A Brief History of Sarbanes-Oxley Act
The Sarbanes-Oxley Act of 2002 (SOX) has been painted as lousy legislation, a corporate burden, and a complete waste of time, but is this representation accurate? Since SOX has been around for nearly two decades, it is an excellent time to remember why this act exists and what benefits it has brought to corporate culture over those years.
If you were not an auditor in the early 2000s, you might not realize how disruptive the public collapse of companies like Enron, Worldcom, and Tyco was to the US economy. An article from Stanford University described the US stock market leading up to SOX as the “third year of free fall—a $4 trillion loss—the depths of which had not been seen since the years of the Great Depression.” The US government passed the act, drafted by Senators Sarbanes and Oxley, to force corporations to improve their corporate governance, improve control over financial reporting, and reduce the risk of fraudulent financial reporting.
The Impact of SOX
In the years since US corporations implemented SOX, “the positive impact of SOX has extended beyond its initial goals,” according to an article in Accounting Today. Perhaps the most significant impact was on changing corporate awareness of controls. Up to that time, internal auditors were among the only corporate teams talking about risk and control. With the SOX requirement to document, test, and certify controls over financial reporting, suddenly, the corporate finance functions were obligated to take a significant part in the conversation.
The Sarbanes-Oxley Act pushed corporations into a new governance era that recognized the importance of a robust control environment. The problem many of us face now is apathy. The SOX controls in some companies remain the same for many years, and the process of testing and certification becomes monotonous for the control owners. In other cases, management passed the bulk of the SOX work onto internal audit who should not own control responsibility.
Benefits of SOX
To invigorate the control owners and increase the continued success of the SOX program, we can take several steps:
- Ensure control ownership lives with control owners close to the actual process. Some groups place ownership with the Controller’s office or with internal audit instead of naming the true control owners.
- Revisit SOX controls and revise activities at least annually to consider environmental and technical changes. Nothing stays the same in a business environment for very long, so the control owners should keep the documentation up to date.
- Review documented controls to ensure those categorized as SOX are related to financial reporting. All too often, the controls initially labeled as SOX are actually just management controls. These are great to document as well, but not for SOX purposes.
- Update SOX control testing with the latest techniques and automated when possible. Not only will this alleviate the burden from control owners, but this will reduce the overall SOX program cost, freeing up funds that can be used more productively.
With a reliable SOX program, we decrease the risk of destructive corporate financial reporting fraud. Updating your SOX program with the suggestions above shows control owners the seriousness of their position and continues the critical work of developing a healthy system of governance.