The Chilling Effect of SARBANES-OXLEY: Myth or Reality?

By Lynn Stephens and Robert G. Schwartz

E-mail Story
Print Story
JUNE 2006 - When Congress passed the Sarbanes-Oxley Act of 2002 (SOX) in response to Enron and other corporate misdeeds, apparently little thought was given to its impact on start-ups and early-stage companies and their initial public offerings (IPO). From 2000 to 2003, particularly in the technology sector, IPOs were on the decline due to the global recession. While technology company IPOs began to increase again in 2004, going public has now become a more challenging way for entrepreneurs to raise capital. The complex recordkeeping required for compliance with SOX may be responsible for the decline in IPOs. The act appears to have also served to increase the number of mergers, joint ventures, and acquisitions. A survey of 108 entrepreneurial technology firms, conducted by the authors, addresses the impact of SOX on their future development.


SOX was passed in the wake of corporate scandals involving spectacular bankruptcies, inappropriate accounting practices, and audit firms that apparently closed their eyes to those practices. The provisions of the legislation were designed to “protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.” Although the legislation was designed to ensure a high quality of financial reporting by publicly traded companies, proposals to extend the legislation to privately held companies are being considered both at the federal level and by some states. Extending the legislation to not-for-profit corporations is also being considered. Even if the scope of SOX’s provisions is not extended, bankers and other stakeholders may begin to view SOX requirements as “best practices,” and give preferential treatment to entities that voluntarily comply with SOX-like procedures and standards.

The following four areas were addressed by SOX:

  • Defining appropriate relationships between independent auditors and the companies being audited;
  • Specifying appropriate corporate governance practices and inappropriate corporate activities;
  • Stipulating provisions with respect to corporate fraud and accountability; and
  • Establishing requirements that companies implement and document internal control systems to help ensure the integrity of financial information being reported to the public.

Internal control has received the most attention in the press because compliance in this area can be costly. The costs may inhibit companies from entering into the public markets to raise capital, or may cause companies that have been publicly traded to go private. In turn, there has been speculation that this may stunt the creation of new jobs and products because companies do not have access to the large amounts of capital available in the public markets. Most of these claims are supported by anecdotal evidence, citing only a few specific cases of companies that have either decided not to go public or have delisted due to SOX.

Mergers and acquisitions appear to have taken the place of IPOs as tools for substantive capital creation. Mergers or acquisitions may relieve some of the capital needs of start-ups and early-stage companies. Independent entrepreneurs, however, although helped by the senior-level management in their new companies, may not be easily managed or integrated. The parent company may also find itself diverted from its business activities due to the challenges presented by acquiring a younger firm. Creativity and innovation may suffer as well.

Basic Provisions of SOX

Independent auditors. The first two sections of SOX (Title I, Public Company Accounting Oversight Board; and Title II, Auditor Independence) deal with the auditors of publicly traded companies and relationships between a company and its auditors. Of particular concern to companies preparing for an IPO are limitations on the amount of consulting services that auditors may perform for clients; requirements that nonaudit services must be approved by the company’s audit committee; and requirements that the CEO, controller, CFO, chief accounting officer, or any person in an equivalent position cannot have been employed by the auditing firm during the 12 months preceding the audit. Companies considering an IPO must be in compliance with these provisions at least 36 months prior to the IPO.

Corporate governance. The provisions of SOX Title III, Corporate Responsibility, include requirements designed to improve corporate governance by requiring specific actions that need to be taken by the company or its management, and designating activities that the company or its management are prohibited from pursuing.

Specifically, SOX section 301 establishes a requirement that the company have an audit committee and that each member of the audit committee be an independent member of the board of directors. Although SOX does not require a member of the audit committee to be a “financial expert,” companies must disclose whether at least one member of the audit committee is a financial expert. A 2004 study by the Institute of Internal Auditors on the effects of SOX on audit committees of non–publicly traded entities concluded that nonpublic companies could find it more difficult to recruit and retain qualified members to serve on audit committees.

Other corporate-governance provisions of SOX require that the CEO and the CFO certify the financial statements; require that a corporate code of ethics be in place for top management; expand required disclosures about transactions involving the company and principal stockholders, directors, or officers; and prohibit the purchase or sale of stock by officers, directors, and other insiders during blackout periods. Companies considering an IPO must have appropriate policies in place prior to the IPO. The SEC also is given the power to ban any individual from serving as an officer or director of a publicly traded company.

