The Sarbanes-Oxley Act: Its Legacy Looking Back and Impact Going Forward Twenty years ago, the effects of the Enron era were enormous. Confidence in the capital markets and in financial reporting and corporate governance in general had deteriorated to a dangerously low level. Shareholder losses were staggering. People’s life savings were lost. The corporate frauds and abuses were numerous and egregious. The web of culpability cast a wide net. The blame game was in full force. The lack of accountability was troubling. Bottom line: Something had to be done, and the mantle for action was laid at the feet of the United States Congress. The business lobby had little to no leverage in shaping what was about to happen. The damage done was simply unacceptable to Main Street. Bipartisan political will to reassert the integrity of the markets was strong. In a feat that appears impossible when considered in light of today’s gridlocked Congress, two colleagues from opposite sides of the aisle, Democratic Senator Paul Sarbanes and Republican Representative Michael Oxley, came together to drive a response, the Sarbanes-Oxley Act (SOX or the Act). This bipartisan pair sponsored once-in-a-lifetime legislation that would have a stabilising and lasting impact in addressing the distrust in financial reporting and helping restore investors’ waning confidence. As noted on this blog upon the passing of Mr. Oxley in 2016: In the United States, a situation like this gives Congress a strong political will to act. And act they did. SOX is a compendium of the abuses of the Enron era. The law reads as if Mr. Oxley, Mr. Sarbanes and their authorship team listed all of the high-profile abuses on a whiteboard and then designed mechanisms to address each one. They did what they had to do to solve the problem they were faced with. In doing so, they sent a powerful message of accountability for fair public and financial reporting. Topics Internal Audit and Corporate Governance Risk Management and Regulatory Compliance In addition to requiring reports on internal control over financial reporting (ICFR) by management and the independent auditors, the Act created the Public Company Accounting Oversight Board, allowed for claw back of executive compensation and, of course, required the CEO and CFO to certify quarterly their awareness and ownership of the fairness of reported financial results and the efficacy of disclosure controls and procedures underlying public reporting. This ownership by the CEO and CFO was a paradigm shift. What was previously implicit was now explicitly expressed for all to see, leaving no confusion as to who was primarily responsible for fair financial reporting. Yes, the auditors, audit committee and various owners of myriad accounting and reporting processes played important roles. But these two certifying officers were the linchpins. Despite the initial growing pains and various challenges over the years, the Act has stood the test of time. Following are a few data points: If the restatements driven by special purpose acquisition companies in 2021 are ignored, the last 20 years have seen an ongoing trend of decreasing numbers of restatements for 404(b) filers. Over the last two decades, numerous studies have focused on evaluating both the quantitative and qualitative benefits of SOX compliance. One study noted that companies subject to SOX 404(b) requirements experienced higher valuation premiums and higher credit ratings and, thus, net lower cost of debt after SOX compliance costs. Eight of 10 (83%) respondents to Protiviti’s 2021 SOX survey noted that adoption of the SOX 404(b) requirements has resulted in an improved ICFR environment for their organisation. The percentage is even slightly higher at 85% for those organisations in their first year of compliance. Bottom line, the legacy of SOX is that it accomplished its objective of elevating the reliability of and confidence in financial reporting. But it also has created a strong focus on processes and controls. In the aforementioned Protiviti survey, the majority of organisations noted: Enhanced understanding of controls design and operating effectiveness as well as improvements in company culture specifically related to risks and controls. These changes to the organisation reflect an “everyone’s responsible” mentality with respect to internal control. Increased focus on continuous improvement through an end-to-end view of business processes. Ongoing awareness of reporting requirements around the impact of significant changes in people, processes and technology through periodic certification and the focus on remediation required to implement necessary internal control adjustments have increased the discipline and appetite to consider different ways a task can be achieved or how the reliability of processed transactions can be increased. Emphasis on using technology and automation, including increased implementation of automated controls. For example, many companies are allocating substantive resources toward automating and modernising various aspects of their SOX compliance programme by enabling it with technology to drive improved efficiencies and effectiveness. Naturally, these benefits can spill over to improvements in operating processes. Although the Act’s sponsors are no longer with us, the signature legislation of Senator Sarbanes and Representative Oxley continues to achieve its aims and provides a basis from which to bring additional reliability and transparency into financial and public reporting. Its implementation drove a marked decrease in financial reporting restatements. The actions taken by organisations in response to the Act’s requirements helped to solidify confidence in the capital markets at a crucial moment in history. True, SOX has its detractors and, currently, there are concerns about rising costs. But looking back over the last 20 years, the investing public and users of financial information are the better for it. Some have questioned SOX’s value because it did not prevent the 2007–2008 financial crisis. However, SOX doesn’t mandate how financial institutions are to be run, how risks are to be managed, or when CEOs and their boards should take a fresh look at the validity of critical assumptions underlying their corporate strategy and business model. SOX is about reporting results, not about calling the shots. That remains a management and board imperative. As for the next 20 years, we continue to see organisations build on the discipline adopted for ICFR and leverage it to additional areas, such as cybersecurity and environmental, social and governance (ESG) matters. Expanding on the infrastructure of the SOX programme already in place to address additional disclosure requirements, compliance and operational areas will continue to provide benefits to businesses focused on improving the cost-effectiveness of their processes and controls. In fact, we are seeing companies build the discipline (for example, validation of completeness and accuracy, control over spreadsheets and calculations, and detailed evidence of management review) into these additional reporting areas so that certifying officers can have confidence in the reliability of required sustainability reporting. For example, according to the aforementioned Protiviti survey, more than 40% of organisations applied an ICFR-like process to their human capital reporting and ESG metric reporting for 2021, with nearly 40% more stating that they would be doing so in the future. On this 20th anniversary of SOX’s enactment, we once again pay tribute to Mr. Sarbanes and Mr. Oxley.