Corporate governance best practices 10 years after SOX

Section 404 has had profound impact on controls environment.

You could hardly go to a Washington hearing related to an accounting or auditing issue this spring without someone singing the praises of the Sarbanes-Oxley Act of 2002 (SOX). At a House subcommittee meeting on accounting and auditing oversight, House Financial Services Committee Chairman Spencer Bachus, R-Ala., said SOX has been successful in preventing some of the challenges it was created to address. At the PCAOB hearings on auditor independence, objectivity, and professional skepticism, experts including audit committee members, audit firm chairmen, and educators talked about the positive effects SOX has had in strengthening business oversight.

"There are a whole host of reforms that Sarbanes-Oxley has put into play that I think have definitely improved audit quality," Center for Audit Quality Executive Director Cindy Fornelli said in a telephone interview.

The most controversial provision in SOX, Section 404, was in some ways ahead of its time with a focus on internal control in addition to financials. AICPA President and CEO Barry Melancon said businesses are evolving in such a way that the question of how well their systems perform might become as important to investors as financial statements. The authors of SOX understood that, Melancon said.

University of Wisconsin professor emeritus Larry Rittenberg, who served as chairman of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) from 2005 to 2009, divides businesses into two categories with respect to SOX. He said some have focused on simply complying with the regulations and have found themselves operating more effectively because improved controls led to better data, which sparked better decisions but not necessarily cost savings.

Other businesses, Rittenberg said, found that Section 404 forced them to think strategically and modernize their controls and processes. They discovered greater efficiencies that produced cost savings.

Rittenberg said he has been disappointed to see continued deferrals of the Section 404 effective date for small businesses. He said small businesses that offer good products and services often fail unnecessarily.

"The reason they fail is they never develop financial discipline, the sort of things the CPAs can help a lot of businesses do," Rittenberg said, "and the companies often think they're beyond that. And I would like to see a little bit more discipline in those companies that were originally included in SOX Section 404 and then deferred or exempted, because what I think we want is the companies to sustain their businesses over time."


The cost/benefit question regarding performing complicated audits of internal control systems and having external auditors attest to the findings is a complicated one to answer. Shortly after SOX was enacted, there were reports of companies buying back their shares and going private because they couldn't afford the audits.

Passed earlier this year and signed by President Barack Obama on April 5, the Jumpstart Our Business Startups (JOBS) Act, P.L. 112-106, defers the effective date of Section 404 compliance for the first five years after an initial public offering (IPO) for companies that do not exceed certain market capitalization or revenue thresholds. Even before the JOBS Act's deferrals for new public companies, the SEC had repeatedly delayed Section 404(b)'s effective date for public companies with less than $75 million in market capitalization. Those companies were granted a permanent exemption from Section 404(b) under the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, P.L. 111-203.

Jack Ciesielski, president of Maryland-based investment research and management firm R.G. Associates, studied the total fees spent for auditing and audit-related services by 459 members of the S&P 500 from 2002 to 2010. His research showed audit fees increasing for those businesses from $2.07 billion in 2002 to $4.22 billion in 2007, and then essentially remaining constant from 2007 to 2010.

Rittenberg said leaders of some businesses have told him that their total costs actually decreased because of their work to comply with Section 404.

Mark Smith, CFO of Colorado-based renewable chemicals and advanced biofuels company Gevo, has taken three companies through the first stages of SOX compliance, including two IPOs in the last six years. He worked for Nabi Biopharmaceuticals when the law was enacted and said Nabi's audit fees more than quadrupled in those early days of SOX, and the company also had to spend heavily with an outside contractor to do documentation and testing.

"It just fully removed all the commonsense elements," he said. "So you ended up having to document and demonstrate documentation at an incredibly detailed level."

Since the PCAOB's issuance of Auditing Standard No. 5 (AS5), An Audit of Internal Control Over Financial Reporting That Is Integrated With An Audit of Financial Statements, in 2007, Smith said, SOX requirements aren't nearly as difficult to manage. An SEC study in 2009 found that among Section 404(b) reporting companies, the mean total Section 404 compliance cost dropped 19% in the fiscal year after the reforms, compared with the previous fiscal year. Although some critics say that SOX has prevented some small companies from going public, Smith said complying with the standards at Gevo was more a matter of formalizing, testing, and documenting internal control systems that already were in place.

