established by a standard-setting body that meets predetermined criteria, including that its members serve in the public interest and are not associated with a registered public accounting firm, which in the current case is the Financial Accounting Standards Board (FASB). It should be noted that although The Board is empowered to establish auditing and accounting standards, it will most likely subcontract these functions to the Auditing Standards Board (ASB) and the FASB, especially since there would be at most two accountants serving on the Board. In this capacity, the Board will probably give guidance to the ASB and FASB in areas in which it perceives deficiencies to exist in accounting principles or auditing standards.

Generally, foreign public accounting firms that prepare or furnish audit reports with respect to any issuer are subject to the same rules and regulations that are imposed on domestic public accounting firms under the Act. [1] However, in certain instances, the SEC or the Board (with the SEC’s prior approval) may exempt a foreign public accounting firm from such rules.

Executive Officers and Directors of Public Companies

The Act places a series of requirements and restrictions on executive officers and directors of companies, the most significant of which is the personal certification by the company’s CEO and CFO of periodic reports filed with the SEC. This certification requirement contains two provisions, one civil and one criminal. The civil certification is subject to civil enforcement by the SEC and is immediately effective once the SEC establishes the appropriate rules (Section 302). The SEC was directed to develop and adopt such rules within 30 days from July 30, 2002. The criminal certification was effective immediately and imposes criminal penalties if a company’s officer signs the certification knowing that it does not comply with the criminal certification requirements of Section 906.

These two new certification requirements apply to all public companies, including foreign private issuers that file reports under Section 13(a) or 15(d) of the SEC Act of 1934 (SEC Act), and they are separate and distinct from the certifications under the SEC Order (proposed in June 2002), which are applicable to only the largest 1,000 reporting firms. If a company was previously subject to the SEC Order, it will now be subject to the criminal certification requirement as well. Therefore, with respect to future SEC filings, a company’s CEO and CFO will be required to file a criminal certification in addition to the annual (Form 10-K) and quarterly (Form 10-Q) reports. If a company was not previously subject to the SEC Order, it will now become subject to the criminal certification requirement since it is a permanent, continuing requirement applicable to all periodic reports and all public companies regardless of size (Section 906).

The civil certification was to become effective no later than August 29, 2002. It requires CEOs and CFOs to certify in each annual (10-K) and each quarterly (10-Q) report that:

The civil certification is very similar to the SEC’s proposed regulations of June 2002, and it is likely that the latter will be revised to conform to The Act. It is anticipated that the SEC will provide interpretative guidelines to help better understand this certification.

The criminal certification, which is effective immediately, requires CEOs and CFOs to certify in each annual (10-K) and each quarterly (10-Q) report that:

Since the requirement that the financial information be presented fairly is no longer qualified by the phrase “in accordance with GAAP,” it is conceivable that even if a company’s financial statements are in compliance with GAAP, they may still violate the fair presentation requirement, leaving both the CEO and CFO open to criminal liability.

Prohibition on Personal Loans to Executive Officers and Directors

Effective immediately, it will be unlawful for an issuer to extend credit directly or indirectly, including through a subsidiary, to any director or executive officer. This includes extending, modifying, or renewing any personal loan to a director or officer (Section 402). Consumer credit companies will be permitted to make home improvement and consumer credit loans and issue an extension of credit under an open-end credit plan or charge card as long as it is done in the ordinary course of business and on the same terms and conditions made to the general public. Provided that the terms are not materially modified, loans already outstanding as of July 30, 2002, are not subject to the terms of the Act. Violation of Section 402 may subject a company to criminal penalties.

The term “executive officer” is not specifically defined in the Act; however, unless the SEC indicates otherwise, Exchange Act Rule 3b-7 provides an applicable definition:

"...an executive officer of a registrant includes its president, vice president of the registrant in charge of a principal business unit, division or function (such as sales administration or finance), any other officer who performs a policy making function, or any other person who performs similar policy making functions for the registrant. Executive officers of subsidiaries may be deemed executive officers of the registrant if they perform such policy making functions for the registrant."

