Sarbanes-Oxley may be onerous, tedious and expensive. But it is also – and arguably the most important overlooked thing – a virtual and heretofore never-considered ally of corporate managers. In fact, as this author argues, learning to live with Sarbanes Oxley can yield unanticipated dividends and make a manager’s life a lot easier.

Since its passage in 2002, the Sarbanes-Oxley Act (SOX) of the United States has generated a great deal of controversy. Proponents maintain that it did not go far enough to curb agency problems and restore shareholder confidence in the governance of large public corporations. Critics contend that it has gone too far, is complicated, confusing and, most importantly, very costly to execute. In this article, I argue that the benefits from the compliance of SOX should outweigh, at least in the long-run, its associated costs. The essence of my argument hinges on how SOX compliance serves as a proxy for the key components of strategy implementation–– a job inherently complicated and expensive——but instrumental in the eventual success of a corporation.

The Critics Speak

Following its establishment in the United Kingdom in 1991, the Cadbury Commission issued a report entitled, Cadbury Committee Report: Financial Aspects of Corporate Governance in the UK, in 1992. Sir Adrian Cadbury, former chairman of Cadbury Schweppes and an ardent proponent of stringent measures to curb executive wrong doings became a synonymous with corporate governance reform. An offshoot of the Cadbury Commission, the Cadbury Report aimed at improving the perceived low level of confidence in financial reporting and in the ability of auditors to provide safeguards to the users of company reports. Sir Cadbury’s most notable achievement, the Cadbury Code, represents a highly codified set of recommendations of the Cadbury Report, which got immediate acceptance in about 50 countries. Not surprisingly, say some observers, the Cadbury Commission’s 19 recommendations for stricter and more effective governance of British public corporations culminated in the passage of SOX in 2002.

The SOX of 2002 represents perhaps “the most far reaching reforms of American business practices since the time of Franklin Delano Roosevelt” [http://www.sec.gov (accessed May 5, 2006)]. Once admired for their enviable track record, a few household names such as Arthur Anderson, Enron, Hollinger International, Tyco and WorldCom became synonymous with executive corruption, scandal and greed. In response, on July 30, 2002, President Bush signed into law the Sarbanes-Oxley Act of 2002. The essential reforms brought about by SOX include, among other things, accounting oversight, auditor independence, disclosure, analysts’ conflict of interests, accountability for fraud, and attorney’s responsibilities. Without question, these reforms have significant ramifications not only for the public and private corporations in the US, but also for the corporations of other countries transacting with US firms, Canada included.

Below, I offer a brief overview of the criticism that has frequently been labeled against SOX, followed by an explanation of how this is related to corporate governance and strategy. Then, I present a strategy implementation model that shows how SOX compliance serves as a proxy for the basic levers of strategy implementation. Because these levers are inherently expensive, compliance with SOX may offset a great deal of costs associated with strategy implementation. I conclude on a high note, that compliant firms can turn the burden of SOX into a source of competitive advantage by integrating the Act’s relevant provisions into their routine strategy implementation process.

The most frequently heard criticism of SOX is that complying with it is time-consuming and costly, particularly for relatively small public corporations. However, the most serious criticism is directed at three sections—404, 406, and 409—under Title IV: Enhanced Financial Disclosures. The provisions of these three sections are related to some sort of internal control. Section 404, for example, requires companies to file management assertion and auditor attestation to the effectiveness of internal controls over financial reporting. Section 406 requires compliance with applicable government laws, rules, and regulations. Section 409 requires companies to disclose material changes in their financial or operating conditions on a rapid and current basis. According to various estimates, fulfilling such requirements is likely to substantially increase compliance costs. The estimates of such costs have varied widely across sources, however. Moreover, such cost estimates, according to experts, are far from accurate. One such expert notes that the numbers in the debate come from surveys and expert observations reported in the popular press, where biases and methodology can skew the estimates substantially (Bialik, C. 2005. How much is it really costing to comply with Sarbanes-Oxley? http://online.wsj.com/article. Retrieved on June 17, 2006).

But the criticism of SOX on the grounds of time and cost is greatly misplaced. My defense of it has not so much to do with the estimation bias or methodological flaws of such surveys. Rather, my defense stems from the fact that a great deal of compliance with the SOX-mandated internal control provisions falls under the repertoire of strategy implementation. Any sound strategy implementation invariably requires thorough internal control, which, if blended with the ongoing operations and culture of the corporation, should greatly offset the costs of SOX. In the end, there should not be a great hue and cry about the compliance costs of SOX.

