FirmAdapt
FirmAdapt
LIVE DEMO
Back to Blog
sarbanes-oxleyfinancial-reportinginternal-controlssec-and-regulatory

The Impact of Sarbanes-Oxley on Financial Reporting Quality 20 Years Later

By Basel IsmailJuly 10, 2026
The Impact of Sarbanes-Oxley on Financial Reporting Quality 20 Years Later

Sarbanes-Oxley came out of a genuine mess. Enron collapsed in late 2001, WorldCom admitted to a multibillion dollar accounting fraud a few months later, Arthur Andersen disintegrated, and for a stretch it was reasonable to wonder whether any published financials could be trusted. Congress responded in 2002 with the most sweeping corporate reporting law since the original securities acts of the 1930s.

More than two decades on, the fair question is whether it worked. My read is mostly yes, with real gaps. If you analyze companies for a living, or manage your own money seriously, both halves of that answer are useful, because SOX also created a paper trail that most investors never bother to read.

What SOX actually changed

Three parts of the law matter most for anyone reading financial statements today.

Section 302 makes the CEO and CFO personally certify every quarterly and annual report. Before SOX, an executive caught with fraudulent numbers could plead ignorance and point at the accounting department. That defense is mostly gone now. The certifications are filed as exhibits 31.1 and 31.2 in each 10-K and 10-Q, and Section 906 backs them with criminal penalties that reach $5 million in fines and 20 years in prison for willfully certifying false statements.

Section 404 is the one analysts should care about most. Companies must document and test their internal controls over financial reporting, management must assess those controls every year, and at larger companies an independent auditor has to attest to that assessment. Every process that touches financial data, from revenue recognition to inventory counts, gets mapped, tested, and made defensible. I spent years inside American Express, and the sheer volume of process that exists at a company like that purely because of Section 404 is hard to overstate.

The law also created the PCAOB, the Public Company Accounting Oversight Board, to inspect and discipline audit firms. Until then the audit profession regulated itself, and Andersen's role in Enron made a fairly complete case that self-regulation had failed.

The cost complaint

The loudest criticism of SOX has always been cost, and it's fair as far as it goes. Compliance means audit fees, internal audit staff, documentation systems, and a lot of management attention. Those costs barely register at a mega cap but can consume a meaningful share of the finance budget at a small one, so the burden lands hardest on the companies least able to absorb it. Some firms have cited SOX when explaining a decision to go private or to list outside the US.

The benefit side is harder to see because it's diffuse. Fraud that never happens doesn't show up in anyone's budget. So the costs are concentrated and visible while the benefits spread thinly across every investor in the market, and that asymmetry has kept the argument alive for twenty years. Anyone who lived through the Enron era, though, or watched Wirecard unravel in a market with no SOX equivalent, will have a hard time calling the discipline worthless.

Did reporting quality actually improve?

The evidence leans positive. Financial restatements surged in the first years of Section 404 as companies and auditors dug into control environments and found problems, peaked around 2006, and have trended down since. That's roughly the pattern you'd hope for: an initial wave of cleanup, then fewer errors reaching published statements because controls catch them earlier.

Audit quality moved too. PCAOB inspections are public, they name deficiencies, and firms that get flagged tend to clean up their practices in later cycles. Whatever you think of the board's pace, auditors now operate under real external scrutiny for the first time.

There's a limit, though. The SOX control framework is built to catch process errors and clumsy manipulation. It's much weaker against management override, where a CEO or CFO simply instructs people to book entries the controls would otherwise flag. The most damaging frauds in history ran through the top of the house, and a certification regime raises the personal cost of that behavior without making it impossible. The US has had plenty of post-SOX accounting scandals, so controls raise the floor without guaranteeing the numbers, and you should treat them as one input rather than an answer.

How to use SOX disclosures in your own analysis

The practical payoff is that the law forces every public company to publish a running assessment of its own reporting reliability, and all of it sits on EDGAR for free.

Start with Item 9A of the 10-K

Item 9A, Controls and Procedures, is where management reports on internal control effectiveness and where material weaknesses get disclosed. A material weakness means there's a reasonable possibility that a material misstatement would not be prevented or detected in time. Sit with that definition for a second: the company is telling you, in its own filing, that its numbers could be materially wrong without anyone catching it. The market usually punishes these disclosures, and it should.

