The Sarbanes-Oxley Act of 2002 — formally cited as Public Law 107-204, 116 Stat. 745, enacted July 30, 2002 — is the most sweeping federal securities legislation affecting public company corporate governance, financial disclosure, auditor independence, and executive accountability since the Securities Exchange Act of 1934.
Named after its principal sponsors, Senator Paul Sarbanes of Maryland and Representative Michael G. Oxley of Ohio, the Act was drafted and passed with extraordinary speed in response to a cascade of accounting scandals — most prominently Enron Corporation, WorldCom, Tyco International, Adelphia Communications, and HealthSouth — that had collectively destroyed hundreds of billions of dollars of investor wealth and shattered public confidence in the integrity of financial reporting by United States public companies.
The Act applies to all companies registered under Section 12 of the Securities Exchange Act of 1934 and to all companies required to file reports under Section 15(d) of that Act — meaning every company whose securities are listed on a national securities exchange or whose equity securities are held by more than a threshold number of holders of record. Sarbanes-Oxley is tested on the Series 7 and Series 65 examinations in the context of corporate governance, financial disclosure obligations, auditor independence, internal controls, executive certification, and the regulatory framework within which public companies operate.
Before Sarbanes-Oxley, the United States corporate governance framework relied heavily on self-regulation and reputational incentives — the theory that the discipline of capital markets, the professional standards of accounting firms, and the oversight of audit committees would collectively ensure the integrity of financial reporting without heavy-handed statutory intervention.
The accounting scandals of 2001 and 2002 destroyed this theory comprehensively.
Enron Corporation — once the seventh-largest company in the United States by revenue — collapsed in December 2001 after it was revealed that management had systematically concealed billions of dollars of debt and losses in off-balance-sheet special purpose vehicles, with the active assistance of its auditor, Arthur Andersen. Enron's stock price had traded above ninety dollars per share in mid-2000 and was effectively worthless by late 2001.
WorldCom — the second-largest long-distance telecommunications company in the United States — disclosed an eleven billion dollar accounting fraud in June 2002 in which capital expenditures had been fraudulently capitalised rather than expensed, artificially inflating reported earnings for years.
Arthur Andersen — one of the five largest accounting firms in the world — was convicted of obstruction of justice for shredding Enron-related documents and effectively ceased to exist as a viable audit firm. The simultaneous failure of corporate management, the independent audit function, and the board oversight structure across multiple major companies created an acute crisis of investor confidence that Congress determined required immediate and forceful statutory intervention.
President George W. Bush signed the Sarbanes-Oxley Act on July 30, 2002 — less than two months after the WorldCom disclosure — describing it as the most far-reaching reforms of American business practices since the time of Franklin Delano Roosevelt. The Act was passed with bipartisan congressional support and represented a fundamental restructuring of the obligations of public company management, boards of directors, and auditors.
The Sarbanes-Oxley Act is organised into eleven titles, each addressing a distinct dimension of the corporate governance, auditor oversight, or financial reporting framework. The most examination-relevant titles and sections are as follows.
Title I of the Sarbanes-Oxley Act established the Public Company Accounting Oversight Board — the PCAOB — as an independent, non-governmental regulatory body with authority to oversee the audits of public companies. The PCAOB was created because the pre-SOX system of auditor self-regulation — in which the accounting profession policed its own members through the American Institute of Certified Public Accountants — had demonstrably failed to prevent the systematic audit failures at Enron, WorldCom, and the other scandal companies.
The PCAOB is a non-profit corporation, not a federal agency, but it operates under the comprehensive oversight and control of the SEC under Securities Exchange Act Section 17A as amended by Sarbanes-Oxley.
The Supreme Court in Free Enterprise Fund v. Public Company Accounting Oversight Board, 561 U.S. 477 (2010), addressed constitutional challenges to the PCAOB's structure — the Court struck down, as unconstitutional under the Appointments Clause, the provision protecting PCAOB commissioners from removal by the SEC other than for cause, but left the PCAOB intact as an institution, severing only the offending removal protection.
The PCAOB has four primary functions under SOX Title I. It registers all public accounting firms that audit public companies — no firm may audit a public company without PCAOB registration, and the register is publicly available. It establishes auditing, quality control, ethics, and independence standards for registered firms conducting public company audits — the PCAOB's Auditing Standards have progressively superseded American Institute of Certified Public Accountants standards for public company work since SOX's enactment. It conducts regular inspections of registered audit firms — annually for firms auditing more than one hundred public company issuers, and at least every three years for smaller firms. And it conducts investigations and disciplinary proceedings against registered firms and associated persons who violate applicable laws, rules, or professional standards — with the authority to impose sanctions including suspension or revocation of registration, monetary penalties, and prohibitions on individuals from associating with registered firms.
