Widely deemed the most important piece of security legislation since formation of the Securities and Exchange Commission in 1934, the landmark Sarbanes-Oxley Act of 2002 was born into a climate still reeling from the burst of the high-tech bubble and fraud scandals at Enron and WorldCom.
Its intent was to improve corporate governance and restore the faith of investors, but many in the business world spoke out against SOX, viewing it as a politically motivated overcorrection that would lead to a loss of risk-taking and competitiveness.
HBS Associate Professor Suraj Srinivasan and Harvard Law School Professor John C. Coates leverage the benefit of hindsight to assess research findings from over 120 papers in accounting, finance, and law to evaluate the act's impact and establish takeaways to guide the creation of future legislation.
While current measurement systems are insufficient to make an unambiguous, overarching judgment of the act's net benefits, Srinivasan and Coates isolate a few clear findings and make a case for flexibility and experimentation to guide future laws and reforms in the financial arena.
One thing is clear: Despite severe criticism, the act and the institutions it created have survived almost intact since enactment. But so have condemnations. It's a puzzle, say the authors, that "on the one hand, the law continues to be fiercely and relentlessly attacked in the US" while those most affected by the act as implemented express "acquiescence or even mild praise."
The paper, SOX after Ten Years: A Multidisciplinary Review, is scheduled to be published later this year in Accounting Horizons.
"We took a cost/benefit approach when considering SOX," explains Srinivasan. The most worrisome part of the act on the business side was the mandate that required public companies to obtain an independent audit of their internal control practices. The cost of this requirement, he says, was felt most acutely by smaller companies, although it was ultimately deferred for companies with market caps of less than $75 million and made permanent in the Dodd-Frank Act. Audit standards also were modified in 2007, a change that reportedly reduced costs for many firms by 25 percent or more per year.

"That aspect of flexibility—being able to exempt some smaller companies from the mandate and make it easier for others to implement—is an important quality to keep in mind when we discuss future regulation," says Srinivasan, who also cites the important role of the Public Company Accounting Oversight Board (PCAOB), a nonprofit private corporation created by SOX that oversees auditors of SEC-registered companies.
Markets Have Benefitted
Despite high initial costs of the internal control mandate, evidence shows that it has proved beneficial. "Markets have been able to use the information to assess companies more effectively, managers have improved internal processes, and the internal control testing has become more cost-effective over time," according to Srinivasan.
The research does not support the fear that SOX would reduce levels of risk-taking and investment in research and growth. Another concern that the act would shrink the number of IPOs has not been borne out either; in fact, the pricing of IPOs post-SOX became less uncertain. The cost of being a publicly traded company did cause some firms to go private, but research shows these were primarily organizations that were smaller, less liquid, and more fraud-prone.
"Yes, SOX may have cut off public market financing to these companies, but the question is whether it was appropriate for them to be in public markets in the first place," Srinivasan says. "That is a value judgment, to be sure. But it may not be a bad thing if certain companies are restricted in their access to financing, simply because loss of trust in public capital markets has big consequences for the entire economy."
A 2005 survey by the Financial Executives Research Foundation found that 83 percent of large company CFOs agreed that SOX had increased investor confidence, with 33 percent agreeing that it had reduced fraud.
And yet—the financial crisis of 2008 still happened.
"The big, unanswered question is whether SOX-related changes had any impact in the lead-up to the financial crisis. Did it make things better or worse?" says Srinivasan. "We don't know the answer to that. We only know that there were benefits in terms of financial reporting and corporate governance; that costs of implementation were higher for smaller companies; and that concerns about risk-taking and investment haven't come to bear. One of the big takeaways from this paper is how difficult it is to measure costs and benefits of regulation in a systematic way."
Costs And Benefits
Building flexibility into new policymaking that allows for more experimentation and measurement is helpful, he notes, as is avoiding a one-size-fits-all approach. "The costs of regulation are more direct and easier to comprehend than the benefits, which are mostly indirect. So there will always be upfront concerns about regulation, which leads back to the importance of building in opportunities to measure the costs and benefits.
"A skeptic of regulation would say that SOX wasn't needed at all, that the system would have fixed itself," he continues. "But what was the cost of fraud to the overall economy? We intuitively feel it was large, but we have not made progress in measuring it. That is a future question for research."
Despite the difficulty of assessing the effects of regulation, Srinivasan stresses the importance of continuing to look for ways to do so, citing the possibility of experiments such as random implementation or a voluntary opt-in/opt-out approach that would enable researchers to make causal inferences.