The prohibition on personal loans is not applicable to personal loans made to non-executive officers and directors, but it is not presently clear whether the rules will be applicable if an employee becomes an executive officer or a director at a later date. Although Section 402 applies to personal loans, it does not apply to business loans. Since the Act does not provide a definition of personal loans, however, it is not apparent how one would distinguish between a personal loan and a loan for business purposes. For example, advances for business travel are arguably business loans made in the ordinary course of business, but they may also be considered personal advances, thereby characterizing them as personal loans. Due to the lack of guidance in this area, it may be advisable to maintain detailed records of all business loans, making sure that any advances made are reasonable.

The ban on loans to executive officers and directors has an immediate effect on executive compensation and the term personal loan may extend to the following:

In most situations, an exception will probably be made for compensation arrangements made prior to July 30, 2002, but until further clarification is provided it may be best to suspend or terminate these types of compensation packages. It is unlikely that executives and directors will be prohibited from borrowing from their respective 401(k) plans.

Accelerated Reporting of Trades by Insiders

The deadline for insiders to file a Form 4 to report any trading in their company’s securities has been drastically cut under Section 403 of the Act, which was effective August 29, 2002. Insiders include executive officers, directors, and 10% shareholders. There is no stipulated minimum number of insiders; however, the president, principal financial officer, and the principal accounting officer or controller are all considered insiders. SEC spokesman John Heine stated that the agency’s definition “is specifically designed to ensure that company officials intended to be subject to reporting requirements are included regardless of title.” The SEC stated that the focus should be on whether the person performed important executive duties of such character that he or she would be likely to obtain confidential information about the company’s affairs that would aid him if he engaged in personal market transactions (The Wall Street Journal, 2002).

Section 403 amends Section 16(a) of the SEC Act to require that any Form 4 be filed before the end of the second business day following a change in stock ownership. Previously, Form 4 was due the tenth day of the month following the transaction. [3] Additionally, all transactions between officers, directors, and the issuer that were previously exempt from short-swing profit recovery under the 16b-3 rule of the SEC Act and were eligible for deferred reporting on Form 5 must now be reported on Form 4 within two days of the execution date of the transaction (SEC Release, 2002).

The SEC has the authority to extend the two-day period for narrowly defined transactions where the reporting person does not control the timing of the transaction. Certain transactions under Rule 10b5-1 plans and some transactions within employee benefit plans may qualify under this exemption. Subject to these exemptions, all transactions executed on or after August 29, 2002 must be reported on Form 4, within two days, unless Section 16(a) of the SEC Act states otherwise.

It is unlikely that Form 5 will be affected by the new reporting requirements. Previously reportable exempt transactions such as gifts would still be reported on Form 5 unless the SEC provides further guidance. The SEC has broad authority “to seek any equitable relief it finds appropriate or necessary to benefit investors for any violations of the two-day filing deadline (Section 403).” The SEC Act rules are still in effect, however, and any late Form 4 filings must be reported by checking the proxy statement box on the cover page of the Form 10-K indicating that late Section 16 filings were made.

Insiders will be required to file Form 4 electronically with the SEC no later than July 30, 2003, exactly one year after the enactment of The Act. Additionally, a company must make the reports available on its website the first business day after filing with the SEC. The SEC will be required to make the Form 4 filing available electronically within this same time period. Even though it is not presently required, the SEC strongly suggests that insiders begin filing all Section 16 reports immediately.

Prohibition on Insider Trades During Pension Fund Blackout Periods

Subject to certain exceptions, trading by directors or executive officers of an issuer of any equity security (other than an exempted security) during any pension fund blackout period is prohibited (Section 306). Trading includes purchasing, selling, or otherwise acquiring or transferring any equity security of the issuer (other than an exempted security), obtained as compensation for services to the company. A blackout period is usually imposed under a company’s 401(k) plan or other profit sharing or retirement plan. It is defined as a period of more than three consecutive business days during which fifty percent or more of the beneficiaries or participants in a pension plan are suspended from trading in the company’s securities under the plan.

A blackout period does not include:

The blackout provision would prohibit officers and directors from trading in the issuer’s securities while employees of the issuer are prohibited from trading in the issuer’s securities in their 401(k) accounts. Any profits realized by an officer and director in violation of Section 306, regardless of that person’s intent, shall inure to and be recoverable by the issuer. If the issuer fails to bring suit, a suit to recover damages can be instituted by the owner of any security of the issuer, including through a shareholder’s derivative suit. It is anticipated that both the SEC and the Secretary of Labor will provide further guidance on the prohibition on insider trade requirements, which become effective 180 days following enactment of The Act.

