
The Effect of SOX on Internal Control, Risk Management, and Corporate Governance Best Practice

by David A. Doney

Executive Summary

  • The effect of the Sarbanes–Oxley Act of 2002 (SOX) has been dramatic and global. SOX enhanced the regulatory framework for investor protection and confidence.

  • SOX has required or encouraged a variety of best practices related to management accountability, auditor independence, audit committees, internal control reporting, risk management, and improvement of financial processes.

  • One of the important contributions of the regulatory guidance is the “top-down risk-based assessment,” a robust framework for identifying and assessing financial reporting risks.

  • Compliance approaches, benefits, and costs continue to evolve as practice and regulatory guidance change.


The Sarbanes–Oxley Act of 2002 was passed in the context of a series of high-profile corporate scandals, a brief recession, and the events of 9/11. These factors were cited by President George W. Bush as a threat to investor confidence and the US economy overall. He also declared: “This law says to every dishonest corporate leader: you will be exposed and punished; the era of low standards and false profits is over; no boardroom in America is above or beyond the law.”1

US Senator Paul Sarbanes stated that during the development of the law, a series of Senate hearings with experts from business, government, and academia resulted in a “remarkable consensus on the nature of the problems.”2 These included inadequate oversight of the accounting profession, conflicts of interest involving auditors and stock analysts, weak corporate governance procedures, inadequate disclosure rules, and insufficient funding for the Securities and Exchange Commission (SEC).

The SOX law, corresponding guidance from regulators, and evolving approaches to implementation have resulted in a variety of internal control, risk management, and corporate governance best practices.

Hold Management Accountable

The law requires that the CEO and CFO sign certifications quarterly and annually attesting that they have reviewed the financial statements and (to their knowledge) believe them to be fair, accurate, and complete. Penalties for fraudulent certification are severe. This requirement has encouraged such best practices as:

  • Disclosure committees: A cross-functional group of top-level managers that meets to discuss pending public disclosures, including quarterly and annual financial reporting.

  • Representation letters: To support the certification by the CEO and CFO and ensure that material information is made known to them, a variety of senior finance and operations managers sign representation letters regarding financial reporting matters relevant to their areas of responsibility.

  • Improvement of finance organization: Many companies expanded the number and quality of financial personnel, particularly with respect to US Generally Accepted Accounting Principles and SEC reporting requirements.

Maintain Auditor Independence

Auditors are the primary watchdogs of the corporation. Prior to SOX, auditors performed significant consulting work for publicly traded companies (“issuers”) that they audited. Further, auditors often moved into senior financial management positions in the client company. These factors created at least a perceived conflict of interest.

SOX prohibits auditors from providing many types of consulting services to issuers they audit.

The law also prohibits an audit firm from auditing an issuer if the issuer’s CEO, CFO, controller, or chief accounting officer (or equivalent) was employed by that firm and participated in the audit of the issuer during the year preceding the audit.

Empower the Regulators

Prior to SOX, the audit industry was self-regulated. SOX established the Public Company Accounting Oversight Board (PCAOB), a nonprofit, nongovernmental entity overseen by the SEC, to oversee the firms that audit public companies. The PCAOB sets auditing standards, inspects registered audit firms, and publicly discloses the results of its inspections and any disciplinary action taken.

Critics also argued that the SEC, the regulator tasked with investor protection and corporate disclosure standards, was significantly underfunded and understaffed. The SEC budget was nearly doubled in the wake of SOX and remains at that level today.

Engage Audit Committees

Prior to SOX, former SEC Chairman Arthur Levitt stated that “qualified, committed, independent and tough-minded audit committees represent the most reliable guardians of the public interest.”3 The many scandals that led to SOX indicated that audit committees were not performing their financial oversight responsibilities effectively.

SOX mandated that the audit committee, rather than management, be accountable for the relationship with the auditor, including selection, compensation, retention, and review of independence. Issuers are now required to disclose whether or not the audit committee has a financial expert, which has encouraged additional financial expertise on audit committees. Auditors are now required to provide more robust disclosures to the audit committee regarding alternative accounting policies and their discussions with management. Audit committees must also ensure the availability of an anonymous reporting channel for accounting or auditing matters (i.e. a “whistleblower hotline”). The law also expanded protection for whistleblowers and penalties for retaliation against them.


Further reading


  • Farrell, Greg. America Robbed Blind: How Corporate Crooks Fleeced American Shareholders (and How Congress Failed to Stop Them). Buda, TX: Wizard Academy Press, 2005.

