Online Exclusive: A decade of SOX

A reaction to Enron- and WorldCom-type accounting scandals, the Sarbanes-Oxley Act (SOX) became law on July 30, 2002. Although the sweeping legislation had unassailable goals—preventing and deterring future accounting fraud, protecting shareholders and increasing confidence in public company financial reporting and, thus, in the U.S. capital markets—it was divisive. It imposed tremendous new duties and costs on public companies and accounting firms, and a decade later, people are still split about whether the money, time and focus lost to SOX are worth the benefits it’s yielded.

Steve Barth, co-chair of Foley & Lardner’s national transactional and securities practice, calls the legislation “an abject failure. If the goal and object of Sarbanes-Oxley was to create more confidence in our capital markets, let’s face it: It can’t prevent fraud and abuse from occurring. Has the stock market become more trustworthy over the past 10 years?”

That debate won’t see a conclusion anytime soon. The ways that SOX changed public companies, however, are undeniable. SOX led to greater internal control of financial reporting, and increased expertise and independence among more-focused boards, committees and directors. It imposed new reporting, audit, disclosure and ethics requirements, and created internal reporting and whistleblower structures upon which the Dodd-Frank Wall Street Reform and Consumer Protection Act has built.

The net effect of SOX goes beyond its components. The legislation was not revolutionary in terms of the substantive changes it made, says Randy Eaddy, a partner at Kilpatrick Townsend & Stockton. The existing laws that comprised the fundamental principles, duties and standards for corporate governance were largely unchanged, he says, but people were asleep at the switch with respect to them.

“Sarbanes-Oxley made it clear that you can’t be asleep anymore,” Eaddy says. “It was revolutionary in terms of the attitudinal and cultural change that the primarily procedural rules it introduced caused to occur within the community of public companies and the lawyers that work for them. That change is the principal legacy of Sarbanes-Oxley.”

#1: It reformed and re-empowered the corporate board of directors.

The most prominent change SOX engendered was a shift from a perspective that the board serves management to a perspective that management is working for the board. “That’s what our corporate structure in the U.S. intended, but you were seeing it exercised less in the day-to-day and more in the formalities of documentation,” says Ralph DeMartino, chair of the global securities group at Cozen O’Connor. “That’s been a radical shift.”

SOX also recognized that director independence is necessary for the board to serve effectively as a check on management. It allows for director liability if the board fails to exercise the appropriate oversight.

Steve Blonder, a principal at Much Shelist, says that in the wake of SOX, companies are stronger and subject to additional oversight from more proactive board members with greater technical expertise. In general, he says, the increased demands and need for independence has led to greater diversity among the people who serve on boards.

Today, the audit committee of the board has greater powers and many more responsibilities, such as working with external auditors of internal controls. “They’re kind of king of the hill of any board committee,” says William Currier, a partner at White & Case and a former (SEC) assistant director who was at the agency during the SOX rulemaking and implementation. “Now under certain circumstances, if management or [the audit committee of the board] doesn’t respond to reports [of misconduct] from independent auditors, the independent auditors have the obligation to inform the SEC that there has been a dispute and to resign. That’s a huge amount of leverage and responsibility directly derived from SOX.”

In general, boards are more focused on their responsibilities, says Linda Chatman Thomsen, who was director of the SEC’s Division of Enforcement from 2005 to 2009 and led the Enron investigation. Thomsen now is a partner at Davis Polk & Wardwell.

“It may be luck or effective enforcement and laws, but since, I haven’t seen an Enron or a WorldCom blowup to the magnitude that we saw those kinds of public company issues [before SOX],” she says.

#2: It encouraged the adoption of corporate codes of ethics.

SOX required companies to disclose whether their senior executives and financial officers followed a code of ethics. If they didn’t have one, they had to explain why. Around the same time, both the New York Stock Exchange and Nasdaq adopted rules requiring that listed companies adopt and disclose a code of conduct. While the SOX rule didn’t require adoption of a code, it made clear that the SEC expected one.

“Over the past 20 years, the government has been encouraging employers to adopt ethics and compliance programs in a number of ways,” says Chip Jones, a Littler Mendelson shareholder who counsels clients on such programs.

Since the mid-1980s, for example, federal sentencing guidelines have said companies with an effective ethics and compliance program would face reduced criminal sanctions. “Sarbanes-Oxley is just one regulatory framework pushing companies in that direction,” Jones says.

But even Enron had implemented a code of ethics that specifically prohibited some of the board and executives’ later misconduct. It’s clear the mere existence of a corporate code of conduct is useless without compliance.

#3: It created the PCAOB.

