23 minute read 21 Jun 2017
United States Capitol Building Steps

The Sarbanes-Oxley Act at 15: what has changed?

Authors

Bridget Neill

EY Americas Vice Chair, Public Policy

Regulatory and policy strategist with three decades of experience shaping public policy impacting the global financial markets and the accounting profession. Passionate about her family.

Shauna Steele

EY Americas Director, Public Policy

Experienced capital markets, public policy and trade professional helping EY firms in the Americas navigate the dynamic public policy environment. Avid reader, Spanish speaker and mother of three.

23 minute read 21 Jun 2017
Related topics Public policy Assurance

On the 15th anniversary of the Sarbanes-Oxley Act, we reflected on the positive change in the accuracy of financial reporting and quality of auditing in the US since its enactment.

On 30 July 2002, in the wake of a series of financial reporting scandals on a scale that rocked the financial markets, the Sarbanes-Oxley Act (SOX or the Act) was signed into law — following passage by an overwhelming majority in the US Senate and House of Representatives — in an effort to restore public confidence in the reliability of financial reporting.

The law set out to accomplish this daunting goal by establishing a new accountability framework for financial reporting. Perhaps the most dramatic change brought about by the law was with respect to the audit profession: by calling for the establishment of the Public Company Accounting Oversight Board (PCAOB or Board), Congress brought an end to self-regulation of the audit profession.

In addition, the law put in place a requirement for independent audit committees to oversee the financial reporting process, thus aligning their goals with those of investors and auditors. SOX also established the requirement for corporate executives to certify the contents of financial reports and significantly increased penalties for persons participating in financial fraud, among numerous other changes. We believe that the Act has been successful — financial reporting and audit quality have improved, to the benefit of investors and other stakeholders.

(Chapter breaker)
1

Chapter #1

Principal components of the Sarbanes-Oxley Act of 2002

Four major changes that SOX put into effect.

1. Established independent oversight of public company audits, funded via fees paid by public companies and SEC-registered broker-dealers

  • Established the PCAOB, an independent regulator of auditors of public companies and broker-dealers
  • Provided the PCAOB with inspection, enforcement and standard-setting authority

2. Strengthened audit committees and corporate governance

  • Required audit committees, independent of management, for all listed companies
  • Required the independent audit committee, rather than management, to be directly responsible for the appointment, compensation and oversight of the external auditor
  • Required disclosure of whether at least one “financial expert” is on the audit committee

3. Enhanced transparency, executive accountability and investor protection

  • Required audit firms to report certain information about their operations for the first time, including names of public company audit clients, fees and quality control procedures
  • Required public company CEOs and CFOs to certify financial reports
  • Prohibited public company officers and directors from fraudulently misleading auditors
  • Instituted clawback provisions for CEO and CFO pay after financial restatements
  • Established protection for whistleblowers employed by public companies who report accounting, auditing and internal control irregularities
  • Required public company management to assess the effectiveness of internal controls over financial reporting (Section 404(a)) and auditors to attest to management’s assessments (Section 404(b))
  • Established the “Fair Funds” program at the U.S. Securities and Exchange Commission (the SEC or the Commission) to augment the funds available to compensate victims of securities fraud

4. Enhanced auditor independence

  • Prohibited audit firms from providing certain non-audit services to audited companies
  • Required audit committee pre-approval of all audit and non-audit services
  • Required lead audit partner rotation every five years rather than every seven years
(Chapter breaker)
2

Chapter #2

PCAOB

Perhaps the most fundamental change made by SOX was the establishment of the PCAOB.

The establishment of the PCAOB ended more than 100 years of self-regulation by the public company audit profession. The PCAOB’s authority encompasses public accounting firms that audit public companies or play a substantial role in such audits and those that audit SEC-registered broker-dealers. The PCAOB regulates these firms by:

  • Requiring that they register with it
  • Establishing auditing and certain ethics standards
  • Conducting audit quality inspections to assess firms’ compliance with standards, SEC and PCAOB rules and identify audit quality issues
  • Investigating allegations of wrongdoing
  • Disciplining auditors of public companies and broker-dealers
As a statutorily established institution, the PCAOB has an overriding responsibility to serve the investing public by setting auditing and related professional practice standards, inspecting engagements and quality control systems against those standards, and, when necessary, disciplining auditors that fail to comply.
James Doty
PCAOB Chairman