Title II of the Sarbanes-Oxley Act substantially strengthened the auditor independence requirements applicable to public company audits, addressing the fundamental conflict of interest that allowed auditors to simultaneously provide lucrative consulting and advisory services to the same clients whose financial statements they were auditing.
Section 201 prohibits a registered public accounting firm from providing specified non-audit services contemporaneously with an audit engagement to the same audit client. The prohibited non-audit services include bookkeeping, financial information systems design and implementation, appraisal or valuation services, actuarial services, internal audit outsourcing, management or human resources functions, broker-dealer or investment adviser services, legal services unrelated to the audit, and expert services in connection with legal proceedings in which the audit client is a party. Tax services — which had been a major revenue source for accounting firms providing audit services — are not categorically prohibited but are subject to pre-approval requirements and restrictions.
Section 203 requires mandatory rotation of the lead audit partner and the concurring review partner at least every five years. Prior to SOX, the same individual partner could serve as the primary audit engagement partner for a single public company for decades — a relationship that critics argued produced excessive familiarity with and dependence on the client at the expense of genuine independence.
Section 206 prohibits audit firms from providing audit services to a public company whose chief executive officer, chief financial officer, chief accounting officer, or controller had been employed by that audit firm and participated in the audit of the company during the one-year period preceding the initiation of the audit. This cooling-off period was designed to prevent the practice — documented at several scandal companies — of finance executives moving directly from senior positions at their audit firm to the client company, creating an obvious conflict of interest in the subsequent audit relationship.
Title III contains two of the most consequential and most directly tested provisions of the entire Sarbanes-Oxley Act — the civil certification requirement of Section 302 and the audit committee independence requirements of Section 301.
Section 301 requires every public company listed on a national securities exchange to establish and maintain an audit committee composed entirely of independent directors — directors who are not affiliated with or receiving compensation from the company other than their director fees. The audit committee must be directly responsible for the appointment, compensation, and oversight of the work of the independent auditor — the auditor reports directly to and is accountable to the audit committee rather than to management. The audit committee must establish procedures for the receipt, retention, and treatment of complaints regarding accounting, internal accounting controls, and auditing matters, including anonymous submission by employees of concerns about questionable accounting or auditing practices — the SOX whistleblower protection framework built on this foundation.
Section 302 — one of the two most tested SOX provisions on securities licensing examinations — requires the principal executive officer and the principal financial officer of each public company to personally certify, in each annual Form 10-K and each quarterly Form 10-Q filed with the SEC, that they have reviewed the report and that it does not contain any material untrue statement of fact or omit to state a material fact. They must certify that the financial statements and other financial information in the report fairly present, in all material respects, the financial condition and results of operations of the company. They must disclose any significant changes in internal controls or other factors that could significantly affect internal controls since the date of their last evaluation. They must accept individual responsibility for establishing and maintaining effective disclosure controls and procedures, and must certify that they have evaluated those controls within ninety days of the report's filing.
The Section 302 civil certification requirement is enforceable by the SEC through civil enforcement actions. An executive who signs a Section 302 certification that is materially false or misleading faces SEC enforcement action and personal civil liability under Rule 10b-5 — the certification itself constitutes a public representation about the accuracy of the company's disclosure that is subject to the full antifraud framework of the Securities Exchange Act.
Section 304 requires that if a public company is required to prepare an accounting restatement due to material noncompliance with financial reporting requirements as a result of misconduct, the chief executive officer and chief financial officer must reimburse the company for any bonus or other incentive-based or equity-based compensation received during the twelve-month period following the first public issuance of the noncompliant filing, and any profits realised from the sale of company securities during that twelve-month period. This clawback provision — applied regardless of whether the executive was personally involved in the misconduct — was substantially strengthened and expanded by the Dodd-Frank Act of 2010 and the SEC's October 2022 final clawback rules under Exchange Act Rule 10D-1, which require listed companies to maintain and enforce clawback policies covering all current and former executive officers.
Title IV contains several provisions that significantly expanded the scope and detail of required financial disclosures in SEC filings.
Section 401 requires that annual and quarterly reports filed with the SEC present all material correcting adjustments identified by the registered auditor in the financial statements — ensuring that auditor-identified corrections reach public disclosure rather than being negotiated away before filing.
Section 402 prohibits public companies from extending or arranging personal loans to their directors or executive officers — a direct response to the revelation that executives at several scandal companies had received hundreds of millions of dollars in undisclosed loans from the company, often on non-commercial terms, that were forgiven rather than repaid.
