What Is the Legislative Impact of the Sarbanes-Oxley Act?
Learn how the Sarbanes-Oxley Act established a new era of corporate responsibility by legislating greater executive accountability and financial transparency.
The Sarbanes-Oxley Act of 2002 (SOX) is a U.S. federal law enacted in response to major corporate and accounting scandals from the early 2000s. These events led to the collapse of large corporations and damaged public confidence in securities markets. The Act’s primary objective was to restore this trust by improving the accuracy and reliability of corporate financial disclosures through more stringent standards for corporate governance and accountability.
Title I of the Sarbanes-Oxley Act ended self-regulation for the public accounting profession by establishing the Public Company Accounting Oversight Board (PCAOB). The PCAOB is a private-sector, nonprofit corporation that oversees the audits of public companies to protect investors and ensure accurate audit reports. This shifted regulatory power from industry peer reviews to an independent body.
The PCAOB’s duties are comprehensive. It is responsible for registering public accounting firms that audit publicly traded companies, and no firm can legally perform these audits without PCAOB registration. The board also establishes professional standards for auditing, quality control, ethics, and independence for these firms.
To ensure compliance, the PCAOB conducts regular inspections of registered firms. Firms auditing more than 100 public companies are inspected annually, while others are inspected at least once every three years. Finally, the PCAOB can investigate and discipline firms for violations of SOX or other securities laws. Disciplinary actions range from monetary penalties to the permanent revocation of a firm’s registration, serving as a deterrent against poor auditing.
The Sarbanes-Oxley Act introduced requirements that placed greater responsibility on the senior leadership of public companies. Section 302 mandates that the CEO and CFO personally certify the content of their company’s quarterly and annual financial reports. In signing these statements, they attest that they have reviewed the report, that it does not contain any untrue statements of a material fact, and that the financial statements fairly present the company’s financial condition and results of operations.
They must also affirm their responsibility for establishing and maintaining the company’s disclosure controls and procedures. This includes confirming they have evaluated the effectiveness of these controls within 90 days prior to the report.
SOX also redefined the role of the corporate audit committee as an overseer of financial reporting. The Act mandated that audit committees be composed entirely of independent directors, meaning they cannot be part of the company’s management team or receive other compensation from the company. This independence is intended to ensure objective oversight.
Furthermore, the audit committee was given direct responsibility for the appointment, compensation, and oversight of the external auditor. This makes the auditor accountable to the audit committee rather than to management, strengthening auditor independence. Companies must also disclose if their audit committee includes a “financial expert” as defined by SEC rules.
Section 404 of the Sarbanes-Oxley Act mandates a framework for internal controls over financial reporting (ICFR). ICFR includes the processes designed to ensure the reliability of financial reporting and prevent or detect errors and fraud. This section imposes two distinct requirements.
The first requirement is that company management must establish and maintain an adequate internal control structure. Management must then produce an annual “Internal Control Report” that states their responsibility for this structure and provides an assessment of its effectiveness.
The second requirement mandates that the company’s independent external auditor must also audit and issue a separate opinion on the effectiveness of the company’s ICFR. This external audit provides an independent assessment of whether the company’s controls are designed and operating effectively, though smaller reporting companies are exempt from this part.
The implementation of Section 404 required companies to formally document, test, and monitor their key financial processes. This involves identifying significant accounts, mapping transaction flows, and documenting controls to mitigate risks, making it a permanent feature of their compliance activities.
The Sarbanes-Oxley Act established strict rules to address conflicts of interest and ensure auditor independence. Section 201 prohibits auditors from providing certain non-audit services to their audit clients, as this could result in the auditor reviewing their own work. Forbidden services include:
To prevent overly familiar relationships from developing, SOX mandated the rotation of key audit personnel. The lead audit partner and the reviewing partner must be rotated off the engagement after serving for five consecutive years. This requirement introduces a fresh perspective to the audit and reduces the risk that a long-standing relationship could impair objectivity.
Another provision is the “cooling-off” period required by Section 206. This rule prohibits an accounting firm from auditing a public company if one of its senior executives in a financial reporting role was employed by the audit firm and worked on the company’s audit during the one-year period preceding the current audit.
The Sarbanes-Oxley Act increased both the transparency required in corporate reporting and the severity of penalties for fraud. Section 409 enhanced disclosure requirements by requiring companies to disclose material changes in their financial condition or operations on a rapid and current basis. The Act also specifically targeted the use of off-balance sheet arrangements by requiring their disclosure in financial reports.
On the enforcement side, SOX introduced new criminal charges and substantially increased existing penalties. It created specific crimes for the destruction, alteration, or falsification of records with the intent to impede a federal investigation. It also established severe criminal penalties for any executive who knowingly certifies a financial report that fails to comply with the Act’s requirements, with penalties including fines of millions of dollars and prison sentences of up to 20 years.