As of 2022, the Sarbanes-Oxley Act (SOX) has been in effect for two decades. The legislation is seen as a milestone of investor transparency into public company finances and internal controls, and here we look back at the past twenty years of SOX compliance and how the world of internal controls continues to develop today.
What prompted the passing of the Sarbanes-Oxley Act?
The Sarbanes-Oxley Act was created in 2002 after several large scandals highlighted the need for greater corporate accountability. Enron had been caught inflating its financial position by hiding mountains of debt in special purpose vehicles, and its auditor went out of business since it had enabled some of that behavior. WorldCom, the second largest telecom company in the world at the time, had inflated its profits by billions of dollars, and the CEO and CRO at Tyco were stealing significant sums of money from investors.
All these scandals plunged investor confidence to an all-time low, prompting the need for greater accountability at both the executive and auditor level of public companies. In response, Congress passed SOX to hold companies and their leaders accountable for providing accurate financial information to investors.
The passing of SOX created the Public Company Accounting Oversight Board (PCAOB) and established standards for auditor independence, preventing auditors from also providing consulting services, which created a conflict of interest. These new standards also created requirements for company leadership to certify that financial statements were complete, accurate, and safeguarded by internal controls to mitigate the risk of fraud, waste, or abuse. Additionally, SOX created a framework for companies to implement assessments over the financial risks they face within their internal control environment. In whole, this boosted transparency and accountability.
While implementation costs of SOX were, and are, high, many companies have evolved from seeing SOX as a financial burden to understanding it as a financial investment that allows for greater insight into their own financial processes, technology, and controls. SOX compliance efforts often highlight areas of inefficiencies that companies then take steps to remediate.
How successful has SOX been at resolving issues such as fraud? What other consequences has SOX had on corporate financial controls?
Generally speaking, SOX has been a huge success. Incidents of fraud have decreased significantly while investor confidence has increased, as documented by multiple third-party studies.[1] In addition, SOX assessments have helped companies uncover issues that are not always evident until a deeper analysis is performed. It has also helped companies identify areas for significant improvement such as opportunities to upgrade, reconfigure, or integrate financial systems and processes to resolve redundancies and process inefficiencies, and to develop processes that better align with the company’s growth strategy.
While not required to be SOX compliant, private companies can find value in compliance efforts, including highlighting a multitude of financial risks in their processes, technology, and control environment that need to be remediated. For private companies with intentions of going public, enacting a SOX-style program in anticipation of going public assists in addressing the aforementioned risks prior to becoming a public company, enhancing investor confidence.
Lastly, SOX has allowed greater insight for companies undergoing an M&A transaction. In the past, buyers would often rush to acquire another company without a full view of the seller’s actual financial standing or robust due diligence. However, SOX has given buyers a framework to gain comfort over the seller’s financial statements and enter a business transaction with confidence.
How have internal controls evolved in the last twenty years, following SOX?
For a lot of practitioners, documenting the controls for SOX compliance and testing them may feel like the same exercise year after year. This is driven in part by the PCAOB: through its annual inspection program, it provides updated guidance for auditors, ultimately impacting what is scrutinized and how much documentation support is deemed to be acceptable.
Currently, there is a significant focus over the completeness and accuracy of the key reports (or Information Produced by the Entity [IPE]) that management uses in the performance of key controls[2] and a focus on enhancing management review controls. Instead of management relying simply on systems and processes – which can produce flawed information – to generate complete, accurate information, IPE testing helps management and auditors gain comfort over the completeness and accuracy of the inputs used for control performance.
When SOX was first implemented, companies focused on meeting compliance requirements and retaining the exact documentation requested by the auditor to support a clean audit. As compliance evolved, companies looked to implement efficiencies, such as standardizing processes and using continuous monitoring. This allows companies to take a proactive role in monitoring their controls throughout the year and quickly remediate any SOX-related deficiencies.
What do companies need to do today and moving forward to stay compliant with SOX, identify issues in their financial reporting, and then address them?
The key is to view SOX as more than just compliance, or a check-the-box exercise, but as a critical tool to promote operational efficiency and ensure the accuracy of financial records. Companies can explore tools – such as process automation – that can improve their SOX-compliance efforts and decrease the time and resources required for compliance.
Additionally, an investment in SOX compliance efforts may lead to a reduction in external audit costs, as a strong SOX environment can result in auditor reliance on internal controls to reduce the level of substantive testing.
All in all, while ensuring SOX compliance requires an investment of time and money, when properly executed, a SOX compliance process can give insight into the financial standing of a company that is valuable for both investors and company leadership.
How does ESG (environmental, social, and governance) fit into the future of financial reporting and disclosures?
ESG has been getting a lot of attention in the media recently, and SOX is especially relevant in relation to a new SEC proposal for climate disclosures.[3] According to SEC Chair Gary Gensler, the proposal aims at creating consistent, comparable, and decision-useful information for making investment decisions, which is similar to the original purpose of SOX.
Among other requirements, this rule proposes a new footnote to disclose and quantify the effects of climate-related events on financial statement line items and their impact on estimates or assumptions used in preparing the financial statements. Since this footnote is included in the financial statements, it would require an audit and SOX controls over the ESG disclosure.
Some companies expect that capturing and presenting ESG data will initially be more difficult than complying with SOX when it came out, since most ESG-related data is not yet being collected (in contrast to SOX, where most companies already had financial statements and ledgers from which to work). An additional challenge with climate-related disclosures revolves around what constitutes a “climate-related event,” which means there will be a level of judgment required to identify what is disclosed, the materiality of the disclosure, and how to build a financial framework around such a disclosure. While the capturing of specific data will be more challenging, and some data will be subjective, the framework established by SOX can be leveraged as a starting point for compliance with ESG requirements, though the effort will still require significant work.
Financial reporting and SOX groups should already be thinking about how they will set up audit-ready processes and controls. Due to the relative immaturity of ESG reporting and the judgment involved, many companies will find it helpful to engage an advisor who can share best practices across their specific industry.
1. Scholz, Susan, “Financial Restatement Trends in the United States: 2003-2012,” Center for Audit Quality, July 24, 2014; Saurabh Ahluwalia et al., “Sarbanes–Oxley Section 406 Code of Ethics for Senior Financial Officers and Firm Behavior,” Journal of Business Ethics, July 19, 2016.
2. E.g., Information Provided by the Entity (IPE). IPE is a term used by external auditors to describe any information that is produced internally by the company being audited and provided as audit evidence, whether for use in the execution of internal controls or for substantive audit procedures.
3. “The Enhancement and Standardization of Climate-Related Disclosures for Investors,” Proposed Rule, U.S. Securities and Exchange Commission.