It’s the name of a piece of U.S. compliance legislation, with global implications, that was signed into law in 2002. A key section, Section 404, took effect on Nov. 15, 2004. It’s designed to prevent financial malpractice and accounting scandals such as the Enron debacle. It’s also known as the Public Company Accounting Reform and Investor Protection Act. The shorter moniker comes from the names of Sen. Paul Sarbanes, D-Md., and Rep. Michael Oxley, R-Ohio, who are credited as the main architects of the Act. It’s becoming known as SOX, SarbOx or SOA.

The Act covers a whole range of governance issues, many of them concerning the kinds of transactions a company and its officers are allowed to engage in, with an emphasis on keeping everything above board. For example, the Act forbids personal loans to officers and directors. Former WorldCom boss Bernie Ebbers had taken considerable loans from his company shortly before it became the center of a corporate scandal. Other measures define the responsibilities of the audit committees that oversee a company’s financial reporting and its compliance. The Act also offers protection to whistleblowers.

While much of this is common sense and achievable, the real challenge of SOX is ensuring it is observed and that compliance can be demonstrated, accurately monitored and reported. The most common area of focus is the archiving of all communications and the creation of transparent, auditable systems for recording transactions, dealings and any kind of business correspondence. This should mean traders can’t contact one another or analysts on the quiet, and deals can’t be lost in the muddy waters of business. Applications such as instant messaging are also being singled out as areas that need to be secured and made clearly accountable.


Keeping everything has been a lot of people’s gut reaction, according to Mark Ellis, Computer Associates’ director of storage and information management. But it’s not quite that extreme. Many companies just assume that as long as they record all that data, they will be compliant with that aspect of SOX, which is true, if a little naïve about the storage and logistics implications of such thoroughness. Ellis describes this reaction as being “like a rabbit caught in the headlights” and explained that “people need to know what they must keep.”

“Legal compliance is not about what you need to keep, it’s about knowing what you can delete,” he said, imploring companies to find out more about the complicated legislation.

Most companies are having to work with accredited auditors and consultants to ensure they have checked all the right boxes. In the United States, Ernst & Young and PricewaterhouseCoopers each account for about a fifth of this market, with KPMG and Deloitte and Touche accounting for about 13 percent each. These firms are there to test compliance and search for material weaknesses, the flaws that would fail the SOX test, and a clean filing from one of them is priceless for a company affected by SOX: there is a lot of shareholder trust to be gained from demonstrating compliance.

Even if nothing bad ever happens, companies cannot afford to be remiss with their compliance. Noncompliance with SOX will probably mean heavy fines, which as yet have not been outlined or defined, and a serious loss of shareholder trust and brand value. After all, nobody wants to think their stock might become the next Enron shares. Large financial institutions will probably be able to pay any fines with pocket change, but the loss of face and the ensuing PR disaster of public naming and shaming could be colossal.

For more information:

Securities and Exchange Commission
Deloitte and Touche