What is the Sarbanes-Oxley Act and why do we have it?
Congress reacted to corporate financial scandals, including those affecting Enron, Arthur Andersen, and WorldCom, by passing the Sarbanes-Oxley Act of 2002. This Act, often referred to as SOX or Sarbox, is designed to “protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.”
The Act provides for new levels of auditor independence; personal accountability for CEOs and CFOs; additional accountability for corporate Boards; increased criminal and civil penalties for securities violations; increased disclosure regarding executive compensation, insider trading and financial statements; and certification of internal audit work by external auditors.
Taken together, the provisions of the Sarbanes-Oxley Act of 2002 are significant enough that SOX is considered by many to be the most significant change to federal securities laws in the United States since the New Deal. Every publicly traded company in the U.S. has felt its impact. Some provisions are not complex, but carry a great impact. Examples are changes in how companies interact with their external auditors, in requirements for anonymous whistle-blowing mechanisms, and in the requirements for makeup of the corporate Board of Directors.
Other changes sound simple but are actually very complex. Section 302, for instance, requires that CEOS and CFOs sign an attestation to accompany each annual or quarterly report. This attestation removes any “I didn’t know” defense for these officers, since they must assert that
- they have reviewed the report, it is true, and it fairly represents the financial condition of the company, and
- they know this to be so because they have accepted responsibility for internal controls over their financial processes, have designed controls that ensure that material information reaches them, and have personally evaluated the effectiveness of these controls.
Prior to the passage of SOX, no company in America had in place a system of controls, auditing, and reporting that would have completely satisfied the language of SOX Section 302. For some, the gap was small. For most, it was large.
The most expensive and time-consuming SOX effort, however, is represented in Section 404 of the Act. In this short section are the high-level requirements for management’s assessment of the company’s controls, referred to in Section 302. The detailed requirements for how management must conduct its assessment – and what standards external auditors must use in deciding whether they can sign off on that assessment – have been hammered out by auditing firms, under the direction of a newly-created organization, the Public Company Accounting Oversight Board (PCAOB).
To comply with Section 404, companies have had to assess whether their processes for working with financial data are established, documented, and structured to contain controls against risk. They’ve had to do the same for information systems that manage financial data. They’ve had to assess whether they have adequate security controls to ward off theft or corruption of data. They’ve had to determine whether their employees’ roles, responsibilities, access rights, and permissions could allow material fraud or misrepresentation of financial data. In companies with multiple locations and divisions, they’ve had to ensure that their accounting takes an “apples-to-apples” approach – even if the same piece of data has a different name in each division.
Before management could attest to controls, they’ve had to ensure that they can recognize problems, can analyze their severity, and can understand and communicate the materiality of problems. And, they’ve had to ensure that all of the above was expressed using specific risk management language. Every company has found itself lacking in one way or another. Those with cultures and practices geared toward formally managing risk still found, for instance, gaps in how they documented or described those risks. Other companies with informal approaches to process found large gaps in their system and process documentation as well as gaps in their controls. Companies with “dot-com” cultures found they needed to create a complex layer of formal documentation and controls before they could even begin the job of assessing its effectiveness.
In clarifications to the Act, the SEC and the PCAOB have said that a company could “fail” Sarbanes-Oxley if controls are inadequate – even if no actual problems slipped through those controls. While such a failure itself does not carry direct penalties, investors have already demonstrated that stock prices do react to disclosures of material weaknesses. (SOX does include criminal provisions for altering or destroying certain kinds of records.)
There has been a universal outcry against the burden placed on public companies to comply with Sarbanes-Oxley. At the same time, there has been a quiet but persistent response that the Act simply made mandatory what were industry-accepted good practices, and that investors have a right to the levels of transparency and accountability that are the result of complying with Sections 302 and 404.
The SEC has responded to complaints by softening some requirements and pushing back deadlines for others. However, it has insisted that the reasons behind the Act are valid and that its provisions, on the whole, are in the best interest of the country. Congress seems to agree, with no indication of a repeal.