Chapter 7 Legal issues
48 Questions

Questions and Answers

An executive is responsible for establishing disclosure controls and procedures to:

  • Comply with all sections of the Sarbanes-Oxley Act, including IT controls.
  • Prevent all types of fraud within the organization.
  • Bring material company information to the executive's attention for timely disclosure. (correct)
  • Ensure the accuracy of financial statements prepared according to GAAP.

How often are the disclosure controls reviewed before filing a report?

  • Every quarter
  • Annually
  • Upon material changes
  • 90 days (correct)

What is the primary focus of internal controls under SOX, as opposed to disclosure controls?

  • Ensuring timely communication with external stakeholders.
  • Protecting the reliability of financial reporting. (correct)
  • Preventing operational inefficiencies and waste.
  • Overseeing all aspects of the company’s operations.

What must the executive disclose to their auditor?

  • All significant deficiencies in internal controls. (B)

What must disclosure controls address regarding company information?

  • Changes in information that affects company resources. (D)

What is the ultimate goal of disclosure controls?

  • To make sure that the company makes timely disclosures to the SEC. (C)

How do disclosure controls support the timely reporting of events to the SEC?

  • By bringing events to the executive’s attention for reporting. (B)

What significant information regarding internal controls should be monitored and reported?

  • Significant changes in internal controls since their last evaluation. (C)

Which of the following best describes the primary impact of the Enron scandal on financial reporting requirements for public companies?

  • Increased requirements for transparency and accuracy in financial disclosures to the SEC. (C)

What was the most significant factor contributing to the losses experienced by investors and employees in the Enron scandal?

  • Widespread misrepresentation of Enron's financial condition, which misled investors and masked underlying problems. (B)

In what specific way did the SEC respond to the Enron scandal to better protect investors?

  • By mandating that financial statements include certifications attesting to their accuracy. (C)

Which form provides investors with a comprehensive overview of a publicly traded company's financial performance and activities throughout the year?

  • Form 10-K (C)

Beyond the explicit requirements of SEC forms, what broader impact did the Enron scandal have on the investment community?

  • It eroded investor confidence in the reliability of financial statements issued by large public companies. (B)

How could Enron sustain itself for at least 5 years with inaccurate financial reporting?

  • Due to the constant recommendations of financial analysts to invest in Enron's stock. (C)

If an investor wants to stay informed about significant events that could impact a company's financial condition between annual and quarterly reports, which SEC form should be monitored?

  • Form 8-K (D)

What is the most critical role of the SEC in ensuring the integrity of financial reporting for public companies?

  • To require comprehensive and accurate financial disclosures that enable informed investment decisions. (C)

A company's CFO resigns unexpectedly due to health reasons. Considering SEC regulations, what immediate action should the company take?

  • File a Form 8-K with the SEC within four business days, detailing the CFO's departure and the reasons, if disclosed. (A)

Which scenario would necessitate the immediate filing of Form 8-K with the SEC, foregoing the standard four-day window?

  • Discovery of potential insider trading activities within the company. (A)

How does a balance sheet primarily aid stakeholders in evaluating a company's financial standing?

  • By offering a periodic snapshot of a company's assets, liabilities, and equity at a specific point in time. (A)

What is the primary function of the profit and loss statement?

  • To determine whether a company generated profit or loss over a specific period. (A)

A company finalizes the acquisition of a smaller competitor, significantly expanding its market share. What action related to SEC filings must the company undertake?

  • File a Form 8-K with the SEC, detailing the acquisition and its impact on the company. (B)

A publicly traded company secures a substantial loan to fund a new research and development initiative. Which SEC filing is most likely triggered by this event?

  • Form 8-K, to report the new loan as a significant financial obligation. (B)

The board of directors of a publicly traded company amends a key provision in the company's bylaws related to executive compensation. What immediate SEC filing obligation arises from this action?

  • Filing Form 8-K to disclose changes to board governance documents. (B)

A company decides to sell off a significant portion of its assets to streamline operations and reduce debt. What SEC filing is required as a result of this action?

  • Form 8-K, to report the sale of significant assets as a major corporate event. (C)

What is the primary difference between disclosure controls and internal controls, as suggested by their relationship?

  • Disclosure controls are broader, encompassing internal controls to ensure comprehensive and reliable financial reporting. (D)

Under SOX Section 906, what distinguishes a 'knowing' fraudulent certification from a 'willful' one in terms of penalties for CEOs and CFOs?

