Clause 61: The Pushback Blog

Because ideas have consequences


Sarbanes-Oxley: Ideas Are Not Laws


The Sarbanes-Oxley Act of 2002 was and still is a contentious piece of legislation. Comments are still flying insinuating that the law is an unwarranted intrusion into the private sector and has negative consequences for the economy as a whole. I do not agree with this claim.

The act is also an excellent case study into how government does not operate on constitutional principles and the problems that arise from this fact. It works well in this role because the law is relatively brief and comprehensible — as acts of Congress go — and because so many ordinary people have had to live with the consequences.

Let’s peel it apart and see what the issues are.

The Law

The text of the law can be found here: It is only 66 pages long, and not nearly as difficult to comprehend as the Patient Protection and Affordable Care Act of 2010.

The act, commonly referred to in industry as Sarbox or SOX, is divided into eleven major sections, or Titles:


Much of the law addresses problems commonly found in business at the time of the legislation. For example, Title II addressed the practice of consulting firms offering audit services essentially as a loss leader to get the ear of executives so they could sell computer software selection, systems implementation and other management services. Once such relationships were in place, the notion of auditor independence was out the window; a dissatisfied audit client could hit back by reducing purchases of non-audit services from the consultants. The GAO had been pushing for changes in this area for years. As a result, all the audit firms who had not already spun off their management and IT consulting businesses were forced to do so.

Most of the complaints about the act arise from Title IV. For example, Section 402 prohibits publicly traded companies from making personal loans to their officers, a common practice prior to 2002. If you want to have a company that you can use as a personal piggy bank, don’t take the company public. Then it’s between you and your other private investors (if any) how you run it. However, it is bad public policy to allow these practices in a publicly traded company.

The most problematic part of the law was Section 404. Here it is, in its full glory:

(a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall—
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
(b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

That’s it. The officers of the company have to attest that they have adequate internal controls and, as described in Section 302, they have to sign the report. Here is Section 302 in its entirety:

(a) REGULATIONS REQUIRED.—The Commission shall, by rule, require, for each company filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m, 78o(d)), that the principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed or submitted under either such section of such Act that—
(1) the signing officer has reviewed the report;
(2) based on the officer’s knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading;
(3) based on such officer’s knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report;
(4) the signing officers—
(A) are responsible for establishing and maintaining internal controls;
(B) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;
(C) have evaluated the effectiveness of the issuer’s internal controls as of a date within 90 days prior to the report; and
(D) have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;
(5) the signing officers have disclosed to the issuer’s auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function)—
(A) all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize, and report financial data and have identified for the issuer’s auditors any material weaknesses in internal controls; and
(B) any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls; and
(6) the signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.
(b) FOREIGN REINCORPORATIONS HAVE NO EFFECT.—Nothing in this section 302 shall be interpreted or applied in any way to allow any issuer to lessen the legal force of the statement required under this section 302, by an issuer having reincorporated or having engaged in any other transaction that resulted in the transfer of the corporate domicile or offices of the issuer from inside the United States to outside of the United States.
(c) DEADLINE.—The rules required by subsection (a) shall be effective not later than 30 days after the date of enactment of this Act.

It’s a little longer, and it’s not entertaining reading, but it is not incomprehensible, either. And there is some dry humor here: anyone who has ever worked in a publicly traded company would find it comical to think of an executive team cheerfully reporting, “Yeah, we have these known deficiencies in our internal controls” to the shareholders.

Congress acted to address real problems. Every time there was any accounting irregularity at a publicly traded firm, the executives would claim no knowledge of it, seeking low-level employees and managers to blame. At the same time, executive compensation was spiraling upward and justified by the claim that companies needed the best talent available. There are plenty of people who are good at evading responsibility; there is no need for a bidding war to find talent like that.

However, there is a substantial problem with the law as written: what, legally, is an internal control structure? By what criteria does one judge its adequacy? Sarbox is mute on this subject. So how do you know whether or not you are out of compliance with the law?

Chaos Reigns

For five years, the business world was plunged into a compliance crisis. Are my financial controls adequate? How do I tell? How would I substantiate it in court if I had to?

The law became the Sarbanes-Oxley Full Employment for Management Consultants Act. An entire industry sprang up for devising controls that might be adequate. Examples of the extent to which people went include:

  • An instance where the company required the CFO to personally hand every employee their payroll check;
  • An instance where auditors found the company out of compliance because a salesperson spent $15 for donuts for a meeting and was not required to have two authorizing signatures on the reimbursement;
  • An instance where auditors required the company, as part of Sarbox compliance, to take pictures of a smoke detector and retain receipts for the batteries.


