Sarbanes-Oxley and corporate governance: past & future
Let’s take a time machine back to the boardrooms of 2002. Nearly half (47%) of board meetings clocked in at under two hours. Sarbanes-Oxley (SOX) was still just a proposal, and the relationship between Sarbanes-Oxley and corporate governance hadn’t yet played out — until July 30 of that year. At that time, audit committees didn’t tackle risks beyond the financial realm.
Today, in 2024, board meetings are often full or multi-day affairs. Thanks mainly to SOX and other regulations, 35% of directors now feel that the scope and complexity of the audit committee’s work rivals that of the entire board.
Understanding corporate governance and Sarbanes-Oxley requires both looking back and looking ahead. Here, we’ll detail the main ways SOX has shaped good governance over the past two decades, including:
- What the Sarbanes-Oxley Act is
- Key SOX governance controls
- Governance changes under SOX
- How SOX has improved corporate governance — and its limitations
- How the governance landscape has changed in recent years
- The complicated relationship between Sarbanes-Oxley, corporate governance and the audit profession
What is the Sarbanes-Oxley Act on corporate governance?
The Sarbanes-Oxley (SOX) Act is a piece of legislation Congress passed in 2002 in the wake of corporate accounting scandals, including Enron. It includes various mandates to increase the transparency, accountability and integrity of governance and financial reporting.
As a result, it’s no surprise that the relationship between Sarbanes-Oxley and corporate governance has been complicated; the SOX Act reshaped everything from financial reporting to internal controls. It also protected whistleblowers, further incentivizing boards to act ethically.
Key SOX governance controls
SOX touches nearly every area of oversight the board handles. Some of the critical controls that continue to dominate the conversation around Sarbanes-Oxley are:
- Financial controls: Boards must ensure accurate and timely financial reporting through controls that assure financial data’s credibility.
- Internal controls: Post-2002, corporations also needed to prove that they had a rigorous system of internal controls, including extensive policies and procedures designed to protect assets and prevent fraud. Notable controls included segregation of duties, which separated responsibilities across multiple individuals to reduce the risk of error or conflicts of interest.
- Documentation: Corporations also needed new ways to document and keep records of the above controls. Documentation has remained integral in proving a corporation’s regulatory and legal compliance.
How has governance changed under the Sarbanes-Oxley Act?
Pre-SOX, boards were under little scrutiny and could manipulate finances with little repercussion. Though this made some corporations rich, it deeply impacted shareholders and the public.
Governance has changed in many ways post-SOX, and most of those changes have held corporations accountable to their shareholders — not to those in power.
- Independent audit: Sarbanes-Oxley mandates that audits be independent of the board of directors so that financial reporting and internal controls aren’t swayed by a desire to bolster one’s reputation.
- Certification of accuracy: Executives became personally accountable for the accuracy of financial reporting through a certification system, which requires CEOs and CFOs to guarantee that statements and disclosures are complete.
- Comprehensive financial disclosures: Boards had to report more financial information than ever before, including transactions with related parties.
- Elimination of corporate loans: Once, corporations could extend a loan or line of credit to their directors or executives. SOX put an end to that practice to prevent conflicts of interest.
- Standards of conduct: Sarbanes-Oxley and corporate governance also shone a light on board conduct. Corporations had to establish a code of ethics for the CEO, CFO, controller and other finance leaders.
How has SOX improved corporate governance?
The story of Sarbanes-Oxley and corporate governance has largely been positive. SOX ushered in a new era of corporate responsibility, mainly because it leveled the playing field between shareholder relations and corporate interests. While not perfect, corporate governance post-SOX emphasized:
- Transparency: The introduction of mandatory internal controls and financial disclosures drastically increased the information investors had about the shares they owned. That transparency promoted more informed investment decisions, restoring the trust in financial markets that investors had lost in previous years.
- Accountability: Corporate leaders had to take more personal responsibility for corporate finances. By putting the CEO and CFO on the hook for financial statements, SOX strove to squash bad actors.
- Independence: Pivotal to post-SOX boards, independence has further built investor trust. Now, the committee overseeing financial reporting is separate from those that compile the reports, reducing the risk of fraud, conflict of interest or dishonesty.
- Integrity: SOX targeted board conduct in many ways. From requiring codes of ethics to protecting whistleblowers who report misconduct, the post-SOX world gave boards little option but to put their most ethical foot forward.
