The Sarbanes-Oxley (SOX) Act of 2002 is almost two decades old, but it remains one of the most complex capital markets regulations in the US regulatory system. Recent events have seen an uptick of interest in the Act, which has led us to release this latest primer that addresses what it does, why it was necessary and the concerns that the market may have.
What is the Sarbanes-Oxley Act of 2002?
SOX was a law passed in 2002 in direct response to a number of high-profile scandals that came during the dot-com bubble, such as at Enron in 2001 and WorldCom earlier that year. It came as a direct result of concern over the reliability of financial reporting in the US corporate sector.
The act took its name from its two sponsors, Senator Paul Sarbanes of Maryland and Representative Michael Oxley from Ohio.
The Act introduced stringent financial reporting standards. The major innovation from SOX was a requirement that companies have their auditors attest to the sufficiency of internal controls, which are those that a company relies upon in preparing financial statements.
"The thought being that if the internal controls for companies preparing financial statements are shaky, then the chances that the company will report incorrectly on how to issue a restatement, whether due to error or due to fraud, increases," said Joseph Hall, partner at Davis Polk.
In essence, the SOX Act was an attempt at comprehensive reform to address many of the accounting abuses that plagued that era of capital markets.
Who is subject to Sarbanes-Oxley?
SOX applies to all issuers (including foreign private issuers) that:
- have registered securities under the US Securities Exchange Act 1934;
- are required to file reports under Section 15(d) of the Exchange Act; or
- have filed a registration statement under US Securities Act 1933, as amended (the Securities Act), that has not yet become effective.
What reforms does it contain?
Effectively an extension to the Securities Exchange Act of 1934, SOX addressed some of the weaknesses that had been highlighted in existing securities laws. "For example, previously, many tried to go out and hold officers and directors liable, in some cases – particularly with directors – the argument was that there could be no liability because there was no access to information," said Mike Hermsen, partner at Mayer Brown.
SOX created various reporting requirements for accountants and attorneys to ensure that information was provided to the board so that it could make informed decisions and would no longer be able to argue that there was no access to information or liability.
It also created the Public Company Accounting Oversight Board for the auditors of public companies. Before this, accounting firms had been self-regulating, covered by state law requirements with only minor SEC involvement. SOX created a body that brings uniformity and imposes stricter requirements on auditors about how they go about doing their day-to-day work.
Perhaps the most significant provision led to far more stringent requirements around companies' internal controls. Firms were required to implement substantial internal control requirements related to the integrity of financial reporting and in most cases were forced to have those controls vetted by auditors.
"SOX substantially increased the costs of being a public company; the dreaded SOX 404, which is probably the most salient provision it contains, but there are many, many others included in the legislation that have far ranging consequences," said Adam Fleisher, partner at Cleary Gottlieb.
Almost all of what had been perceived as weaknesses in securities laws before then was addressed in SOX. For issues such as conflicts of interest, SOX brought provisions that prohibited certain actions between executive officers and public companies. The Act addressed these issues very specifically, so as to be readily available to hold actors liable in the event of similar types of accounting events occurring in the future.
What are the downsides?
As with all regulation, SOX has its critics, but it also remains largely unchanged and uncontested in its 17-year history. As such, it would be hard to argue that it has not been successful. According to Hall, it has been "a huge benefit to financial reporting in the US to require companies to have their internal controls audited by independent auditors." The lack of major accounting scandals in its wake proves its success.
"The biggest complaint is that the cost that compliance imposes on companies, particularly newer public companies or smaller ones, can be quite dramatic," said Hermsen. "It does discourage companies from going public as early as they might otherwise have in the past, it shows that they are just not ready to be public companies with this reporting regime, or are not able to bear the cost of being a public company."
SOX 404 plays a large part in this. Compliance creates a lot of cost and a lot of work. "The perception from a lot of issuers is that, if they aren't doing anything wrong and have good systems, then it is overkill," said Fleisher. "SOX led to a flood of foreign issuers in particular leaving the US market, there was a wave of deregistration and delisting in the wake of 2002."
Of course, there are a lot of reasons for companies to avoid going public, such as market conditions, valuations, monetary policy and the widespread availability of relatively cheap money. Certainly, public company compliance is an important factor, but it can be overplayed. Regulatory benefit or cost, if looked at fairly, SOX has had a huge impact on the reliability of financial statements and a huge impact on investor confidence in the markets. Other regulations such as the JOBS Act in 2012 looked to counteract these issues and reinvigorate the IPO market but have had little impact.
Several factors work in tandem: a number of investors chasing yield, the development of a highly sophisticated private market and the higher costs associated with being public due to SOX. As a result of these factors, companies are staying private for longer.
"The real question is really how to reduce the cost of compliance. The SEC or others need to be thinking if there are ways still to provide the benefits without necessarily incurring the same costs," said Hermsen.
Although the Act was seen as a burden for several years, its resilience shows its success.
The rules are clear, and the concern is making sure that firms comply. Overall, it has been a successful piece of legislation.
However, the recent debacle at shared workspace company WeWork arguably highlighted certain weaknesses. Had the company gone public two or three years ago when it first came to prominence, at a much lower valuation, it has been suggested that the reportedly excessive behaviors at all levels of management would have been halted far earlier on and not left to go on unabated. The cost of compliance, however, delayed its IPO and the result was the excessive valuation, which could still lead to the company's demise.
According to one partner, it likely is more the scrutiny of the public market, rather than any single piece of legislation, that led to the valuation adjustments in this case. "In effect, a number of retail and institutional investors looked at the trade and addressed it in light of their own views and experiences from pressure testing the model," they said.
When corporates are private it is up to investors to put a mark on the securities based on their own valuation benchmarks, wherever more capital can be raised and wherever there is spotty secondary trading. The private secondary market is not as robust as the public markets, and there is a lot more give in the joints around valuation – but it is a different process after going public. When a company announces its intention to go public, everyone takes out a magnifying glass to try and figure out what the company is actually worth.
There have been suggestions that similar measures imposed on public companies should be applied to those that are in the midst of an IPO, before they are public. This too raises concern: "If they are going to have to be subject to this as private companies it is going to put a dampener on the innovation and invention that these companies are working on, because they are going to be subject to SEC scrutiny even sooner," said Hermsen.
In the case of WeWork there were a lot of disclosures about material weaknesses. There have not been many high-profile cases of companies going public where the first internal control audit revealed that the entire business model was a fraud.
"If there were a few more of those there would be more pressure to have the internal controls audit applied to IPO companies, but nobody is advocating for that right now," said Hall.