Sarbanes-Oxley Act (SOX) — Corporate Accountability After Enron
Why SOX Was Needed
The early 2000s saw a wave of corporate fraud that wiped out billions in shareholder value:
- Enron (2001): Used off-balance-sheet entities to hide $38 billion in debt. Arthur Andersen, its auditor, shredded documents
- WorldCom (2002): Overstated earnings by $11 billion through fraudulent accounting
- Tyco (2002): CEO looted $600 million from the company
These scandals destroyed public trust in financial reporting. Congress passed SOX with overwhelming bipartisan support on July 30, 2002.
Key Provisions
| Section | Provision | Description |
|---|---|---|
| Section 302 | CEO/CFO Certification | CEOs and CFOs must personally certify the accuracy of financial statements |
| Section 404 | Internal Controls | Companies must assess and report on the effectiveness of internal controls over financial reporting |
| Section 906 | Criminal Penalties | Up to 20 years in prison and a $5 million fine for willfully certifying false statements |
| Title I | PCAOB Creation | Public Company Accounting Oversight Board established to oversee auditors |
| Section 201 | Auditor Independence | Audit firms cannot provide certain non-audit services to audit clients |
| Section 301 | Audit Committee | Audit committees must be independent and have at least one financial expert |
| Section 802 | Document Retention | Destruction of records related to investigations is a criminal offense |
| Section 806 | Whistleblower Protection | Employees who report fraud are protected from retaliation |
Section 404 — The Most Impactful (and Costly) Provision
Section 404 requires management to assess and report on internal controls over financial reporting, and external auditors must attest to that assessment. This has been both SOX’s greatest contribution and its most criticized element:
| Dimension | Benefits | Costs |
|---|---|---|
| Financial Reporting | Higher quality, more reliable financial statements | Average compliance cost $1-5 million/year for large companies |
| Fraud Detection | Material weaknesses identified before they become scandals | Small companies disproportionately burdened |
| Investor Confidence | Restored trust in public company reporting | Some companies chose to go private or stay private longer |
| Audit Quality | Auditors are more thorough and independent | Audit fees increased significantly post-SOX |
Impact on Corporate Governance
SOX fundamentally changed how public companies operate:
- Boards became more independent — audit committees must have no management members
- Executive accountability increased — CEOs can’t claim ignorance of financial fraud
- GAAP compliance became more rigorous with PCAOB oversight
- Auditor rotation and independence rules reduced conflicts of interest
- Whistleblower protections encouraged internal reporting of fraud
Key Takeaways
- SOX (2002) was passed after the Enron and WorldCom accounting scandals
- CEOs and CFOs must personally certify financial statement accuracy (Section 302)
- Section 404 requires internal controls assessment — the most impactful and costly provision
- The PCAOB was created to oversee public company auditors independently
- Willful certification of false statements carries up to 20 years in prison
Frequently Asked Questions
What is the Sarbanes-Oxley Act?
SOX is a 2002 federal law that established stricter standards for corporate governance, financial reporting, and auditing of public companies. It was a direct response to accounting frauds at Enron, WorldCom, and other companies.
What is SOX Section 404?
Section 404 requires public companies to assess and report on the effectiveness of their internal controls over financial reporting, with external auditors independently attesting to that assessment.
What is the PCAOB?
The Public Company Accounting Oversight Board is a nonprofit organization created by SOX to oversee the audits of public companies. It sets auditing standards, conducts inspections, and enforces compliance with audit quality rules.
What happens if a CEO falsely certifies financial statements?
Under Section 906, willfully certifying materially false financial statements is a criminal offense carrying up to 20 years in prison and a $5 million fine.
Does SOX apply to private companies?
SOX primarily applies to public companies registered with the SEC. However, many private companies voluntarily adopt SOX-like controls, and some provisions (like document destruction penalties) apply broadly.