Tomorrow (Saturday, July 30) marks the 20th anniversary of the enactment of Pub.L. 107-204, also known as the Sarbanes-Oxley Act or SOX. Introduced as the broadest-sweeping legislation to affect corporations and public accounting since the 1933 Securities Act, SOX made a significant impact on audit, accounting, and financial reporting practices in public corporations worldwide. It also provided a wake-up call for private companies, and it has become a standard for nonprofit organizations as well.

The Ethics & Compliance Initiative (ECI) was privileged to have Mike Oxley – the “OX” part of SOX – serve as chairman of our board of directors for almost 7 years, until his untimely death in 2016. I got to know Mike well, and because of that, when SOX reaches a milestone it makes me think about the importance of the legislation that is a big part of his legacy. I recalled writing an article about the milestone for the 15th anniversary of SOX; I thought I’d refresh and repost it now for the 20th. After all, many of the reasons that SOX made an impact are still relevant today. How did SOX make a difference?

First, SOX increased the veracity of financial statements, and put boards and business leaders on notice as to their accountability should fraud occur. SOX changed the composition of board audit committees by defining the experience that was required to serve as a member, and by encouraging committee members’ independence and knowledge. It’s also not a big stretch to think that because of SOX most CEOs and CFOs now take a moment to pause before they sign their names to their company financial statements. Additionally, it is impressive to see the number of procedures and internal controls that companies have implemented due to the SOX requirements to ensure that their statements are correct.

Second, SOX improved the quality of the audit process. Not only did it mandate that companies change audit partners on a regular basis to ensure objectivity; SOX also radically impacted the function of external auditors themselves. A new standard of independence was applied, modifying the services that an audit firm can provide to a client and the relationships that individual auditors can have. SOX also increased the reporting requirements of the auditor to the board audit committee, and it established the Public Company Accounting Oversight Board (PCAOB), which is now the rule-making and enforcement arm for the auditing world.

Third, the Act made a bold statement about the importance of whistleblowers. SOX mandated the establishment of a confidential and anonymous reporting system for the receipt, resolution and retention of information related to misconduct. The mandate also provided new protections for individuals who report suspected fraud and abuse, and it also imposed criminal penalties on employers who retaliate against those who “blow the whistle.”

SOX was also the spark that ignited an industry. An ethics & compliance community existed before SOX was enacted, but it exploded after the bill became law. Compliance functions grew exponentially inside corporations, and with that came a greater need for support. As a result, ethics & compliance became a professional career path; organizations like ECI expanded to provide continuing education and networking opportunities; and many service providers and consultants were established to help companies comply with the law. Many of us look at the industry now and point to the enactment of SOX as a watershed moment for our field.

Finally, SOX influenced regulation in other countries. For example, rules like Directive 2014/56/EU in Europe have established the frameworks for audits, public oversight of auditors and cooperation between EU authorities. The Committee of European Auditing Oversight Bodies functions in a way that reflects the PCAOB. And in the wake of the Wirecard scandal (arguably the Enron of Germany), the discussions that are taking place among public officials about the independence of auditors and protection of whistleblowers are reminiscent of the conversations held in Congress during the making of SOX.

Of course, SOX is not without its shortcomings. The Act ushered in what critics have called an overly restrictive regulatory environment in US financial markets, and the internal cost of compliance for any one company is substantial (and arguably onerous). To this day auditing firms struggle with the extent to which they must ensure their independence, and there continue to be opponents to some of the provisions for the protection of whistleblowers. Most importantly to me, while SOX has been an important contributor to the growth of “compliance” inside corporations, by its very nature it does not (and cannot) ensure the strengthening of ethical culture. Based on ECI’s ongoing research, a strong ethical culture is the biggest factor in reducing the likelihood that financial fraud will occur.

So was the enactment of SOX a good thing? If Mike were here, he would offer an emphatic “yes.” He would be proud that the United States has not seen financial fraud on the scale of Enron since the bill became law. Since its inception, SOX has been augmented by Dodd-Frank and refined by case law. SOX also increased public awareness of the importance of compliance, strengthened corporate oversight and internal controls, and boosted the quality of the work of the ethics & compliance industry. For all these reasons, I would agree with Mike that SOX has been a good thing. His family should continue to be proud of the contribution he made.

Happy anniversary, SOX. Thanks Mike, for your role in this important contribution. We still miss you.

By: Editorial Team