Skip to main content

Prepared Remarks at Center for Audit Quality “Sarbanes-Oxley at 20: The Work Ahead”

Washington D.C.

July 27, 2022

Thank you for the kind introduction. It’s good to be with the Center for Audit Quality. As is customary, I’d like to note I am speaking on behalf of myself and not on behalf of the Commission or the SEC staff.

As I open my remarks today, I’d like to discuss a speech from a different summertime conference — one that took place 133 years ago.

In June 1889, the statistician Carroll D. Wright spoke at the Convention of Commissioners of Bureaus of Statistics of Labor in Hartford, Connecticut.[1] (To be clear, I wasn’t there.)

Mr. Wright, the first U.S. Commissioner of Labor, used his opening remarks to warn against the abuse of numbers for personal gain.

“Figures will not lie,” he said, but “liars will figure.”[2]

I think of this maxim often — not only because my grandfather Ellis Tilles, an immigrant from Lithuania, often said the same thing, but also because it speaks to so much about the history of finance.

Forty years after that statistics conference, in 1929, the stock market crashed. Our country learned all too well what happens when liars figure, eroding trust.

Finance, ultimately, is about trust. In the depths of the Great Depression, Congress and President Franklin Delano Roosevelt tried to restore that trust, through the first federal securities laws. They started with requirements for public companies raising money from the public.

Specifically, these companies had to provide full, fair, and truthful disclosure to the public. Investors needed facts and figures they could trust — figures without the liars.

Sarbanes-Oxley Act of 2002

Nearly 70 years after those first securities laws were established, our system, frankly, was breaking down.

The energy conglomerate Enron was then the seventh-largest company in the U.S.[3] Then, in December 2001, it collapsed — the largest bankruptcy in U.S. history.

Enron’s management had cooked the books, concealed problems in the business, defrauded investors, and more. Its failure wiped out more than $2 billion in pension plan assets and tens of thousands of jobs, including at Enron’s audit firm, Arthur Andersen.[4]

Six months later, the SEC filed allegations against WorldCom, once the largest handler of internet data, whose failure surpassed even Enron’s.[5] These scandals were followed by other multi-billion dollar accounting frauds at Adelphia and Tyco.[6]

In response to this crisis, 20 years ago this week, President George W. Bush signed the Sarbanes-Oxley Act into law. It had passed almost unanimously in the House and 99 to 0 in the Senate.[7]

The late Sen. Paul Sarbanes, my hometown senator from Maryland, was the new chair of the Senate Banking Committee. I was honored to have a front-row seat, working as his Senior Advisor on this legislation.

A central goal of Sarbanes-Oxley was, once again, to restore trust in our financial system.

In the two decades since, what have we learned? What has worked? What is still a work in progress?

Auditing standards

First, the Enron crisis revealed a key problem: the quality of auditing standards.

Candidly, the relationships between issuers and auditors, between standard-setters and auditing firms, were too clubby.

It matters who sets the standards. It matters who “audits the auditors.”

Auditing standards were set by the American Institute of Certified Public Accountants (AICPA), a professional association. The profession was writing its own rules. That’s an inherent conflict.

Additionally, auditing firms were tasked with “inspecting” each other. Naturally, such inspections had conflicts, failing to identify serious shortcomings in auditor independence and audit quality.

To correct course, the Sarbanes-Oxley Act established the Public Company Accounting Oversight Board (PCAOB), an independently funded board under the regulatory oversight of the SEC.

The PCAOB is tasked with setting enhanced auditing standards. For practical purposes, Congress permitted the then-new PCAOB to carry over existing AICPA standards on an interim basis. The expectation was that the Board would produce a more appropriate set of standards going forward.

Historically, though, the PCAOB has been too slow to update auditing standards.

Twenty years later, most of those interim standards remain.

In May 2022, the PCAOB announced that it plans to update almost all of the remaining interim standards.[8] I look forward to these critical auditing standard updates.

While they have their work cut out for them, I believe that Chair Erica Williams and the Board can live up to Congress’s original vision with respect to standard-setting. I hope we can make some progress before Sarbanes-Oxley can legally drink.

Auditing inspections, investigations, and enforcement

In addition, the PCAOB is tasked with inspecting and investigating auditing firms for compliance with auditing standards and, when necessary, bringing enforcement actions.

Inspections, investigations, and enforcement are critical components of instilling trust in our capital markets. Under the current leadership, the PCAOB has a chance to reinvigorate its enforcement program.

The work to improve auditing standards, coupled with rigorous enforcement of auditor’s professional and ethical requirements, is essential for investor protection.

Sarbanes-Oxley gave the SEC fair fund authority to return monies directly to harmed investors.[9] Over the past eight years, the SEC has returned more than $5 billion to harmed investors.[10]

Accounting and auditing cases also are an important focus of the SEC’s enforcement program. We recently charged Ernst & Young LLP with cheating by its auditors (on Certified Public Accountant ethics exams, no less!) and with withholding evidence of this misconduct in our investigation. This action underscores the importance for accounting firms of fulfilling their gatekeeper functions in the spirit and letter of Sarbanes-Oxley.[11]

Auditor independence

Another problem the Enron crisis revealed was weak auditor independence.