  • A 'knowing' certification involves awareness but not intent, whereas a 'willful' certification presumes malicious intent, leading to higher penalties. (B)

How does SOX Section 404 impact IT professionals regarding Internal Controls Over Financial Reporting (ICFR)?

  • It mandates IT departments to create, document, and test ICFR, leading to possible compliance headaches. (D)

What is the role of external auditors in relation to a company's Internal Controls Over Financial Reporting (ICFR) under SOX Section 404?

  • External auditors review management's annual ICFR report and provide verification of its effectiveness. (A)

If a CEO knowingly certifies a fraudulent financial report, what is the maximum penalty they could face under SOX Section 906?

  • A fine of $1 million and imprisonment for up to 10 years. (A)

What is the key difference between disclosure controls and internal controls?

  • Disclosure controls aim to ensure that information is accurately recorded, processed, summarized and reported, while internal controls safeguard assets and ensure operational effectiveness. (C)

A CFO is aware of inaccuracies in financial reports but signs off on them without further investigation. Under SOX Section 906, what type of violation has occurred?

  • Knowing certification. (B)

After management reports on ICFR, what is the subsequent action required by external auditors under SOX Section 404?

  • To verify that the ICFR work. (D)

What is the primary objective of the SEC's guidance issued in 2007 regarding ICFR assessments under Section 404?

  • To assist companies in efficiently assessing ICFR by focusing on controls that prevent or detect significant financial statement deficiencies. (B)

According to the SEC, what two broad principles should management follow when assessing ICFR during their Section 404 review?

  • Assess how internal controls prevent or detect significant deficiencies in financial statements and perform a risk-based review of the effectiveness of these controls. (C)

What is the role of professional judgment, as emphasized by the SEC, in the context of Section 404 reviews?

  • To limit the scope of a Section 404 review to internal controls, including IT controls, that affect financial reporting. (B)

How does SOX (Sarbanes-Oxley Act) apply to IT controls, according to the SEC's guidance?

  • SOX applies to internal controls, including IT controls, that affect financial reporting. (C)

What level of assurance is required concerning IT systems' operation to protect financial reporting?

  • Reasonable assurance that IT systems operate properly to protect financial reporting. (C)

What critical aspect of IT systems must management review to ensure the protection of financial reporting, according to the text?

  • General IT controls. (C)

In the context of ICFR and Section 404 reviews, what does a risk-based review primarily focus on?

  • Prioritizing controls that have the most significant impact on preventing or detecting financial statement deficiencies. (D)

What challenge prompted the SEC to issue additional guidance in 2007 regarding Section 404 reviews?

  • Complaints about the extensive scope of Section 404 reviews and difficulties in addressing IT controls. (A)

Which factor most directly triggered the U.S. securities laws reform mentioned?

  • The Enron bankruptcy. (C)

What is the primary reason the Enron scandal remains a significant case study in corporate governance and ethics?

  • Its impact led to substantial legal reforms and continues to shape discussions on corporate responsibility. (D)

How does owning stock in a public company directly benefit the shareholder?

  • It entitles the shareholder to a portion of the company’s profits, distributed as dividends, based on the number of shares owned. (B)

What distinguishes a public company from other types of business organizations regarding ownership?

  • A public company's ownership is divided into shares of stock, allowing many investors to own a portion of the company. (A)

If a company issues a dividend, how is the amount each shareholder receives determined?

  • The amount is proportional to the number of shares each shareholder owns, with those holding more shares receiving larger dividends. (B)

How might the structure of a public company contribute to potential financial oversight challenges?

  • The dispersed ownership among many shareholders can dilute individual accountability, potentially leading to less scrutiny of financial practices. (A)

Considering the influence of individuals like Kenneth Lay, what inherent risk exists within large corporations regarding ethical conduct?

  • The personal ethics and decisions of key leaders can significantly impact the company's culture and ethical standards, potentially leading to widespread misconduct. (C)

What broader implications can be drawn from the Enron scandal's impact on American pop culture?

  • The scandal's presence in pop culture reflects and reinforces ongoing societal concerns about corporate greed and ethical failures. (A)

Flashcards

Enron Scandal Impact

Financial mismanagement at Enron led to significant changes in U.S. securities laws.

Enron's Reputation

Enron's name represents corporate greed and accounting scandals.

Enron's Formation

Enron was formed in 1985 through the merger of two natural gas companies.

