Updated 28 May 2020
The Sarbanes-Oxley Act (also referred to as “SARBOX” or “SOX”) is Federal legislation that was passed in the US on 30th July 2002, to reform the accounting and corporate finance sector.
SOX compliance was initiated after fraudulent reporting from prominent companies – such as WorldCom and Enron – wreaked havoc on financial markets.
It is an unfortunate but important piece of history that has changed business regulations, financial reporting and legislative systems, in the US and the rest of the world.
The Enron scandal, which became public in October 2001, is one of the biggest auditing failures ever.
Enron, a Houston-based energy company, was, at the time, the seventh-largest company in the US. It used accounting loopholes and poor financial reporting to hide all its failed deals and projects. It also hid billions of dollars of debt.
Arthur Andersen, its auditing partner, fabricated balance sheets and destroyed the evidence. Enron’s share price went from a high of $90.75 in mid-2001 to less than $1 by the end of November 2001.
The scandal resulted in billion-dollar lawsuits and many arrests. It also brought to light the necessity of more stringent reporting practices.
Soon after, WorldCom, the US’s largest telecommunications organization, came under intense scrutiny for recording operating expenses as investments.
WorldCom was reporting a profit of $1.4bn, while other telecommunications companies were reporting a loss. WorldCom created an illusion of profit – when the organization was actually operating at a net loss.
The scandal resulted in the arrest of its CEO and WorldCom filing for bankruptcy. Unfortunately, tens of thousands of employees also became unemployed.
Around the same time, Tyco International, a Swiss security systems company, saw the CEO and CFO indicted for stealing around $150m. They inflated company revenue by $500m.
When the fraud was discovered, it caused the stock to plummet and shareholders to panic. Once again, high-level executives and their auditing partners were cooking the books.
Companies used to operate with very casual business regulations. Annual filings and audits were performed cursorily and questions were rarely asked.
Then, in the early 2000s, the financial markets went through a fundamental shift. Public confidence in the US securities markets was low. US lawmakers saw a need for new legislation to ensure corporations were responsible for their decisions and actions.
‘Sarbanes-Oxley’ was named after Senator Paul Sarbanes and Representative Michael G. Oxley, and was signed into law by President George W. Bush on 30th July 2002.
SOX compliance was initiated to ensure integrity in corporate financial reporting and to regulate the accounting profession.
The Sarbanes-Oxley Act was created to protect investors and applies to all publicly traded companies.
The SOX Act has 11 titles (or subdivisions) that the Securities and Exchange Commission (SEC) is required to comply with.
The Act ensures that both the corporation and its accounting partners are accountable for any actions related to the organization’s finances.
Some sections of the SOX Act are more pertinent than others. These sections are to do with corporate responsibility and reporting, the integrity of auditing partners, and the penalties for fraud.
All public SEC companies in the US – and their worldwide branches – should be SOX-compliant.
When the Enron and WorldCom frauds were initially reported, CEOs and other top-level executives claimed not to have any idea what was going on in their organizations.
Sections 302 and 303 of Title III of the SOX Act stipulate that all financial reports are reviewed for omissions or untrue statements, and that executives cannot influence how the audit is conducted.
A corporation needs to:
The aim of the SOX regulations was to improve companies' internal control processes and how they are tested by external auditors.
Every business regulation or decision must be formalized, written down, and then tested.
Reporting requirements for accounting firms, prior to the SOX Act, were quite laissez-faire; companies were often not held accountable for their financial decisions.
In the cases of Enron and WorldCom, Arthur Andersen, the auditing firm, was considered a colluder. It was found negligent for not asking questions and overlooking blatant corporate fraud. With the Enron scandal, it also obstructed justice by destroying evidence.
The auditor’s role is:
Compliance with the SOX Act used to be straightforward, yet market changes and regulatory requirements set by the PCAOB continue to increase expectations for auditors and, consequently, increase hours and costs.
If auditors are found to collude or ignore fraudulent behavior, they can face criminal charges and are heavily penalized.
Auditors bill companies hourly, which can be very costly for the organization – especially when the auditor is evaluating and assessing internal control reports.
According to a 2016 survey conducted by Protiviti, a global consulting firm, approximately one in three organizations will spend around $500,000 per year on SOX compliance. About half the surveyed organizations will spend between $500,000 and $1m.
For some organizations, especially those in insurance or telecommunications, this can go up to $2m or more.
The Act details the financial penalties faced by anyone stealing, falsifying, or destroying business records. It also details the protection given to whistle-blowers.
Significant criminal charges are also placed on anyone who misrepresents, or does not correctly certify, the accuracy of financial statements.
Many business executives, accounting firms, and lawmakers think that the Sarbanes-Oxley Act is too punitive, making the US a less attractive place for businesses.
Even private companies need to adopt governance and internal control structures that are compliant with SOX standards. Otherwise, they can have trouble raising capital, face higher insurance premiums, and have greater civil liabilities. This can result in loss of investors, potential customers, and donors.
Smaller firms also find it difficult to meet the requirements of Section 404 (the requirement for internal controls and procedures for financial reporting) because the cost of the annual internal control report is hard to predict: it is determined by new legislation and mandated by the PCAOB.
Any foreign company with a dual listing on the US Stock Exchange needs to be SOX-compliant.
Many countries are moving to – or have already moved to – similar regimes of stringent regulations and tougher penalties. Smaller international businesses would struggle to participate in the US Stock Exchange.
Additionally, compliance in one set of legislation isn’t consistent across the board. Being SOX-compliant and agreeing to provide information at any time may, for example, result in being in breach of data protection in another country’s legislation.
The SOX Act has been debated heavily, and is credited with reducing corporate fraud and increasing investor protections.
But its critics are not sure if the reduced corporate competitiveness, heavy ongoing costs, and bureaucracy faced by organizations are worth it.
A 2017 study published by the American Accounting Association found that while the costs of the SOX Act were substantial (and felt more heavily by smaller companies), there are financial reporting benefits, and costs have fallen over time.
One approach to mitigate the cost is for auditors to note the findings of the PCAOB in advance and meet new regulations early, by aligning an organization’s internal controls with the PCAOB’s guidelines. This will make audits easier and reduce costs.
For the organization and other stakeholders, compliance with the SOX Act seems like a lot of red tape and a costly effort to trade publicly in the US stock market.
But another way of looking at it is that, for the publicly traded company, the investor is its backbone. Financial reports, transparency, and heavy penalties are a means of protecting the investor and providing them with feedback on the effectiveness of management.
The role of the auditing company is the overseer, providing the investor with information. The heavy penalties are the repercussions.
Without the Sarbanes-Oxley Act, in a world rife with corruption, it only takes the largest bribe to influence a decision or create a conflict of interest.