Chapter 7. Other SOx Requirements: Sections 302, 409, and Others
The Sarbanes-Oxley (SOx) legislation is filled with a wide range of new rules, although many professionals such as internal auditors think of SOx rules primarily in terms of Section 404 on internal control assessments. As discussed in Chapter 6, Section 404 has been the major pain point for many larger corporations attempting to establish compliance in SOx's first years. In addition to complaints from major U.S. corporations, the anguish of smaller enterprises and the threat of foreign corporations to seek U.S. stock exchange de-listing to avoid SOx registration, caused the Securities and Exchange Commission (SEC) and Public Company Accounting Oversight Board (PCAOB) to release the AS5 risk-based auditing standards introduced in Chapter 3. These should make SOx compliance less painful going forward. However, we sometimes forget that SOx contains a large set of rules impacting enterprise financial management and governance beyond Section 404 internal controls. While there have been no new AS5-like rules changes in these other areas, this chapter will highlight several other areas of SOx that are important to financial management and internal auditors.
This chapter will revisit five other areas beyond the Section 404 internal control assessment rules under AS5:
Section 302 on management's responsibility for their financial reports
Section 401 setting the rules for enhanced financial reporting disclosures
Section 409 calling ...