Forfeiture of Certain Bonuses and Profits

If an issuer is required to restate its financial statements due to material noncompliance with any financial reporting requirement resulting from misconduct, then under Section 304, the CEO and CFO must reimburse the issuer for the following:

  • any bonus or other incentive-based or equity-based compensation received by that person from the issuer during the twelve month period following the first public issuance or filing with the SEC (whichever occurs first) of the financial document embodying such financial reporting requirement; and

  • any profits realized from the sale of securities of the issuer during that twelve month period.

It should be noted that the SEC does not actually define “material non-compliance,” “misconduct,” or “other incentive-based or equity-based compensation”; further, the Act does not identify whose misconduct will be relevant, or whether the conduct would need to be negligent, knowing, or willful, for the penalty to be imposed. In certain situations, the SEC may make exceptions to these requirements, and again, it is likely that the SEC will issue further guidance regarding this requirement.

Public Company Disclosures

Disclosure requirements on public companies have become more stringent under the Act. Effective immediately, public companies must promptly disclose information on material changes in their financial conditions or operations on a rapid and current basis (Section 409). Companies will also be required to disclose other information that the SEC deems necessary or useful to the investors, including trend and qualitative information. Financial reports required to be prepared in accordance with GAAP must include all material correcting adjustments that have been identified by a public accounting firm, and in its annual and quarterly reports, a company will have to disclose “all material off-balance transactions, arrangements and obligations, and other relationships” [4] with unconsolidated entities that may have a material current or future effect on the financial condition of the issuer (Section 401).

The SEC will issue rules providing that pro forma financial information contained in a periodic report filed with the SEC, or in a press release or other public disclosure, will be required to be presented so as not to “contain an untrue statement” or omit the statement of a material fact necessary to make the pro forma financial statement not misleading. A public company must also disclose in its periodic reports information on the code of ethics that has been adopted for its executives and directors. If no code of ethics has been adopted, an explanation as to why is required; any changes in the company’s code of ethics must be disclosed immediately.

Management of a public company is required to include in its annual report a statement indicating the responsibility of management for establishing and maintaining an adequate internal control structure and procedures of the issuer for financial reporting and an assessment, as of the end of the issuer’s fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting (Section 404). Management’s public accountants will be required to attest to and report on the assessments made by the company’s management. The Committee’s report, which accompanies the bill, explains that its intent is not for the attestation engagement to be a separate one.

Audit Committees and Outside Audit Firms

The Act provides for a strong public company audit committee to be directly responsible for the appointment, compensation, and oversight of the work of the public company auditors (Section 301). The audit committee’s primary duty is to the company’s board of directors and the investing public as a group. Each member of the audit committee is required to be independent. To maintain independence, an audit committee member “may not accept any consulting, advisory, or other compensatory fee from the company, except in his or her capacity as a board or board committee member.” Additionally, an audit committee member may not own five percent or more of the voting securities of the company, or be an officer, director, partner, or employee of the company. The SEC may make exceptions to these requirements if it deems fit.

The audit committee has the power to engage independent counsel or other advisors outside the firm as it determines is necessary to carry out its duties, and it is to establish procedures for the “receipt, retention, and treatment” of complaints regarding accounting, internal accounting controls, or auditing matters. Furthermore, the audit committee is to provide for the anonymous submission by employees of concerns regarding questionable accounting or auditing matters. The SEC is to issue rules regarding the audit committee’s “financial experts.” The rules, which are to be in place no later than January 26, 2003, will require that companies disclose in their periodic reports whether or not at least one member of the audit committee is a “financial expert,” as defined by the SEC. If a member of the audit committee is not a “financial expert,” then an explanation as to why not will have to be provided (Section 407).

Outside Audit Firms

The Act directs the securities exchanges and NASDAQ to effect certain listing standards that impose additional requirements on the role of audit committee functions. Those additional requirements include:

  • auditing committees must be directly responsible for the appointment, compensation, and oversight of the work of any registered public accounting firm employed by the company (including resolution of disagreements between management and the auditor regarding financial reporting) for the purpose of preparing or issuing an audit report or related work;

  • the accounting firm must report directly to the audit committee.

