Management Tools: Reporting for SOX Duty

By Paul Falcone Jun 1, 2006

HR Magazine, June 2006

Review your Sarbanes-Oxley responsibilities and brush up on other ethical practices.

When Congress passed the Sarbanes-Oxley Act of 2002, the new law unleashed a panoply of corporate obligations and responsibilities, not the least of which affected the day-to-day conduct of employees of publicly traded companies. When most U.S. workers hear the name Sarbanes-Oxley, or SOX as it's often abbreviated, the first thing that comes to mind is financial and operational controls and disclosure requirements. And while financial measures and reforms in corporate governance standards make up a majority of SOX initiatives, documented codes of ethics are also a mainstay of the act.

To comply with the new law, publicly traded companies must publish a code of conduct and ethics, often referred to as a business conduct statement, that in turn must be proactively communicated to all employees.

That proactive communication typically comes in the form of live or online training, and is critical to employee comprehension and ownership. When SOX was passed, it had teeth. After the stock market crash of 2000 to 2003, when millions of investors lost trillions of dollars in the equities market, having depended in good faith on falsified corporate financial statements, Congress made sure that any public companies that failed to comply with SOX reporting requirements would face stiff consequences.

Specifically, CEOs and CFOs could face penalties of up to $1 million and/or imprisonment for up to 10 years for something known as defective certification. Defective certification means that the CEO either knew or should have known about the inaccuracy in the company's filed financial statement but failed to correct it. In addition, CEOs and CFOs could face penalties of up to $5 million and/or imprisonment for up to 20 years for willful noncompliance, or fraud.

Once SOX made CEOs and CFOs criminally liable, U.S. corporations took notice and rolled out ethics and compliance programs in all worldwide locations at an unprecedented pace. Now is a good time to recognize your responsibilities and rights under SOX as well as to review other ethical obligations in the workplace.

Disclose Potential Conflicts of Interest

SOX contains management certification requirements to confirm that no potential conflicts of interest exist that could threaten the validity of a corporate filing. To avoid defective certification, a CEO must verify that the information contained in a financial report is accurate and complete. And the only way your CEO can do that is to poll the workforce and ask employees to certify that they in turn have no conflicts of interest that could interfere with the larger corporate filing.

So what does a potential conflict of interest look like? "A conflict of interest exists when your outside business or personal interests adversely affect or have the appearance of adversely affecting your judgment at work," says Ann Kotlarski, litigation partner in the employment practice of Seyfarth Shaw LLP in Los Angeles. "It's critical that you disclose in writing anything that could place your company at risk, and having an undisclosed family relationship with co-workers, customers, suppliers or competitors of the company is typically the No. 1 issue," says Kotlarski. Other examples of potential conflicts include:

  • Accepting a personal benefit that obligates you in any way to a customer, vendor or competitor.
  • Accepting or offering cash under any circumstances.
  • Taking a business opportunity away from your company by doing personal business with a customer, supplier or competitor of the company, except as a regular consumer.
  • Having a financial interest in a customer, supplier or competitor, other than less than 1 percent ownership of a publicly traded company.

How do you handle such situations? Simply report these potential conflicts on any employee certification form that your company asks you to complete. "To be on the safe side," advises Kotlarski, "even if you're not given a formal disclosure form, e-mail the issue to your supervisor so that you have an electronic record of the disclosure to protect yourself."

Protect Company Time, Property and Supplies

A critical obligation that you have to your company lies in your use of company property. Remember that your e-mail and voice mail are company property. You have no reasonable expectation of privacy when it comes to e-mail, voice mail, desks or lockers, advises Kotlarski. And you could expect your company to reiterate this point during SOX training. Company systems are for company use. Period.

Does that mean that you can't surf the Internet for a few minutes to buy a book, schedule a flight or the like? Probably not. Most companies won't punish employees for limited and reasonable use of the Internet. However, you've got to be careful. If you visit a retail web site and then minimize that site on your desktop (i.e., keep it running but out of sight) rather than close it, it will still show up electronically as a continuous connection should you be audited by your company's IT department.

Here's how that perception problem could play out in the workplace: If your boss complains to human resources that your performance is substandard because you're spending too much time on non-company activities, HR may ask IT to run a check on your Internet usage. The result? The electronic record you will have made could come back to bite you. If that retail site you were visiting was minimized for four hours even though you only accessed it for four minutes, it could end up being your word vs. your boss's regarding the amount of actual work time that you spent making that retail purchase.

Bear in mind as well that if you purchase a screen saver for your home PC at a local retailer and later install it on your work computer, that could be a big problem. Remember that IT is obligated to conduct desktop audits on occasion, and if you've installed software that the company doesn't own a license for, you could be disciplined for violation of software licensing rules.

Oh, and don't forget the more-common-than-we'd-like-to-believe problem about pornography on the Internet, advises Kotlarski. Just because you close your door and draw your shade doesn't mean that you couldn't be terminated even for a first offense of viewing pornography in the workplace. Many employees seem to forget that their Internet visits are traceable.

