The Sarbanes-Oxley Act illustration

The need for regulating governance: the Sarbanes-Oxley Act illustration

Due to scandals which occurred in the late twentieth century, new laws regarding corporate governance practices, especially on the controls of listed companies, appeared to control these. An example is the guidelines within the Sarbanes-Oxley Act[1], an American law on listed companies on the Stock Exchange. These new control systems of companies were first used in 2003.

The Sarbanes-Oxley Act of 2002, enacted following the accounting disasters at Enron and WorldCom, is probably the law that most impacts publicly listed companies on the Stock Exchange since the Securities Exchange Act of 1934. In order to restore investor confidence in the financial reports of publicly listed companies on the Stock Exchange, the Sarbanes-Oxley Act makes company executives personally responsible for any falsification of financial data. A business executive who has knowingly signed in a false report is liable to a fine of up to one million dollars and can be sentenced to up to ten years in prison. Even though the law came into force in 2004, it continues to develop whilst the SEC (U.S. Securities and Exchange Commission) decides on the time for compliance and publishes rules on requirements and compliance. According to a study carried out by AMR Research, about 85% of listed companies have planned to change their computer systems as part of their efforts for compliance with this law. AMR has estimated that businesses spent over 2.5 billion dollars to achieve compliance with Sarbanes-Oxley, for 2003 alone.

Guided by three main principles being accuracy, accessibility to information and managerial accountability, and the independence of auditors, the Act seeks to increase corporate responsibility and better protect investors to restore confidence on the market. Its primary objective is to control whether companies act responsibly with shareholders, giving them access to reliable financial accounting and transparent information. Most companies have made the changes required by the Sarbanes-Oxley and are now in the process of full documentation. Some companies have even expanded the scope of their Sarbanes-Oxley projects in order to “understand the documentation, design and implementation of processes and controls.  Most of them go well beyond the financial reporting process”.[2]

Six major measures are distinguished:

1)       The most significant measure is the “responsibility”[3]of CEOs (Chief Executive Officer / CEO and Chief Financial Officer / CFO). Any voluntary or conscious impropriety is penalized. The managers who are caught in the act are liable to ten years’ imprisonment.

2)       To improve access and information reliability, companies must provide the SEC with complementary information (accounting principles guiding the presentation of accounts, out of balance sheet transactions, changes in ownership for assets owned by managers, codes of corporate ethics).[4]

3) Since 26 April, 2003, companies must have set up independent audit committees to oversee the audit process[5]. They are empowered to receive complaints from shareholders or employees concerning the company’s accounting and audit procedures.

4) The rotation of external auditors is also planned.

5) A new regulatory and supervision body, the Public Company Accounting Oversight Board, shall supervise the accounting firms, establish standards, investigate and punish the individuals and legal entities that violate the rules.

6) The penalties have increased considerably. The maximum sentence for fraud has increased and is now twenty five years.

History will recall the Sarbanes-Oxley Act as the regulation that sought to eliminate fraud and abuse in companies because it demands complete corporate responsibility concerning financial reports. Organisations outside the United States that have made the effort to establish corporate governance may now seek to capitalize on this effort and to move towards compliance with Sarbanes-Oxley Act, as the European Commission, as an example, is setting up a similar monitoring system.

The challenge today is to find adequate regulatory instruments and rules that will draw the line between the regulation and autonomy of the market in a context of significant changes that challenge the established world order.


[2] Méta Group et d’AMR research

[3] Section 302. This section, “Responsibility of the Company towards financial reports” came into force in 2002. It implies that the CEO and CFO personally certify financial results for the company. The Section 302 also specifies the criminal penalties incurred by officials who knowingly publish false statements 19 20

[4] Section 409. This section, “Reporting real-time problem” requires notification in real time ofimportant events that could impact on the financial performance of a company. Although the SEC has not defined what it means by “real time” and although no final deadline has been set for the time being tocomply with Section 409, many companies interpret it as 48 hours. The industry experts on information systems noted that for compliance with Section 409, a computer system with the implementation of real-time notifications and alerts of events will be necessary.

[5] Section 404. As noted by many commentators, Section 404, “Evaluation by the management of internal controls, “presents the greatest difficulties of compliance. It requires the auditors to certify the controls and the underlying processes used by the company to create reports on their financial results. It includes an assessment of controls and identification of the framework used for evaluation. Section 302 requires that financial statements are complete and accurate, while Section 404 requires that the process used to generate statements is accurate and meets the accepted industry standard (for example, the Standards of the Committee of Sponsoring Organizations of the Treadway Commission, developed after the savings and loan crisis of the 80s). Section 404 also requires that changes in the process are reported quarterly. Large American companies had until 15 June 2004, whereas small companies had until 15 April 2005.