Limitation on Non-Audit Services and Auditor Independence

The list of consulting services that auditors may offer their public company audit clients has been drastically reduced. The limitation on the scope of services that are permissible strengthens auditor independence from corporate management and helps prevent auditors from controlling a company’s entire financial reporting process by both designing the internal audit system, and then theoretically offering an unbiased opinion (CCH, 2002). A registered public accounting firm must receive advance approval from the company’s audit committee before it can perform any audit and non-audit service. After completion of the service, the public accounting firm is required to adhere to detailed reporting procedures as defined in The Act.

A registered public accounting firm may not provide the following nine accounting services contemporaneously with an audit:

  • bookkeeping or other services related to the accounting records or financial statements of the audit clients;

  • financial information and design and implementation;

  • appraisal or valuation services, fairness opinions or contribution-in-kind reports;

  • actuarial services;

  • internal audit outsourcing services;

  • management functions or human resources;

  • broker or dealer, investment advisor or investment banking services;

  • legal services and expert services unrelated to the audit; and

  • any other service that the accounting oversight board determines, by regulation, is impermissible.

A company’s audit committee must pre-approve all audit and permitted non-audit services performed by a registered public accounting firm, including tax services. The audit committee’s approval of any non-audit services must be disclosed in the company’s Form 10-Ks and Form 10-Qs, and audit committees may delegate to one or more independent committee members the authority to grant advance approvals of both audit and non-audit services (Sections 201 and 202).

Audit committee pre-approval is not required in the instance that:

  • the non-audit service provided to the issuer constitutes less than five percent of the total amount of revenues paid by the issuer to its auditor; [5]

  • such services were not recognized by the company at the time of the engagement to be non-audit services;

  • and such services are promptly brought to the attention of the audit committee and approved prior to the completion of the audit.

Auditor Independence

In an attempt to make the auditor truly independent of the issuer he or she is auditing, the SEC will implement several auditor independence rules by April 2, 2003. The rules will include the mandatory rotation of the lead audit or coordinating partner from the audit or review every five years (Section 203); [6] and although previously permitted, under the new auditor independence rules, a registered public accounting firm may not perform audit services if the company’s CEO, CFO, chief accounting officer, or any equivalent employee was employed by the auditing firm and participated in the audit of that issuer during the one-year period preceding initiation of the current audit (Section 206). Furthermore, it is unlawful for any officer, or director, or anyone acting under their direction, to fraudulently influence, coerce, manipulate, or mislead any independent public or certified accountant engaged in the performance of an audit of a company’s financial statements for the purpose of rendering them materially misleading (Section 303).

The reporting requirements for registered public accounting firms have also become more stringent; under Section 304, registered public accounting firms are now required to make timely reports to the audit committee of:

  • all critical accounting policies used;

  • all alternative treatments of financial information within GAAP that have been discussed with management of the issuer; ramifications of the use of such alternatives, and the treatment preferred by the accounting firm; and

  • other material written communications between the auditor and management of the issuer.

Securities Laws Violations

Title VIII of the Act, which was effective immediately, outlines several new criminal penalties and civil liabilities for securities laws violations. The U.S. Sentencing Commission is directed to “adopt Federal Sentencing Guidelines that will reflect the serious nature of the offenses and the penalties set forth in the Act, the growing incidences of serious fraud offenses and the need to deter, prevent and punish offenses.” If the SEC is investigating a company for an alleged securities law violation, a federal court can freeze any anticipatory extraordinary payments to a company’s executive officers or directors for a period of 45 days. [7] The SEC has further authority to ban individuals from serving as directors or officers of public companies if they have been convicted of violating the antifraud provisions of the SEC Act. The Act places an additional requirement on attorneys requiring them to report material violations of securities laws, or a breach of a fiduciary duty.

Criminal Penalties

Several new crimes for securities laws violations have been identified and established. New rules provide penalties for the destruction of documents, the failure to maintain working papers, and schemes to defraud investors. It is now a felony to “knowingly” destroy or create documents to impede, obstruct, or influence any existing or contemplated federal investigation or bankruptcy proceeding; violations can result in up to 20 years imprisonment and/or a fine. The knowing and willful failure by an accountant to maintain all audit or review working papers for a period of five years after the end of the fiscal period in which the engagement was conducted is also prohibited, and violations can result in a sentence of up to ten years and/or a fine (Section 802). The current securities fraud laws have also been broadened. Knowingly devising and executing a scheme to defraud investors in connection with a security is now punishable by up to 25 years in prison and/or a fine (Section 807).