Enron's CEO

Kenneth Lay was the CEO of Enron.

Enron's Peak

By the mid-1990s, Enron was the leading U.S. natural gas company.

Public Company

A public company is owned by investors through stock.

What is Stock?

A stock represents a share of a corporation’s profits or assets.

Dividends

Shareholders receive dividends, which represent a portion of the company's earnings.

SEC Response to Enron

After Enron, the SEC mandated more detailed reporting and certifications to ensure accuracy.

Importance of SEC Filings

Financial statements filed with the SEC are key for investors researching a company's financial health.

Financial Disclosure Statements

Public companies must submit these to the SEC to disclose their financial status.

Form 10-K

An annual report filed with the SEC, providing a comprehensive overview of a company's performance.

Form 10-K Requirement

A report that publicly traded companies are required to submit to the SEC each year.

Form 10-Q

A quarterly report filed with the SEC, updating investors on a company's performance every three months.

Form 8-K

It is used to report significant events. The report must be submitted within four business days of the event.

Disclosure Controls Purpose

Ensuring material company information reaches the executive's attention.

Disclosure to Auditor

Significant control deficiencies must be revealed to the auditor.

Disclosure Controls

Management ensures timely disclosures to the SEC.

Disclosure Controls Function

Processes ensuring timely information flow.

Internal Controls

Processes protecting financial report reliability.

Disclosure Control Breadth

Broader in scope than internal controls.

Internal Control Focus

Focus on reliable financial reports.

Ultimate Goal of Disclosure Controls

Disclosure ensures timely material event reporting to the SEC.

Form 8-K Filing Deadline

The time frame within which companies must file a Form 8-K with the SEC after a major event.

Insider trading discovery

Snap judgement, requires immediate filing of Form 8-K with the SEC

Balance Sheet

A financial document providing a snapshot of a company's assets, liabilities, and equity at a specific time.

Profit and Loss Statement

A financial document summarizing a company's revenues, costs, and expenses over a period of time to determine profit or loss.

Form 8-K Trigger

A significant event, like bankruptcy, that necessitates a disclosure to the SEC.

Prospectus

A document with information investors should review before investing.

SEC's Goal

Ensure accurate financial information for wise investment decisions.

ICFR Purpose

Internal controls that prevent or detect significant deficiencies in financial statements.

SEC 2007 Guidance

Helped companies assess ICFR during their Section 404 review.

Risk-Based Review

Management assessments should be risk-based.

SOX Section 906

SOX section imposing criminal liability for fraudulent certifications. Penalties include fines up to $1 million and imprisonment up to 10 years for knowingly certifying fraudulent reports.

Willful Fraudulent Certification Penalty

Fines up to $5 million and imprisonment up to 20 years.

Professional Judgment

Management must use their judgment to limit the scope of Section 404 review.

SOX Scope

SOX applies to IT controls affecting financial reporting.

SOX Section 404

Requires company management to report on the effectiveness of the company’s Internal Controls Over Financial Reporting (ICFR).

ICFR

Internal Controls Over Financial Reporting.

General IT Controls

Ensure IT systems operate properly and consistently.

ICFR Management Responsibilities

Executive management must create, document, and test ICFR each year.

IT Systems Assurance

Provide reasonable assurance that IT systems support financial reporting.

Auditor's Role in ICFR

Outside auditors must review management's report and verify the ICFR work.

ICFR and IT Goals

Protect financial reporting.

Study Notes

  • This chapter focuses on security issues faced by publicly traded companies.
  • It reviews why Congress created rules to improve corporate responsibility and stop fraudulent financial reporting.
  • It also reviews how the resulting law influences information security practices and affects other organizations.

Enron Scandal and Securities-Law Reform

  • The Enron, WorldCom, Tyco, and Adelphia scandals shook American investor confidence in the early 2000s.
  • These companies engaged in mismanagement, questionable financial deals, and accounting fraud, thus tarnishing financial services professionals' reputations.
  • Enron, once called the "Most Innovative Company in America," filed for bankruptcy in December 2001 and hid billions in debt through fraudulent accounting.
  • Adelphia, a cable company, filed for bankruptcy in June 2002; its founder was convicted of fraud and sentenced to 15 years in prison in 2004.
  • WorldCom, a telecommunications company, filed for bankruptcy in July 2002, marking the largest bankruptcy in U.S. history, and its CEO was sentenced to 25 years in prison in 2005.
  • In June 2005, Tyco's former CEO was convicted of theft, conspiracy, securities fraud, and falsifying records, leading to a sentence of 8 to 25 years and over $200 million in fines and restitution.
  • These scandals led to the largest reform in U.S. securities laws since the Great Depression.

