Sarbanes-Oxley Act

The Sarbanes-Oxley Act (also referred to as “SARBOX” or “SOX”) is Federal legislation that was passed in the US on 30th July 2002, to reform the accounting and corporate finance sector.

SOX compliance was initiated after fraudulent reporting from prominent companies – such as WorldCom and Enron – wreaked havoc on financial markets.

It is an unfortunate but important piece of history that has changed business regulations, financial reporting and legislative systems, in the US and the rest of the world.


Contents

  1. The Historical Context
  2. What Is the Sarbanes-Oxley Act?
  3. How Sarbanes-Oxley Has Affected Companies
  4. How Sarbanes-Oxley Has Affected Audit Firms
  5. The Consequences of Not Being SOX Compliant
  6. The Legacy of the Act
  7. Final Thoughts
  8. Further Reading

The Historical Context

The Enron scandal, which became public in October 2001, is one of the biggest auditing failures ever.

Enron, a Houston-based energy company, was, at the time, the seventh-largest company in the US. It used accounting loopholes and poor financial reporting to hide all its failed deals and projects. It also hid billions of dollars of debt.

Arthur Andersen, its auditing partner, fabricated balance sheets and destroyed the evidence. Enron’s share price went from a high of $90.75 in mid-2001 to less than $1 by the end of November 2001.

The scandal resulted in billion-dollar lawsuits and many arrests. It also brought to light the necessity of more stringent reporting practices.

Soon after, WorldCom, the US’s largest telecommunications organization, came under intense scrutiny for recording operating expenses as investments.

WorldCom was reporting a profit of $1.4bn, while other telecommunications companies were reporting a loss. WorldCom created an illusion of profit – when the organization was actually operating at a net loss.

The scandal resulted in the arrest of its CEO and WorldCom filing for bankruptcy. Unfortunately, tens of thousands of employees also became unemployed.

Around the same time, Tyco International, a Swiss security systems company, saw the CEO and CFO indicted for stealing around $150m. They inflated company revenue by $500m.

When the fraud was discovered, it caused the stock to plummet and shareholders to panic. Once again, high-level executives and their auditing partners were cooking the books.

Companies used to operate with very casual business regulations. Annual filings and audits were performed cursorily and questions were rarely asked.

Then, in the early 2000s, the financial markets went through a fundamental shift. Public confidence in the US securities markets was low. US lawmakers saw a need for new legislation to ensure corporations were responsible for their decisions and actions.

Sarbanes-Oxley was named after Senator Paul Sarbanes and Representative Michael G. Oxley, and was signed into law by President George W. Bush on 30th July 2002.

SOX compliance was initiated to ensure integrity in corporate financial reporting and to regulate the accounting profession.

What Is the Sarbanes-Oxley Act?

The Sarbanes-Oxley Act was created to protect investors and applies to all publicly traded companies.

The SOX Act has 11 titles (or subdivisions) that the Securities and Exchange Commission (SEC) is required to comply with.

These are:

  1. Public Company Accounting Oversight Board (PCAOB) is a compliance board established to provide independent oversight of public accounting firms. Under the PCAOB, auditors are registered centrally to ensure their processes and procedures are compliant with the mandates of the SOX Act.

  2. Auditor Independence ensures that the auditing partners of corporations have certain standards and limitations. Auditors are also restricted from providing non-audit services (such as consulting) for their corporate clients.

  3. Corporate Responsibility ensures that senior executives take responsibility for ensuring corporate financial reporting is accurate and complete. It is expected that company CEOs and CFOs approve and certify all financial reports to ensure their integrity.

  4. Enhanced Financial Disclosure requires that anything influencing a company’s finances is transparent, and all financial dealings are recorded and disclosed in real time. This is one of the costlier titles under the SOX Act, as it requires that organizations include a special report on internal controls with every annual report.

  5. Analyst Conflicts of Interest is a code of conduct that is in place to prevent known conflicts of interest. It ensures that measures are in place for investor confidence.

  6. Commission Resources and Authority defines the authority of the SEC and its ability to define the conditions whereby a person can be barred from acting as an advisor, broker, or dealer. This is another way of restoring the confidence of investors.

  7. Studies and Reports are required to analyze various studies and report their findings. The SEC and the Comptroller General hold the organizations and accounting firms accountable, and check on the true business regulations of an organization.

  8. Corporate and Criminal Fraud Accountability ensures that any destruction, manipulation or alteration of records or other information, as well as any obstruction of justice, is criminally penalized. It also gives whistle-blowers protection.

  9. White Collar Crime Penalty Enhancement gives severe penalties for anyone associated with any type of fraud. It specifically notes that failure to certify corporate financial reports is a criminal offense.

  10. Corporate Tax Returns require the CEO to certify and sign the company tax return.

  11. Corporate Fraud Accountability gives the SEC the power to temporarily freeze transactions that are large or unusual. It also increases the penalties for tampering and corporate fraud, and records them as criminal offenses.

The Act ensures that both the corporation and its accounting partners are accountable for any actions related to the organization’s finances.

Some sections of the SOX Act are more pertinent than others. These sections are to do with corporate responsibility and reporting, the integrity of auditing partners, and the penalties for fraud.

