Sarbanes-Oxley Turns 10

The Sarbanes-Oxley Act, enacted on July 30, 2002, was the regulatory response to a corporate crime wave, as executives from Enron, WorldCom, and many others were making daily perp walks on the nightly news. On the occasion of its ten-year anniversary, many are asking if the law, which ushered in a new era of compliance, has worked and if it was worth the steep cost?

The legislation's overwhelming, bipartisan support—it was passed by a 403-3 vote in the House and a 99-0 vote in the Senate—was, to great degree, a response from Congress to do something, anything, to ease investor concerns amid rampant accounting manipulations and corrupt business leaders who created a conspiracy of colleagues to ensure personal gain.

SOX was the biggest corporate reform since the Securities Act of 1933. It saddled public companies with a slew of new requirements that included: new standards for auditor independence, certification requirements for top executives, disclosure demands to shed light on off-balance sheet financing, stringent internal control requirements, the creation of the Public Company Accounting Oversight Board, and new penalties for white-collar crime.

Former Securities and Exchange Commission Chairman Christopher Cox, currently president of Bingham Consulting and a partner at the law firm Bingham McCutchen, says SOX helped restore trust in U.S. markets. “It has changed the business world in mostly very positive ways, including strengthening audit committees and causing boards of directors of public companies to be more deeply engaged. Directors of public companies are paying closer attention and doing a much better job.  The PCAOB has done a creditable job of replacing what had been merely the self-policing of auditing firms.”

Peter Henning, a law professor at Wayne State University Law School, agrees that SOX has generally been a success, even if it's not a silver-bullet solution to accounting fraud. “On the whole, it has been successful in what it tried to accomplish,” he says. “You are always going to have accounting fraud. Someone's going to do something. But it changed the view of corporate America toward accounting and internal controls. There is a far greater commitment of resources to compliance than we ever had.”

Henning says SOX “spread beyond public companies,” and many private companies and non-profits now view its internal control and reporting requirements as an industry standard.

Many fail to fully appreciate “the totality of what is actually in the law” and how it changed the business world globally, not just in the United States, says Les Brorsen, director of Ernst & Young's Office of Public Policy. Aligning the interests of audit committees, auditors, and oversight authorities with shareholders is the net effect that is most significant, he says.

“We in the profession, obviously, had a major change in terms of the move from self regulation to independent regulation,” Brorsen says. “Audit standards, the quality inspection process, and the disciplinary process that were housed within the profession itself for 100 years were shifted to independent oversight in the form of the PCAOB. That has been, and continues to be, replicated throughout the world and in various forms.”

There is plenty of empirical evidence that SOX has had a positive effect on the reliability of financial reporting. A report released by Ernst & Young last week found that audit quality has been improved by “stronger alignment of independent auditors, independent audit committees, independent audit oversight authorities, and public company shareholders,” it says. A 2008 survey by the Center for Audit Quality found that 90 percent of the audit committee members surveyed said they now “work more closely with the independent auditor.”

More audit committees now have financial experts, too. In 2003, only a small number of audit committee members were financial experts. Today, almost one-half of all audit committee members are identified through proxy statement disclosure as meeting the definition of a financial expert, Ernst & Young says.

Companies that comply with all of the internal control provisions in SOX are also less likely to issue financial restatements. A November 2009 study published by Audit Analytics found the rate of financial restatements was 46 percent higher for companies that did not comply with all of the SOX internal control provisions.

“[Sarbanes-Oxley] has changed the business world in mostly very positive ways, including strengthening audit committees and causing boards of directors of public companies to be more deeply engaged.”

—Christopher Cox,

Former Chairman,

SEC

While portions of the legislation—such as Section 404—have been criticized as costly and burdensome, concerns have been largely addressed through regulatory and legislative actions and the outcry is no longer as loud as it once was. Many companies have simply digested the changes and have moved on.

In its most recent annual audit fee survey, the Financial Executives Research Foundation asked members whether their company experienced a change in its internal costs of compliance with SOX 404 within the past three years; 29 percent said they faced an increase (new IT systems were a common culprit), while 48 percent actually experienced a decrease.

And plenty of companies say the pain was worth it. Fifty-one percent of those surveyed said better internal controls were worth the expense.