"It's important for everyone who has a stake in the US economy to realize how these laws are being made and to assess whether they are working or not," he says. "We have to be very thoughtful and allow for experimentation and performance measurement. We can't have a knee-jerk reaction and leave it only to political entrepreneurs to create the law."
First, SOX did nothing to address the fundamental issues at the bottom of either the Enron-WorldCom scandal or the crisis of 2008, the same issue that was at the root of and that has remained unaddressed for the past 25 years: the unregulated and undisclosed derivatives--the so-called "off balance sheet" transactions that brought down Orange County, the LTCM hedge fund, the collapse of the British Barings Bank, Enron, WorldCom, and the collapse of all the financial institutions associated with the crisis of 2008. Derivatives are still not regulated nor disclosed. These highly leveraged bets total some 10X the world's GDP and 37X the U.S. GDP, and Wall Street and academicians continue to argue they are a zero-sum game, but they are not. Thus, there WILL be another financial crisis, and SOX has done nothing to avert it. Thus, the primary premise behind SOX, to guard against another Enron-WorldCom, has been a total failure.
Further, in advising companies and in our own corporate decision about whether to go public or not, SOX has certainly entered the equation on the negative side, big time. And the Jobs Act of 2012 increasing the number of permissible shareholders for private companies from 500 to 2,000 has certainly tilted the scale in favor of remaining private.
SOX, on the face of it, is a stringent Act. Its main purpose was to empower regulators, auditors and corporate boards to improve governance and reduce frauds.
While initially SOX faced a lot of criticism and it was felt it would create fear thereby retarding business growth, it has by and by been understood that ultimately good governance is the key to growth. Investor confidence is directly proportional to the extent to which corporates are straightforward in their actions and remain fraud-free.
The major impact of SOX has been the improvement in the quality of financial reporting and a steep fall in adverse SOX 404 Auditor Attestation Opinions. Now the auditors do not indulge in consultancy for the company audited and hence carry out audits without favour which obviously leads to more bold reporting. Any facts which used to be hidden by manipulation of figures are now duly observed and elements of fraud, if any, are brought to the open.
A mechanism of internal (day-to-day/concurrent) audit, notwithstanding cost, seems necessary as the statutory auditors work on the basis of a fair sample only.
In India, the new Companies Act 2013 has also many elements like those covered by SOX which, in course of time, are bound to be beneficial on the whole.
If I want to do fraud I would be happy to say that everything is fine.
This was the prime issue and continued to be an issue as SOX does not address it. PCAOB has tried to address this issue in the last year with a practice advisory and guided the auditor to review the management review controls effectiveness also while concluding the control effectiveness.
Let's see if we as an auditor are able to justify with our responsibility in light of last year's practice advisory.
With regards to the legislation not addressing Enron/WorldCom, that's partially true because no amount of money or legislation can prevent intentional fraud at the very top of an organization. If the CEO and CFO are both intentionally defrauding financiers and investors, I have yet to understand how that can be efficiently regulated or even monitored/audited.
However, SOX certainly has done what it could to address fraud in that it establishes a Whistleblower hotline mandate which is the #1 way in which fraud has been uncovered per the ACFE who tracks multiple governmental and private sources.
1 - When SOX was implemented the company that I was working for, which was preparing to go public with a strong business case for growth, decided instead to stay private and harvest the business by cutting costs. The CEO was not willing to accept the personal liability for any reporting errors as required by SOX.
2 - The next company that I joined was based outside the US and considering relocating its HQ to either the US or London. The cost of implementing SOX was one of the factors that led them to select London instead. That business has appreciated in value by $75 billion since this decision and we have certainly not regretted the decision to avoid costly SOX process requirements.
3 - During the 90s McKinsey did so many growth studies they nearly lost the institutional knowledge on how to do downsizing projects. Every CEO needed a growth story and we developed business plan after business plan that drove investment for growth. Once SOX was implemented, CEOs could no longer make forward-looking statements and now all the messaging to investors is about increasing margins and efficiency. The 2 recoveries since SOX have both been "jobless recoveries" and businesses have traded their obsession with growth for an obsession for ROIC.
The US has become less competitive at attracting investment, while our share of the Global 500 is declining. Many factors have driven this, but certainly over-regulation has been a major factor and SOX is one of the most profound mistakes we have made in my opinion. If the authors are confident that on-balance, SOX has been good for US interests, why is it that the rest of the world has not followed the US in implementing these regulations? And why is so much capital fleeing the US to be invested in economies around the world that are unencumbered by regulation at the level of SOX?