Sarbanes-Oxley Turns 20: A Look-Back to See Ahead
The Public Company Accounting Reform and Investor Protection Act of 2002,1 commonly known as the “Sarbanes-Oxley Act,” or “SOX” for short, has been in effect for twenty years. As we mark the Act’s platinum anniversary, it is worth remembering what led to its enactment and reflecting on where the Act stands today.
Investor confidence was at an all-time low when Congress passed the Sarbanes-Oxley Act in 2002. The financial and corporate scandals of the early 2000s revealed a series of corporate governance and accounting failures, resulting in the implosion of some of the largest U.S. corporations, including Enron and Arthur Andersen. Such failures included extreme related-party transactions, creative financial reporting, excessive executive compensation, and poor corporate culture. In response, Congress passed SOX to restore investor confidence in the markets, to require more independent and financially competent boards of directors, and to provide heightened control over the governance of publicly traded companies. Not only did SOX expand regulatory oversight2 and enhance corporate governance for public companies, but the Act has also evolved into a standard of “best practices” for privately held companies.
Today, SOX considerations continue to shape the American business environment. The transparency concerns that plagued public company investors in the early 2000s are now resurfacing for investors through the rise of “unicorn” companies. Additionally, SOX considerations are present as stakeholders demand more attention be paid to ESG (environmental, social, and corporate governance) factors and to data privacy. While applying SOX standards may look different today, the core impact SOX has had on the business world remains relevant twenty years later.
Recap: SOX Standards
SOX addressed three primary issues revealed by the corporate financial scandals of the early 2000s: corporate governance and accountability, fraud, and accounting practices and transparency. The following discusses the primary regulations that SOX promulgated in each category.
Corporate Governance and Accountability
SOX placed heightened controls and requirements on high-ranking corporate individuals to ameliorate corporate governance and accountability shortcomings. Because many of the corporate scandals involved financial fraud, SOX requires the Board of Directors of public companies to have a standing audit committee, comprised of independent directors, who include a financial expert.3 This independent committee, among other things, is responsible for the appointment, compensation, and oversight of the work of any accounting firm employed to audit the company.4
Additionally, SOX limits the mechanisms by which executives may take advantage of corporate funds. Under SOX, it is unlawful for a public company to extend a personal loan to any of its directors or executive officers, a not infrequent practice prior to SOX.5 SOX also requires the chief executive officer and the chief financial officer to reimburse the company for any incentive-based compensation in the event of misconduct.6 The CEO and CFO must also repay any incentive-based compensation if any filed financial document must be restated due to noncompliance with securities laws.7
Finally, SOX places additional oversight requirements on executives. Primarily, the CEO and the CFO must make two certifications as to the accuracy, completeness, and fairness of the company’s annual reports and financial statements.8 The first is a statement that accompanies any report filed with the SEC and certifies that the report fully complies with the SEC rules and fairly presents the financial condition and operations of the company.9 The second states that the officers have reviewed the report, that the report does not contain untrue statements, that internal controls have been evaluated, and that any significant changes have been discussed.10 An officer’s misreporting of this information can result in that person’s forfeiture of bonuses and other compensation.11
SOX also requires management to include an internal control report12 and requires the CFO to disclose whether the company has a code of ethics, and if not, to provide the reasons for its absence.13
Fraud
SOX sets standards to better detect and prevent fraud. Primarily, SOX implements whistleblower protections that prevent companies from discriminating against employees who lawfully assist in investigations related to securities law or fraud violations.14 Additionally, the Act imposes harsher penalties on those who perpetrate fraud. Under SOX, no officer, director, or agent of the company may improperly influence the auditors in connection with an audit of the financial statements.15 SOX also lengthened the statute of limitations16 for securities fraud and increased criminal penalties for fraud and for ERISA and securities law violations.17
Accounting Practices and Financial Transparency
Finally, to increase financial transparency and improve accounting practices, SOX created the Public Company Accounting Oversight Board (“PCAOB”) to oversee the auditing of public companies and related matters.18 Primarily, accounting firms are required to be independent from the companies they are auditing. Additionally, the firm performing an audit may not perform non-audit services for that company.19 Finally, the fiduciary duty of care was extended to the hiring and retention of accountants, and a company is liable if it knew or should have known an accountant it is associated with was barred by the PCAOB or the SEC.20
Whistleblowers and Up-the-Ladder Reporting
Straddling all three of SOX’s primary points of focus, SOX created new whistleblower protections and “up-the-ladder” reporting requirements for the company’s attorneys.21
These whistleblower protections include the required adoption of internal complaint policies and procedures,22 as well as specific protection for whistleblowers and informants who report federal law violations.23 Employee handbooks and orientation materials are now drafted to describe the process and circumstances for reporting to the audit committee or the Board of Directors in compliance with SOX’s requirements.