In many cases, including Enron, audit firms had lucrative consulting engagements with the companies they were auditing.

Thus, Sarbanes-Oxley directed the SEC to take steps to create a stronger barrier between auditors and other parts of their firms’ business when dealing with audit clients, with some exceptions.

A number of firms spun out their consulting businesses in the days shortly before and after Sarbanes-Oxley. Over the past 20 years, however, many of these firms went on to rebuild them again. PCAOB inspections continue to identify independence — and lack of professional skepticism — as perennial problem areas.

Those advisory practices not only have grown; they also have gotten more complex. Given the growth in the size and complexity of non-audit services, it is important that audit firms maintain a culture of ethics and integrity — placing the highest priority on auditor independence throughout the firm, not just in the audit practice.

As SEC Acting Chief Accountant Paul Munter recently noted, “staff have seen situations of decreased vigilance when it comes to auditor independence.” [12]

I have asked the PCAOB to consider adding updates for auditor independence standards to their agenda. We may need to take a fresh look at the SEC’s auditor independence rules as well. In the meantime, I encourage firms to review and enhance their independence protocols with respect to their auditing and consulting practices.

Accounting standards

Next, the Enron crisis revealed problems in accounting standard-setting. In response, the Sarbanes-Oxley Act provided that the accounting standards-setter, the Financial Accounting Standards Board (FASB), would have secure, independent funding.

Previously, FASB had to fundraise for itself — often from the very issuers for which it was setting standards.[13] As a result, this created conflicts of interest that witnesses agreed had made FASB slow to adopt new standards and reluctant to tackle controversial topics.[14] Again, Sarbanes-Oxley sought to create greater distance between standard-setters and industry.

Corporate governance

Additionally, Sarbanes-Oxley established requirements regarding corporate governance and accountability to help ensure that the incentives of executives, boards, accountants, and investors were better aligned.

For example, under Section 302 of the Act, chief executive officers and chief financial officers have to sign off on their companies’ periodic financial statements, strengthening the accountability and control environment underlying disclosures. We routinely, however, bring enforcement cases related to Section 302.[15]

In addition, under Section 304 of the law, those same executives have to reimburse certain compensation when an issuer is required to restate its financials as a result of misconduct. After the 2008 financial crisis, Congress built upon these so-called clawbacks of executive compensation. We recently reopened the comment file on a proposed rulemaking on clawbacks.[16]

Sarbanes-Oxley also added requirements for corporate boards and their audit committees.[17]

Coverage of foreign issuers in the U.S.

Finally, Congress required foreign issuers to comply with Sarbanes-Oxley as well. Again, here, the Act led to a lot of progress, though there is a ways to go.

I recall watching negotiations between Sen. Sarbanes and other members of Congress as they debated a key question: Should the bill cover foreign issuers in U.S. markets?

Sen. Sarbanes thought about it — he was always thoughtful — but was unambiguous. Investors should be protected — and should have trust in the numbers — regardless of whether an issuer is foreign or domestic. He understood that it’s a privilege to access the U.S. capital markets: the deepest, largest, and most liquid in the world. If foreign issuers want that access, they need to comply with our requirements.

This approach benefits companies, too. All issuers should have a level playing field.

Countries all over the world have strengthened the quality of auditor oversight. More than 50 jurisdictions have complied with the requirements that the PCAOB inspect audit firms of U.S.-listed companies based in their borders. Two have not: China and Hong Kong.

Congress recently reaffirmed the commitment to inspections and investigations under the Holding Foreign Companies Accountable Act of 2020 (HFCAA), which amended Sarbanes-Oxley. Under the HFCAA, if the PCAOB is “unable to inspect or investigate completely”[18] registered public accounting firms located in foreign jurisdictions, issuers that use those firms for three consecutive years face prohibitions on their securities trading in the U.S.

This bill, which unanimously passed the Senate, went to the President’s desk in December 2020, a couple of days after we lost Sen. Sarbanes.

Going forward, will our markets include Chinese issuers? That still is up to our counterparts in China. It depends on whether they are willing to comply with the requirements of U.S. law to be able to remain in the U.S. markets.

Consistent with the HFCAA, the SEC and the PCAOB have been negotiating with Chinese authorities on a Statement of Protocol to govern inspections and investigations of registered public accounting firms on the ground in China and Hong Kong.

We are not willing to have PCAOB inspectors sent to China and Hong Kong unless there is an agreement on a framework allowing the PCAOB to inspect and investigate audit firms completely.

Any framework would need to bring specificity and accountability to fulfilling the goals of the HFCAA.

Make no mistake, though: The proof will be in the pudding. While important, any framework is merely a step in the process.

In light of the time required to conduct these inspections — as well as to fulfill quarantine requirements — a Statement of Protocol would need to be signed very soon if the inspections have any chance to be completed by the end of this year.

