Sarbanes-Oxley at 20: What Hath It Wrought?

Effects of 2002 federal law have changed both public and private businesses in U.S.

By William Quick and Toni Ruo

This month marks the 20th anniversary of the Sarbanes-Oxley Act. Anniversaries provide an occasion for remembrance, reflection, and future perspective.

The financial and corporate scandals surrounding Enron and Arthur Andersen in 2002 resulted in a nadir of investor confidence. Such failures stemmed from extreme related-party transactions, creative financial accounting, excessive compensation, and poor corporate culture. In response, Congress passed SOX to restore investor confidence, require more independent and financially competent boards, and provide heightened control over public-company governance. Not only did SOX expand regulatory oversight and enhance corporate governance, but it also evolved as an example to private companies. 

SOX addressed three primary issues: corporate governance, fraud, and accounting transparency. It requires the board to have an audit committee comprising independent directors, including a financial expert. This independent committee is responsible for the appointment, compensation, and oversight of any accounting audit firm. Under SOX, it is unlawful for a company to extend a personal loan to any of its directors or officers. The measure also requires the CEO and CFO to repay the company for any incentive-based compensation in the event of misconduct or if any filed financial document is restated due to noncompliance with securities laws. Finally, SOX places additional oversight requirements on executives. Primarily, the CEO and the CFO must certify the accuracy, completeness, and fairness of the company’s annual reports and financial statements.

SOX sets standards to better detect and prevent fraud. Primarily, SOX implements whistleblower protections that prevent companies from discriminating against employees who lawfully assist in investigations related to securities laws or fraud violations. Further, it requires the establishment of minimum standards of professional conduct for attorneys representing companies before the SEC. Attorneys must report evidence of a material violation of securities law, breach of fiduciary duty, or similar violation by the company or its agents to the CEO or chief legal officer; if that officer does not appropriately respond to the violation, the attorney must report the evidence to the audit committee, another independent committee, or the full board.

SOX also prescribes the circumstances where auditors and other accountants are required to report directly to the audit committee or the full board, rather than to management. To increase financial transparency and improve accounting practices, SOX created the Public Company Accounting Oversight Board to oversee the auditing of public companies. Primarily, accounting firms are required to be independent of the companies they are auditing. Additionally, the firm performing an audit may not perform non-audit services for that company. 

While SOX only directly applies to public companies, the act also serves as an exemplar for private companies. Post-SOX case law has endorsed SOX standards in interpreting fiduciary duties generally. As a result, private companies and their advisers now consider SOX standards in benchmarking fiduciary duties and establishing best practices. 

Going further, and more recently, the act continues to indirectly affect large private companies, data-privacy protection, and ESG compliance. Although SOX has increased transparency and investor confidence in the public market, the attendant cost of compliance has motivated many companies to defer or reject “going public.” The result is that there are now more private “unicorn” companies (those valued at over $1 billion) than ever before. As private companies, these “unicorns” are not subject to the same reporting, corporate governance, or accounting/audit requirements as their public company counterparts. 

SOX standards are instructive in addressing data privacy and protection. While SOX applies only to financial information, the mechanisms and controls it puts in place may guide companies seeking to strengthen their data privacy controls. SOX’s internal control requirements have caused corporate management to create policies and protocols to protect the integrity and storage of financial information. Companies may now extend these systems to protect non-financial and customer data as well.

Recently, SOX compliance has also been considered in relation to ESG trends. Investors are increasingly interested in prioritizing ESG (environmental, social, and governance) factors in their investments. As a result, professionals are looking to SOX compliance procedures for guidance on how to implement, track, and verify ESG compliance.

In short, the past 20 years have revealed the impact of SOX on the corporate environment. Lasting changes in corporate governance, fraud prevention, and financial transparency have occurred. Many of these changes have translated from the public to the private sector. Now, the policies, processes, and procedures embodied in and implemented to comply with SOX are being viewed and applied anew in addressing the emerging exigencies of the business community, including ESG activism and data privacy threats.

About the author

William Quick is a partner at Kansas City-based law firm Polsinelli, PC, where Toni Ruo is a summer intern.