Section 403 accelerates the reporting of insider stock transactions by officers, directors, and beneficial owners of more than ten percent of a registered class of equity securities. Prior to SOX, insiders were required to report their transactions on SEC Form 4 within the first ten days of the calendar month following the transaction — a window that could allow more than forty days between a transaction and its public disclosure. SOX amended Section 16 of the Securities Exchange Act to require Form 4 disclosure within two business days of the transaction — dramatically accelerating the transparency of insider trading activity and enabling investors and regulators to identify potentially suspicious trading patterns much more quickly.
Section 409 requires public companies to disclose to the public on a rapid and current basis any material changes in their financial condition or operations in plain English — the provision that was subsequently implemented through the expansion of SEC Form 8-K reporting to cover eighteen categories of material corporate events requiring current disclosure, effectively creating a continuous disclosure obligation for major corporate developments.
Title VIII is the criminal enforcement title of the Sarbanes-Oxley Act, substantially increasing the penalties for securities fraud, document destruction, and obstruction of justice — and directly responding to the perception that the pre-SOX criminal penalty framework was inadequate to deter the magnitude of fraud that had occurred.
Section 802 creates a new federal criminal offence of knowingly altering, destroying, mutilating, concealing, covering up, falsifying, or making a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any federal department or agency, with penalties of up to twenty years imprisonment. This provision was a direct response to Arthur Andersen's document shredding — the pre-SOX obstruction of justice statute had been interpreted narrowly to require a pending judicial proceeding, creating a loophole that allowed document destruction during investigations that had not yet resulted in formal proceedings.
Section 807 creates a new federal criminal offence of securities fraud — separate from and in addition to the pre-existing Rule 10b-5 civil and criminal framework — with penalties of up to twenty-five years imprisonment for knowingly executing a scheme or artifice to defraud persons in connection with securities of issuers registered under the Exchange Act or otherwise required to file reports. The twenty-five year maximum substantially exceeded the prior maximum under Section 32(a) of the Exchange Act for wilful violations.
Title IX — the White Collar Crime Penalty Enhancements Act of 2002 — substantially increased the maximum penalties for mail fraud, wire fraud, and violations of the ERISA pension fund provisions.
Section 901 increased the maximum prison term for mail fraud and wire fraud from five years to twenty years per count — a fourfold increase that dramatically elevated the potential consequences of the fraudulent communications that had been used to sustain the accounting schemes at Enron, WorldCom, and the other scandal companies.
Section 906 — the second of the two most directly tested SOX provisions — creates the criminal certification requirement that operates alongside the Section 302 civil certification. Section 906 requires the chief executive officer and chief financial officer of each public company to certify in each annual and quarterly report filed with the SEC that the report fully complies with the requirements of Section 13(a) or 15(d) of the Securities Exchange Act and that the information contained in the report fairly presents, in all material respects, the financial condition and results of operations of the company. An officer who certifies a report knowing that it does not comply with these requirements is subject to criminal penalties of up to one million dollars and up to ten years imprisonment. An officer who wilfully certifies a false report — knowing that it does not comply — is subject to criminal penalties of up to five million dollars and up to twenty years imprisonment. The Section 906 criminal certification became effective immediately upon enactment — July 30, 2002 — unlike the Section 302 civil certification, which required SEC rulemaking before becoming operative.
The distinction between Section 302 and Section 906 is directly tested on securities licensing examinations. Section 302 is the civil certification — its violation is enforceable by the SEC through civil proceedings. Section 906 is the criminal certification — its violation is prosecuted by the Department of Justice as a federal crime. Both certifications are required for every annual Form 10-K and every quarterly Form 10-Q filed by a public company. Both are signed by the CEO and CFO personally. An executive who signs both certifications knowing them to be false faces civil liability under Section 302 and criminal liability under Section 906 simultaneously.
Section 404 of the Sarbanes-Oxley Act is the provision that has generated the most operational compliance burden and the most ongoing controversy since the Act's enactment — requiring public companies to include in their annual Form 10-K reports a management assessment of the effectiveness of their internal controls over financial reporting, and requiring the company's independent auditor to attest to and report on that assessment.
Management's assessment under Section 404(a) must state management's responsibility for establishing and maintaining adequate internal controls over financial reporting, include a description of the framework used to evaluate the effectiveness of those controls, include an assessment of the effectiveness of internal controls as of the end of the fiscal year, and identify any material weaknesses — defined by the PCAOB as a deficiency, or combination of deficiencies, in internal controls over financial reporting such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected and corrected on a timely basis. If management identifies a single material weakness, it cannot conclude that the company's internal controls are effective — the assessment must disclose the material weakness and conclude that controls are not effective.