SOX requires the establishment of minimum standards of professional conduct for attorneys representing public companies before the SEC. In particular, the rules require that (1) attorneys report evidence of a material violation of securities law, breach of fiduciary duty or “similar violation” by the company or any agent of the company to the chief legal counsel or the chief executive officer of the company (or their equivalent), and (2) if the chief legal counsel or the chief executive officer does not “appropriately respond” to the evidence (adopting, as necessary, appropriate remedial measures or sanctions with respect to the violation) the attorney must report the evidence to the audit committee, another Board committee comprised solely of independent directors, or to the full Board of Directors.24
SOX also prescribes the circumstances in which auditors and other accountants are required to report directly to the audit committee or the Board of Directors rather than to management, reporting to management having been a not infrequent practice prior to SOX.
SOX as a Standard of “Best Practices” for Private Companies
While SOX directly applies only to publicly traded companies, the Act has also come to be seen over the last twenty years as a standard for private company “best practices.” To this point, court cases support the proposition that SOX standards may impact corporate fiduciary duties more generally. In Pereira v. Cogan, the district court held directors of a private company liable for breaches of their fiduciary duties based on the board of directors’ failure to establish an audit committee, reporting and monitoring systems, codes of conduct, compliance policies, and a compensation committee comprised of independent directors.25 Although the case was later vacated on procedural grounds,26 it stands for the idea that SOX standards may provide a benchmark for a director’s fiduciary duties to the company in general. As a result, it behooves private companies and their advisors to consider SOX standards in benchmarking corporate fiduciary duties and establishing corporate best practices.27
SOX Today, Twenty Years Later
The last twenty years have revealed the long-lasting impacts of SOX. While SOX had a direct effect on the control environment, documentation, and processes of public corporations,28 the Act has indirectly affected the number of large private companies (which delay going “public”), data privacy and protection regimes, and ESG compliance.
Increase in Large Private Companies
SOX has increased transparency and investor confidence in the public company market. However, the attendant cost of compliance has motivated many companies to defer or reject “going public.”29 The result is that there are more “unicorn” companies than ever before. Unicorn companies are those with a valuation over $1 billion.30 As private companies, these “unicorns” are not subject to the same reporting, corporate governance, or accounting/audit requirements as their public company counterparts.31 A high cost of compliance disincentivizes companies from going public and, in turn, may diminish SOX’s ability to promote transparency and investor confidence in the marketplace.
Data Privacy and Protection
SOX standards are also applicable to data privacy and protection in the United States. Just as corporate financial scandals plagued the early 2000s, data breaches have taken the pole position in the late 2010s and early 2020s. While the European Union published the General Data Protection Regulation (“GDPR”) in 2016, which enacted standardized data privacy and protection laws across the European Union, the United States has yet to implement an overarching data privacy and protection law. Instead, data privacy laws are tailored to specific segments of data, such as health information (HIPAA) and consumer information (FTC). While SOX applies only to financial information, the mechanisms and controls put in place by SOX may be instructive to companies seeking to strengthen their data privacy controls. SOX’s internal control requirements have caused corporate management to create policies and protocols to protect the integrity and storage of their company’s financial information. Because these systems are already in place, corporations may now extend these and similar processes and procedures to protect their non-financial and customer data as well.
ESG Compliance
Recently, SOX compliance has been compared to ESG compliance. Corporate investors are increasingly interested in companies that prioritize ESG (environmental, social, and governance) factors.32 This year the SEC proposed rules requiring registrants to disclose climate-related risks that are reasonably likely to have a material impact on their business and financial condition.33 In light of these proposed rules and the growing uncertainty surrounding other ESG regulations, professionals are looking to SOX compliance procedures for guidance.34 As more regulations around ESG reporting emerge, it is important to have internal controls in place to report that data accurately and completely.35
SOX required companies to implement internal controls for financial purposes. The primary difference between SOX financial internal control reporting and ESG reporting is expertise. With SOX, those implementing and verifying the controls were in the financial space, already familiar with the operations.36 With ESG, these factors concern the entire firm, and those implementing and verifying those controls are less likely to be experts in the ESG field.37 Although a company may not have experts in environmental or social factors, companies can use what they have learned by implementing SOX reporting standards to prepare their systems for the impending ESG wave and its regulations and activism.
The last twenty years have revealed the impact of SOX on the corporate business environment. Lasting change in corporate governance and accountability, fraud prevention, and financial transparency have occurred. Many of these changes have translated from the public to the private sector, and in some instances have stunted the growth of the emerging public company marketplace. Now, the policies, processes, and procedures embodied in and implemented to comply with SOX are being viewed and applied anew in addressing the emerging exigencies of the business community, including ESG activism and data privacy threats.