Corporate Fraud at Enron

  • The Enron case has become synonymous with corporate greed and scandal.
  • Founded in 1985 in Houston, Texas, through a merger of two natural gas companies, Enron, led by CEO Kenneth Lay, became the leading U.S. natural gas company by the mid-1990s.
  • Enron grew by capitalizing on energy market deregulation and expanded into various markets internationally.
  • From 1997 to 2001, Fortune magazine repeatedly listed Enron among America's most innovative companies, with rapidly increasing employment and valuable stock.
  • Despite appearing successful and profitable, Enron was struggling, losing billions on international investments and facing increased competition.
  • Enron began losing market share in energy futures contracts as other companies adopted similar strategies.
  • The company needed to raise money to meet operating expenses in the late 1990s but did not want to alarm investors and cause its stock price to fall.
  • It was critical to maintain a high stock price to attract new investors and keep credit lines with banks.
  • Enron CFO Andrew Fastow created affiliated companies to hide losses in their financial records, with himself and other employees profiting.
  • Enron often changed division names and moved assets to obscure transactions, in violation of GAAP.
  • Enron mislabeled about $8.6 billion in loans from banks (1992-2001) to hide them from investors.
  • Kenneth Lay retired in February 2001 and was succeeded by Jeffrey Skilling, who, along with Fastow, oversaw Enron's business practices.
  • Financial analysts questioned Enron's complicated financial statements beginning in April 2001.
  • Despite this, Enron continued to portray itself as successful, and Skilling resigned unexpectedly in August 2001, leading to Lay's return as CEO upon request of the board of directors.
  • Enron announced its first loss in October 2001. The SEC began an investigation, and Enron's board formed a committee led by William C. Powers to investigate Fastow's companies; its findings became known as the "Powers Report."
  • Enron announced in November 2001 that it was amending financial statements from 1997-2001 because of accounting errors, shaking investor confidence and causing banks to stop issuing credit, and shares dropped below $1.
  • Enron filed for bankruptcy on December 2, 2001, the largest bankruptcy in U.S. history at that time.
  • Enron was removed from the New York Stock Exchange (NYSE) in January 2002.
  • Enron employees lost $1.3 billion in retirement savings, and Arthur Andersen, Enron's auditor, closed.
  • The U.S. government prosecuted top executives, although the complexity of the fraud made it difficult to prosecute those specifically involved in it.
  • CFO Andrew Fastow entered a plea agreement and testified against Skilling and Lay; he was sentenced to 6 years, paid $30 million in restitution, and was released in December 2011.
  • Kenneth Lay was convicted of fraud and conspiracy in May 2006 but died the following July. The court vacated the conviction.
  • Jeffrey Skilling was convicted on federal fraud charges and sentenced to 24 years, with the U.S. Supreme Court hearing his appeal in March 2010.
  • In June 2010, the U.S. Supreme Court ruled that the law used to convict Skilling was improperly applied and sent the case back to a lower court; Skilling was later sentenced to 14 years and released in 2019.

Public versus Private Companies

  • A public company, also called a publicly traded company, is owned by many investors through stocks representing a share of a corporation's profits or assets.
  • Shareholders are entitled to a share of public company profits called a dividend. The people who own more shares of stock receive larger dividends.
  • Public corporations can sell stocks and bonds, with a bond representing a loan to the corporation that must be repaid with interest.
  • Stocks and bonds are called securities.
  • All securities sold in the United States must be registered with the U.S. Securities and Exchange Commission (SEC).
  • Public companies file financial documents with the SEC regularly to inform investment decisions.
  • A private company is owned by a small group of private investors and does not have the same obligations to shareholders.
  • Private companies do not have to register with the SEC or file financial documents.

