Are You Clear?

Wipe away the confusion surrounding your various responsibilities for Sarbanes-Oxley compliance.

HR Magazine, October 2005

Touted as one of the most important and most complex pieces of legislation in recent history, the Sarbanes-Oxley Act of 2002 (SOX) helps to assure the investment community that corporate financial disclosures have veracity and that company executives are held accountable for maintaining an ethical code of business conduct.

On the surface, SOX seems to be a minimal HR concern. But dig a little deeper and you will find HR aspects scattered throughout the 66-page labyrinth. “There’s so much for HR to do that it can seem overwhelming,” says Donna Martin, senior vice president and chief HR officer at Ameren, an electric power producer in St. Louis, who is helping her company meet all the HR-related SOX mandates enforced by the Securities and Exchange Commission (SEC).

Without a doubt, the most time-consuming piece of the legislation for HR professionals is Section 404 (covered in-depth in the first article of this cover package, "Demystifying Section 404"). However, other sections of the law impose burdens and have ramifications that HR can ill afford to ignore. Following is a section-by-section overview of the major HR-related issues.

Section 402: Executive Compensation/Personal Loans

Section 402 of the Sarbanes-Oxley Act bans personal loans to executive officers or members of the board of directors. (An executive officer is any person who performs a policy-making function, as defined under SEC Rule 3b-7. Examples include company presidents, as well as vice presidents in charge of a principal business unit, division or function such as sales, administration or finance.) Loans made prior to July 30, 2002, are grandfathered; however, they can’t be renewed or modified unless in favor of the company.

HR-administered programs that may run afoul of Section 402 include:

  • Split-dollar life insurance policies, in which a company pays premiums for a policy insuring the life of an officer or executive.
  • Stock option exercises, which are company extensions of credit for broker-assisted, cashless exercises of stock options.
  • Loans to cover home purchases or college tuition.

The act does not apply to loans taken from an executive’s 401(k) account, loans for business purposes (like travel advances), or loans to employees who are not executive officers or directors. Should these individuals be promoted to an executive position, it’s likely their loans will be grandfathered. So far, many companies are opting to eliminate personal loans to all employees—executive or not.

Even with loans that are permissible—travel advances, personal use of company credit cards and relocation payments—there are potential problems, cautions Audrey Mross, a partner and head of the labor and employment group at Davis Munck PC, a Dallas-based law firm.

“If you’ve got someone in the C-suite with outstanding payments due on his American Express card who has been commingling business and personal purchases, when the company pays the balance on the card, it could be making an illegal loan,” cautions Mross. “The advice is to have a written agreement with executives where they authorize you to withhold money from their pay to cover the bill when it comes in. That’s one fail-safe way to get the money back.”

Section 306: ERISA Notifications

During a blackout period, which is a temporary suspension on stock trading, executive officers and directors are prohibited from engaging in transactions involving securities they acquired as a result of their employment—such as through a 401(k) savings plan or profit-sharing plan that offers stock as an investment option.

Section 306 requires companies to provide executives and the SEC with advance notice of the blackout period. It does not set a time limit, discuss a format or require a particular mode of delivery. Stacy D. Shartin of Seyfarth Shaw in Los Angeles recommends written notice. If someone improperly takes advantage of the blackout period, willfully or not, the company is entitled to recover any profits the executive realized.

A second SOX notification requirement in Section 306, geared at protecting workers, requires companies to notify employees at least 30 days prior to a blackout. Notice may be sent electronically. Contents should include reasons for the blackout, expected dates for the blackout, and a statement that participants and beneficiaries should evaluate their current investment decisions in light of their inability to change investments during the blackout.

Section 406: Ethics Code

Section 406 of the act requires companies to have an ethics code designed to deter wrongdoing, including a statement promoting financial integrity that clearly applies to senior financial officers.

There is no prescribed format for the code. It should emphasize that unethical conduct will not be tolerated, that employees have an obligation to report wrongdoing, that they can do so without fear of retaliation, and that the company is obligated to investigate each report fully and fairly. HR will need to document that employees received not only a copy of the code but also suitable training. The code should affirm commitment to:

  • Honest and ethical conduct.
  • Avoidance of conflicts of interest.
  • Full, fair, accurate, timely and understandable financial disclosure in reports and documents.
  • Compliance with applicable government laws, rules and regulations.

“Most companies already have decent codes; many need to beef up the financial fraud provisions and be more specific in emphasizing C-suite accountability,” Mross says. Minimally, all new hires should be provided with a copy of the code and asked to sign it. Often, each employee is asked to review and sign the code again annually. The code should appear prominently in the employer’s literature and online.