Corporate fraud and accountability. Titles VIII through XI of SOX deal with corporate fraud and accountability and white-collar crime. Title VIII imposes criminal penalties for destroying, altering, concealing, or falsifying records where the intent is to obstruct a federal investigation or a bankruptcy proceeding; makes debts incurred in violation of securities fraud law nondischargeable through bankruptcy; and extends the statute of limitations for private actions for securities fraud violation to not later than two years after discovery of the fraud or five years after the violation occurred. One implication of these provisions is that companies need to develop, implement, and periodically review document-retention and -destruction policies.

SOX also extends whistleblower protection for employees who provide evidence of fraud. Companies must implement or review whistleblower policies to ensure compliance with the requirement that employees have an avenue for “confidential, anonymous submissions” and to ensure nondiscrimination against whistleblowers.

Internal controls. SOX section 404, which covers management assessment of internal controls, has probably received the most negative publicity, due to the additional compliance costs it implies. In July 2004, Financial Executives International (FEI) surveyed 224 public companies with average revenues of $2.5 billion to determine estimates of the cost to comply with section 404. Results showed that the average total cost of compliance was estimated at $3.14 million per company, or 62% more than the $1.93 million estimate identified in FEI’s January 2004 survey. First-year compliance costs for companies with revenues of less than $1 billion were estimated at $1 million or less. First-year compliance costs for companies with over $5 billion in revenue had increased from an estimated $4.6 million in the January 2004 survey to $8 million in the July 2004 survey. These costs may be viewed as a significant deterrent for a company considering an IPO.

Venture Capital and Technology IPOs

According to the National Venture Capital Association, the number of venture-backed technology IPOs declined from 245 in 1999 to 28 in 2002. In 2003, the number of deals was up to 29, and in 2004 it climbed to 93.

Overall, technology IPOs did not fare any better during the same time period. There were 900 such IPOs in 1999, and the next year that number declined to 713. The number of technology IPOs took a freefall thereafter, falling to 77 in 2001 and 71 in 2002. In 2003 they declined even further, to 20. There was a turnaround in 2004, with 88 technology IPOs. According to preliminary data from Venture One, there were 41 technology IPOs in 2005.

Costs and Consequences of SOX

The law firm of Foley & Lardner conducted studies in 2003 and 2004 on the impact of SOX. The survey found that the average annual cost of being a public (registered) company had nearly doubled following the enactment of SOX, from $1.3 million to almost $2.9 million for companies with revenues under $1 billion. These costs represent continuing annual costs, exclusive of first-year costs to comply with the assessment of internal control systems. A significant portion of the increase was related to insurance for directors and officers (D&O). The study indicated that D&O insurance increased from an average of $329,000 a year pre-SOX to an average of $639,000 a year for 2002 fiscal years, and $850,000 annually for 2003 fiscal years.

As a consequence, there have been reports of companies that have delisted their securities or have elected to delay or cancel their IPOs. Of the 115 public company respondents to Foley & Lardner’s 2004 survey, 21% indicated that they were considering going private, 6% indicated they were considering selling the company, and 7% indicated they were considering merging with another company as a result of SOX requirements.

Companies currently listed with the SEC can avoid SOX by either going private or going “dark.” When a company goes private, its shares are no longer publicly traded in any venue. A company that elects to “go dark” will deregister its securities, which means it no longer has to file with the SEC, but shares will continue to trade in the over-the-counter (OTC) market. The decision by many companies to either go private or go dark has been attributed to the cost of complying with SOX.

Linster W. Fox, CFO of Anacomp, a data-management company that decided to go dark, was quoted as saying “complying with [SOX] would have added $1 million to its annual costs.” Fidelity Federal Bancorp is another company that went dark. Donald R. Neel, Fidelity’s CEO, stated that “going dark will save $300,000 a year, a substantial sum for a bank with just $200 million in assets.”

Articles published soon after the passage of SOX cited compliance cost as a reason that companies delayed IPOs or elected to be acquired by other companies. Specific companies cited to support these claims included Telica, an Internet phone provider, which had been set to file for an IPO but instead decided to be acquired by Lucent Technologies. Because of SOX, PayMaxx, a large payroll-service provider, dropped its plans for an IPO, issued convertible debt structures, and began storing up cash generated from its operations.

Despite the many chilling headlines and reported cases where companies have cited SOX as the reason to shelve plans for an IPO, the evidence to date that SOX is sufficient cause for companies to stay private has been largely anecdotal or limited in scale.