This alert was authored by William E. Quick, a shareholder with Polsinelli PC and an Adjunct Professor of Law at The University of Kansas School of Law, and by Toni Ruo, a summer clerk with Polsinelli PC and a law student at The University of Kansas School of Law.
1 Sarbanes-Oxley Act of 2002, Pub. L. 107-204, 116 Stat. 745 (2002).
3 Sarbanes-Oxley Act of 2002 §§ 301, 407; Disclosure Required by Sections 406 and 407 of the Sarbanes-Oxley Act of 2002, SEC Release No. 33-8177 (Mar. 3, 2003); Strengthening the Commission’s Requirements Regarding Auditor Independence, SEC Release No. 33-8138 (May 6, 2003).
4 Sarbanes-Oxley Act § 301. The Act also describes standards relating to the composition, powers, duties, authority, function, procedures and control of the audit committee. Id.; see also Standards Relating to Listed Company Audit Committees, SEC Release Nos. 33-8220, 34-47137 (Apr. 25, 2003).
5 Sarbanes-Oxley Act § 402(a).
6 Id. § 302.
8 Id.; Management’s Report on Internal Controls Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, SEC Release No. 33-8238 (Aug. 14, 2003); Certification of Disclosure in Companies’ Quarterly and Annual Reports, SEC Release No. 33-8124 (Aug. 29, 2002); Certification of Disclosure in Certain Exchange Act Reports, SEC Release No. 33-8212 (May 15, 2003).
9 Sarbanes-Oxley Act § 906; Management’s Report on Internal Controls Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, SEC Release No. 33-8238 (Aug. 14, 2003); Certification of Disclosure in Certain Exchange Act Reports, SEC Release No. 33-8212 (May 15, 2003).
10 Sarbanes-Oxley Act § 302.
11 Id. § 304.
12 Id. § 404.
13 Id. § 406; Disclosure Required by Sections 406 and 407 of the Sarbanes-Oxley Act of 2002, SEC Release No. 33-8177 (Mar. 3, 2003); Strengthening the Commission’s Requirements Regarding Auditor Independence, SEC Release No. 33-8138 (May 6, 2003).
14 Sarbanes-Oxley Act § 806.
15 Id. § 303; Improper Influence on Conduct of Audits, SEC Release No. 34-47890 (June 26, 2003).
16 Sarbanes-Oxley Act § 804.
17 Id. §§ 901–06.
18 Id. § 101.
19 Id. §§ 201–02.
20 Id. § 105.
21 Id. § 307; Implementation of Standards of Professional Conduct for Attorneys, SEC Release No. 33-8185 (Aug. 5, 2003).
22 Sarbanes-Oxley Act §§ 806, 1107.
23 Id. See also 29 C.F.R. 1980 (discussing the “whistleblower” protections as they pertain to OSHA).
24 Sarbanes-Oxley Act § 307; Implementation of Standards of Professional Conduct for Attorneys, SEC Release No. 33-8185 (Aug. 5, 2003).
25 Pereira v. Cogan, 294 B.R. 449, 520–24 (S.D.N.Y. 2003).
26 Pereira v. Farce, 413 F.3d 330 (2d Cir. 2005).
27 Amy L. Goodman & Steven M. Haas, Corporate Governance: Law and Practice § 1.03 (2021). See also Fletcher’s Cyclopedia of Corporations § 844.10 (perm. ed., rev. vol. 2002). The proposition has also been made that corporate fiduciary obligations are universal and not dependent on the size of the corporation. Fletcher’s Cyclopedia of Corporations § 844.20 (perm. ed., rev. vol. 2002) (“The fiduciary obligations of a close corporation’s directors or majority shareholders is not relaxed any more than in other corporations.”).
28 Stephen Wagner & Lee Dittmar, The Unexpected Benefits of Sarbanes-Oxley, Harvard Business Review (Apr. 2006).
29 Simon Constable, How the Enron Scandal Changed American Business Forever, Time, Dec. 2, 2021; Jared Dillan, The SEC’s Concern About Unicorns Misses the Point, The Washington Post, Jan. 14, 2022.
30 Allison Herren Lee, Comm’r, Sec. & Exch. Comm’n, Going Dark: The Growth of Private Markets and the Impact on Investors and the Economy (Oct. 12, 2021) (transcript available on the SEC website).
32 ESG Investing & Analysis, CFA Institute, https://www.cfainstitute.org/en/research/esg-investing.
33 Press Release, SEC, SEC Proposes Rules to Enhance and Standardize Climate-Related Disclosures for Investors (Mar. 21, 2022), https://www.sec.gov/news/press-release/2022-46.
34 Steve Estes, The “SOXification of ESG Reporting,” KPMG, https://advisory.kpmg.us/articles/2021/soxification-esg-reporting.html.