Strategy and corporate governance

Although corporate governance and strategy—its formulation and implementation—are inextricably interrelated in many different ways, two relationships are vital. The first relationship stems from the separation of a firm’s ownership from its control. As a seminal work (e.g., Berle, A.A., & Means, G.C. 1932. The modern corporation and private property. New York: Macmillan) documented about three quarters of a century ago, diffused stockholders of large public corporations surrender the control of their wealth to professional managers. Such a separation undermines the role of profit maximization as a guide to resource allocation. This is the prototypical agency problem, which embeds large US corporations in a repository of mechanisms for the protection of shareholder interests. Agency theory stipulates that as rational economic actors in the governance of a corporation, managers are impediments to stockholders’ interests and that these managers place self-interests above all else. For example, because a corporation’s size is the most important determinant of the structure and level of salary and perks it pays to its top managers, executives are keen on cutting corners in order to grow the company. Yet when the corporation incurs losses from such expansions, these losses reduce retained earnings, which, in turn, reduce dividends to shareholders. Because of the divergence of interests of these two groups—stockholders and top executives—shareholders need to find a way to align the interests of executives with their own so that shareholders’ interests are protected. It is in this context that corporate governance takes on added importance.

The second relationship, although rooted in the first, is somewhat indirect. Many investors consider the reputation and integrity of a firm’s top management team as a proxy for board effectiveness. What follows is that the self-serving decisions of a firm’s top management team signals a governance problem within the firm which, in turn, negatively affects its ability to attract capital both at home and abroad. Therefore, executive decisions without a clear link to value propositions can erode the respect of investors and employees, undermining faith in the free-market system. Both implications are serious, and SOX is primarily intended to address these two imperfections in the governance of large publicly-traded US corporations.

Strategy implementation and SOX

As it should follow from the above section, corporate governance has a lot to do with the strategies of a firm. I, however, stress that the most important interrelationship between the two resides in strategy implementation. Smart strategies abound, but the problem lies with their effective implementation. Experts have come to appreciate that a well-conceived strategy is one that can be implemented effectively. Because strategy implementation is the sin qua non for competitive advantage, the focus on the content and process of successful strategy implementation in both academic and practitioner circles has taken on added importance. Strategy implementation is also very expensive. In essence, a company incurs most of its bureaucratic costs, that is, the costs associated with the running of a governance structure, for strategy implementation (Jones, G.R., & Hill, C.W.L. 1988. Transaction cost analysis of strategy-structure choice. Strategic Management Journal, 9: 159-172). Implementation levers such as control systems, integration devices, and structures add substantially to such bureaucratic costs. Control systems are put in place to make sure that top managers implement the strategy in a way that, while being subject to ethical and legal constraints, will maximize stockholder value. As I will elaborate later, this is a diagnostic view of strategic control. Control can be interactive as well. A combination of diagnostic and interactive approaches makes control systems “ … information-based processes for planning, budgeting, cost control, environmental scanning, competitor analysis, performance evaluation, resource allocation, and employee rewards” (Simons, R 1990. Strategic orientation and top management attention to control systems. Strategic Management Journal, 12: 49-62). Integration ensures that proper communication and coordination take place among managers and employees at various functional and divisional units of the organization. Structure is an organizational blueprint that guides the flow of information and the context, intensity, and nature of human interactions. As it may seem obvious, these three levers are intertwined. I argue that compliance with SOX includes these three basic levers, and thus, offsets the SOX-related bureaucratic costs to a large extent. Given this offsetting effect, SOX compliance is not really as expensive, time-consuming, and prohibitive as many make it out to be.

The above discussion is captured in the two following graphic representations. Figure 1 shows the relationship among strategy implementation, its three levers, and corporate governance. As the top oval displays, a company’s board of directors, as well as its top management team, provides the real perspective for its strategic leadership. The top management team is responsible for making decisions regarding the content and process of strategy implementation, and thus, this influence is shown by the arrow from the yellow oval to the green one. Implementation cannot occur in a vacuum: top managers implement strategies through the stated three levers, and as such, the arrow also flows downward to the purple oval. While implementing strategies, top managers have ample opportunities to engage in self-serving endeavors. Proper adherence to the implementation levers, especially control mechanisms, is likely to curb agency problems arising from managerial opportunism. Hence, another vertical arrow flows upward from the purple oval. Strategy implementation involves the creation of control systems that, in conjunction with integration and structure, satisfy managerial needs to understand performance. Existing control, integration, and structure influence and shape strategy implementation as it proceeds. Such interrelationships between strategy implementation and its three levers are demonstrated by the use of two almost laterally slanted arrows in inverse directions between the green and blue ovals.

