Individual Behavior, Corporate Action and Sarbanes-Oxley

Governance
Author: Robin Lyons, Principal, IT Audit Professional Practices, ISACA
Date Published: 14 February 2022

In recapping the history of the Sarbanes-Oxley Act (SOX) of 2002, discussions often include lists of the corporations whose actions led to enactment of this United States legislation. The terms “corporate scandal” and “corporate fraud” are used. This is not untrue and the legislation itself even specifically mentions corporate failure when it refers to the collapse of Enron. Given that, there is a direct correlation between corporate actions and the SOX legislation. But, as we know, corporations are made of individuals. So, are recaps of SOX’s history remiss in attributing these collapses or failures solely to corporations?

In reviewing the impact of SOX, the Journal of Business Ethics referenced results from a symposium that considered accounting ethics and regulation in an article entitled Thematic Symposium: Accounting Ethics and Regulations: SOX 15 Year Later. The article offered its opinion that the impact of SOX has been largely based on research of economic results related to the stock market or audit fees. The article added that this was surprising since the heart of the legislation was whether SOX had reduced unethical behavior of executives and audit firms.

Excluding torts, where an officer or director acting in his or her official capacity may have some personal liability, it is true that the corporation is the most likely defendant in circumstances of corporate naughtiness. But the linear relationship from individual behavior to corporate action is very real. In fact, SOX legislation calls for a code of ethics for senior financial officers. This requirement complements periodic reporting required by the Security Exchange Commission (SEC) under the SEC Act of 1934 that confirms adoption of a Code of Ethics by companies for whom SOX is applicable.

A natural question, then, is: how effective are codes of ethics at stemming corporate fraud? Looking purely at codes of ethics from a design perspective (not including execution), examples of potential weaknesses include codes that make it challenging for employees to make a connection between the code and their behaviors. This is perhaps because the codes are too legalistic, too vague or lacking in guidance that relate to the particular line of business.

So, there are challenges with codes of behavior. However, these governance tools do provide a platform for clear statements of corporations’ expectations of its individual members – for example, employees who defend themselves against allegations of misleading customers by saying that they were never told that they could not lie could benefit from very clear statements. Also, until there are studies or research that specifically target the behavior of executives and audit firms, having a Code of Ethics is a great tool to have in place to drive the connection between individual behavior, corporate action and Sarbanes-Oxley.

Editor’s note: For additional resources on this topic, download ISACA’s IT Control Objectives for Sarbanes-Oxley publication.