Benefits of SOX Compliance for Smaller Companies

Although the cost of compliance with SOX has made it more expensive to be a public company, which may deter smaller companies from going public and may also result in some companies electing to withdraw from the public markets, entrepreneurs need to be aware of the SOX provisions to which private firms are subject, as well as the benefits of voluntary compliance with SOX.

SOX impacts all companies, public or private, through its provisions related to enforcement of federal laws and regulations. Specifically, the provisions concerning criminal liability for document destruction and retaliation against whistleblowers, increased penalties for white-collar crime and securities fraud, and blackout notice requirements apply to both public and private companies.

Entrepreneurs who anticipate being acquired by a public company also need to comply with SOX if the operations of the acquired company will have a material effect on the financial statements of the public company. Other stakeholders may view SOX compliance as a best practice that a company should follow even if it is not required. Companies that are not SOX compliant may discover that raising funds, either through venture capital or by borrowing from financial institutions, is more expensive.

Currently, a private company can selectively apply some SOX provisions, such as those covering its relationship with auditors, corporate governance, and financial reporting. As long as compliance is voluntary, non–publicly traded companies can weigh the costs versus the benefits of SOX compliance, and pick and choose which SOX provisions to implement. Federal and state legislators, however, are considering extending SOX provisions to private companies. Entrepreneurs who currently believe that SOX does not apply to them may want to develop at least some familiarity with SOX and its implications, even if they do not intend to take their companies public in the near future.

Challenges Posed by SOX

According to a random telephone survey, conducted by the authors, of 108 U.S. technology-based companies, it appears that SOX has played only a very minor role in companies’ decisions to not go public, because the majority of companies either were unfamiliar with SOX or had no plans to go public. While SOX may delay companies that lack the necessary organizational or reporting structures from going public, when companies were questioned about whether their decision to go public was delayed by SOX, companies highly disagreed with the statement that SOX was a reason for the delay.

Survey respondents were asked to identify challenges from a list associated with SOX requirements. Their responses, shown in the Exhibit, reflect the views of companies that are considering going public, as well as those that are not planning to go public.

Most of the publicity surrounding the cost of SOX compliance has focused on the costs of assessment and reporting on the effectiveness of internal control. The item most frequently mentioned by survey respondents was “assessment and reporting on effectiveness of internal control structures,” which is consistent with the public perception. Interestingly, “corporate governance” and “relationship with auditors” were each noted as challenges by the same number of respondents, and were noted only slightly less frequently than “assessment and reporting on effectiveness of internal control structures.” “Financial statement certification” was also mentioned, as was “prohibitions on loans to directors or company executives.” It is interesting that 17% of the respondents noted “prohibitions on loans to directors or company officers” as a challenge, because this provision has received relatively little attention in the financial or popular press. It may be that entrepreneurs, especially those who do not plan to take their business public, view loans from the company as an important additional source of income.

Other comments volunteered by the respondents generally reflected dissatisfaction with the provisions of SOX. Respondents noted requirements for documentation to demonstrate compliance, the overhead/costs associated with compliance, presumption of guilt, and loss of flexibility as complaints. One respondent, who stated that he is a supporter of SOX, nevertheless commented that the act required “too much paperwork!”

Future Challenges

The results of the survey do not indicate that technology-based entrepreneurs are factoring SOX compliance into their current decision making. The 35% of respondents indicating that they would consider going public may be evidence of changing market dynamics. After four years of challenges faced by technology-based firms and their IPO needs, perhaps companies are again starting to consider the public market for capital.

Companies face diverse challenges in meeting the challenges of SOX requirements. While these challenges may not chill entrepreneurship to the level many initially thought, SOX remains more a myth than a reality for entrepreneurs until they and their incubator management “go to school” on SOX. As these entrepreneurs become more familiar with SOX, their level of concern about its impact on their decision to go public may rise. Furthermore, it is difficult to ascertain whether the effect of “unfamiliarity” with the provisions of SOX can be separated from the “lack of deterrence,” in this and other surveys.

And while the results of the analyses are inconsistent with prior literature, the differences may be attributed to the paucity of evidence and the diversity of cohorts for the population being sampled. Nevertheless, technology entrepreneurs appear much less concerned than prior research and articles would indicate.

Lynn Stephens, PhD, CPA, is a professor in the department of accounting and information systems, and Robert G. Schwartz, PhD, is the EWU Distinguished Professor of Entrepreneurship, both at the college of business of Eastern Washington University, Cheney, Wash.




















The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs. Legal Notices