Say it fast five times: Sarbanes-Oxley, Sarbanes-Oxley, Sarbanes-Oxley, Sarbanes-Oxley, Sarbanes-Oxley… If you’re like me, you’re sick of hearing these words.

Lots of people, however, don’t have the first idea what the Sarbanes-Oxley Act of 2002 is really about. I think the public-at-large thinks it’s legislation that stops fraud. That couldn’t be further from the truth.

It is true that Sarbanes-Oxley (also fondly referred to as SOX or SarbOx) was meant to protect investors in public companies. It set forth some standards and certain procedures that public companies are required to abide by.

But the legislation itself requires far less than many people believe it does. At the end of the day, the regulations require companies to document their processes and disclose whether or not their internal controls are working. It doesn’t actually force them to materially improve the internal controls. (See my article What Has Sarbanes-Oxley Done For You Lately? for more of my opinions on this.)

So what does Sarbanes-Oxley require?

Public companies must submit an annual assessment of the effectiveness of their internal controls to the Securities and Exchange Commission (SEC). The company’s independent auditors (external auditors) are also required to report on the company’s internal controls. Other provisions include:

• Certification of the financial statements by both the CEO and CFO
• Improvement of audit committees
• Increased independence of external auditors
• Implementation of anonymous mechanisms for reporting fraud (ex. a fraud hotline)
• Enhanced civil and criminal penalties for violating [tag]securities laws[/tag]
• Other miscellaneous provisions

Which companies must comply with Sarbanes-Oxley?

Companies that are publicly traded in the United States. Private companies preparing to go public may also be affected.

What positive results have come about because of Sarbanes-Oxley?

Because the legislation required significant documentation of procedures, companies naturally have a better handle on exactly what their procedures and internal controls are.

Many companies have proactively improved their internal controls over financial reporting. This has come as a result of the evaluations of their processes, as required by Section 404 of Sarbanes Oxley. Companies have also taken this opportunity to voluntarily improve efficiencies as a result of their Sarbanes-Oxely work. (It should be noted, however, that improvements to the internal controls were largely voluntary on the part of companies.)

In general, boards of directors appear to have become more proactively involved with the companies. There seems to be greater communication between the board, the [tag]audit committee[/tag] and company management.