What is Sarbanes-Oxley Compliance?

Sarbanes-Oxley compliance refers to compliance with the Public Company Accounting Reform and Investor Protection Act of 2002, also known as Sarbanes-Oxley. Sponsored by Senator Paul Sarbanes of Maryland and Representative Michael Oxley of Ohio, the Act was a response to an excess of corporate fraud scandals, such as the Enron case. Compliance requires that financial institutions carefully document and disclose their internal controls, the ethics codes that employees are subject to, and audit committee reports.

The Act is rather complicated, and its aim is to prevent corporate fraud. To that end, Sarbanes-Oxley compliance requires attention to many different clauses. For example, Section 402(a) limits the conditions under which companies can make loans or extend credit to their executives, and Section 404 mandates that companies compile self-assessment reports addressing the effectiveness of the internal controls they use.

Sarbanes-Oxley compliance also requires agents of the law to adhere to the legal changes that the Act has made. For instance, Title VIII, the Corporate and Criminal Fraud Accountability Act of 2002, makes fraud a riskier business and expands the government’s ability to prosecute in cases of fraud. The Act makes it illegal to falsify or destroy documents, requires that auditors keep records for at least five years after an audit, extends the statute of limitations for fraud prosecution, and contains a provision for “whistleblower protection” for employees who comply with the law against their company’s wishes. Similarly, Title IX increases the penalties for fraud and gives the Securities and Exchange Commission more authority when dealing with fraud cases.

Studies on Sarbanes-Oxley compliance have shown that, proportionately, large financial institutions spend much less on achieving compliance than small companies do. In fact, compliance with the Act is often so expensive that many small public companies have become private in order to avoid the expense. Originally, only companies with a market capitalization of 75 million US Dollars (USD) or more had to comply with the internal control reports, but after several years, companies of all sizes were required to comply.