The Sarbanes-Oxley Act of 2002: Part I

Date: January 30, 2003

This memorandum presents a brief summary of certain key provisions of the Sarbanes-Oxley Act of 2002 (the “Act”) signed into law by the President on July 30, 2002. Although the major federal securities laws have been significantly amended since their original enactment in the 1930s, the Act represents the most significant revision to date of the laws applicable to reporting companies, and contrasts sharply with the deregulatory proposals of Congress, the Securities and Exchange Commission (the “SEC”) and industry prior to the bursting of the stock market bubble in the spring of 2000.


The Act is generally applicable to any issuer that is subject to reporting requirements under Section 13(a) or 15(d) of the Securities Exchange Act of 1934 (the “Exchange Act”). The Act is also applicable to companies that have registered debt securities under the Securities Act of 1933 (the “Securities Act”) or that have voluntarily or contractually undertaken to file Exchange Act reports, even though their equity securities may not be publicly traded.1 Unlike most securities rule proposals of the SEC, the Act appears to cover foreign issuers that file reports with the SEC.2 The Act imposes a broad array of new corporate governance and accounting requirements on virtually all reporting companies. Among its many provisions are ones establishing new financial statement certification requirements applicable to companies and their CEOs and CFOs, restricting certain executive officer and director transactions, accelerating Section 16 reporting, and imposing new obligations on corporate audit committees. In addition, the Act provides for a new regulatory body to oversee public company auditors, imposes new rules of professional responsibility on attorneys and securities analysts, and enhances a variety of criminal penalties and enforcement measures for securities-related offenses. Finally, the Act requires the SEC and other regulatory bodies to study and issue reports on a variety of topics.

1 This memorandum refers generally to companies subject to the Act as “reporting companies.”

2 The Act does not apply to foreign issuers that are exempt from SEC filing requirements under Rule 12g3-2(b) of the Exchange Act.

Set forth below is a summary of the Act’s provisions that directly and in many cases immediately affect all reporting companies. For ease of reference, this memorandum groups the Act’s provisions into the following general categories:

  • Corporate Governance and Responsibility (including provisions imposing new periodic report certification and audit committee requirements, banning most loans to insiders and prohibiting trading of an issuer’s securities by insiders during retirement plan blackout periods).
  • Issuer and Management Disclosure (including directives requiring reporting companies to disclose material information on a “rapid and current basis” and requiring two-day reporting of trading by insiders).
  • Accounting Oversight Board and Auditor Independence (the Act establishes a new independent Accounting Oversight Board to set standards for audits of reporting companies).
  • Enforcement and Related Provisions (including new securities fraud felonies, a significant stiffening of penalties for securities, mail and wire fraud, and new professional responsibility rules for attorneys and security analysts).


A. CEO/CFO Certification of Periodic Reports. Effective immediately, Section 906(a) of the Act requires the CEO and CFO of reporting companies to certify in each periodic report containing financial statements that the report fully complies with the reporting requirements of Exchange Act Sections 13(a) or 15(d) and that the information contained in the report “fairly presents, in all material respects, the financial condition and results of operations of the issuer.”3 This provision will be enforced by criminal sanctions against making knowingly false certifications.

3 The certification is not qualified to the best of the officer’s knowledge, in contrast to the form of certification in the SEC’s June certification order and that required by the Act’s other certification provision, Section 302 (see below). However, the Act provides for criminal penalties to be imposed only if a person certifies the required statement “knowing” that the periodic report does not meet the requirements recited in the certification.

B. Annual and Quarterly CEO/CFO Certification and Annual Report on Internal Controls. Section 302 of the Act requires the CEO and CFO of reporting companies to certify in each annual and quarterly Exchange Act report that they have reviewed the report and that:

  • based on their knowledge, there are no materially false statements or material omissions therein;
  • based on their knowledge, the report fairly presents the issuer’s financial condition and results of operations;
  • they are “responsible for establishing and maintaining internal controls,” have designed the controls to be effective, have evaluated the effectiveness of the controls within the last 90 days, and have presented their conclusions about the effectiveness of the controls in the report; and
  • they have disclosed control deficiencies and any fraud by management or employees with a significant role in internal controls (regardless of materiality) to the auditors and the audit committee, and that they have disclosed any material weaknesses in internal controls to the auditors.