SEC oversight of the PCAOB: The Commission has general oversight authority over the PCAOB, including in the following areas:

  • Appointment of PCAOB members: The Commission has the authority to appoint PCAOB board members, in consultation with the Secretary of the Treasury and the Chair of the Federal Reserve. Two seats are to be occupied by individuals who are or have been certified public accountants.
  • Opportunity to review rules and standards: The SEC has the opportunity to vote on PCAOB rules and standards before they take effect. The SEC can vote to approve or disapprove PCAOB rules and standards but cannot amend them.
  • Budget approval: The SEC must approve the PCAOB budget.
  • Hear appeals: The SEC has the authority to review and modify final disciplinary sanctions imposed by the Board.

Standard setting

The PCAOB has the authority to set standards governing:

  • How auditors conduct audits of public companies and broker-dealers
  • Auditor ethics and independence
  • Audit firm system of quality control

To develop its standard-setting agenda, the PCAOB has the ability to utilize information obtained from inspections as well as input received from stakeholders such as its Standing Advisory Group, which includes representatives from investor groups, the audit profession, public company board members and academics.

Over the past several years, some stakeholders have raised questions about the process used to establish the PCAOB’s standard-setting priorities, as well as the length of time it takes to finalize standards and rules.11 This has resulted in a number of changes that are currently being implemented (see “Revised PCAOB standard-setting process”).

The PCAOB issues its standards in proposed form before they are finalized, providing a comment period for external stakeholders. Recent and current standard-setting projects include those related to auditor transparency, revisions to the auditor’s reporting model, supervision of other auditors, auditing accounting estimates and fair value measurements, and the auditor’s use of the work of specialists.

In addition to standard setting, PCAOB staff periodically issue practice alerts to draw attention to emerging audit issues or risks. Recent alerts have highlighted audit risks associated with the current economic environment and certain emerging markets.

Inspections

Under SOX, the PCAOB is required to inspect a registered audit firm at an interval based on the number of public companies that the firm audits. Firms that perform annual audits of more than 100 issuers are inspected annually, while other firms are inspected at least every third year. During inspections, the PCAOB staff typically looks at firmwide quality controls as well as a sample of audit engagements.

The PCAOB indicates that it uses a variety of factors to select the audits it inspects, including its assessment of the risk that a public company’s financial statements may contain a material misstatement.

Inspections are intended to provide an independent review of audit quality and highlight opportunities for improvement within audit firms, both at the individual audit level and with respect to a firm’s system of quality control. Inspection results can be used to identify areas in which additional audit guidance, training, practice reminders or enhanced skills may be needed.

The PCAOB Remediation Framework

Over time, the PCAOB has sought to provide additional transparency into its process for evaluating a firm’s activities to address quality control findings identified through inspections. In 2013, it issued staff guidance related to this process, which highlighted five criteria PCAOB inspection staff apply when assessing a firm’s remediation process, often referred to as the “remediation framework”:

  1. Change – does the remedial step represent a change to the firm’s system of quality control that was in effect at the time the quality control concern was identified?
  2. Relevance – is the remedial step responsive to and does it specifically address the quality control criticism described in the inspection report? Is a root cause analysis appropriate?
  3. Design – is the remedial action designed to remediate the quality control criticism?
  4. Implementation – was the remedial step implemented within 12 months? If not, has the firm made appropriate progress?
  5. Execution and effectiveness – has the remedial step achieved the proposed effect that it was designed to have?

While this framework has not garnered the same attention that new PCAOB audit standards would receive, we believe it has had a significant positive impact on audit quality. The framework encourages audit firms to examine their understanding of the root causes of the identified quality control concerns. In some cases, this has led to additional investment and focus by firms on their processes to consider the root causes of identified deficiencies. Confronting root causes allows for the design and execution of more effective remediation activities, resulting in more timely improvements in audit quality. We believe that such improvements have been a key driver in the decreasing trend in inspection findings over the most recent inspection periods.

Enforcement

The PCAOB’s enforcement staff investigates and sanctions individual auditors and audit firms for violations of laws, regulations and professional standards. The PCAOB’s disciplinary powers include the authority to impose civil monetary penalties on individual auditors or the audit firm, temporarily or permanently revoke an audit firm’s registration with the PCAOB (which would prevent it from performing audits of public companies and/or broker-dealers), place limitations on the operations of a firm or individual auditor and bar an individual auditor from association with registered audit firms. It also can punish firms and auditors that do not cooperate with PCAOB investigations and inspections and may refer matters to the SEC and other relevant authorities.