"There are certain processes and procedures that you just have to have in place if you're going to take other people's money, in particular, and invest it on their behalf," he said. "No one can say they love this process, right? It's arduous, and there are some elements of it which feel like they're overkill and a little bit thoughtless. But in the more recent iterations ... I think there is some value to it."

Not everybody was pleased with the adjustments that took place in 2007. Barbara Roper, director of investor protection for the Consumer Federation of America, said the SEC implementation guidance issued after AS5 was not the principles-based approach the commission advertised.

"A principles-based approach says, 'Here's the principle we expect you to achieve, and you have some flexibility about how you achieve it,' " she said. "This just never set out the principle it was expected to achieve and just talked about all those things that auditors didn't have to do as part of the audit. We've been concerned about some of the erosion of the standard."


Some of SOX's most impactful regulations significantly strengthened the role of independent audit committees in corporate governance.

Cathy Lego serves as independent audit committee chair of two California-based tech companies, SanDisk Corp. and Lam Research Corp. She frequently attends round-table meetings for audit committee chairs and said audit committees are doing a better job now than they were before SOX.

"I think boards are stepping up their level of responsibility," Lego said. "I believe audit committees are stepping up their skepticism and questioning. Internal (auditors) have stepped up and are working with external auditors to make sure the internal processes and systems are working the way they were intended to."

Lego said the Section 404 regulations provide a good systems-only approach to internal control, but she added that audit committees can't rely just on that audit. She said it's important to test the attitude of businesses' people, particularly top management, toward risk and accuracy.

"There's a qualitative aspect that's necessary to overlay on top of the hard-core testing," Lego said. "If bad guys want to collude, bad guys can do bad things. And what you have to do is not just test, but watch and look and test outside of what happens to make sure that you have the tone at the top. In some risky (situations) you do more testing."

Ken Tysiacis a JofA senior editor. To comment on this article or to suggest an idea for another article, contact him at or 919-402-2112.

Eight Habits of Highly Effective Audit Committees

In September 2007, the JofA published popular guidance for audit committees as they came to grips with the greater responsibility the Sarbanes-Oxley Act of 2002 placed on them for overseeing public companies’ accounting, financial reporting, internal controls, and audits (see “Eight Habits of Highly Effective Audit Committees,” Sept. 2007, page 46). The principles described in that article remain sound today:

1. Create and adhere to a written charter. The document should identify audit committee functions, authority, and responsibilities, and the skills and experience members must possess.

2. Specify critical success factors. Audit committee members must possess these competencies for the committee to discharge its duties and function effectively.

3. Identify committee core values. These should reflect those of the organization. Written procedures should foster open communication, equitable dispute resolution, and active participation by all committee members.

4. Reserve the right to invite any group or individual to a meeting. Audit committees can offer “safe haven” to individuals interviewed during executive sessions, but still ask incisive questions.

5. Ensure all members actively participate in setting the agenda. Whenever possible, avoid conducting committee business between meetings.

6. Formalize procedures. Committee members should agree to ground rules for making decisions and resolving stalemates that relate back to the charter.

7. Review. At the beginning of each meeting, review the previous meeting’s highlights. As you review, refer to the company’s written organizational vision, core values, and critical success factors.

8. Summarize. At the end of each meeting, summarize what has happened so each member understands key aspects without referring to notes or minutes.

—By Joan Pastor, Ph.D., ( ) a licensed industrialorganizational and clinical psychologist. She founded, an arm of JPA International Inc., dedicated exclusively to executive and board development, and her company has consulted for the audit, risk, security, and finance communities since 1986.


Preparing the statement of cash flows

This instructive white paper outlines common pitfalls in the preparation of the statement of cash flows, resources to minimize these risks, and four critical skills your staff will need as you approach necessary changes to the process.


Keeping you informed and prepared amid the COVID-19 crisis

We’re gathering the latest news stories along with relevant columns, tips, podcasts, and videos on this page, along with curated items from our archives to help with uncertainty and disruption.