The Act directs the SEC to issue rules to be effective within 30 days of enactment (i.e., by August 29, 2002).

C. Ban on Loans to Executive Officers and Directors. Effective immediately, Section 402 of the Act prohibits reporting companies from extending, directly or through a subsidiary, most types of personal loans to their directors or executive officers. The Act includes a “grandfather” clause that permits reporting companies to maintain loans already made; however, the Act does not permit modification or renewal of grandfathered loans.

The Act exempts loans made by FDIC-insured banks and thrifts that are subject to the existing U.S. bank regulatory insider lending restrictions. Non-U.S. banks whose securities are listed in the United States are not exempted from this provision.

D. Disgorgement of CEO and CFO Compensation and Profits. Effective immediately, Section 304 of the Act provides that if a reporting company is required to restate its financial statements due to material noncompliance with any financial reporting requirement that resulted from misconduct, the CEO and CFO must reimburse the company for any bonus or other incentive- or equity-based compensation received during the 12-month period preceding the relevant filing. Section 304 contains ambiguities that hopefully will be clarified through SEC rulemaking. In particular, it does not specify whose misconduct will be relevant or the level of misconduct (e.g., negligent, knowing or willful) required for imposition of the disgorgement penalty.

E. New Audit Committee Requirements. Section 301 of the Act directs the SEC to require national securities exchanges and the Nasdaq Stock Market to adopt listing standards requiring that each reporting company’s audit committee meet specified criteria.4 A reporting company’s audit committee will have to be directly responsible for the appointment, compensation and oversight of the company’s outside auditors, who must report directly to the audit committee. The audit committee must be composed solely of “independent” directors, defined as those directors who (i) have not accepted compensation from the company, except in their capacity as directors, and (ii) are not affiliated with the company or any subsidiary of the company. The Act also requires audit committees to determine the appropriate compensation for auditors and to have authority to engage independent counsel and other outside advisors. The SEC is also required to direct reporting companies to disclose in periodic reports whether the company’s audit committee includes at least one member who is a “financial expert,” and if not, why not. The SEC is authorized to provide exemptive relief from the independence requirements with respect to particular relationships.

The Act requires the SEC to issue most of the new audit committee rules no later than 270 days following enactment (i.e., by April 26, 2003). However, the SEC must propose the rules governing disclosure of whether an audit committee includes at least one “financial expert” no later than 90 days following enactment, and issue final rules no later than 180 days following enactment (i.e., by January 26, 2003).

4 Unlike the NYSE and Nasdaq Stock Market’s recent corporate governance proposals, the Act does not include an exemption from its audit committee requirements for non-U.S. companies.

F. Prohibition on Insider Trades During Pension Fund Blackout Periods. Section 306(a) of the Act prohibits directors and executive officers from trading, during any “blackout period”5 imposed under a company-sponsored 401(k) plan or other profit-sharing or retirement plan, any of their company’s equity securities obtained in connection with their services to the company. This prohibition is effective within 180 days after enactment of the Act (i.e., by January 26, 2003) and the Act directs the SEC, in consultation with the Department of Labor, to issue final rules, which, among other things, may exempt purchases made under a dividend reinvestment plan or advance election. Any profits realized by an executive officer or director in violation of this provision, regardless of that person’s intent, may be recovered by the company, including through a shareholder derivative suit.

5 A “blackout period” means any period of more than three consecutive business days during which employee participants in company-sponsored plans are prohibited from purchasing, selling or transferring company securities held by the plan.