Section 301: Complaint Procedures and Training

Section 301 of SOX requires companies to develop a complaint system and an anti-retaliation statement and to communicate these to employees.

In addition to current employees, HR should open up the complaint system to former employees, customers and public interest groups. This is usually done on a company’s web site, which should provide opportunities for complaints to be delivered anonymously. Information about the complaint process may be included in the ethics code or issued separately.

At Kansas City Southern Railway, HR is responsible for investigating all types of wrongdoing, SOX included. The complaint process appears in the business ethics and conduct statement. “We encourage employees who have any knowledge about compliance issues to let us know,” says HR Director Tony Robertson. “We have hotlines set up, a helpline and a confidential web site. We make it clear that if someone comes forward, we will investigate discreetly to protect their work relationships, and we will guard against retaliation.”

At Williams, a natural gas company in Tulsa, Okla., managers receive a toolkit that helps them discuss compliance with their employees. If a complaint arises, HR investigates following the same processes it uses when it looks into harassment or discrimination complaints, says Robyn Ewing, vice president of HR. Similar to the way employers proactively address harassment and discrimination through training, HR should educate employees about SOX and the ethical conduct it requires, provide instructions on how to file a fraud complaint and explain what would constitute “material fraud against shareholders”—the threshold for violating SOX.

Approaches to ethics and compliance training vary, often featuring scenario analysis and role-playing for both new hires and seasoned employees. At Williams, HR owns the SOX training component. “We have mandatory training, a hotline, intranet sites, communications from our CEO, a compliance toolkit for our leaders and a requirement that every employee have a goal around compliance,” says Ewing.

Similarly, at Kansas City Southern, Robertson says, HR developed training manuals for SOX compliance and posted them online.

Section 802: Documentation/Retention

Section 802 of SOX strengthens existing obstruction of justice sanctions against people who destroy, alter or falsify documents with the intent to impede or influence an investigation. What’s more, even if SOX charges have been settled, the employer must retain the documentation. This section applies to both publicly traded and privately owned companies and includes fines and imprisonment up to 20 years for violators.

Until interpretations of the act are clearer, some companies are saying, “When in doubt, retain everything.” “Keeping everything for now would be the easiest thing,” Mross observes. “But there are costs and other factors that favor not holding onto things longer than you have to.”

Section 806: Whistle-Blower Protection

Section 806 protects whistle-blowers from retaliation if they speak out against unethical or wrongful actions that could have a negative effect on a company’s share value. The shield applies not only to employees at publicly held companies but also to any organization or individual that works for a publicly held company—including contractors, subcontractors and agents. Whistle-blowers are protected if they seek out a supervisor, a person authorized to receive complaints within the company, a government agency or a member of Congress. They can reach out to any or all of these parties in any sequence they choose. Currently, SOX does not appear to protect a whistle-blower who contacts the media.

Even if whistle-blowers get the facts wrong, they can still prevail with a retaliation claim. “The law says you can’t retaliate against an employee who brings a case in good faith, right or wrong,” says Philip Berkowitz, a partner in Nixon Peabody LLP, a New York-based law firm.

To protect against claims, Berkowitz says HR has to be sensitive to the possibility that an employee is being victimized. “When you hear someone is not a team player or ‘not playing ball,’ it can be code for someone who is objecting to going along with the way the company is doing things. You need to be able to look behind these statements.”

Begin by building on your existing processes, he counsels. “You’re halfway there if you’ve got the [Equal Employment Opportunity] stuff in place. The smart thing to do is to take lessons from defending discrimination and sexual harassment claims and apply them to this situation.”

Just the Start

This discussion only scratches the surface of HR-related issues under SOX. It comes at a time when HR’s role in SOX compliance is becoming especially important for smaller companies—those with a market capitalization under $75 million—which must comply with SOX by July 2006. (At press time, the SEC was considering extending that deadline by one year.) Companies with a market cap above $75 million should already be in compliance.

“We must make sure management understands the HR implications of SOX; they’re serious and, if not handled correctly, can prove very costly,” says Kathleen Huggins, manager of compensation and human resource information systems at Crosstex Energy Services in Dallas. “But we can’t educate them until we educate ourselves,” she adds.

Robert J. Grossman, a contributing editor of HR Magazine, is a lawyer and a professor of management studies at Marist College in Poughkeepsie, N.Y.

