It’s hard to believe that July 2022 marks the 20-year anniversary of the Sarbanes-Oxley Act (SOX).
On the heels of the dot-com boom in the early 2000s, companies changed the way they operated and incentivized senior leaders: Financial fraud became rampant.
Flagship financial fraud cases of the era included Enron (overstated revenue and concealed debt obligations), WorldCom (inflated earnings by $11 billion), and Tyco (inflated company income). It was these types of events that catalyzed more rigorous financial reporting and internal control requirements created under SOX.
The bipartisan law, sponsored by U.S. Senator Paul Sarbanes and U.S. Congressperson Michael Oxley, has had lasting impacts on public companies of all sizes, helping to create strong control environments, standardize processes, and mitigate financial reporting risks.
Below is a timeline of some of the biggest milestones related to the evolution of SOX these past 20 years:
While many organizations and their auditors have grown accustomed to annual compliance requirements, they must still remain vigilant toward further rule changes and emerging trends. SOX programs must adequately provide insight to stakeholders and regulators as the market and regulatory landscape continue to evolve.
SOX Today and Tomorrow
As organizations consider going public and seek to establish a SOX program of their own, numerous more recent trends are influencing the design, scope, and urgency of reporting standards and control environments.
Some of the most prominent emerging factors include:
Innovation, Automation, and Data Analytics
In tight labor markets, organizations focus on providing value-added activities. Many companies and auditors are turning to the use of automation and data analytics to enhance the efficiency of existing processes and controls and allow individuals to focus their energy on tasks that require judgment. These types of technology are evident in the adoption of robotic process automation (RPA) and governance, risk, and compliance (GRC) tools, which can ultimately reduce the overall cost of compliance and optimize the efficacy of a SOX testing program.
Environmental, Social, and Governance (ESG)
As the SEC has issued proposals to enhance the reporting requirements for ESG-related items, companies must ensure that relevant financial-reporting controls (data validations, IPE validation, etc.) are informing and can adequately govern upcoming ESG reporting standards. Many companies are beginning to incorporate testing of their ESG-related data into their overall SOX program or are performing that testing concurrently with their SOX program.
The advancement of technology over the last 20 years has been a significant driver of the evolution of SOX. The SEC's guidance on cybersecurity disclosure rules requires companies to report on:
- Material cybersecurity incidents and their impact on financial reporting.
- Board of directors’ cyber expertise and oversight of cyber risk.
- How the company has implemented cybersecurity policies and procedures.
Cybersecurity controls are now being assessed alongside traditional IT General Controls (ITGC) during SOX testing to ensure compliance with these new requirements.
Twenty years on, the creation of SOX serves as a strong reminder of the importance of transparency, completeness, and accuracy of financial reports within the capital markets. The requirements will constantly evolve, but the fundamentals remain strong.
For expert SOX advisory support, contact CrossCountry Consulting.