What do you do, however, if you accidentally connect to a web site that contains inappropriate information like pornography? Disconnect the second you realize that you shouldn't be there. In fact, you may want to call human resources or IT, explain the situation, and forward them the e-mail link that you accidentally opened to make a record of the unintended site visit, says Kotlarski.

Finally, bear in mind that whatever you commit to e-mail becomes an electronic record of the company's. Plaintiffs' attorneys are taking advantage of the gold mine of discoverable information available from poorly thought out e-mails.

Your best bet? Avoid putting anything into e-mail format that you wouldn't put on company letterhead because of its questionable nature. Just pick up the phone and call instead. If you still feel a need to use e-mail to document your message, speak with your corporate general counsel about making the communication an attorney-client privileged document.

Remember as well that any extraordinary attempts to destroy pertinent e-mail communication could be seen as an obstruction of justice, and employees of both publicly owned and privately owned companies could face fines and imprisonment of up to 20 years. It doesn't matter if you delete the e-mail, clear out your recycle bin, or even instruct someone in IT to delete the information from the primary and backup servers.

Warns Kotlarski: "All you'll be doing is creating an electronic record of your efforts to impede an investigation since the meta-data will ultimately remain traceable."

Your Rights Under SOX

Section 806 of the act, the whistle-blower protection, prohibits retaliation against any employees of a publicly traded company who make good-faith complaints and then are subject to retaliation for disclosing illegal activities by their employers that could ultimately constitute material fraud against shareholders. Here again SOX has teeth: CEOs and CFOs will be subject to fines and up to 10 years in prison for retaliating against informants.

For that reason, you can expect your company's code-of-conduct trainers to emphasize the importance of a flexible reporting chain when lodging a complaint. The whole thrust of SOX centers on disclosure and review. A company can only fix problems that it is made aware of, and if employees fear going to their immediate supervisors, they must be given the chance to speak with others in the company.

That's why many publicly traded companies provide their worldwide employees with phone numbers and e-mail addresses of senior corporate leaders and even audit committee board members. Employees may contact the board directly, either confidentially or by disclosing their names. Either way, employees have direct and immediate access right to the top of the corporation.


Your company will no doubt take the opportunity to document and train all employees about its expectations regarding workplace behavior in terms of harassment and discrimination. SOX is, after all, a statement and confirmation about workplace ethics and behavior. Reminding everyone of their right to enjoy, and ensure, a workplace that is free from inappropriate workplace behavior consequently lies right at the heart of SOX's ethics message.

First, understand that if you are a supervisor and develop a personal relationship with a subordinate, then that personal relationship must be disclosed. That's fairly logical: If you have the ability to affect a subordinate's performance review or merit increase, and you suddenly fall out of love, any negative work-related criticism could be viewed as retaliation. What would be a typical company response to disclosing a personal relationship with a subordinate? Transferring the subordinate to another unit or supervisor so that there is no immediate threat of retaliation may provide a simple and fair solution. The key lies in disclosing the new relationship right away, before a perception of retaliation ever has a chance of rearing its ugly head.

Second, remember that harassment can take place on duty or off, in the office or on the road. Therefore, you should expect co-workers to treat you with the same respect off-site as in the office. Likewise, you're under no obligation to put up with inappropriate comments or off-color jokes, physical contact (think back rubs), or nonverbal conduct such as leering or staring. Any such incidents should be reportable to a flexible reporting chain within your company, including your supervisor, department head, human resources, labor relations or other company compliance officers (typically corporate counsel).

Be aware, however, that absolute confidentiality cannot be guaranteed if you make a claim that requires an investigation (and almost all claims do). Of course, all reports should be treated as confidential to the extent appropriate. However, human resources or the individual conducting the investigation will likely be obliged to expand that investigation on a need-to-know basis and ultimately bring your complaint to the individual charged. Such confrontation is never easy, but, again, your company's antidiscrimination policies and practices should provide appropriate protections from retaliation.

SOX Reiterates Ethics

SOX certainly caught corporate America's attention. Any time a new law threatens criminal sanctions against a company's CEO and CFO, you can expect that law to garner lots of attention in the press as well as in the practice of company operations.

SOX is a broad law that covers ethical business issues ranging from anti-trust and insider information matters to political and charitable contributions and international anti-boycott laws. Its most significant contribution will no doubt lie in its emphasis on financial compliance and internal controls.

Its alter ego, however, focuses on human behavior and ethics, and companies that undergo best-practices SOX training will re-emphasize the importance of maintaining a work environment that upholds the highest standards of business ethics and workplace behavior. Your rights and responsibilities are now more clearly outlined and defined than ever before, and for that you can be grateful, both as an employee and as an investor.

Paul Falcone is a human resource executive and a best-selling author of five AMACOM books, including 2,600 Phrases for Effective Performance Reviews, The Hiring and Firing Question and Answer Book, 96 Great Interview Questions to Ask Before You Hire, and 101 Sample Write-Ups for Documenting Employee Performance Problems: A Guide to Progressive Discipline and Termination.