Further, the newborn audit industry put great weight on separation of duties, which focuses on the risk of low-level misbehavior. As Solomon and Peecher observed in a 2004 Wall Street Journal article:

Billions are being spent documenting controls that lie below, and can be stealthily overridden by, C-suite members.
— “SOX 404 — A Billion Here, a Billion There …”, WSJ, 9 Nov 2004.

There was a general tendency to demonstrate compliance by volume instead of weight. Elaborate charts and documents were generated to show the abundance of controls, whether or not they provided meaningful reduction of risk.

The real danger was that a class-action suit would assert that shareholders were defrauded by a company having inadequate controls, and then a judge would be determining what adequacy was.

Meanwhile, everyone who wanted to avoid change now had an evergreen excuse to do so: “We can’t do that because of Sarbanes-Oxley.” In 2006, my responsibilities included changing business processes. I finally downloaded the legislation on to my laptop and, when confronted with this excuse, would invite the person to look at the law and show me where it says the existing process has to be the way it was to maintain compliance. Disingenuous, to be sure; but so was the excuse I was given. This is the real hidden economic cost of Sarbox: compliance as a justification for inertia.


Title I of the Act created the Public Company Accounting Oversight Board (PCAOB) to supervise the audit practices of publicly traded companies and set standards. Although its actions have the force of law, Section 102 explicitly states:

(b) STATUS.—The Board shall not be an agency or establishment of the United States Government, and, except as otherwise provided in this Act, shall be subject to, and have all the powers conferred upon a nonprofit corporation by, the District of Columbia Nonprofit Corporation Act. No member or person employed by, or agent for, the Board shall be deemed to be an officer or employee of or agent for the Federal Government by reason of such service.

The Act made the PCAOB answerable to the Securities and Exchange Commission, which is an independent agency of the federal government. The SEC must approve PCAOB rules and standards.

In July 2007 the PCAOB produced Auditing Standard No. 5: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, which formally provided for:

  • Risk-driven determination of control adequacy;
  • Scaling of the audit relative to the size of the business being audited.

Nevertheless, the guidance primarily addresses the process of auditing the controls, rather than control structure adequacy.

The constitutionality of the PCAOB was itself challenged. Within Section 101, this paragraph provides the SEC with exclusive supervision over board members:

(6) REMOVAL FROM OFFICE.—A member of the Board may be removed by the Commission from office, in accordance with section 107(d)(3), for good cause shown before the expiration of the term of that member.

This places the board members outside the supervision of either Congress or the President. The challenge maintained that the PCAOB violated separation of powers, and further that the board members should have been working for the Government since they were executing the law. The challengers sought an injunction blocking the board from exercising the authority described in Title I. In 2010, in the decision Free Enterprise Fund and Beckstead and Watts, LLP v. Public Company Accounting Oversight Board, et al. (561 U.S. 477), the Supreme Court found that the structure did violate separation of powers, but simply severed the clause from the remainder of the Act, which the Court upheld.

Management Controls

Managers exist to plan, organize, staff, direct and control. Management controls are the tools available to you as a manager so that you can know what is going on when your back is turned.

Here are some common examples of management controls:

  • An expense report;
  • A purchase order;
  • A work order in a factory;
  • A second signature line on a check;
  • A budget;
  • A schedule;
  • A project review meeting;
  • A status report;
  • Paid vacation with a requirement that it be used every year (Do you see why? If not, think about check kiting: you can’t go on vacation if you’re kiting checks.).

Many managers are not good at devising and implementing controls. If you have any significant work experience, think about all the false starts and big splashes that you have seen, which fizzled out in weeks when upper management turned their attention to the next emergency or big idea. What happened? Almost always, a plan was launched with no controls. Once the sponsors were no longer paying full attention, the entire initiative fell by the wayside.

Controls have costs, and can be applied excessively. You may have seen checks requiring a countersignature only where the amount exceeds a threshold level. The risk of abuse below that level is not worth the additional time and energy to obtain a second signature. This is why the earlier cited requirement to get two signatures on a reimbursement for $15 of donuts is ridiculous.

Typically, as a company grows, controls have to be put in place, and these harden into policies. Then you encounter people who think policy is God and have no understanding of why the policy came about, enforcing minutiae while failing to understand intent. Eventually the company chokes on red tape, and the policies have to be relaxed. Then, the next time financial results go down or a compliance crisis occurs (such as the one provoked by this legislation), a new set of policies is thrown together. And so on, and so forth, and scooby doobie doobie.

So if the members of Congress and their staff aides thought that “adequate internal control structure” was a well-understood norm in the private sector that needed no definition, they had another think coming.