(Chapter breaker)
3

Chapter #3

Strengthened audit committees and corporate governance

SOX greatly expanded the responsibilities of audit committees, significantly strengthening corporate governance at many public companies.

SOX required the boards of companies listed on US stock exchanges to establish audit committees made up solely of board members independent from management. Because of SOX, audit committees, not management, are directly responsible for the appointment, compensation and oversight of the work of external auditors, who are charged with evaluating whether the financial statements prepared by management are fairly presented in accordance with the relevant financial reporting framework.

With respect to the composition of the audit committee, SOX codified and enhanced changes that the SEC and US stock exchanges had begun making in the late 1990s. In 1998, only about half of all public companies had fully independent audit committees. Many audit committees were reconstituted in order to meet independence requirements implemented by the SEC and US stock exchanges in late 1999. SOX went further and enhanced independence requirements by requiring for the first time that all listed company audit committee members be independent, meaning they could not be affiliated with the company or any subsidiaries, and they could not directly or indirectly receive any compensation from the company other than in their capacity as members of the board.

SOX also encouraged audit committees to have at least one member who is a “financial expert”18 to serve as a resource to help the audit committee carry out its duties. This puts the audit committee in a stronger position to review and challenge financial statements, determine whether internal controls are appropriate and sufficient and, if necessary, mandate certain accounting actions to protect shareholder interests. Companies that do not have an audit committee member with financial expertise must disclose this in the annual proxy statement and explain the rationale for not having one. In 2003, only a small proportion of audit committee members were financial experts. Today, on average, 60% of S&P 500 audit committee members are formally designated financial experts.

To facilitate audit committees’ oversight of a company’s financial reporting, SOX required companies to provide audit committees with the resources and authority to engage independent counsel and advisors to help them carry out their duties. SOX also required audit committees to establish procedures for receiving whistle-blower complaints regarding accounting, auditing and internal control irregularities and to provide for the confidential and anonymous treatment of employee concerns regarding such matters. In addition, SOX enhanced the external auditor’s required communications with the audit committee to include the following:

  • A discussion of all critical accounting policies and practices used by the company
  • All alternative accounting treatments that have been discussed with management, the ramifications of the use of alternative disclosures and accounting treatments, and the accounting treatment preferred by the audit firm
  • Other material written communications between the auditor and management
(Chapter breaker)
4

Chapter #4

Enhanced transparency, executive accountability and investor protection

Another core element of SOX was to clearly define and place responsibility for a company’s financial statements with its CEO and CFO.

SOX mandated that these executives certify the following facts (among others) for each annual and quarterly report:

  • They have reviewed the report.
  • Based on their knowledge, the financial information included in the report is fairly presented.
  • Based on their knowledge, the report does not contain any untrue statement of material fact or omit a material fact that would make the financial statements misleading.
  • They acknowledge their responsibility for establishing and maintaining internal controls over financial reporting as well as disclosure controls and procedures.
  • They have evaluated the effectiveness of these disclosure controls and procedures and disclosed any material changes in the company’s internal controls over financial reporting.

By making management executives fully accountable for their companies’ financial statements and related controls, Sarbanes-Oxley set a clear tone for corporate responsibility and helped restore investors’ confidence in financial statements. To enhance the significance of these certifications, SOX mandated stiff penalties for executive officers who certify that financial reports comply with the various regulatory requirements while knowing that they do not. Such penalties include potential SEC enforcement action, forfeiture of bonuses and profits, or criminal penalties such as fines or imprisonment. As a further step to help restore investor confidence in corporate financial statements, SOX required companies to have an auditor attest to the effectiveness of the company’s internal controls over financial reporting (see additional discussion in the next section).