- Ethics: Sarbanes-Oxley and corporate governance didn’t entirely prevent corporate scandals, but there have been fewer instances of fraud and misstatement since Congress adopted the legislation.
The limitations of Sarbanes-Oxley and its impact on corporate governance
As transformative as Sarbanes-Oxley has been, it also had its detractors. The act’s broad scope led to implementation challenges and largely contributed to the much longer post-SOX board meetings. After SOX passed, corporations also had to reckon with the following:
- Increased costs: Corporations had to increase headcount and implement new systems to meet the act’s financial and internal control requirements. Auditors made up a more significant portion of staff than before, a particular drain on smaller companies with a smaller cash flow.
- A one-size-fits-all approach: Leaders have long believed that regulators created SOX mainly for large public companies, and there is some truth to that. Enron, the scandal that gave rise to SOX, was worth $70 billion and had more than 20,000 employees. Over the years, businesses of different types and sizes have struggled to keep up with the complex legislation.
- Inability to compete: At the time, businesses feared that the increased Sarbanes-Oxley and corporate governance requirements put U.S. corporations on uneven footing with companies in other parts of the world not subject to strict regulatory requirements.
- Administrative burdens: Management suddenly had to build documentation, reporting, and internal control procedures. That redirected leaders’ attention away from innovating and toward compliance, something some corporations worried would hinder growth.
Sarbanes-Oxley and corporate governance boards
Despite the increased post-SOX board roles and responsibilities, boards have evolved to meet today’s challenges. In 2013, 88% of directors told us they found their boards “adequately experienced and skilled.” This figure increased to a complete 100% by 2023.
However, as directors’ expertise and confidence have grown, so have the issues on their plates — from ESG to DEI to cyber, COVID-19 and more. These evolutions in the business landscape have shaped what’s on board agendas and directors’ minds more than 20 years after Sarbanes-Oxley.
Cyberthreats have further challenged corporate governance
Throughout the 2020s, cybersecurity has remained a top priority, with the continued proliferation of e-commerce, digital services and digital currencies, and the convergence of IT and operational technologies.
As digital transformation accelerates on all fronts, exposure to cyber risk increases. Yet, cybersecurity practices haven’t always kept up. According to PwC’s 2024 Global Digital Trust Insights survey, 30% of companies don’t consistently follow cybersecurity best practices. Only 5% of companies reached the other end of the spectrum, where strong defense and a growth orientation are the norm.
At the same time, the percentage of companies that experienced a breach costing $1 million or more was a staggering 36%, up from 27% in 2023. The rapid increase in cyber threats and the relatively slow pace of cybersecurity preparedness underscore the need for boards to adapt. Many boards are now turning to a centralized governance platform to get a better view of risk across the organization.
Though Sarbanes-Oxley and corporate governance patched up far-ranging ethical concerns, 20 years later, it is cybersecurity for which boards must prepare.
Sarbanes-Oxley and the audit profession
Sarbanes-Oxley affected the audit profession in many ways, mainly by making audit services integral to the boardroom. Audit independence was central to the SOX Act, and more corporations sought external auditors to verify their internal controls over financial reporting (ICFR). The demand for audits gave rise to the large public accounting firms ubiquitous in corporate settings today. Contracting external bodies helped corporations meet the SOX Act’s strict standards, including those set by the Public Company Accounting Oversight Board (PCAOB).
These shifts have profoundly impacted the audit profession, which is primarily why, two decades later, audit teams have become strategic advisors to the board. They’re well-versed in corporate finances and regulatory requirements, uniquely positioning them to identify relevant threats and opportunities.
Keep compliant with Sarbanes-Oxley’s corporate governance requirements
More than two decades after Sarbanes-Oxley became the law of the land, corporations are still reckoning with its effects. The COVID-19 pandemic, the resurgence of ESG, and the barrage of cyber attacks have only deepened boards’ resolve to protect their people and assets. Compliance is the key to all those governance activities and more.
Yet, SOX compliance can feel complex. Sarbanes-Oxley and corporate governance are inextricably linked, which explains why the legislation comes with lengthy requirements. Take some time to understand those requirements, then put your new knowledge into practice with a SOX compliance audit that propels your governance forward.
Use this guide as you complete your next SOX compliance audit.