SOX created the independent Public Company Accounting Oversight Board (PCAOB) in 2002 to oversee the independent auditors of public companies, replacing a self-regulatory scheme and mandating true independence. The Board’s inspection powers mean the audits of companies’ internal controls are subject to scrutiny.

“To me, the creation of the PCAOB may be one of the most important features of the whole Sarbanes-Oxley structure,” Currier says. “On demand, the PCAOB can call up any given partner at any given [accounting firm] and ask to see all of his work papers for his last five engagements.”

Accounting firms that audit public companies must register with the PCAOB, and are subject to annual or triennial agency inspections, depending on their size. Currently the Board is in various stages of exploration of new initiatives in the wake of the financial crisis. They include new ways of promoting the transparency of audits, updating audit report formats, expanding foreign inspections and ensuring the independence of auditors. This includes a measure to require mandatory firm rotation, or term limits, between a public company and its audit firm

Sidebar: Inside the PCAOB

Gordon Seymour, general counsel of the Public Company Accounting Oversight Board (PCAOB), has been with the Board since 2003.

InsideCounsel: How has the agency evolved since its birth in 2002? 

Seymour: We’ve established our programs and grown from words on the pages of Sarbanes-Oxley to an organization that has close to 700 employees—more than half of those employees are inspectors. The biggest way we’ve evolved is by developing an inspection force comprising former auditors out in the field carrying out annual or triennial inspections of accounting firms.

InsideCounsel: How have audit practices changed since then?

Seymour: There’s a general consensus that the quality of financial reporting and auditing has improved post-Sarbanes-Oxley. I’m not sure if it can be empirically proven, but it’s attributable in part to the enhanced discipline our inspection process has brought, in addition to improvements in standards that we’ve made.

InsideCounsel: Did Dodd-Frank impose any additional PCAOB-related requirements on companies?

Seymour: Dodd-Frank expanded our authority so that we now also oversee the audits of securities broker-dealers. At the end of 2008, after the Madoff scandal, the SEC started requiring those broker-dealers to use a registered public accounting firm, but we didn’t have the jurisdiction to oversee those audits. Dodd-Frank closed that loophole so that we now have the same type of authority over broker-dealer audits that we have over public company audits.

#4: It both clarified and complicated the role of in-house counsel.

SOX created an SEC rule that requires in-house and outside lawyers practicing before the SEC to report evidence of a material violation to the company’s CLO or CEO. The CLO then must investigate the evidence and take reasonable steps to respond to the report. If the reporting attorney isn’t satisfied with that response, the lawyer must then report the potential misconduct to the audit or another committee.

“You can’t prove it’s working or not working because that reporting is confidential,” points out Richard Painter, a professor of corporate law at the University of Minnesota who wrote the proposal on which the rule is based. “But post-2002, you no longer saw lawyers not going to the full board, and the SEC hasn’t brought any disciplinary actions under those rules.”

For in-house lawyers, whose careers, in a sense, depend on how they’re viewed by the CEO and other executives, it was a clear wake-up call to be focused on the needs of the entity.

“That whole era clarified for lawyers the need to focus on who their client was, and that their client was the corporation and not management,” Thomsen says. “Before, there was some muddying of those waters.”

The job of in-house counsel also has gotten even more complex post-SOX, and there’s more work on their plates. In-house counsel now have to deal with ensuring compliance with all the SOX reforms, from tracking the independence of directors to working with the audit committee to ensuring whistleblower protections and internal reporting systems are in place.

“The job has gotten much tougher and requires an additional level of expertise,” Blonder says. “And Sarbanes-Oxley is not something inside counsel can simply delegate to its outside counsel.”

#5: It laid the cultural roots of shareholder activism.

Shareholder activism is increasing, with Dodd-Frank pushing forward shareholder proxy access and “say on pay” compensation advisory rules. Such trends have their roots in SOX and the Enron-era corporate scandals, which shoved issues like executive compensation and board independence into the spotlight.

“This evolving conversation about greater shareholder democracy is definitely traceable back to the kind of ethos that SOX gave rise to,” Eaddy says.

SOX banned the executive perk of corporate loans—the so-called Bernie Ebbers rule—named for the former WorldCom CEO. It also allowed the SEC to freeze executive bonuses and other “extraordinary payments.” Such rules led to a broader focus on when executive pay and perks are excessive, how consistently pay is set, and what policies govern decisions on pay and golden parachutes. Those conversations are being continued through Dodd-Frank.

“Is risk-based pay or pay-for-performance appropriate?” asks William Tolbert, a Jenner & Block partner and former associate director of the SEC’s Division of Corporation Finance. “Are shareholders allowed to nominate people to the board? These are the types of shareholder governance principles that SOX indirectly made its way into, and on which Dodd-Frank is continuing to progress on.”