A. Accelerated Section 16 Filing Deadlines. Prior to the Act, Section 16(a) of the Exchange Act required insiders (i.e., directors, executive officers and greater than 10% beneficial owners) to report trades by the tenth day of the month following the month in which the transaction occurred. Section 403 of the Act significantly accelerates the due date for insiders to file Section 16(a) transaction reports (filed on Form 4) to two (2) business days after the transaction has been executed. The amendment is effective 30 days after enactment (i.e., August 29, 2002).

In addition, the Act mandates the following additional requirements to be in place within one year after enactment of the Act (i.e., by July 29, 2003):

  • Form 4s must be filed electronically (i.e., via EDGAR).
  • The SEC must provide electronic access to Form 4s on a public internet site by the end of the business day following filing.
  • Reporting companies that maintain a corporate website must post the reports on the website within one business day following filing.

B. Real-Time Disclosures. Section 409 of the Act amends the Exchange Act to require reporting companies to disclose to the public, in plain English, on a “rapid and current basis,” information to be prescribed by the SEC concerning material changes to their financial condition or operations. The additional disclosures would be implemented by SEC rule, although no deadline is specified. The SEC has already proposed numerous additional mandatory Form 8-K disclosures within a two-business-day deadline for U.S. public companies.6 We expect the SEC to incorporate the requirements of the Act in a revised rulemaking proposal.

6 See “Additional Form 8-K Disclosure Requirements and Acceleration of Filing Date” (SEC Release No. 33-8106 (June 17, 2002)).

C. Additional Disclosures Required in Periodic Reports. The Act directs the SEC to adopt rules, effective no later than 180 days after enactment of the Act (i.e., by January 26, 2003), to require the following additional disclosures:

  • Off-Balance Sheet Transactions. Under Section 401 of the Act, all annual and quarterly reports will be required to disclose all material off-balance sheet transactions, arrangements, obligations (including contingent obligations) and other relationships of the reporting company with unconsolidated entities that “may have a material current or future effect on financial condition, changes in financial condition, results of operations, liquidity, capital expenditures, capital resources, or significant components of revenues or expenses.”7 

7 The SEC addressed these matters in a statement issued on January 22, 2002, entitled “Commission Statement About Management’s Discussion and Analysis of Financial Condition and Results of Operations” (Release No. 33-8056).

  • Pro Forma Financial Information. Pro forma financial information (including “as adjusted” figures) included in a periodic report filed with the SEC, or in a press release or other public disclosure, will be required to be presented in a manner that is not misleading and must be reconciled with the reporting company’s financial condition and results of operations under GAAP.
  • Code of Ethics. Under Section 406 of the Act, the SEC is directed to require each reporting company to disclose in its periodic reports whether or not (and if not, why not) it has adopted a code of ethics for senior financial officers (CFO and principal accounting officer or controller), and to immediately disclose any change in or waiver of this code of ethics. The Act requires the SEC to issue rules pursuant to Section 406 within 90 days of the enactment of the Act and to finalize the rules within 180 days after enactment of the Act (i.e., by January 26, 2003).

D. Management Assessment of Internal Controls. Section 404 of the Act requires the SEC to adopt rules requiring that annual reports filed by reporting companies contain a statement of management’s responsibility to establish and maintain adequate internal controls and procedures for its financial reporting and a report evaluating the effectiveness of these controls and procedures. The reporting company’s independent auditors must report on and attest to the assessment made by management.


A. Establishment of Accounting Oversight Board. Title I of the Act provides for the creation of a new independent board, the Public Company Accounting Oversight Board (the “Oversight Board”), to regulate and oversee auditing firms. The Oversight Board will have broad powers to set auditing, quality control and ethics standards for accounting firms that audit reporting companies and will have authority to inspect, investigate and bring disciplinary actions against auditing firms that violate standards of conduct. The Act provides that the Oversight Board shall be operational within 270 days and that, within 180 days thereafter (i.e., by October 23, 2003), auditing firms must register with the Oversight Board.

