Sarbanes-Oxley Act
The Sarbanes-Oxley Act (SOX), enacted in 2002, was Congress’s response to corporate frauds at Enron, WorldCom, and others. It tightened public company disclosure, required executives to certify financial statements under penalty of perjury, mandated audit committee independence and auditor rotation, and created the Public Company Accounting Oversight Board (PCAOB) to oversee auditors. SOX was the most significant securities law change since the Securities Exchange Act of 1934.
Sarbanes-Oxley applies to US-listed public companies. The Dodd-Frank Act (2010) extended and deepened certain SOX requirements.
Executive certification: Sections 302 and 906
SOX’s most visible requirement is that the CEO and CFO must certify, under penalty of perjury, that the company’s financial statements are accurate and complete. This is Section 302. Section 906 imposes criminal penalties for false certification — imprisonment of up to 20 years for fraud. The intent was to make executives personally accountable, using the threat of prison to deter fraud.
The effect has been significant. CFOs now spend enormous effort verifying numbers; signing off on financials is no longer a rubber-stamp exercise. However, critics note that executives can claim they relied on faulty information from subordinates, and some major frauds (Theranos, WeWork) occurred despite certification by executives who may not have understood the underlying facts.
Section 404: Internal control testing
Section 404 requires that every public company establish a framework of internal controls (systems and processes meant to ensure accurate financial reporting) and test whether those controls are effective. The company’s auditor must also audit the internal control environment and issue its own report.
Section 404 compliance is expensive — large companies spend millions annually on internal control testing, documentation, and auditor fees. Small and mid-sized companies often cite SOX costs as a burden that discourages IPOs. In response, the SEC has created scaled versions of SOX requirements for smaller public companies, reducing the burden.
Auditor independence: Section 208
Before SOX, an audit firm could sell consulting services to the same client it audited. If the client threatened to fire the auditor and hire someone else, the auditor faced a conflict — the consulting revenue might be at stake. SOX banned most consulting by auditors, separating audit from consulting services. SOX also required auditor rotation every five years (the lead auditor must change, though the firm can continue).
Section 208 also created the Public Company Accounting Oversight Board (PCAOB), a nonprofit that registers auditors and sets auditing standards. The PCAOB can inspect auditors and discipline those that violate standards. Prior to SOX, the accounting profession was largely self-regulated; now it is federally overseen (though the PCAOB is private, not a government agency).
Audit committee independence: Section 301
The audit committee — the board committee responsible for overseeing auditors — must be fully independent (no management members). The committee must hire and fire the auditor, set its fees, approve the audit plan, and discuss findings. The chair of the audit committee must be a “financial expert.”
This requirement has transformed audit committees from rubber stamps into active overseers. However, audit committees meet part-time and rely heavily on the company’s management and the external auditor for information. They have limited power to uncover fraud themselves; their value lies more in acting as a check on management.
Financial expert disclosure
SOX requires that companies disclose whether the audit committee includes a “financial expert” and, if not, explain why. A financial expert is someone with education and experience in accounting, auditing, financial reporting, or internal controls. This has led to the rise of board seats for CFOs, chief accountants, and financial consultants.
Increased SEC disclosure
SOX expanded disclosure requirements beyond what was already required by the Securities Exchange Act of 1934. Companies must now disclose off-balance-sheet transactions, management’s compensation philosophy, the code of ethics (or explain why there is none), and the structure of the audit committee. The intent was to shine light into dark corners where fraud often hides.
The cost-benefit debate
SOX is hotly debated. Proponents argue it has deterred fraud and restored investor confidence post-Enron. They point to the fact that major accounting frauds have become rarer (though Theranos in 2018 shows they have not disappeared). Critics argue the costs far outweigh the benefits — that small and mid-sized companies have been discouraged from going public, that the compliance burden is excessive, and that large sophisticated frauds can evade even rigorous controls.
See also
Closely related
- Securities Exchange Act of 1934 — expanded by SOX
- Dodd-Frank Act — further tightened disclosure post-2008
- Public Company Accounting Oversight Board — created by SOX
- Securities and Exchange Commission — administers SOX
- Fraud — what SOX targets
Wider context
- Public company — covered by SOX
- Auditor — subject to PCAOB oversight
- Financial reporting — enhanced by SOX
- Enron scandal — catalyst for SOX