Why Accurate Financial Reporting is Important

  • The Enron scandal significantly shook investor confidence in the US economy.
  • The US Congress held hearings and meetings due to the fraud and damage to Enron investors.
  • Enron significantly misstated its financial condition in the financial statements it filed with the SEC, which caused its investors to lose money.
  • Enron was able to sustain itself for at least 5 years because of inaccurate financial reporting.
  • Financial analysts continued to recommend its stock as a good investment, and the public and employees invested in it.
  • Investors lost confidence in large public companies due to large investment losses.
  • Financial statements filed with the SEC are a main source of information to determine a company's true financial condition.
  • After Enron, the SEC required more information to be reported and the accuracy of the forms to be certified.
  • Public companies file:
    • Form 10-K - Annual report
    • Form 10-Q - Quarterly report
    • Form 8-K - Current report
  • Publicly traded companies must submit annual reports using Form 10-K, with the deadline for filing depending on the size of company.
  • Form 10-K requires a full description of the company's business, operations, and financial statements, including balance sheets, income statements, and cash flow statements.
  • An independent auditor must audit the company's financial statements for the Form 10-K filing, which must be signed by the CEO, CFO, and board majority.
  • The Form 10-Q, a quarterly report, is less detailed than the Form 10-K and must be filed 40 to 45 days after the fiscal quarter.
  • A Form 8-K must be filed with the SEC within 4 days of a major event that could affect the company's financial condition.
  • The SEC recommends investors review a company's prospectus and financial reports and look for red flags in a company's financial condition to help detect fraud.

The Sarbanes-Oxley Act of 2002

  • Congress passed the Public Company Accounting Reform and Investor Protection Act in 2002, also known as SOX or Sarbox.
  • It was named after Senator Paul Sarbanes and Representative Michael Oxley and passed following the Enron, WorldCom, and Adelphia scandals.
  • It proposed changes to the Securities Act of 1933 and the Securities Exchange Act of 1934.
  • SOX moved quickly through the U.S. House and Senate and was signed into law by President George W. Bush on July 30, 2002.
  • The goal of SOX was to protect shareholders and investors from financial fraud by increasing corporate disclosure requirements and imposing strict penalties for violations.
  • SOX has 11 titles. It establishes the Public Company Accounting Oversight Board (PCAOB), which oversees firms in the U.S. that audit public companies.
  • It forbids auditors from providing certain non-audit services to their audit clients and sets corporate responsibility requirements.
  • It requires corporations to create audit committees on their boards of directors and increases the amount of information that public companies must give the SEC in filings.
  • Establishes rules to make sure that securities analysts provide independent opinions about a public company's stock risk.
  • SOX gives the SEC authority to discipline investment firms for unprofessional conduct and provides additional funding for SEC programs.
  • SEC must review public accounting firms at least every 3 years and issue reports about how the securities market operates.
  • Imposes document retention requirements on companies and auditors.
  • SOX protects whistleblowers, bans retaliation against employees who participate in fraud investigations, and imposes criminal penalties for violating SOX.
  • CEOs and CFOs must certify that the company's financial reports fairly represent its financial condition, and they face criminal penalties for signing fraudulent statements.
  • Congress strongly suggests that a CEO sign the federal income tax return of a corporation, and SOX establishes criminal liability for corporate officers involved in certain types of fraud.
  • SOX applies to international companies that trade stock on U.S. stock exchanges, and it supplements existing federal securities laws.
  • Because companies verify the accuracy of financial information through IT systems, SOX compliance affects IT functions and requires companies to review their IT controls.
  • It also impacts records management functions due to the vast amounts of data stored electronically.
  • Executive management must certify that controls are in place to protect the accuracy of company information.

Public Company Accounting Oversight Board

  • Before SOX, auditors and accountants belonged to a self-regulating profession; the Enron scandal proved that self-regulation had several drawbacks.
  • Enron's accounting firm, Arthur Andersen, provided accounting, auditing, and consulting services to Enron, which may have left it less willing to give critical advice when reviewing Enron's statements.
  • Congress created the PCAOB to provide oversight of auditing and to ensure that audit reports are fair and independent.
  • Under SOX, the PCAOB duties are:
    • Register accounting firms that prepare audit reports for public companies.
    • Establish standards for the preparation of audit reports.
    • Conduct inspections of registered public accounting firms.
    • Conduct investigations and disciplinary proceedings against registered public accounting firms.
    • Perform other duties or functions necessary to carry out SOX.
    • Enforce SOX compliance.
    • Set a budget for the PCAOB and manage its operations.
  • SEC selects and appoints 5 PCAOB members to staggered terms.
  • The SEC can remove PCAOB members if needed. Members must be financially literate, have a demonstrated commitment to the interests of investors and the public, and be individuals of integrity and reputation; they cannot have any financial interest in an accounting firm.
  • The SEC believes that globally accepted accounting principles will benefit U.S. companies and is evaluating the International Financial Reporting Standards (IFRS).
  • One of the main functions of the PCAOB is to set auditing, ethics, and independence standards for how auditors review public companies; these standards must be approved by the SEC.
  • The PCAOB bases many standards on Generally Accepted Accounting Principles (GAAP).
  • The SEC requires financial statements to be prepared in line with GAAP with the framework established by Financial Accounting Standards Board (FASB) guidelines.
  • PCAOB's Auditing Standard 2201 offers guidance on an audit of a company's internal controls over financial reporting (ICFR). Organizations must also be aware of cybersecurity incidents that could affect financial reporting.

