What is the Sarbanes-Oxley Act? Definition and summary

The Sarbanes-Oxley Act of 2002 (SOX) is a federal law that established sweeping auditing and financial regulations for public companies.

Lawmakers created the legislation to help protect shareholders, employees and the public from accounting errors and fraudulent financial practices. Auditors, accountants and corporate officers became accountable under the new set of rules. These rules were amendments and additions to several laws enforced by the Securities and Exchange Commission (SEC), including the Securities and Exchange Act of 1934 (Exchange Act) and the Investment Advisers Act of 1940. The SEC enforces the Sarbanes-Oxley Act. These are the main areas SOX focuses on:

  • Increasing criminal punishment.
  • Accounting regulation.
  • New protections.
  • Corporate responsibility.

SOX primarily sought to regulate financial reporting, internal audits and other business practices at publicly traded companies. However, some provisions apply to all enterprises, including private companies and nonprofit organizations.

Additionally, the Sarbanes-Oxley Act established penalties for noncompliance with its provisions. Compliance with the Act is about financial disclosure and corporate governance.

History and why SOX was created

The legislation sought both to improve the reliability of public companies' financial reporting and to restore investor confidence in the wake of high-profile cases of corporate crime. The act was named after its sponsors: U.S. Sen. Paul Sarbanes (D-Md.) and U.S. Rep. Michael Oxley (R-Ohio). Former U.S. President George W. Bush, who signed the act into law on July 30, 2002, called the act "the most far-reaching reforms of American business practices since the time of Franklin Delano Roosevelt."

Federal lawmakers enacted the Sarbanes-Oxley Act largely due to corporate scandals at the start of the 21st century.

  • The energy firm Enron Corporation was considered one of the largest, most successful and innovative companies in the United States. Around 2000, Enron unraveled in less than two years as both the company's fraudulent practices and its executives' criminal activities came to light.
  • The telecommunications giant WorldCom became embroiled in scandal as its own fraudulent accounting practices made the news. After filing for bankruptcy in 2002, the company was hit with a $750 million SEC fine. Its chief executive officer (CEO) was sentenced to 25 years in prison and the chief financial officer (CFO) received a five-year jail sentence as a result of criminal charges in the case.
  • The security systems company Tyco International's financial scandal also preceded the Act. The company's former CEO and CFO were convicted of stealing hundreds of millions of dollars from the company, falsifying business records and violating other business laws.

These corporate scandals eroded public trust in the financial markets, cost investors billions of dollars, and prompted lawmakers to take action to restore transparency and accountability.

Key provisions and requirements

The Sarbanes-Oxley Act is arranged into 11 sections, or titles. Two sections of particular note are Section 302 and Section 404.

Section 302: Corporate responsibility for financial reports

Section 302 pertains to corporate responsibility for financial reports. It established, in part, that CEOs and CFOs must review all financial reports and certify that the reports are "fairly presented" and don't contain misrepresentations. This section also established that CEOs and CFOs are responsible for internal accounting controls. The Act requires year-end financial disclosure reports and that all financial reports come with an internal controls report. Financial disclosures must report material changes in financial condition.

Section 404: Management assessment of internal controls

Section 404 deals with management assessment of internal controls. It requires companies to publish details about their internal accounting controls and their procedures for financial reporting as part of their annual financial reports. Section 404 requires corporate executives to personally certify the accuracy of their company's financial statements and makes them individually liable if the SEC finds violations.

[Infographic: SOX data retention best practices.] To help avoid SOX noncompliance, businesses can implement SOX data retention best practices.

The whistleblower protection provision states that employees and contractors who report fraud and/or testify about fraud to the Department of Labor are protected against retaliation, including dismissal and discrimination.

Additional SOX provisions

Other key provisions and requirements under the Act include the following:

  • Whistleblower protections. Employees and contractors who report fraud to the Department of Labor are protected from retaliation.
  • Off-balance sheet transactions. Companies must disclose any off-the-books financial dealings that could impact financial stability.
  • Prohibition of executive loans. Personal loans from a corporation to executives are largely prohibited.
  • Document retention rules. Tampering with or destroying records during an SEC investigation can result in fines and imprisonment.

Legal obligations for corporate attorneys

Attorneys representing public companies before the SEC must report securities violations to the CEO.

Auditing under the Sarbanes-Oxley Act

The Sarbanes-Oxley Act also created new requirements for corporate auditing practices.

Among its many requirements, the Act requires public corporations to hire independent auditors to review their accounting practices and defines the rules of engagement for corporate audit committees and external auditors.

It also created rules for segregation of duties by detailing a number of non-audit services that a company's auditor cannot perform during audits. These rules are designed to further guard against fraudulent financial practices and conflicts of interest.

Furthermore, the Act led to the creation of the Public Company Accounting Oversight Board (PCAOB), which sets standards and rules for audit reports. Under the Act, all accounting firms that audit public companies are required to register with the PCAOB. The PCAOB investigates and enforces compliance at the registered accounting firms.

Criticism of the Sarbanes-Oxley Act

The Act had critics from the start, including many executives who felt they were unfairly burdened by new regulations due to the dishonest and negligent acts of a few others. In 2008, Newt Gingrich blamed the financial crisis on the Act, citing it as the reason for a low number of initial public offerings, and asked Congress to repeal the Act.

Critics also charged that the Act was a politically motivated reaction to a few, albeit high-profile, corporate financial scandals and that the law would hinder competition and business growth.

Corporate leaders also voiced concerns that meeting the regulations laid out in the Sarbanes-Oxley Act would take too much executive time and that compliance costs would be exorbitant. Many complained about Section 404 and said it was overly burdensome.

Benefits of the Sarbanes-Oxley Act

Despite criticism, SOX has also been credited with strengthening corporate governance and restoring investor confidence.

  • Enhanced financial integrity. The law has improved financial controls and reduced the likelihood of fraud.
  • Standardized financial reporting. Companies now follow clear, standardized procedures for disclosing financial information.
  • Stronger investor confidence. Studies show that SOX has helped investors feel more secure about corporate financial practices.
  • Greater transparency and accountability. Companies are now more accountable to shareholders and regulators.

Some business leaders who initially opposed SOX have since acknowledged its positive impact on corporate accountability.

Updates since its inception

Despite early and ongoing criticism, the Sarbanes-Oxley Act remains in place, essentially unchanged from when it was first enacted in 2002. Studies show that the law improves financial reporting.

However, many business leaders continue to believe that the resources required to meet the law's mandates are burdensome, noting that research has found that smaller companies are disproportionately burdened by the Act.

Although proponents and critics continue to assess the overall impact of the law, it is seen as the most significant piece of securities legislation since the Exchange Act.

There are several IT security frameworks and cybersecurity standards available to help protect company data. Here is some advice for selecting the right security frameworks and cybersecurity standards for your organization. Also, know the system controls at your disposal to help with identity and access management compliance.

This was last updated in May 2025