SOX established a number of other protections for investors, including:

  • Establishment of the SEC’s “Fair Funds” program: To supplement the financial relief available to victims of securities fraud, this program allows the SEC to add monetary penalties paid by those who commit securities fraud to the funds available for distribution to wronged investors.
  • Provision of accurate information to auditors: Public company officers, directors and persons operating under their direction are prohibited from manipulating, coercing, misleading or fraudulently influencing the external auditor.
  • Enhanced disclosures: Public companies are now required to provide enhanced disclosures in annual and quarterly reports regarding material off-balance sheet transactions, arrangements and obligations.
  • Disclosure of material changes: Public companies are required to report material changes in the financial condition or operations of the company on a rapid and current basis.
(Chapter breaker)
5

Chapter #5

Internal controls over financial reporting

Public companies must assess how effective their internal control over financial reporting (ICFR) is at preventing misstatements that could be material to the financial statements.

While public companies have long been required to maintain effective systems of internal controls pursuant to the Foreign Corrupt Practices Act of 1977, SOX requires them to annually evaluate their financial internal controls and to disclose the results of that assessment. This includes whether there were any material weaknesses in controls that may not prevent or detect a material misstatement in the financial statements.

The process of evaluating the effectiveness of a company’s internal control over financial reporting has been subject to significant discussion during the past few years. ICFR has been a source of significant PCAOB inspection findings, which has led to significant remediation efforts by audit firms to address the identified deficiencies. SEC staff have raised concerns that the audit deficiencies may indicate issues in ICFR and/or management’s assessment of ICFR.

The process of evaluating the effectiveness of a company’s internal control over financial reporting has been subject to significant discussion during the past few years. ICFR has been a source of significant PCAOB inspection findings, which has led to significant remediation efforts by audit firms to address the identified deficiencies. SEC staff have raised concerns that the audit deficiencies may indicate issues in ICFR and/or management’s assessment of ICFR.

For their part, preparers have raised concerns about how the auditor’s assessment of management review controls is being executed, including the degree of precision needed in ICFR assessments as well as the level of required documentation. Preparers have indicated that the work that auditors require of companies with respect to ICFR appears inconsistent with the reforms developed by the SEC and PCAOB in 2007 that were intended to enhance both the effectiveness and efficiency of the assessment process.

As a result of the concerns, both the PCAOB and SEC performed outreach with preparers, auditors, audit committee members and others to understand the concerns and consider next steps. SEC and PCAOB staff have provided additional perspective on the nature and extent of evidence required to support ICFR assessments, and plan to monitor activities in this area to assess whether further activities would be appropriate. They also continue to emphasize the importance of effective ICFR in providing reliable financial reporting for investors.

(Chapter breaker)
6

Chapter #6

Enhanced auditor independence

Quality audits performed objectively by independent auditors support investor confidence in financial reporting.

Sarbanes-Oxley strengthened auditor independence in several ways, including by restricting the types of non-audit services that audit firms can provide to the public companies they are auditing. Two additional ways that it reinforced auditor independence include requiring:

  • Audit committee preapproval of all audit and non-audit services by the auditor, enabling audit committees to assess the cumulative impact of all services provided by the auditor on its independence. SEC staff have emphasized that management and audit committees need appropriate policies and procedures in place to evaluate and monitor non-audit services provided by the registrant’s auditor in order to mitigate the risk that deviations in the scope of such services could impair independence.
  • Mandatory rotation of key partners involved in audits, to limit overfamiliarity with a company and/or management, including:
  • The lead engagement partner every five years (prior to SOX, professional standards required rotation every seven years)
  • Concurring audit partner every five years
  • Other audit partners who have significant responsibilities on audits every seven years

Since SOX, auditor independence has been a focus of both the SEC and PCAOB. The Commission and Board have emphasized the importance of auditors evaluating and applying the independence rules carefully and ensuring that partners and staff (including those providing non-audit services) receive training on the rules and follow them.

(Chapter breaker)
7

Chapter #7

Auditor oversight around the world

The PCAOB was one of the first independent audit oversight bodies to be created but now has numerous counterparts around the world.

In 2006, 18 such bodies came together to establish the International Forum of Independent Audit Regulators (IFIAR) in order to share knowledge of the audit environment, promote collaboration and consistency in regulatory activity and facilitate cross-border cooperation. Today, IFIAR members span the globe, covering 52 countries. In 2017, IFIAR achieved an important milestone, establishing for the first time a permanent secretariat, which is located in Tokyo, Japan.