Document Retention

  • SOX contains records retention provisions because an estimated 93 percent of all business documents are created and stored electronically.
  • Organizations should develop document retention policies for tracking their different retention obligations. Many state and federal laws, especially SOX, contain such rules.
  • Public companies need to store audit papers for 7 years, including work papers, memoranda, correspondence, and any records created, sent, or received in connection with an audit.
  • A person or company that violates SOX's records retention provisions can be fined and imprisoned for up to 10 years.
  • If a person tampers with any record in an attempt to interfere with a federal investigation, they can be fined up to $10 million and up to 20 years in prison.

Certification

  • SOX requires companies to report accurate financial data to protect investors, and it makes executives, including the CEO, personally accountable. SOX certifications encourage companies to establish, maintain, and review internal controls.
  • SOX Section 302 requires CEOs and CFOs to certify the company's SEC reports, which ensures that executive management is informed of the company's financial condition.
  • By certifying a report, the CEO and CFO state that:
    • They have reviewed the report.
    • The report contains no untrue or misleading statements about the company.
    • The financial statements fairly represent the company's financial condition.
    • The executive is responsible for establishing disclosure controls and procedures designed to bring material company information to the executive's attention, and the effectiveness of those controls was reviewed within 90 days before the report was filed.
    • The executive has disclosed all significant deficiencies in internal controls to the auditor.
    • Whether any significant changes in internal controls have occurred since the last evaluation.
  • The controls under Section 302 are disclosure controls: the processes and procedures that make sure required disclosures actually get made.
  • Disclosure controls are different from SOX internal controls. Internal controls are the processes and procedures that must be followed to provide reasonable assurance about financial reporting, and SOX requires management to ensure and report on their effectiveness.
  • Under SOX Section 906, CEOs and CFOs who knowingly certify fraudulent reports can be fined up to $1 million and imprisoned for up to 10 years.
  • SOX Section 404 requires management to report each year on the effectiveness of the company's ICFR, and the report is filed with the annual Form 10-K.
  • The outside auditors must verify, document, and test ICFR. Under SEC rules, ICFR processes provide management with reasonable assurance that:
    • Financial reports, records, and data are accurately maintained.
    • Transactions are recorded properly and financial statements are prepared according to GAAP.
    • Unauthorized use of data and assets that could affect the financial statements is prevented or detected in a timely manner.
  • Reasonable assurance does not mean absolute assurance; it means a high level of effectiveness that management must report on.
  • Companies must disclose cybersecurity risks so that the information provided to investors is accurate.
  • The SEC recognizes the Integrated Framework of Internal Control created by COSO, because many U.S. businesses across different sectors use this framework to treat their systems and controls as a whole.
  • COSO states that for a company's management to be effective, its controls must reasonably assure the following:
    • An understanding of how the entity works, based on its operational objectives.
    • The ability to publish statements and make reports reliably.
    • The ability to comply with applicable law.
  • The Framework reviews an organization's control profile, including IT, through 5 components:
    • Control Environment
    • Risk Assessment
    • Control Activities
    • Information and Communication
    • Monitoring
  • Guidance issued in 2007 explains how the Framework is used during Section 404 assessments.
  • To comply with the Section 404 assessment, the SEC stated that companies must assess how their internal controls prevent significant deficiencies. Where such deficiencies exist, management must perform a risk review that ensures the company's controls are effective.

Oversight

  • The Securities and Exchange Commission's mission is to protect investors so that they can make informed investment decisions and invest their money as wisely as possible.
  • The SEC consists of 5 commissioners, appointed by the President to individual 5-year terms. No more than 3 commissioners may belong to the same political party.
  • SOX specifies the duties of the SEC (Securities and Exchange Commission) and how its powers may be used. The agency reviews the Form 10-K and 10-Q filings of public companies and makes sure the rules are followed correctly.
  • If the SEC believes enforcement is needed because someone has committed fraud or made inaccurate statements, it can consider factors such as whether the company has amended (restated) its financial reports. The agency can also compare how a company's stock price moves against its earnings and against its economic sector. Under SOX, the SEC has the power to investigate public companies and to sanction them.

