
directors. Section 302 places responsibility for the content of the financial
reports firmly at the feet of the CEO and CFO by requiring that they certify
them. Certification is nothing new, but with SOX, the conditions of certification
have become much more rigorous. There is zero tolerance for misinformation.

94 Part II: Diving into GRC


SOX: A Layperson’s Translation


We want to help you understand the most important things about SOX. This means we try to put something very technical — law — into plain English. There are professionals who both make the law clearer and sometimes make it more complicated: Those people are called lawyers. Just keep in mind that we make no guarantees about our explanations here; go talk to a lawyer if you want that kind of help. Also, we can recommend another book for more information: SOX For Dummies (Wiley Publishing), by Jill Gilbert Welytok, who is a lawyer.

302: The CEO and CFO are directly responsible for the accuracy, documentation, and submission of all financial reports, as well as the internal control structure, to the SEC.

(Translation: The CEO and CFO are on the hook for making sure the company’s financial reports sent to the US Securities and Exchange Commission are right. We talk more about Section 302 in a bit.)

401: Financial statements must be accurate, without any incorrect information, and include all off-balance sheet liabilities, obligations, or requirements.

(Translation: It is no longer possible for companies to hide any information that might affect their share price if it became common knowledge. They must present their true face to the world, warts and all.)

404: All annual financial reports must contain an Internal Control Report, stating that management is responsible for an “adequate” internal control structure. Management should provide an assessment of the internal control structure, and report any shortcomings.

(Section 404 is another biggie; we’ll explain this one in detail later.)
406: Companies must disclose whether they have adopted a code of ethics for their top financial managers and, if not, why not. The code must establish standards and provide for avoiding conflicts of interest. It must mandate personal and corporate compliance with SOX regulations.

(Translation: A code of ethics will guide financial managers on how to behave should they be tempted to stray from the path.)
409: Companies are required to disclose, on an almost real-time basis, information concerning material changes in their financial condition or operations.

(Translation: If there are big changes to the company’s financial condition or its operations, the company has to tell the SEC.)
802: Imposes fines and/or sentences of up to 20 years imprisonment for altering or destroying records with the aim to disrupt a legal investigation.

(Translation: Destroying documents is bad.)
906: Requires that each periodic report filed with the SEC is certified by the CEO and CFO and that it complies fully with the statute and presents fairly the financial condition of the company.

(Translation: So that CEOs and CFOs can never again say, “I didn’t know.”)