How Sarbanes-Oxley Has Affected Companies

All public SEC companies in the US – and their worldwide branches – should be SOX-compliant.

When the Enron and WorldCom frauds were initially reported, CEOs and other top-level executives claimed not to have any idea what was going on in their organizations.

Sections 302 and 303 of Title III of the SOX Act stipulate that all financial reports are reviewed for omissions or untrue statements, and that executives cannot influence how the audit is conducted.

A corporation needs to:

  • Ensure reports are reviewed by signing officers.

  • Ensure all reports are signed and certified by the CEO and CFO.

  • Report everything in real time and make sure there are no omissions or untrue statements.

  • Check that all financial statements represent the true financial condition of the organization.

  • Ensure all internal controls are evaluated and any deficiencies are reported.

  • Protect any presumed whistle-blowers in the organization, with no effect on their careers.

  • Never avoid SOX stipulations by transferring their activities outside of the US.

  • Save all business records for at least five years. Noncompliance or destruction results in fines, imprisonment, or both.

The aim of the SOX regulations was to improve companies' internal control processes and how they are tested by external auditors.

Every business regulation or decision must be formalized, written down, and then tested.

How Sarbanes-Oxley Has Affected Audit Firms

Reporting requirements for accounting firms, prior to the SOX Act, were quite laissez-faire; companies were often not held accountable for their financial decisions.

In the cases of Enron and WorldCom, Arthur Andersen, the auditing firm, was considered a colluder. It was found negligent for not asking questions and overlooking blatant corporate fraud. With the Enron scandal, it also obstructed justice by destroying evidence.

The auditor’s role is:

  • To check a company’s financial dealings, report discrepancies, and ensure the accuracy of reports.

  • To avoid a conflict of interest and refrain from giving advice in any other regard.

  • To disclose any aspect that influences a company’s finances in real time.

  • To verify and assess the effectiveness of all internal controls and procedures.

  • To ensure that there is paperwork documenting all business regulations according to SOX standards.

The SOX Act used to be straightforward compliance, yet market changes and regulatory requirements set by the PCAOB continue to increase expectations for auditors and, consequently, increase hours and costs.

If auditors are found to collude or ignore fraudulent behavior, they can face criminal charges and are heavily penalized.

Auditors bill companies hourly, which can be very costly for the organization – especially when the auditor is evaluating and assessing internal control reports.

According to a 2016 survey conducted by Protiviti, a global consulting firm, approximately one in three organizations will spend around $500,000 per year on SOX compliance. About half the surveyed organizations will spend between $500,000 and $1m.

For some organizations, especially those in insurance or telecommunications, this can go up to $2m or more.

The Consequences of Not Being SOX-Compliant

The Act details the financial penalties faced by anyone stealing, falsifying, or destroying business records. It also details the protection given to whistle-blowers.

Significant criminal charges are also placed on anyone who misrepresents, or does not correctly certify, the accuracy of financial statements.

Many business executives, accounting firms, and lawmakers think that the Sarbanes-Oxley Act is too punitive, making the US a less attractive place for businesses.

Even private companies need to adopt governance and internal control structures that are compliant with SOX standards. Otherwise, they can have trouble raising capital, face higher insurance premiums, and have greater civil liabilities. This can result in loss of investors, potential customers, and donors.

Smaller firms also find it difficult to meet the requirements of Section 404 (the requirement for internal controls and procedures for financial reporting), because it is difficult to predict how much the annual internal control report will cost; that cost is determined by new legislation and mandated by the PCAOB.

The Legacy of the Act

Any foreign company with a dual listing on the US Stock Exchange needs to be SOX-compliant.

Many countries are moving to – or have already moved to – similar regimes of stringent regulations and tougher penalties. Smaller international businesses would struggle to participate in the US Stock Exchange.

Additionally, compliance in one set of legislation isn’t consistent across the board. Being SOX-compliant and agreeing to provide information at any time may, for example, result in being in breach of data protection in another country’s legislation.

Final Thoughts

The SOX Act has been debated heavily, and is credited with reducing corporate fraud and increasing investor protections.

But its critics are not sure if the reduced corporate competitiveness, heavy ongoing costs, and bureaucracy faced by organizations are worth it.

A 2017 study published by the American Accounting Association found that while the costs of the SOX Act were substantial (and felt more keenly by smaller companies), there are financial reporting benefits, and costs have fallen over time.

One approach to mitigate the cost is for auditors to note the findings of the PCAOB in advance and meet new regulations early, by aligning an organization’s internal controls with the PCAOB’s guidelines. This will make audits easier and reduce costs.

For the organization and other stakeholders, compliance with the SOX Act seems like a lot of red tape and a costly effort to trade publicly in the US stock market.

But another way of looking at it is that, for the publicly traded company, the investor is its backbone. Financial reports, transparency, and heavy penalties are a means of protecting the investor and providing them with feedback on the effectiveness of management.

The role of the auditing company is the overseer, providing the investor with information. The heavy penalties are the repercussions.

Without the Sarbanes-Oxley Act, in a world rife with corruption, it only takes the largest bribe to influence a decision or create a conflict of interest.

Further Reading

You may be interested in these other articles on WikiJob:

Due Diligence

Audit and Assurance

What is Audit Risk?