Compliance and Security Controls

  • IT controls are hard to assess within ICFR. IT professionals have only a few frameworks for assessing controls, but several familiar ones help determine which of a company's current controls to consider and how to implement them.
    • COBIT, the Control Objectives for Information and Related Technology framework, was first released in 1996. It helps manage how controls relate to IT assets, and it also supports the processes for governing and managing those assets.
  • COBIT's principles for a governance system, which separate governance from management and call for a tailored, integrated approach, include:
    • Providing stakeholder value.
    • Taking a holistic approach.
    • Recognizing that governance is dynamic and must be tailored to the organization's individual needs.
  • COBIT 2019 expects an organization to build on the frameworks it already has. The organization should list the processes and practices for each of its governance and management objectives when assessing its IT structures.
  • COBIT does not prescribe individual controls; it governs the IT structure as a whole. Some of its objectives are security control objectives, and the organization is free to choose how the controls are managed as long as they meet the compliance objectives.
  • GAIT, the Guide to the Assessment of IT Risk, was created by the IIA. It helps companies comply with Section 404 by identifying the areas where an IT error could cause an error in the financial statements.
  • Like the SEC, GAIT recommends that companies use a top-down approach when assessing IT controls and reviewing risk.
  • The top-down review starts from the significant financial accounts and limits the scope to the systems, applications, and data that support them.
  • The set of processes reviewed is kept small by working from IT control objectives rather than from specific controls.
  • The ISO/IEC information security standards apply to companies that have implemented, or are implementing, security controls. The standards:
    • Review governance through different security control measures.
    • Require governance to follow international standards and to review the IT team's objectives. The standard lists control categories that an organization should have, such as:
    • Information Security Policy.
    • Business continuity management.
  • The ISO/IEC standards provide specific security controls, support internal controls, and help determine the relationship between SOX requirements and security goals. The guidance they contain is applied according to the organization. NIST likewise publishes security control guidance that helps organizations, and in particular federal agencies, secure their systems.
  • The Federal Information Security Modernization Act (FISMA) integrates security requirements for federal agencies, and the NIST guidance published under it is also used by many organizations as a framework for the security controls that support their SOX compliance.

SOX Influence

  • SOX influences public companies and many other organizations because it promotes good corporate governance practices.
  • SOX's governance provisions implement many principles that make sense for other organizations to adopt, such as:
    • Having independent directors. SOX requires a public company to have a board of directors that makes independent decisions, an audit committee that approves the audit and makes sure the financial reports are accurate, and a process for disclosing conflicts of interest. Following SOX also makes the transition from a private to a public company easier.
    • Non-profit organizations have their own incentives, because foundations depend on proper management of their finances. Following SOX has become part of many organizations' plans and processes for preventing bad practices.

Corporate Privacy

  • Corporate information privacy has many angles, and the kinds of records an organization holds determine which concerns apply. The main corporate privacy concerns are the privacy of employee data, customer data, and the corporation's own data.
  • Generally, employees have no general expectation of privacy at their workplace. Employers can monitor workplace behavior, phone and email conversations, and internet and computer usage. In many cases it is better practice for employers to give employees notice of these monitoring activities.
  • Monitoring should be treated like any other tool. There are limits: employers usually cannot monitor sensitive locations where employees do have a reasonable expectation of privacy.
  • Companies must also protect certain employee information. A company must keep health plan information confidential as required under HIPAA, and it can prevent breaches by using security protocols that protect this information. State laws also require companies to make customers aware of breaches.
  • Organizations also have internal records to protect: organizational, financial, and personnel records. A business should direct who may access these records; in small businesses, those with a right of inspection can enter, review, and access internal documents when they need them to make decisions.
  • Every corporation must respect the right of inspection, which applies during business hours.

Case Studies and Examples

  • Investors can learn about a company's finances from different sources, including the SEC's EDGAR database.
  • https://www.sec.gov/edgar/search-and-access lets users search company filings, including popular companies such as Microsoft, Apple, Starbucks, and Walt Disney. Users can also view filings such as the Form 10-K, so a stakeholder can learn in detail how the company protects its security.