Cox says ongoing efforts have helped ease the burdens placed on companies by SOX regulations. “Of all the Sarbanes-Oxley provisions, Section 404 brought forth the keenest wailing,” he says. “When I arrived at the Commission, the vast majority of U.S. companies were complying, but the expenses of compliance were far higher than the SEC had predicted … Experience had shown it was too complex and unmanageable for companies of all sizes.”

A new standard, AS 5, reduced the Section 404 compliance burden for small businesses and also made the entire 404 process more effective, Cox says, adding that “today it is a top-down, risk-based, materiality-focused, and scalable process that generally works well for companies of all sizes.”

The Birth of GRC

Shellye Archambeau, CEO of MetricStream, a leading GRC software provider, says Sarbanes-Oxley essentially created a whole new industry. “There had always been risk officers in financial services and compliance officers in the life sciences arena, but they started to spread to other industries,” she says.

Companies may never fully view compliance as a profit center, but Archambeau does see SOX regulations creating value. “There were a lot of companies that always had strong controls and always had tight oversight and transparency, and it cost them money to do that,” she says. “But that was the best way to run their business. One of the things SOX did was level that overall playing field in terms of spending. Along the way companies saw that there really was some value. Implementing SOX was not just for the regulation's purposes, but to drive better business operations and business controls.”

Don't count John Berlau, senior fellow for finance and access to capital for the Competitive Enterprise Institute, among those celebrating the Sarbanes-Oxley anniversary. Despite being billed as necessary to “prevent the next Enron,” the financial crash of 2007-2008 revealed that it did “nothing to prevent” future failings of corporate governance and reckless actions, he says. “It didn't tame the bad actors,” he says. “The big Wall Street powerhouses just got stronger.”

SOX: TEN YEARS ON

The chart below from MetricStream illustrated what's happened since Sarbanes-Oxley's implementation:

Source: MetricStream.

What it did do, he says, is slam the brakes on what had been a robust market for companies, small and large, to conduct initial public offerings. The former was particularly hampered by regulations, and the lack of IPOs by small-cap companies with great growth potential hurt returns for ordinary investors.

“You can argue that the ability of smaller companies to do IPOs when credit was tight led to a faster recovery [in the 1990s],” he says. “That's one of the important things missing from this recovery … Maybe if smaller companies could have grown and were not hobbled by [regulations], there would have been more investment there and less in real estate.”

Berlau claims SOX regulations led companies to “focus on the wrong kinds of risks.” “Do you do these sort of ‘check the box' sort of governance risks like 404 has, how many letters are in an employee password or things like that, or do you actually look at the quality of who you are lending to and what for?” he asks.

Rollback?

Numerous conservative political figures–among them Ron Paul, John Huntsman, Michelle Bachman, and GOP presidential nominee Mitt Romney–have advocated the repeal of some, or all, of Sarbanes-Oxley.

Berlau doesn't see this approach as feasible. More likely, he said, is the continued reshaping of Sarbanes-Oxley by amendments and new legislation.

The JOBS Act of 2012, for example, has been criticized by consumer advocates for provisions that directly bypass regulations established in Sarbanes-Oxley.

The legislation, enacted in April, exempts “Emerging Growth Companies,” broadly defined as having less than $1 billion in annual revenue, from complying with Section 404(b) of the Sarbanes-Oxley Act. In addition to confidential, pre-IPO submissions to the SEC, it also exempts them from complying with new auditing standards unless the SEC determines that the application of such standard is “necessary or appropriate in the public interest.”

"Ten years after Sarbanes-Oxley was rushed through Congress, even the Obama administration and the majority of congressional Democrats are concerned about its overreach,” Berlau says, calling the JOBS Act, “a small but significant step in curbing that overreach.”

Archambeau sees a lasting legacy of SOX in the “proactive steps” taken by businesses. “Companies coming together to do what's required and what's right before they actually need regulations put in place,” she says. “They realize if they don't step up and self-govern, the government will put regulations in place.”

“What might be the most interesting thing is if 10 years from now, the name, Sarbanes-Oxley, might drop off or become a footnote,” suggests Henning. “It was an important moniker 10 years ago, even five years ago, but it's not any more. The name may not really matter because it has just become engrained, part of the DNA of the financial system."