B. Structure of the Oversight Board. The Act provides that the SEC must name the initial members of the Oversight Board within 90 days of enactment of the Act. The Oversight Board will consist of five (5) full-time members serving five-year terms, no more than two of whom may be certified public accountants.

C. Registration with the Oversight Board. Section 102 of the Act provides that no accounting firm will be permitted to audit a reporting company unless it is registered with the Oversight Board. Registered firms will be required to submit an initial application and file an annual report with the Oversight Board. The bulk of the Oversight Board’s funding will come from fees collected annually from reporting companies in amounts assessed according to their market capitalization. Registration applications and annual reports will be made available to the public, except for information reasonably identified as proprietary.

D. Powers of the Oversight Board. Section 103 of the Act directs the Oversight Board to promulgate auditing and professional conduct standards, conduct regular examinations of registered auditing firms to ensure compliance with professional standards and applicable law, perform investigations and institute enforcement actions. The Act mandates that the Oversight Board adopt certain specified rules requiring, among other things, that registered accounting firms:

  • prepare and maintain audit work papers for seven (7) years;
  • provide the concurring opinion of a second partner not in charge of the audit;
  • report on the scope of the auditor’s testing of internal controls; and
  • impose quality standards relating to professional ethics, independence, intra-firm consultation on accounting and auditing issues, and supervision of audit work.

E. Inspections and Investigations. Section 104 of the Act empowers the Oversight Board to inspect auditing firms, subject to SEC oversight. Large auditing firms (over 100 reporting company clients) will be inspected annually. The inspection reports will be transmitted to the SEC and made publicly available.

The Act also vests the Oversight Board with the power to investigate and discipline auditors and request testimony and production of documents. The Oversight Board may request that the SEC issue a subpoena to require testimony or production of documents in the possession of any person, including clients of registered auditing firms, in such investigations. However, discovery obtained from investigations will not be discoverable in civil litigation. Under Section 105 of the Act, sanctions include the temporary or permanent revocation of registration and money penalties up to $100,000 (individual) or $2,000,000 (entity), increasing to $75,000/$15,000,000 if there is intentional or knowing misconduct or “repeated instances of negligent conduct.”

F. GAAP Principles. The Oversight Board does not have authority to establish generally accepted accounting principles applicable to reporting companies. The SEC retains this authority under Section 19 of the Securities Act.

V. Auditor Independence and Non-audit Services.

Title II of the Act further regulates and redefines the relationship between registered public auditing firms and their audit clients and authorizes the SEC to issue final regulations carrying out the Act’s mandates.

A. Non-Audit Services. Section 201 of the Act amends the Exchange Act to prohibit registered auditing firms from providing eight categories of non-audit services to their audit clients, including financial information systems design and implementation, valuation and internal audit outsourcing services. A registered auditing firm may engage in non-audit services not prohibited by the Act (e.g., tax services) with the pre-approval of the reporting company’s audit committee.

B. Audit Committee Pre-Approval of Auditor Services. Section 202 of the Act requires audit committee pre-approval of all substantive auditing services provided by a reporting company’s outside auditor. The audit committee may delegate pre-approval authority to one or more members of the committee. Pre-approval of non-audit services must be disclosed in periodic reports.

C. Audit Partner Rotation. Section 203 of the Act amends the Exchange Act to provide that the lead, coordinating or reviewing audit partner of the registered auditing firm cannot perform audit services for the same issuer for more than five consecutive fiscal years.

D. Auditor Communication With Audit Committee. Section 204 of the Act amends the Exchange Act to require that registered auditing firms report to audit committees on critical accounting policies and practices, any disagreements between the auditor and management, alternative treatments of financial information that have been discussed with management, and other material written communications with management.

E. Restrictions on Employment of Auditor Personnel. Section 206 of the Act amends the Exchange Act to prohibit registered auditing firms from providing audit services to issuers whose CEO, CFO or chief accounting officer (or any person serving in an equivalent position) was employed by the audit firm and participated in the audit in any capacity within one (1) year of the initiation of the audit.

Continued in Part II.