Throughout Anglo-American history, people strove to replace rule of man with rule of law. Rule of man could be arbitrary and capricious; rule of law is systematic, comprehensible and predictable. Under rule of law, the citizen can know what actions would be contrary to the law and avoid these actions.

The Constitution considers Congress the premier branch of government, not the President (you’d never know that from watching TV news). Article I is half of the original Constitution. The Constitution forbids Congress from taxing the exports of a state to another, granting titles of nobility or passing bills of attainder. The Constitution provides Congress with the authority to coin money, raise and support armies and make laws.

The law works best when there are lists of requirements that you can check off. For example, to have a contract, there must be lawful subject matter, parties with capacity to commit to a contract, offer, acceptance and consideration to both sides. If any of these elements are not present, there is no contract. The law then defines the elements: what constitutes adequate capacity to enter into a contract, what is and what is not acceptance, what is and what is not consideration. The issues can get complicated because people are complicated; even so, it is possible to apply the law to the facts and figure out whether or not you are in a contractual relationship.

The citizen has to be able to comprehend the law and its application to her actions in order to be law-abiding. Judges love to say, “Ignorance of the law is no excuse.” But you can read Sarbox from front to back and still have no idea what would be an adequate internal control structure, and thus in compliance with the law. It is not possible to apply Sarbox to your facts and figure out whether or not you have adequate internal controls.


… [T]he Supreme Court created modern jurisprudence by giving full faith and credit to any expression that could get a majority vote in Congress. The Court’s rule must once again become one of declaring invalid and unconstitutional any delegation of power to an administrative agency or to the president that is not accompanied by clear standards of implementation.
— Theodore Lowi, The End of Liberalism (2nd Ed.), 1979, p. 300.

The Constitution visualized Congress as the lawmaking power within the government, Congress being the branch of government most accountable to the people (and to the states, but that is another topic for another day). The president is the executive and exists to execute the will of Congress. There was no provision for administrative agencies effectively accountable to no one.

The last time the Supreme Court took non-delegation seriously was 1935. In A. L. A. Schechter Poultry Corporation, et al. v. United States (295 U.S. 495), the Court found that the National Industrial Recovery Act contained an unconstitutional delegation of congressional law-making power to the executive.

President Roosevelt’s response was to threaten to seek congressional approval to expand the Supreme Court by six additional justices. Roosevelt abandoned this “court-packing” proposal after one justice shifted his position on rulings in 1937 to be more favorable to Roosevelt — the “switch in time that saved nine” — while another justice who was consistently opposed to New Deal legislation retired. Since then, the Court has been unwilling to uphold non-delegation.

Lowi shows how the rule of law has been abandoned as public controls have shifted:

  • from concrete and specific to abstract and general;
  • from rule-bound to discretionary;
  • from proscriptive through prescriptive to comprehensive (Lowi calls this last categoric).

Under present conditions, when Congress delegates without a shred of guidance, the courts usually end up rewriting many of the statutes in the course of construction. Since the Court’s present procedure is always to find an acceptable meaning of a statute in order to avoid invalidating it, the Court is constantly legislating. In contrast, a blanket invalidation under the Schechter rule is tantamount to a court order for Congress to do its own work.
— Lowi, p. 300.

The Constitution visualized Congress as the lawmaking body and accountable to the people. The Constitution, augmented by John Marshall, did not visualize courts as accountable to the people, but neither did the Constitution grant courts the power to make law. No one visualized a private non-government entity reporting to an independent federal agency where the private entity could make pronouncements with the force of law.

For rule of law to exist, it is necessary that the government is rule-bound. Laws must have clear definitions of the behavior to be avoided. Complex issues will arise that will cause the public to have a sense that something is going on that is improper, unfair or downright wrong. However, the starting point is that behavior is allowed unless ruled otherwise. If Congress cannot spell out what the unlawful behavior is, there should be no law.

The Bottom Line

The Sarbanes-Oxley Act offers a tour through important issues that are fundamentally wrong with lawmaking today:

  • Congress passed what was described as a law, but was really, in the instance of Section 404, a sentiment.
    • There were no factual definitions of the proscribed behavior.
    • The citizen could not know whether or not he was in compliance with the law.
  • Congress made a full-toss delegation of the definition of the details of the law to a non-governmental entity (PCAOB) working for a constructively autonomous federal agency (SEC).
  • Citizens had to wait years to have key aspects of the law operationalized and when that was provided, it was not provided by Congress.
  • Confronted with a constitutional challenge to the law, the Court granted itself a line-item veto to rewrite the law.
  • No one who operationalizes the law is politically accountable to the citizens for his actions.

It serves as an example of these issues that is comprehensible by those of us who have had to live with the effects of the law.


Written by srojak

October 31, 2015 at 5:14 am