This could be particularly important as Congress is considering accelerating the HFCAA’s timeline from three years to two years.

Regardless of the outcome, I look forward to ensuring key investor protections in our markets — with China-based issuers, if the law is followed; or without China-based issuers, if it is not.


So, happy birthday, Sarbanes-Oxley. In the last 20 years, we’ve learned a lot from this law. The quality of public company audits has improved.

Let’s not forget the core lessons, though. It’s important to have robust and independent organizations setting standards, inspecting firms, and enforcing the rules. It’s important to ensure auditor independence and to guard against inherent conflicts that might arise when auditing and other services are mixed. It’s important that corporations and their senior executives are held accountable for their financial statements. It’s important that all issuers, whether foreign or domestic, are on a level playing field when it comes to the investor protections of Sarbanes-Oxley.

There’s more work to be done. If Sarbanes-Oxley meets its full potential, trust in our markets can grow — and that benefits investors and issuers alike.

After all, as Mr. Wright (and my grandfather) said, liars will figure, so it’s especially important to have rules of the road and a cop on the beat to figure them out.

[1] See The New York Times, “Labor Statistics: The Seventh Annual Convention of Commissioners to Meet June 25” (June 16, 1889), available at

[2] See Garson O’Toole, “Maxim: Figures don't lie, but liars do figure,” available at

[3]See Staff of the Joint Committee on Taxation, “Report of Investigation of Enron Corporation and Related Entities Regarding Federal Tax and Compensation Issues, and Policy Recommendations: History of the Company,” available at

[4] See Associated Press/Business Insider, “10 YEARS LATER: What Happened To The Former Employees Of Enron?” (Dec. 1, 2011), available at

[5] See Simon Romero and Riva D. Atlas, “WorldCom’s Collapse: The Overview” (July 22, 2002), available at

[6] SEC v. WorldCom, Inc., No. 02-CV-4963 (S.D.N.Y. June 27, 2002) (Compl.); SEC v. Adelphia Communications Corp., No. 02-CV-5776 (S.D.N.Y. July 24, 2002) (Compl); SEC v. Tyco Int’l Ltd., No. 06-CV-2942 (S.D.N.Y. Apr. 17, 2006) (Compl.).

[7]See H.R.3763, Sarbanes-Oxley Act of 2002, available at

[8] See “PCAOB Updates Standard-Setting and Research Agendas” (May 4, 2022), available at This includes standards on reporting on going concern uncertainties, confirmations, and quality control systems. For example, Going Concern, AS 2415, was originally adopted by the AICPA in 1989, adopted as an interim standard by the PCAOB in 2003, and has not been updated to reflect risks to investors and changes to accounting requirements around going concern disclosures.

[9] Fair Fund authority was created as a result of Sarbanes-Oxley Section 308 in 2002. Prior to this law, all penalties that the Commission received in enforcement actions had to be sent to the U.S. Department of the Treasury. See, e.g, Stephen M. Cutler, “Testimony Concerning Returning Funds to Defrauded Investors” (Feb. 26, 2003) available at

[10] Data refers to data from FY 2013 through FY 2021. Total is approximately $5.2 billion. See SEC annual Congressional Justification figures.

[11] These settled charges included a $100 million penalty, the largest such penalty against an audit firm in SEC history. See “Ernst & Young to Pay $100 Million Penalty for Employees Cheating on CPA Ethics Exams and Misleading Investigation” (June 28, 2022), available at

[12] He continued: “what we describe as a ‘checklist compliance’ mentality.” See Paul Munter, “The Critical Importance of the General Standard of Auditor Independence and an Ethical Culture for the Accounting Profession” (June 8, 2022), available at This statement was neither approved nor disapproved by the Commission and, like all staff statements, has no legal force or effect.

[13] See Sarbanes-Oxley Section 109 with respect to the accounting support fees for FASB and the limitation on FASB’s alternative sources of funding—e.g., from publication, etc., if it would jeopardize their perceived independence (Section 109(j)).

[14] See Testimony of Arthur Levitt before the U.S. Senate Committee on Governmental Affairs (Jan. 24, 2022), available at, and Testimony of Richard C. Breeden before the U.S. Senate Committee on Banking, Housing, and Urban Affairs (Feb. 12, 2002), available at

[15] Violations of this certification requirement (set forth in Item 601(b)(31) of Regulation S-K) routinely result in personal civil liability for CEOs and CFOs under Rule 13a-14 of the Exchange Act in SEC enforcement actions.

[16] See “SEC Reopens Comment Period for Proposed Rule on Recovery of Erroneously Awarded Compensation” (June 8, 2022), available at

[17] Specifically, boards need to disclose whether there is a financial expert on the audit committee. This audit committee is responsible for hiring and firing auditors, determining auditors’ compensation, and approving any non-audit services provided by the firm. Public companies also are required to disclose the fees paid to, and services delivered by, their audit firms.

[18] See S.945 - Holding Foreign Companies Accountable Act, available at

Return to Top