The auditor's attestation under Section 404(b) requires the registered public accounting firm to examine and attest to the accuracy of management's assessment — providing an independent opinion on whether management's evaluation of the company's internal controls is fairly stated and whether the company's internal controls over financial reporting are, in fact, effective. The PCAOB's Auditing Standard No. 5 — which replaced the original Auditing Standard No. 2 in 2007 to focus the audit on the most significant risks — establishes the standards for the Section 404(b) attestation engagement.
The compliance costs of Section 404 were substantially greater than Congress or the SEC anticipated, particularly for smaller public companies whose compliance costs represented a disproportionately large percentage of revenue and net income. The Dodd-Frank Act of 2010 permanently exempted non-accelerated filers — companies with public float below seventy-five million dollars — from the Section 404(b) auditor attestation requirement, while the JOBS Act of 2012 provided additional relief for emerging growth companies with annual gross revenues below one billion dollars — exempting them from the auditor attestation for up to five years after their IPO.
Section 1001 — the sole provision of Title X — requires that the chief executive officer of each public company sign the federal income tax return of the company, establishing personal executive accountability for the accuracy of the corporate tax return in a manner parallel to the Section 302 and 906 certifications for SEC filings.
Title XI supplements the criminal provisions of Title VIII by addressing additional categories of corporate misconduct and expanding the remedies available to the SEC and courts in securities fraud cases.
Section 1102 creates a criminal offence of tampering with a record or otherwise impeding an official proceeding — extending Section 802's document destruction provisions to cover obstruction of any official proceeding, not only federal investigations.
Section 1103 authorises the SEC to seek a court order — in emergency circumstances — to temporarily freeze extraordinary payments to any officer, director, or other person who is the subject of an SEC investigation for securities fraud, for a period not exceeding forty-five days pending resolution of the SEC's investigation.
Section 1105 authorises federal courts to permanently bar individuals who have violated securities laws from serving as officers or directors of public companies — a remedy available previously only in injunctive proceedings but made more readily available through the SOX amendments to the Securities Exchange Act.
Section 806 of the Sarbanes-Oxley Act provides civil whistleblower protection for employees of public companies who report suspected securities fraud or violations of SEC rules to federal regulatory or law enforcement agencies, to their employer, or to supervisors or Congress. An employee who reports such concerns may not be discharged, demoted, suspended, threatened, harassed, or otherwise discriminated against as a result of the report.
A whistleblower who suffers retaliation may bring a complaint before the Department of Labor's Occupational Safety and Health Administration, and if the complaint is not resolved within one hundred and eighty days, may file a civil action in federal district court seeking reinstatement, back pay with interest, and compensation for litigation costs including attorney's fees. The remedies under Section 806 apply specifically to employees of public companies and their contractors, subcontractors, and agents.
The Dodd-Frank Act of 2010 substantially expanded the whistleblower framework by adding the SEC's Whistleblower Programme under Exchange Act Rule 21F — providing financial awards of ten to thirty percent of the monetary sanctions collected in enforcement actions where those sanctions exceed one million dollars, for individuals who provide original information leading to a successful SEC enforcement action, and extending whistleblower protections to cover tips made to the SEC regardless of whether the employer is itself a registered securities issuer.
The PCAOB's development of auditing standards since SOX's enactment has progressively created a comprehensive body of public company audit requirements that diverges in important respects from the private company auditing standards maintained by the American Institute of Certified Public Accountants. Key PCAOB auditing standards include AS 2201 — the successor to the original Auditing Standard No. 2 and its replacement No. 5 — which governs the integrated audit of the financial statements and internal controls; AS 2101 and 2110 governing audit planning and risk assessment; AS 1301 covering communications with audit committees; and AS 6101 covering letters for underwriters in registered securities offerings.
The PCAOB conducts annual inspections of large audit firms — those auditing more than one hundred public companies — and publishes inspection reports that identify audit deficiencies and quality control criticisms. These inspection reports are publicly available and provide investors, companies, and regulators with detailed information about the quality of the audit work performed by each registered firm on the specific engagements reviewed. The PCAOB's enforcement programme investigates and sanctions firms and individuals for violations of PCAOB auditing standards — penalties include monetary fines, suspension or revocation of registration, and bars on individuals from associating with registered firms.
The Sarbanes-Oxley Act produced significant structural changes in the securities market beyond its direct compliance requirements. The Act's governance provisions — audit committee independence, auditor rotation, prohibition on personal loans, and accelerated insider transaction reporting — became standard corporate governance expectations applied by institutional investors, proxy advisory firms, and rating agencies to all public companies regardless of size or industry.
