Congress passed the Sarbanes-Oxley Act of 2002 (sometimes called “SOX”) in response to a number of high-profile corporate financial scandals. These scandals involved accounting fraud by publicly traded companies such as Enron Corporation, Tyco International plc, and WorldCom. The full name of the legislation is the Public Company Accounting Reform and Investor Protection Act of 2002. That name makes clear its mission of improving the oversight and regulation of auditing. Many consider the Act the most consequential piece of legislation impacting the U.S. securities market since the 1930s.
The Sarbanes-Oxley Act was named after the two sponsors of the bill—Democratic Senator Paul S. Sarbanes of Maryland and Republican Senator Michael G. Oxley of Ohio. The act got bipartisan support. When President George W. Bush signed it into law in 2002, he declared, “the era of low standards and false profits is over. No boardroom in America is above or beyond the law.” Following the implementation of the Sarbanes-Oxley Act, many countries implemented similar regulatory reforms in an effort to bolster corporate accountability.
The Sarbanes-Oxley Act Created a Regulatory Corporation
The Sarbanes-Oxley Act created the Public Company Accounting Oversight Board (PCAOB). This nonprofit corporation oversees and regulates the auditing of public companies and broker-dealers. The PCAOB’s stated purpose is “to protect investors and further the public interest in the preparation of informative, accurate, and independent audit reports.” Headquartered in Washington, D.C., it is composed of five board members, including a Chairman. The Securities and Exchange Commission (SEC) appoints each PCAOB board member. Prior to appointments, the SEC receives input from the Chair of the Board of Governors of the Federal Reserve System and the Secretary of the Treasury.
Internal Controls Required
One of the most important and highly scrutinized components of the Sarbanes-Oxley Act is Section 404. Section 404 created disclosure-based incentives in order to encourage firms to spend money on internal control systems for financial reporting. This section is arguably the most controversial section of the act.
Many have asserted that an unintended consequence of the implementation of this section is adverse effects on corporate investment activity. Section 404 requires public companies to describe in detail the effectiveness of the company’s internal controls in their annual 10-K reports. Both the management team and the company’s independent auditor must sign off on this assessment of the internal controls. In March 2020, the SEC voted to implement amendments to Section 404(b). These amendments seek to ease the burden on smaller companies of costly compliance requirements. Section 404(b) now exempts smaller companies with less than $100 million in annual revenues from having an independent auditor attest to the internal controls.
The CEO and CFO Must Certify Under the Sarbanes-Oxley Act
Another significant provision is Section 302. Section 302 of the Sarbanes-Oxley Act requires the CEO and CFO to personally certify in writing that the company’s financial statements are accurate and disclose all material information. Criminal penalties apply to corporate officers who knowingly certify financial statements that are inaccurate.
A third provision that is particularly significant is Section 802. This section pertains to recordkeeping rules. It outlines the types of business records that a company may not intentionally destroy, mutilate, alter, or conceal. SOX 802 also defines the retention periods for storing records of different types. For example, tax returns should be retained for seven years and timesheets should be retained forever. In response, businesses have had to develop data retention protocols to reduce the risk of data falsification, alteration, and deletion. The penalties for failure to comply are steep and include criminal liability.
Finally, the Sarbanes-Oxley Act’s anti-retaliatory provision in Section 806 affords protections to employees of publicly traded companies who report illegal activities. Section 806 protects employees who report securities violations to the SEC, the Department of Labor, or internally to “a person with supervisory authority over the employee.” Just eight years after the Sarbanes-Oxley Act was passed, Congress enacted the Dodd-Frank Act. Dodd-Frank further strengthens the whistleblower protections in the Sarbanes-Oxley Act.
Criticisms of the Sarbanes-Oxley Act
Critics have described the Sarbanes-Oxley Act as a costly regulatory overreaction to high-profile accounting scandals such as Enron, Tyco, and WorldCom. They argue that overburdensome regulations result in reduced corporate investment and risk-taking activities. According to this line of reasoning, the compliance costs and increased litigation risk cause companies to forfeit valuable investment and growth opportunities. Foreign firms listed on U.S. exchanges have criticized the Sarbanes-Oxley Act as overreaching to regulate foreign accounting and corporate governance.
Meanwhile, proponents of the legislation have touted the Sarbanes-Oxley Act as bringing net long-term benefits. They argue that the Sarbanes-Oxley Act provides incentives for firms to allocate more money to internal controls, which reduces fraudulent behavior and promotes transparency in the long run. Acknowledging that the Sarbanes-Oxley Act is still a work in progress, they note that more reliable financial reporting and accountability lead to greater shareholder value and firm growth.
Some studies show that white collar sentencing increased after the passage of Sarbanes-Oxley. In attempting to address major fraud scandals, the Act has also resulted in severe penalties for minor white collar crimes or minor discrepancies in annual 10-K reports. The Sarbanes-Oxley Act quadrupled the maximum sentences for mail and wire fraud. It also resulted in broad-ranging discretion so that certain actions that had previously been regulated by agencies suddenly became subject to criminal punishment.