As discussed in other chapters as well, the Sarbanes-Oxley Act (SOx) is a large, complex piece of legislation covering many areas. While we still are following or complying with the text of the 2002 SOx legislation, SOx, like any U.S. federal act, is subject to detailed rules that define how we must comply with this legislation. Some significant governance rules changes have been introduced through the Act's Section 302, discussed in Chapter 7, but Section 404 of SOx covering reviews of internal accounting controls has received perhaps the most attention and compliance activity. Section 404 covers processes where a registrant enterprise is responsible for reviewing, documenting, and testing its own internal accounting controls. The results of that review work are passed on to the enterprise's external auditors, who are charged with reviewing and attesting to that internal controls review as part of their audit of the subject enterprise's reported financial statements and results. This area had been a major pain point for many enterprises because their external auditors were following a very detailed set of financial accounting audit procedures called Auditing Standard No. 2.

Despite some SOx concerns in other areas, Section 404 requirements have been a major concern and an area for ongoing criticisms and complaints regarding these reviews of internal accounting controls under AS2. During those first years after ...