A crucial aspect of organizations’ sustainability strategy, goal setting, and initiatives is tracking, analyzing, and reporting various environmental, social, and governance (ESG) factors and metrics. While the “E” and “S” of ESG typically get the lion’s share of leaders’ attention, the “G” shouldn’t get overlooked. To contribute to strong governance, accounting and finance professionals at all publicly traded U.S. companies and their auditors must be well-versed in the Sarbanes-Oxley Act (SOX), which was created in 2002 after several large scandals highlighted the need for greater corporate accountability.
Elizabeth Kettler
In 2001, Enron had been caught for inflating its financial position by hiding mountains of debt in special-purpose vehicles, and its auditor went out of business since it had enabled some of that behavior, recalls Elizabeth Kettler, a director in the accounting and reporting advisory group at Stout, a global investment bank and advisory firm. She notes that Worldcom, the second-largest telecom company in the world at the time, had inflated its profits by billions of dollars, and the CEO and CRO of Tyco were stealing significant sums of money from investors.
“All these scandals plunged investor confidence to an all-time low, prompting the need for greater accountability at both the executive and auditor level of public companies,” Kettler says. “In response, Congress passed SOX to hold companies and their leaders accountable for providing accurate financial information to investors.”
The Impact of SOX on Governance
The passage of SOX created the Public Company Accounting Oversight Board (PCAOB) and established standards for auditor independence, preventing auditors from also providing consulting services, which had created conflicts of interest. These new standards also created requirements for company leadership to certify that financial statements are complete, accurate, and safeguarded by internal controls to mitigate the risk of fraud, waste, or abuse.
“SOX created a framework for companies to implement assessments over the financial risks they face within their internal control environment,” Kettler says. “This boosted transparency and accountability.”
Overall, SOX has been a huge success, according to Kettler. She cites multiple third-party studies that show incidents of fraud have decreased significantly, while investor confidence in public companies’ governance has increased.
“It has helped companies identify areas for significant improvement such as opportunities to upgrade, reconfigure, or integrate financial systems and processes to resolve redundancies and process inefficiencies, and to develop processes that better align with the company’s growth strategy,” Kettler says.
Further, SOX compliance provides greater insight for companies involved in mergers and acquisitions. Kettler says that SOX has given buyers a framework to do robust due diligence and gain comfort with the seller’s financial statements and thus enter a business transaction with confidence.
Post-SOX Evolution of Internal Controls
Kettler notes that, through the PCAOB’s annual inspection program, it provides updated guidance for auditors, ultimately impacting what’s scrutinized and how much documentation support is deemed to be acceptable. Currently, there’s a significant focus on the completeness and accuracy of the key reports, or Information Produced/Provided by the Entity (IPE), that management uses in the performance of key controls, including enhancing management review controls. Instead of management relying simply on systems and processes—which can produce flawed information—to generate complete, accurate disclosures, IPE testing helps management and auditors gain comfort with the completeness and accuracy of the inputs used for control performance, Kettler says.
Technology can help. An investment tool such as robotic process automation (RPA) to improve SOX compliance efforts may lead to an increase in operational efficiency and a reduction in external audit costs, as a strong SOX environment can result in auditor reliance on internal controls to reduce the level of substantive testing, Kettler says.
“All in all, while ensuring SOX compliance requires an investment of time and money, when properly executed, a SOX compliance process can give insight into the financial standing of a company that’s valuable for both investors and company leadership,” she says.
Sustainability Standards and the Future of Reporting and Disclosure
Sustainability and ESG have been getting a lot of attention in the media and among investors and corporate executives, and SOX is especially relevant in relation to a recent SEC proposal for climate disclosures. Some companies expect that capturing and presenting ESG data will initially be more difficult than complying with SOX when it came out, since most ESG-related data has yet to be collected, in contrast to SOX, where most companies already had financial statements and ledgers from which to work.
An additional challenge with climate-related disclosures revolves around what constitutes a “climate-related event,” which means there will be a level of judgment required to identify what’s disclosed, the materiality of the disclosure, and how to build a financial framework around such a disclosure, Kettler says.
“While the capturing of specific data will be more challenging, and some data will be subjective, the framework established by SOX can be leveraged as a starting point for compliance with ESG requirements, though the effort will still require significant work,” she says.
Kettler suggests that financial reporting teams and SOX compliance groups should already be thinking about how they’ll stand up to audit-ready processes and controls. Due to the relative immaturity of ESG reporting and the various judgment calls involved, she says that many companies will find it helpful to engage an advisor who can share best practices across their specific industry.
Regulatory compliance, enforcing and strengthening internal controls, sustainability, ESG, and professional ethics are all connected. Regulatory requirements dictate what companies need to do to achieve compliance. That, in turn, drives enforcement and strengthening of internal controls and underscores the importance of professional ethics throughout a company’s operations and culture. ESG will essentially be seen as another business function over which management needs to have appropriate processes and controls to comply with regulatory requirements and build trust with all stakeholders.
The current challenge for most organizations is understanding ESG requirements and developing a framework for compliance. For many companies, this may mean changing significant portions of their business strategy, operations, and processes, Kettler says. This may impact business functions that need to be SOX-compliant, such as financial reporting, technology, and HR processes.
“Most companies will likely experience growing pains with ESG compliance similar to those when SOX was introduced,” Kettler says. “Understanding ESG requirements and establishing a framework for compliance will be challenging initially, but companies will continue to refine their compliance efforts, and the costs and level of effort to achieve compliance will decrease over time.”
November 2023