Separate the two audit opinions

At accelerated filers, the auditor issues one opinion on the financial statements and a separate one on internal controls, and the two can diverge. A clean opinion on the financials next to an adverse opinion on controls means the auditor believes this year's numbers are fairly stated but the process that produced them is unreliable. I'd treat that combination as a yellow flag on every estimate-heavy line item, since next year's numbers will come out of the same broken process.

Track the trajectory, not the snapshot

Say a company disclosed a material weakness two years ago in revenue recognition for multi-element contracts, described a remediation plan, and closed it out the following year. That's a normal story, and arguably a good sign about how seriously management takes the finance function. Now compare a company that remediates one weakness and discovers two new ones in different areas, three years running. That pattern points at something systemic: underinvestment in accounting staff, turnover in the controller's office, or acquisitions being bolted on faster than the back office can absorb them.

Read the audit fees in the proxy

Audit and audit-related fees are disclosed every year in the proxy statement. Compare them with similar-sized companies in the same industry. Fees that look unusually light for the company's complexity can mean the audit is being shopped on price. A sudden jump with no acquisition or accounting change to explain it often means the auditor found something that required extra work. Neither is proof of anything, but both belong in your notes.

The small company blind spot

One wrinkle matters a lot if you fish in small caps. Non-accelerated filers, historically defined by a public float under $75 million, are exempt from Section 404(b), the auditor attestation. Management still has to assess its own controls under 404(a), but nobody independent checks that homework. The JOBS Act extended a similar exemption to newly public companies for up to five years.

So the smaller and younger the company, the more the control story is self-graded, and that's exactly the corner of the market where reporting problems surface most often. The SOX disclosures you'd most want verified are the ones that aren't. For small caps I put extra weight on adjacent signals: who the auditor is and how long they've held the engagement, late filings, CFO turnover, and whether the footnotes explain the judgment calls or just recite boilerplate.

What PCAOB inspection reports tell you

Hardly anyone uses these, which is strange because they're free and quite readable. The PCAOB publishes inspection reports on individual audit firms, describing how many of the audits it examined had deficiencies serious enough that the firm should not have signed off the way it did. If the firm auditing your company keeps showing up with a high deficiency rate, that doesn't invalidate any particular opinion, but it should lower your confidence in the attestation work generally. The audit firm's name is right in the 10-K, so the lookup takes minutes.

Since 2019, phased in by company size, the auditor's report also includes critical audit matters, the areas where the audit team faced the most difficult judgment calls. CAMs read like a map of where the accounting risk lives: goodwill impairment assumptions, revenue on long-term contracts, loss reserves. If you only read one page of an audit report, make it that one.

Where SOX falls short

A few honest caveats. The compliance burden probably contributed to companies staying private longer, though researchers still argue over how much of the IPO decline to pin on SOX versus the rise of abundant private capital. Either way, public market investors have fewer companies to choose from than they did in the late 1990s.

Inside companies, control testing can rot into a checkbox exercise. When the same walkthroughs run the same way every year regardless of how the business has changed, the testing stops measuring actual reporting risk. You can sometimes spot this from the outside, in control disclosures that don't change a word year over year while the business transforms underneath them.

Personal liability also cuts both ways. Executives who face prison for a false certification get careful, which is the point, but careful can shade into defensive. Disclosure that has been scrubbed by three layers of lawyers is often technically accurate and practically uninformative, and plenty of MD&A sections read exactly like that.

Putting it to work

The certification-plus-controls model clearly stuck. The SEC reused the same architecture for its cybersecurity incident disclosure rules, and newer reporting regimes keep borrowing it: management attests, someone independent checks, the market reads the exceptions.

For your own process, treat SOX disclosures as a standing feed on reporting reliability. Read Item 9A, note any material weakness and its remediation status, check whether the controls opinion matches the financials opinion, glance at audit fees in the proxy, and look up the audit firm's latest PCAOB inspection. That's maybe an hour per company, and it's an hour most investors never spend. We built this monitoring into FirmAdapt's company diagnostics because doing it by hand across a full watchlist gets tedious, but every piece of it is sitting in EDGAR for free.

SOX didn't end fraud, and it was never going to. It raised the price of sloppy reporting and left behind a structured, comparable record of how much to trust each company's numbers. Most investors never read that record, so working through it remains one of the cheaper ways to catch problems before they show up in the stock.

Ready to uncover operational inefficiencies and learn how to fix them with AI?
Try FirmAdapt free with 3 analysis credits. No credit card required.
Get Started Free