Attention FAE Customers:
Please be aware that NASBA credits are awarded based on whether the events are webcast or in-person, as well as on the number of CPE credits.
Please check the event registration page to see if NASBA credits are being awarded for the programs you select.

15 Years Later, Does SOX Still Matter?

Chris Gaetano
Published Date:
Aug 2, 2017

Signed into law 15 years ago, on July 30, 2002, the Sarbanes-Oxley Act (SOX) transformed the public accounting arena in significant ways. From mandatory internal controls testing to regular inspections from the Public Company Accounting Oversight Board, SOX introduced changes that today are seen as the standard features of any worthwhile audit. But now, a decade and a half later, lawmakers and business leaders have questioned the legacy of these changes and, indeed, are seeking to roll some of them back.

House Republicans in June passed the Financial Choice Act, which would undo a wide variety of financial regulations. While the Dodd-Frank Act is the legislation’s primary target, it promises to weaken SOX as well. The legislation would double the SOX compliance threshold from $250 million in publicly held shares to $500 million, and exempt issuers with annual gross revenues of less than $50 million from 404(b) internal control report requirements for 10 years, unless their annual revenues grow beyond $50 million or they become a large accelerated filer before then. But the Financial Choice Act faces a tough road in the Senate, where it would need 60 votes to pass.

More recently, New York Stock Exchange President Thomas Farley, testifying before the House Financial Services Committee on July 18, said that SOX has created a significant financial burden for public companies, particularly when it comes to managing PCAOB inspections. These burdens, he said, have discouraged people from taking their companies public and therefore shrunk the pool of capital available for investors.

Douglas Beck, the CFO of JLM Couture who has extensive public company experience, said that SOX’s impact has been a matter of trade-offs. On the one hand, he said that there is a significant cost of compliance, though these costs do decrease over time.. Recalling his own public company experience, during which he needed to hire outside experts for assistance, he noted that staffing needs can lead some companies to have trouble meeting all the requirements.. On the other hand, he noted that there’s more accountability for the accuracy of financial information and more eyes looking at the numbers to make sure they’re right. Moreover, under SOX, companies have identified process weaknesses and operational efficiencies they may not have known about prior to SOX.

All this leads to the question of whether, 15 years later, SOX still matters. To Neil W. Ehrenkrantz, an audit partner with Friedman LLP’s SEC Services Group, the answer is unequivocally yes.

“I think there are more companies, and stakeholders, that have benefitted… based on increased accountant skepticism and audit procedures based on risk built around 404(a) or 404(b). I think if they weren’t there, I think companies would be a little more lax in their quarterly and annual filings,” he said.

Bruce H. Nearon, Managing Partner of SOC 1 and SOC 2 Quality PLLC, formerly National Director of IT Audit at CohnReznick, was even more resolute on this point, saying that “you take SOX away and you’ll have another Enron, a pile of more Enrons.” SOX, he said, has led to higher-quality financial information that investors can be confident in, and better-quality audits due to the PCAOB’s oversight.

Beyond the immediate regulatory effects, Nearon also said that SOX created a positive cultural shift within firms, which served to improve the professionalism of their audit practices, something he witnessed in his former firm when SOX went into effect. 

“There was a sea change in attitude at my former firm. Everyone, as soon as we became aware of SOX, all the partners and managers of the auditing departments became really serious about all the i’s being dotted, all the t’s being crossed—any hint of conflict of interest was taken very seriously,” he said.

Nearon said this created a spillover effect into other audits, as the staff that had improved their processes for SOX engagements took these same techniques and considerations to non-SOX clients as well. The growth of IT audits for both public and private companies is an example of this. Prior to SOX, it was not a common practice to do an audit of IT general control procedures. But once firms and partners became familiar with SOX and understood why the IT audit was so important for public companies, Nearon said, auditors began including the procedures for private companies as well.

“Partners and managers could see the value it brought … because they had a complex system and the [auditing] standards said you have to understand the system. How can you understand the system if you don’t understand the general controls? So I think that was a great spillover effect,” he said.

Ehrenkrantz said there was a similar cultural shift in clients. Between the pre- and post-SOX world, he said he’s seen clients strive harder to identify and mitigate their risks and be more cognizant of material weaknesses in the internal controls. Beck noted, too, that companies have become much more mindful of fraud possibilities since SOX, partially due to all the controls in place intended to curb it. He added that the act probably also had a deterrent effect on potential fraudsters, given the higher levels of scrutiny that the law brought.

While Ehrenkrantz acknowledged that issuers have indeed faced increased expenses as a result of SOX (he noted that audit fees increased between 15 to 30 percent), he said that, with 15 years to observe the effects, the positives outweigh the negatives. 

“Does [SOX] still matter? I think it does. I think it’s something that should stay, and I think the public has a right to see what a significant deficiency or material weakness is,” he said. 

Click here to see more of the latest news from the NYSSCPA.