Financial reporting hasn’t always been above board. Although Enron is one of the most infamous companies to misrepresent its assets, it isn’t the only organization to mislead the public about its liabilities and earnings. Congress fought back in 2002 by introducing steep penalties through the Sarbanes-Oxley Act, commonly shortened to SOX.
Under the SOX Act, organizations must follow specific requirements regarding financial reporting. The cost of non-compliance is steep: millions of dollars in fines, years of imprisonment or, in some cases, both.
Though internal compliance can also be costly, it’s still a fraction of the financial and reputational risks associated with not meeting SOX requirements. Here’s everything organizations need to know about SOX penalties and the cost of non-compliance.
What Is a SOX Violation?
A SOX violation happens anytime an organization does not meet a requirement set forth by the SOX Act. Violations can occur even if an organization misreports financial figures by accident. Though the SOX legislation is lengthy, there are several key provisions that all organizations need to know to sidestep a SOX penalty.
Some of these include requiring senior management to certify — in writing — that financial reports meet SEC disclosure requirements, that organizations have satisfactory internal controls and reporting methods and that organizations follow the rules for record-keeping and retention.
Though many SOX provisions call out financial departments, accountants and auditors, it also has requirements for IT departments. Organizations should complete regular SOX audits and ensure all teams are on board with compliance, so they don’t incur a SOX penalty.
What Are the Penalties for Noncompliance With SOX?
For SOX compliance, the following must accompany financial reporting: a written statement from the CEO and the CFO, certifying that the report satisfies SEC disclosure requirements and is a fair representation of the organization’s “financial condition.”
Executives who fail to meet either of the above requirements are subject to one of the below SOX penalties.
1. Penalties for Knowingly Submitting a Report That Does Not Meet Requirements
The first penalty occurs if an executive provides a written statement with a report they know does not meet the requirements of the SOX Act. Under SOX, “knowingly” means that the executive is aware of the report’s deficiency rather than an accident or mistake. In this case, the executive may be fined up to $1 million or serve up to ten years in prison.
2. Penalties for Willfully Certifying a Report That Does Not Meet Requirements
SOX reserves the steepest penalties for executives who willfully certify a financial report that either does not meet SEC disclosure requirements or is otherwise unsatisfactory under SOX. “Willfully” means that the executive did so with the intent to mislead or deceive. In this case, the executive may be fined up to $5 million or serve up to 20 years in prison.
3. Penalties for Companies That Fail to Comply
Executives aren’t the only ones subject to SOX penalties. Organizations can also suffer if their reports aren’t SOX compliant; they could be delisted from the public stock exchange, which is a massive hit for investors and shareholders.
SOX Protections for Whistleblowers
SOX penalties may be high, but it doesn’t penalize just anyone who knows about the misreporting. The SOX Act has provisions to protect employees, commonly called whistleblowers, who take steps to report financial fraud.
Companies themselves also can’t penalize employees for speaking up; the SOX Act states that employers won’t "discharge, demote, suspend, threaten, harass, or discriminate against" employees who cooperate with investigators or who testify against the company. If organizations do retaliate, the employee could sue them; another protection under the SOX act.
Creating a Culture of Compliance
Compliance isn’t about checking boxes, nor is it about limiting compliance activities to the teams named in the SOX Act. It takes more than financial and IT departments to make compliance a non-negotiable for all business activities. Effective internal compliance requires a more proactive approach that engages employees at all levels.
Organizations can protect themselves from SOX penalties and other financial and reputational risk by modernizing their approach to compliance. This requires doing away with manual processes, centralizing compliance methods and getting all employees on board. But that’s just the beginning.
We've identified four priority areas that are critical to getting your entire organization on board with compliance initiatives. Find out more by downloading the white paper Best Practices for Building a Culture of Compliance from Diligent.