Take Your SOx Off


The Sarbanes–Oxley Act of 2002 became law on July 30, 2002. also known as the “Public Company Accounting Reform and Investor Protection Act” (in the Senate) and “Corporate and Auditing Accountability, Responsibility, and Transparency Act” (in the House) and more commonly called Sarbanes–Oxley or SOx is a United States federal law that set new or expanded requirements for all U.S. public company boards, management, and public accounting firms. SOx intended to combat fraud, improve the reliability of financial reporting, and restore investor confidence. 

This writing focuses on fraud and the SEC’s recently adopted rule.


Weak internal controls are associated with a higher risk of unrevealed accounting fraud.

It can be said with confidence that scandals at Enron, Tyco, WorldCom, and others that cost investors some $85 billion precipitated SOx. Some believe auditor attestation of internal controls over financial reporting (ICOFR) makes it less likely that management could manipulate the company’s financials. Some have expressed skepticism, contending that top company management could override the best-laid internal controls. Some argued that cunning corporate leaders would favor effective internal controls since it would reduce the chance of discovery of their malfeasance, and its fruits would fall to them personally rather than to fraudsters in the ranks.

A relatively recent study in Auditing: A Journal of Practice & Theory, published by the American Accounting Association, concludes that 404(b) provides what the paper calls “an early warning system” for company fraud. It finds “a statistically and economically significant association between material weaknesses [in internal controls] and the future revelation of fraud…driven entirely by instances where the internal control issue reflects a general opportunity to commit fraud.”

Since smaller companies are sometimes less sophisticated and lack resources to withstand “occupational fraud,” which refers to crimes committed against the organization by its employees, directors, or officers. Limited resources also contribute to small businesses being far less likely than large organizations to focus on internal controls. 

In the latest ACFE Report to the Nations, small businesses (those with fewer than 100 employees) had the highest median loss of USD 150,000, while large organizations (those with more than 10,000 employees) had a median loss of USD 140,000. It is important to note, however, that a small business likely will feel the impact of a loss this size much more than its larger counterparts.

SEC’s New Rule

On March 12, 2020, the Securities & Exchange Commission adopted a controversial rule that exempts more categories of public companies from auditor attestation of management’s internal control over financial reporting required by Section 404(b) of the Sarbanes-Oxley Act of 2002, despite strong opposition by investor protection advocates.

The rules benefit low revenue companies even if the funds raised in the public stock markets are not small, according to Release No. 34-88365, Amendments to the Accelerated and Large Accelerated Filer Definitions. The amendments become effective 30 days after publication in the Federal Register, which generally occurs a few weeks after a rule is posted on the SEC’s website.

Release No. 34-88365 excludes smaller reporting companies (SRCs) that have annual revenues of less than $100 million. SRCs have less than $250 million in public float. A company with no public float or with a public float of less than $700 million also qualifies as an SRC if it had annual revenues of less than $100 million during its most recently completed fiscal year. The amendments also allow business development companies (BDCs) to qualify for this exclusion if they meet the requirements of the SRC revenue test using their annual investment income as the measure of annual revenue.

As a result, these companies will not be subject to Section 404(b). 

“The amendments represent an incremental but meaningful change that builds on the benefits of the JOBS Act for smaller public companies,” said SEC Chairman Jay Clayton in a statement. “The JOBS Act provided a well-reasoned exemption from the ICFR attestation requirement for emerging growth companies during the first five years after an IPO [initial public offering].”

sox 2020

The new rule revises the accelerated filer and large accelerated filer definitions in Rule 12b-2 of the Securities Exchange Act of 1934. Previously, accelerated filers were companies that have a public float of $75 million to $700 million. Large accelerated filers have more than $700 million in public float. Only non-accelerated filers with less than $75 million in public float were exempted from Section 404(b). Public float is the value of a company’s common stock that is publicly traded. The SEC’s move comes as businesses for several years have complained that Section 404(b) is costly but offers little benefit to investors. They argue that many companies are reluctant to go public partly because of heavy compliance burdens, and the commission under Clayton’s leadership has been sympathetic to their arguments. He has mainly followed the business-friendly policies of President Donald Trump.


If you are a small or smaller company, I suggest the board and management keep a few things in mind.

  • Practice good governance and make sure you have a conflict of interest policy and it’s enforced;
  • Know who has access to cash, credit cards, and other assets;
  • Ensure you have proper insurance – commercial crime coverage that includes employee dishonesty, computer and funds transfer fraud, forgery or alteration, money and securities, and theft of property.
  • Review journal entries, write-off of receivables, and any write-down of inventory or other assets monthly;
  • Reconcile the bank accounts monthly and immediately investigate anomalies;
  • Control your inventory, if applicable;
  • Know the vendors and other service providers;
  • Check your payroll regularly and immediately investigate anomalies;
  • Have a budget and track your progress;
  • Use analytics to track trends and flesh out potential issues – considering using horizontal and vertical trend analysis (horizontal analysis looks changes in the dollar amounts in a company’s financial statements over time, the vertical analysis looks at each line item as a percentage of a base figure within the current period);
  • Make sure you know who has access to your systems and what they can access; and,
  • If there is an audit logs feature in your system(s), make sure they are turned on!

I welcome your thoughts, opinions, and suggestions!


Jonathan Pic

Jonathan T. Marks, CPA, CFE



Matthew Ege of Texas A&M University, Dain C. Donelson and John M. McInnis of the University of Texas at Austin.


Please follow and like us:
%d bloggers like this:
Skip to toolbar