In quick reaction to corporate scandals that were spreading through the capital markets as rapidly, and with as devastating an effect, as an oil spill in the Gulf of Mexico, Congress enacted the Sarbanes-Oxley Act of 2002 ('SOX'). The goal wasn't to mop up the red ink spilling from the likes of Enron, WorldCom, Adelphia, and Tyco. Rather, the goal of the new law is to protect investors against future catastrophes by shoring up corporate governance and improving the accuracy and reliability of corporate disclosures, internally and externally.
Much as single-hulled tankers have had to give way to new double-hulled tankers to protect ocean and coastal eco-systems, it was time for the old system of corporate checks and balances to give way to a new system to protect the integrity of the capital markets. The old system relied upon shared responsibilities between senior management, the board of directors (in general), the audit committee (in particular), and the corporation's outside auditors. It was based upon accountability of the empowered to the empowerers, and relied heavily on integrity and the alignment of the interests of management with those of the company's shareholders. After years of erosion, the old system cracked and was swiftly replaced.
The new system of corporate checks and balances, by design, involves all persons responsible for protecting all classes of corporate assets: tangible, intangible and human. It engages all levels of management, board members, independent directors, line employees, and professional advisors. It is based on accountability to the corporate business system, the capital markets and the corporate shareholders. In other words, SOX has spread corporate responsibility from the boardroom and executive suite, through the finance department, and deep into the human resources, product management, and risk management offices. The focus of this article is to share insight into the role of risk managers under SOX.
Risk management responsibilities have expanded dramatically under SOX because of the new law's disclosure and internal financial controls requirements, whistle-blowing and document retention requirements, and professional advisor responsibilities. Because of SOX, many risk managers, perhaps for the first time, have direct and extensive contact with audit committee members.
WORKING WITH PROFESSIONALS
Risk managers should be fully cognizant of the tough new rules adopted by the SEC under SOX to prevent efforts to improperly influence outside auditors in carrying out their responsibilities. Such influence could be exercised to cause the outside auditors to issue an inappropriate report on the company's financial statements, to not perform an audit, review or other procedure, to withdraw an issued report, or to fail to communicate a matter to the company's audit committee. The new rules apply to company officers, directors and people under their direction. Culpability under the new rules goes beyond the company to customers, vendors, consultants and lawyers who assist in efforts to influence or misinform the outside auditors. The threshold for finding a violation of the SEC rule is very low. Besides providing false or misleading information to the outside auditors, other acts or omissions (such as placing pressure on the outside auditors, intimidation, verbal abuse, creating undue time pressure, or holding back access to information) can result in liability.