The Act's internal controls framework under Section 404 created an entirely new industry of internal audit professionals, compliance consultants, and information technology specialists focused on documenting, testing, and improving the controls over financial reporting across thousands of public companies. The skills and methodologies developed for SOX Section 404 compliance have been applied beyond SEC-registered companies to banks, insurance companies, government agencies, and large private companies seeking to improve their financial reporting processes.
The Act's acceleration of insider transaction reporting under Section 403 — requiring Form 4 disclosure within two business days — fundamentally changed the information landscape for investors seeking to monitor insider activity. The Securities and Exchange Commission's EDGAR database now receives and publishes tens of thousands of Form 4 filings annually, creating a publicly accessible real-time record of all insider transactions in public company securities that academics, journalists, and investors analyse for evidence of unusual trading patterns potentially indicative of insider knowledge.
While the Sarbanes-Oxley Act directly applies only to issuers of publicly registered securities and their auditors, its influence on the Investment Advisers Act framework operated through the SEC's parallel enhancement of the expectations applicable to registered investment advisers. The emphasis on internal controls, compliance infrastructure, and executive accountability that SOX embedded in the public company world was applied by analogy to the investment adviser world through the SEC's June 2004 adoption of Advisers Act Rule 206(4)-7 — the Compliance Rule — which requires every registered investment adviser to adopt and implement written compliance policies and procedures reasonably designed to prevent violations of the Advisers Act, designate a Chief Compliance Officer, and conduct an annual review. The parallel between Section 302's CEO/CFO certification and the Compliance Rule's CCO designation reflects the SEC's consistent post-SOX emphasis on named individual accountability for compliance functions.
The Sarbanes-Oxley Act of 2002 is tested on the Series 7 and Series 65 examinations in the context of public company corporate governance, financial disclosure obligations, auditor independence and oversight, executive certification, internal controls, whistleblower protections, and criminal penalties for securities fraud.
The key points to retain are these.
The Sarbanes-Oxley Act — Public Law 107-204 — was enacted July 30, 2002, in response to the Enron, WorldCom, Tyco, and related accounting scandals. It applies to all public companies registered under Securities Exchange Act Section 12 or required to file reports under Section 15(d). Title I created the PCAOB as an independent auditor oversight body under SEC supervision, with authority to register public accounting firms, set auditing standards, conduct inspections, and bring disciplinary proceedings — its constitutionality was upheld in Free Enterprise Fund v. PCAOB, 561 U.S. 477 (2010), with the severance only of the for-cause removal protection.
Title II strengthened auditor independence — Section 201 prohibits specified non-audit services contemporaneously with the audit engagement; Section 203 requires mandatory audit partner rotation every five years; Section 206 imposes a one-year cooling-off period before audit firm alumni can take senior finance positions at former clients. Title III Section 301 requires fully independent audit committees directly responsible for auditor appointment, compensation, and oversight. Title III Section 302 requires CEO and CFO to personally certify each Form 10-K and Form 10-Q — certifying that the report does not contain material misstatements, that financial statements fairly present the company's condition, and that disclosure controls have been evaluated and reported — enforceable by the SEC through civil proceedings. Title IV Section 403 accelerates insider transaction reporting to two business days from the prior ten-days-after-month-end requirement. Title IV Section 404(a) requires management's annual assessment of internal controls over financial reporting; Section 404(b) requires independent auditor attestation — the Section 404(b) attestation is permanently exempt for non-accelerated filers under Dodd-Frank and available to emerging growth companies under the JOBS Act.
Title VIII Section 802 criminalises knowing document alteration, destruction, or falsification with intent to obstruct any federal investigation — up to twenty years imprisonment — directly addressing Arthur Andersen's shredding. Section 807 creates a new securities fraud criminal offence — up to twenty-five years imprisonment. Title IX Section 906 creates the criminal certification — the CEO and CFO certify each annual and quarterly filing under criminal penalty: a knowing violation carries up to one million dollars and ten years; a wilful violation carries up to five million dollars and twenty years. Section 302 is the civil certification — Section 906 is the criminal certification — both are signed for every Form 10-K and Form 10-Q. Title III Section 304 requires the CEO and CFO to return bonuses, incentive compensation, and stock sale profits received during the twelve months following the first public issuance of a filing later restated because of misconduct — expanded by Dodd-Frank and SEC Rule 10D-1 in October 2022. Section 806 provides civil whistleblower protection for public company employees who report suspected securities fraud. Section 1105 authorises permanent officer and director bars for securities law violations.