Twenty years ago, in the aftermath of the Enron and WorldCom financial reporting scandals, Congress acted and created the Sarbanes-Oxley Act of 2002 (SOX). The legislation led to significant changes in how companies designed and monitored internal controls and how their auditors evaluated them.

Leaders of regulatory agencies commemorated the anniversary of SOX (July 30) and reminded companies and auditors of the continued importance of investors having trust in financial statements and public markets.

Gary Gensler, chair of the Securities and Exchange Commission (SEC), said in a speech during a Center for Audit Quality webcast, “A central goal of Sarbanes-Oxley was, once again, to restore trust in our financial system. In the two decades since, what have we learned? What has worked? What is still a work in progress?”

For companies, Gensler provided a reminder of SOX’s requirements for chief executive officers and chief financial officers to sign off on their financial statements every quarter and be accountable for the control environment underlying disclosures in financial statements. He noted those executives could have to reimburse compensation under the law if financial statements were required to be restated as a result of their misconduct. In addition, he mentioned SOX’s corporate governance requirements for boards and audit committees.

On the auditing front, Gensler noted the importance of auditing standards, enforcement, and auditor independence. SOX established the Public Company Accounting Oversight Board (PCAOB). Gensler encouraged the PCAOB to move more quickly to update auditing standards and to “reinvigorate its enforcement program.”

He stated the quality of company audits has improved since SOX took effect but also provided this advice: “In the last 20 years, we’ve learned a lot from this law. … Let’s not forget the core lessons, though. It’s important to have robust and independent organizations setting standards, inspecting firms, and enforcing the rules. It’s important to ensure auditor independence and to guard against inherent conflicts that might arise when auditing and other services are mixed. It’s important that corporations and their senior executives are held accountable for their financial statements.”

Erica Williams, chair of the PCAOB, also delivered a speech discussing her organization’s role in investor protection as a result of SOX.

“For the first time, investors would have an independent audit watchdog putting their interests first,” said Williams at a virtual event hosted by the Council of Institutional Investors. “The PCAOB would set clear standards to uphold the integrity of public audits, inspect for compliance with those standards, and enforce them to help restore trust in our capital markets.”

Williams went on to say the PCAOB’s mission today is “more important than ever.” The organization “audits the auditors,” and the integrity of capital markets “takes vigilance to guard against fraud that threatens to undermine our system.” She noted the PCAOB intends to enforce its standards and “will not hesitate to hold wrongdoers accountable for breaking the rules.”

“Those who break the rules should know that the PCAOB means business,” she said.

Modernizing SOX programs

There have been many changes in business operations, technology, regulations, and the economy overall since SOX was enacted. Companies’ compliance programs might not have been modified in response, or controls might have been added over time without reconsidering whether the controls put in place in prior years still add value. Maintaining and testing too many controls, instead of concentrating effort on the key controls that actually address significant risks, spreads attention and testing resources thin and can lead to unexpected deficiencies in the effectiveness of internal control over financial reporting (ICFR).

In a recent report, Big Four audit firm Deloitte recommended that now is the time for organizations to refresh, rethink, and modernize their SOX programs.

“A SOX program that has not been challenged in years may be stale, which could be a drain on resources and impede performance, particularly if this compliance program is treated more like a ‘check-the-box’ activity,” the report’s authors said.

Modernizing a SOX program can identify efficiencies and potentially reduce compliance costs while also providing insights to departments outside of accounting and finance.

Below are recommendations on how to modernize SOX programs.

Optimize the operating model: Clearly define who within the organization will support SOX compliance and how that structure works. Although ICFR is primarily the responsibility of accounting and finance, financial reporting depends on inputs, processes, and systems throughout the organization, including the IT general controls (user access, change management, and operations) over the systems that feed the financial statements. Each business area must therefore supply enough people with the skills and authority to monitor its controls, hold control owners accountable when a control is missing or not operating as intended, investigate deficiencies, and recommend changes. The resources required will differ from company to company and might need to change over time as the business environment changes.

Enhance the SOX program: Both SOX requirements and SEC interpretive guidance address management’s responsibility for establishing and maintaining the internal control structure and for evaluating it regularly against specified criteria. The system of ICFR must provide “reasonable assurance” that financial reporting is reliable and that external financial statements are prepared in accordance with generally accepted accounting principles (GAAP). This is a judgment area that calls for assessing the risks of material misstatement in the financial statements, and both the risk assessment and the related controls might need to change over time.

For companies that have been complying with SOX for many years, now might be a good time to revisit the risk assessment process to make sure they are identifying the appropriate risks and reassess the current levels of risks (low or significant). The related controls to manage the risks should be reevaluated to consider whether existing controls address them or new or revised controls are required. Without this assessment, companies can find themselves with controls in place that are not aligned with significant risk areas.

They also might be testing and evaluating controls that no longer correspond to the business’s current risks, while new or changed risks, including the potential for fraud, go unaddressed. Risk assessment is a fundamental part of SOX and needs to go beyond financial reporting to consider risks and controls in other areas of the business.

Opportunities for technology and automation: There might be ways to increase the automation of controls, especially for companies that still have largely manual control environments. Companies might be able to improve the quality and efficiency of their SOX program and reduce the potential for internal control deficiencies arising from manual processes. While this effort might increase technology costs at implementation, it can potentially reduce overall compliance costs going forward. An automated control is only as reliable as the system that runs it, so automation shifts reliance onto the IT general controls over that system: access to the application and its configuration, change management for the logic that implements the control, and the completeness and accuracy of the data it consumes. Those controls must be in scope and tested alongside the automated control itself.

Areas to consider include automating existing manual controls, putting in place new automated controls, and automating the testing of controls. Companies should evaluate which processes and related controls would be beneficial to automate in order to free up resources, reduce costs, increase efficiencies, and reduce human error. Governance, risk, and compliance (GRC) tools are available for managing the overall SOX program and can be used for documentation, assignment of responsibilities, testing, certifications, and reporting.