IFIAR has undertaken several significant projects to increase consistency and collaboration among its members as well as improve audit quality. An early IFIAR project was to develop global principles on independent audit oversight that its members should strive to implement. More recently, IFIAR members concluded a multilateral memorandum of understanding (MMOU) regarding cooperation on inspections and enforcement matters. The MMOU establishes a framework for members to share information with each other confidentially, facilitating oversight of cross-border audits and cooperation on multinational investigations. In addition, during the past five years, IFIAR has released annual Global Surveys of Inspection Findings, which compile inspection data from a number of its members around the world.

IFIAR’s Global Audit Quality Working Group (GAQ)48 and the large individual audit networks meet regularly to discuss cross-border audit quality. One output of these discussions is that in 2015, the GAQ and the large networks set a target to reduce the number of listed public interest entity audits with at least one inspection finding by an aggregate 25% in the nine GAQ member countries over four years (by 2020). The GAQ and the networks also are engaged in dialogue on effective root cause analysis of inspection findings and implementation of actions to address them. The PCAOB is a member of the GAQ, and Board Member Lewis Ferguson is its Chair.

(Chapter breaker)
8

Chapter #8

Looking ahead: the next 15 years

Markets are constantly changing, and auditors, companies, regulators and other stakeholders must keep up in order to maintain their relevance and vitality.

While we believe the Sarbanes-Oxley Act will continue to be relevant over the next 15 years, we expect that audit oversight and standard setting will evolve in light of the dynamic environment. Some of the areas in which we expect to see significant evolution are the use of technology in audits, corporate reporting and standard setting, to name a few.

Technological developments

Advances in technology, including the use of data analytics, are allowing businesses to track large volumes of information about their operations. These advances also enable the audit profession to increasingly use data and analytical tools to carry out audits, with the potential to enhance the quality and relevance of the audit. They may allow, for example, auditors to test entire data populations rather than conduct sampling-based testing. Auditors are also able to use data and statistical techniques to help identify factors that are associated with quality audits and to further improve responses to audit risk. As technology continues to evolve, it will be important for the PCAOB and audit profession to engage in dialogue about the potential impact on the audit, inspections and audit standards.

Corporate reporting

Corporate reporting is another area in which evolution will lik     ely be a constant. Companies have begun voluntarily undertaking innovative approaches to make their disclosures more focused and effective. Technological changes may enable investors to more easily find the information most critical to their investment decisions through data tagging or other methods, and we should expect that. Integrated reporting and sustainability reporting, in addition to traditional disclosures provided by public companies, likely will continue to gain traction. Companies may also begin to report more about cybersecurity and non-GAAP measures.

PCAOB standard setting

We expect PCAOB standards, as well as the standard-setting process, to continue to evolve. Topics on the PCAOB’s research agenda and rule-making docket include changes in the use of data and technology in the conduct of audits, audit firm quality control systems, auditing accounting estimates and the use of specialists in conducting the audit. With regard to the standard-setting process, in recent years the PCAOB has innovated its approach, including by incorporating economic analysis in its rule-making and conducting its first post-implementation review of a standard in 2016. As discussed above, the PCAOB also is implementing a new process for selecting rule-making projects that involves first conducting research and obtaining extensive stakeholder input, setting the stage for high-quality standard setting.

Shift in PCAOB inspection focus

In the future, another area of potential evolution could be with respect to inspections placing greater focus on audit firm quality control systems. As Board Member Jeanette Franzel stated, “Another potential future change could involve evolution in the focus of inspection procedures between inspecting individual audits and testing of a firm’s quality control system … In an optimistic scenario of a large firm improving its quality control system so that it is effective in preventing audit deficiencies — in other words if a large firm strengthens its quality control system to the point that it has very few or no Part I audit deficiencies in the individual audits inspected by the PCAOB — then it may make sense to increase the inspection focus on testing the firm’s quality control system while potentially decreasing the number of audits inspected.”

Summary

We reflect on the positive change in the accuracy of financial reporting and quality of auditing in the US since the enactment of the Sarbanes-Oxley Act.

About this article

Authors

Bridget Neill

EY Americas Vice Chair, Public Policy

Regulatory and policy strategist with three decades of experience shaping public policy impacting the global financial markets and the accounting profession. Passionate about her family.

Shauna Steele

EY Americas Director, Public Policy

Experienced capital markets, public policy and trade professional helping EY firms in the Americas navigate the dynamic public policy environment. Avid reader, Spanish speaker and mother of three.

Related topics Public policy Assurance