Civil Liabilities

Three main civil liabilities have been outlined in the Act: an amendment to the bankruptcy code, an extension of the statute of limitations for a shareholder to file suit, and a statutory cause of action for a retaliatory discharge. The first of the three civil liabilities is an amendment to the bankruptcy code, which helps avoid liability incurred due to federal or state securities laws violations. Therefore, an individual who has an outstanding judgment against him or her for a securities law violation, common law fraud, or deceit or manipulation in connection with the purchase or sale of a security will not be able to discharge the obligation in a bankruptcy proceeding (Section 803).

The second of the three civil liabilities is an extension of the statute of limitations for investors to file a civil action for “fraud, deceit, manipulation or contrivance in contravention of a regulatory requirement concerning the securities laws (Section 804).” Under the new statute of limitations, the time period for an investor to file a civil action for securities fraud has been extended from one year to two years after discovery of the facts, and from three years to five years after there is an actual violation (exceptions are not made for statutes with their own limitations). It is not apparent which statute of limitations is applicable to claims for manipulation under §9(e) of the SEC Act and various insider-trading claims under §20A. Furthermore, it is unclear if claims arising under §§11 and 12(a)(2) of the SEC Act which are sounding in fraud and do not require an actual showing of fraud are subject to the extended statute of limitations.

More commonly known as the whistleblower protection provision, the last of three civil liabilities provides a statutory cause of action for retaliatory discharge (Section 806). Employees, agents, or contractors who lawfully provide information or otherwise assist investigations being conducted by a federal regulatory or law enforcement agency, a congressional member or committee, or any supervisor of the employee are protected. Employees, agents, or contractors who testify in, participate in, or file securities or antifraud proceedings are also protected. A whistleblower whose rights are violated may seek the remedy of special damages, attorney fees, back pay, and reinstatement; relief is sought by filing a complaint with the Secretary of Labor or filing a complaint in federal court. Research analysts who criticize investment-banking clients of firms are also afforded protection from retaliation by Wall Street investment firms.

Attorney Professional Responsibility

The rules of professional responsibility for attorneys appearing and practicing before the SEC have also been amended. Effective January 2, 2003, attorneys, including in-house attorneys, will be required to report evidence of material violations of securities laws or a breach of a fiduciary duty or similar violation by the issuer or its agents to the general counsel or chief executive officer of the company. If neither of these parties responds appropriately, the attorney must then report any evidence obtained to the audit committee or the company’s board of directors (Section 307). In addition, the SEC has the authority to sanction any person appearing before it which it deems to be lacking in character, integrity, or has engaged in improper conduct; this may include a single instance of highly negligent conduct.


The Sarbanes-Oxley Act is perhaps the most far-reaching set of government-enforced rules since the SEC Act. This article has provided an overview of its requirements and advice on appropriate areas that are either unclear or may prove troublesome for reporting entities. The dynamics of The Act will probably be in force over a period of several years and engender certain questions for future research. An area of suggested future research interest involves what impact the Board will have on the status and power of private sector standard-setting bodies in the foreseeable future: namely, the FASB and the ASB. Perhaps the most interesting question of all is what the impact of the Act will be on the fair presentation of financial statements of publicly traded companies and the concomitant degree of public confidence as to their reliability.


1. This includes foreign firms that perform audit work for a foreign subsidiary of a U.S. parent.

2. This requirement is no longer qualified by the phrase in accordance with GAAP.

3. This is the current rule and will be effective until August 28, 2002.

4. Obligations include contingent obligations.

5. This figure is calculated on the basis of revenues paid by the issuer during the fiscal year when the non-audit services are performed.

6. Within one year of The Act, the Comptroller General of the United States is to conduct a study and review of the potential effects of requiring the mandatory rotation of auditors and submit a report on the same to the Senate Committee on Banking, Housing, and Urban Affairs and the House Committee on Financial Services.

7. This period may be extended to 90 days and funds must be maintained in an interest bearing account.


(Business Quest)

A Journal of Applied Topics in Business and Economics