To stress a bit further, although these inverse arrows show that the need for control, strategy, and structure stems from strategy implementation, the interaction between the three, while put to work, may dictate the success or failure of strategy implementation.

Figure 2, which is an adaptation of the widely-used balanced scorecard approach (Kaplan, R.S., & Norton, D.P. 1992. The Balanced Scorecard: Measures that Drive Performance. Harvard Business Review, January-February: 71-79), is basically an illustration of how companies should exercise control on different dimensions of their performance. This approach combines financial measures of a firm’s performance with three other measures: customer satisfaction, internal processes, and innovation and learning. Together, the extent to which a firm has been able to achieve success on these four measures in relation to the set targets determines its overall performance. In essence, then, a balanced scorecard demonstrates strategic controls along four dimensions which, in turn, amount to organizational performance.

As the balanced scorecard perspective suggests, the realization of a firm’s performance, in essence, is a control of unfavorable variances, which are normally detected through management by exception. In this sense, control systems are diagnostic tools for the detection of variances. In large, complex organizations, the real cause of a variance is generally rooted in multiple sources, some seemingly unrelated to the variable itself. Therefore, tracing the sources of variances turns out to be difficult, if not impossible, in certain cases. This difficulty calls for as much relevant information at the managers’ fingertips as possible so that they can properly assess the real reasons underlying a variance.

In order for this to happen, there should be a repository of information—preferably seamless—highlighting the mismatches or contradictions, if any, among relevant variables across functions or divisions. Such a provision not only ensures instantaneous checks and balances, but also eliminates the ex-post need for digging out otherwise irrelevant information, simplifies audit trails, and finally, reduces or eliminates chances for cost overruns. Therefore, the diagnostic role of control systems is likely to greatly offset excessive accounting and audit fees, which critics tend to attribute to compliance with SOX.

Figure 2: A Balance Scorecard Approach:

When control systems are interactive, in addition to initiating remedial actions in response to exceptions, top managers also engage themselves in the decisions of subordinates on a regular basis (Simons, R 1990. Strategic orientation and top management attention to control systems. Strategic Management Journal, 12: 49-62). When such interactive control is pursued, debate and challenge of data, assumptions, and actions become formalized in the organizational routine and culture. One important purpose of SOX—providing legal protection to employees of publicly-traded companies who report unethical or illegal practices—is thus mitigated through interactive control, which makes ethics part of the regular decision making process for managers and employees alike. Any deviation may lead to bad publicity, public backlash, expensive law-suits (including class action), and finally, plummeting share prices. As well, this may dampen employee morale and infect the entire corporate culture or subcultures with a sense of insecurity, helplessness, and mistrust. As the missteps of Arthur Anderson, Enron, Hollinger International, Tyco, and WorldCom executives tell us, there is too much to lose, including life1, in being unethical, dishonest, and greedy. On the other hand, a company which pursues and promotes ethical practices, adds much to its reputation, and likely outperforms rivals in profitability and long-run sustainability. Consider PepsiCo. Recently, PepsiCo received an offer to disclose its bitter rival’s highly-guarded, confidential trade secrets. Instead of seizing this opportunity, PepsiCo contacted Coca-Cola immediately and alerted the FBI, which nabbed three Coca-Cola employees. By doing this, PepsiCo set a unique example of high ethical standard, benefited its shareholders, instilled a sense of pride amongst its employees, and most importantly, raised the standard of competition for the entire soft drink industry.


In summary, SOX is intended to force public corporate executives to do what they already have an administrative, fiduciary, and moral responsibility to do in the first place. As I have argued throughout this paper, the incremental cost beyond the existing responsibilities of the organization should be marginal when compared to the systems, processes, and cultures that are already supposed to exist. So, why should companies not begin to learn to live with and love SOX?

For their assistance in preparing this article the author wishes to thank Susan DeYoung, Kendra Hart, Greg Hebb, Sunny Marche, and Andrews Oppong.