#6: It made public companies more expensive to run.

There’s no doubt that SOX compliance is costly. By their fourth year of SOX compliance, most organizations spend in the range of $100,000 to $1 million annually on compliance-related activities, according to a 2011 survey by Protiviti, an audit and risk consultancy. That doesn’t include the time and focus board members and executives must spend on compliance matters.

The survey also found that most companies in their first year of SOX compliance say the costs outweigh benefits. However, after the first year, they consistently take the opposite view, identifying benefits such as a better understanding of control design and increased effectiveness and efficiency of operations.

Nonetheless, the costs and demands that SOX put on SEC-registered companies are largely blamed for driving companies from public listing in the U.S., especially foreign and smaller companies. The 2000s saw a drop in U.S. initial public offering (IPO) activity while IPOs rose in foreign countries. The Committee on Capital Markets Regulation reports that in 2005, going-private transactions made up 25 percent of all public takeovers—that’s more than twice the pre-SOX level. The trend was largely blamed on SOX.

A study by Robert Bartlett, assistant law professor at UC Berkeley School of Law, found that big companies going private post-SOX haven’t avoided forms of financing that still require SEC reporting. If they were going private to avoid SOX-imposed compliance burdens, he says, there should have been a decrease of such funding sources. However, the opposite was true for smaller companies.

Bartlett, who advises Silicon Valley startups and venture capitalists, says that from what he’s observed, the cost of SOX compliance has “significantly” increased the time period in which a company remains private. “It takes time to set up those procedures [required by SOX],” Bartlett says, “and it requires a more sophisticated back office as well.”

That’s not a bad thing from a corporate governance standpoint, Blonder says, pointing to the Internet bubble. Companies that go public today are often in a better position to do so because they’ve had to consider the increased duties of SOX. Before, he says, “you had startup-type companies that weren’t going the traditional route of growth and maturing.”

No doubt the costliest—and most maligned—provision of SOX is Section 404, which imposes the requirement that companies must hire third-party independent auditors to assess their internal controls. The requirement took effect in 2004, and external audit fees increased 271 percent between 2001 and 2006, according to a 2007 Foley & Lardner study.

Eaddy says the costs of 404 compliance were “grossly, grossly burdensome.” In 2007, the SEC passed a series of Section 404 reforms to exempt smaller companies from the independent audit requirement, and the SEC says more than 60 percent of the companies filing with it are now exempt. But the 404 requirements aren’t all bad.

“I’ve heard businesspeople say they never really understood their business until they did that,” says Currier.

#7: It empowered the SEC.

Among other measures, SOX extended the statute of limitations for the SEC to pursue actions and increased the penalties at their disposal. According to Currier, SOX changed the balance of power between companies and prosecutors, putting prosecutors in the driver’s seat. 

SOX also made clear what disclosures were required of public companies, so now it’s easier for the agency to pursue enforcement. “The core values that you have to follow when making disclosures are much clearer now than they were, say, 10 years ago,” Tolbert says.

Thomsen says the SEC has gotten quite a bit of use from the ability under SOX to distribute disgorged money to wronged investors through Fair Funds. According to the Government Accountability Office, $9.5 billion in Fair Funds were ordered from 2002 through February 2010, most prior to May 2007. The disgorged funds come from penalties from violators, either companies or individuals.

“The SEC has really been aggressive lately in enforcing the disgorgement provision,” says Tolbert. “The SEC has asked CEOs and CFOs to disgorge compensation. It’s played a role in some of the Dodd-Frank provisions, such as one mandating the implementation of CEO/CFO disgorgement procedures.”

For example, in November 2011, CSK Auto Corp. CEO Maynard Jenkins, while not personally charged by the SEC, was required under SOX to return $2.9 million in bonuses and stock profits to the company because he received it while CSK was committing accounting fraud.

And that has had its effect on how management operates.

“I find senior management is being far more proactive, like questioning things in the [financial report] and discussing those issues with their acting managers,” says DeMartino.

#8: It changed things for private companies, too.

Private companies that aren’t subject to SOX reforms have nonetheless adopted some of its provisions as best practices, such as ensuring the independence of directors and adopting audit and audit committee procedures.

“While Sarbanes-Oxley has transformed public companies, it’s transformed private companies even more,” Blonder says. “They do it on a voluntary basis because it’s good business and it provides transparency, whether it’s to banks, private equity firms or other financing sources.”

That’s another factor bringing SOX’s effects to private companies: Increasingly, various sources of financing have an expectation of solid corporate governance and transparency. And some private companies are making sure they’re ready for the demands of future public listing.

“Depending on their exit strategies,” Barth says, “larger public companies have adopted various levels of SOX compliance.”