Fiduciary rules and SOX
Caroline Burns Ph.D
Learning Objectives
At the end of this module, you will be able to
- Define key fiduciary duties and explain their ethical and legal significance.
- Summarize the core provisions of SOX and their impact on corporate governance.
- Describe how fiduciary responsibility has evolved beyond shareholder primacy.
Fiduciaries – The Principals’ Agents
Corporate governance indicates who has the ultimate power in a business, how key decisions are made, and who is accountable for the outcomes of those decisions. This section introduces the key actors in governance and the fiduciary duties they have.
The three key categories of actors in corporate governance are: stockholders, the board of directors, and senior executives.
- Stockholders provide capital and hold limited rights, such as voting on major decisions and electing directors. While often described as owners (though that is a contentious topic today), they do not manage the business. Their influence lies in selecting the board and holding leadership accountable through their investment choices.
- The board of directors (the agents) governs on behalf of stockholders (the principals) by providing strategic and fiduciary oversight. The board also selects and evaluates senior management, oversees strategy and financial matters, and ensures that executive incentives align with the firm’s long-term goals. Its role is to challenge management constructively and monitor risk, not to run operations.
- Finally, senior executives, such as the CEO and CFO, commonly referred to as the C-suite, are responsible for implementing the board’s strategy, though members of the executive team, in particular the CEO, often also sit on the board.
Fiduciary Duties
A fiduciary duty is both an ethical and legal obligation to act in the best interests of those who place trust in the decision-maker. Fiduciaries are expected to prioritize the interests of the organization above their personal gain. Fiduciary duties are central to the ethical conduct of directors, officers, managers, and others whose authority materially affects organizational well-being.
Directors and leaders typically hold three primary fiduciary responsibilities: the duties of loyalty, care, and good faith.
Duty of Loyalty
The duty of loyalty requires fiduciaries to act in the best interests of the organization, placing those interests above any personal or conflicting interests. This duty demands integrity, objectivity, and transparency in all actions. When conflicts of interest arise, fiduciaries are required to disclose them promptly and fully to the board or other designated authorities. For example, a director who holds a financial interest in a potential corporate transaction (outside of their position as a board member) must declare that interest before any decisions are made. The duty of loyalty also encompasses the principle of non-competition. Fiduciaries may not exploit proprietary information, intellectual property, or privileged access to benefit a competitor or launch a rival business. Closely related is the corporate opportunity doctrine, which prohibits fiduciaries from diverting potentially beneficial business opportunities away from the organization for personal use. If a fiduciary becomes aware of an opportunity that falls within the firm’s line of business, such as the chance to acquire a valuable property or enter a strategic partnership, they must disclose it to the organization first.
Duty of Care
The duty of care obliges fiduciaries to make decisions with diligence, informed judgment, and prudent oversight. Directors and officers must actively educate themselves about relevant facts, assess risks, and exercise the level of care that the business calls for. In practical terms, this duty entails staying apprised of the organization’s financial condition, monitoring industry trends, reviewing reports and evaluations, and challenging management. Fiduciaries must also enforce internal systems that support accurate financial reporting, robust risk controls, and effective operational oversight. Finally, the duty of care includes the responsibility to act within one’s authority and competence. Directors should attend board meetings consistently, participate meaningfully in discussions, and insist on receiving sufficient information to make well-founded decisions. Where they lack the expertise to make a decision, they must seek appropriate, competent advice.
Duty of Good Faith
The duty of good faith, sometimes considered a subsidiary to the duty of loyalty, requires fiduciaries to act honestly, ethically, and with a sincere commitment to advancing the organization’s mission and values. Fiduciaries demonstrate good faith by establishing and monitoring internal systems that detect and mitigate ethical or legal breaches. Passive inattention or deliberate ignorance related to these issues is unacceptable under the duty of good faith. Senior leaders must also model integrity, respond promptly to credible concerns brought to their attention, and ensure that ethical principles are embedded in both strategy and culture. Importantly, good faith entails not just adherence to legal norms, but it also requires proactive ethical leadership. Directors and officers are expected to intervene when misconduct occurs, to engage in difficult decisions when necessary, and to cultivate a culture of accountability; this would include, for example, following up on red flags, reinforcing whistleblower protections, and upholding ethical standards even when inconvenient.
The Business Judgment Rule
The business judgment rule offers legal protection to directors and officers who make informed, honest decisions, even if those decisions do not result in successful outcomes for the firm. Recognizing that strategic choices involve uncertainty and risk, the rule can shield fiduciaries from liability when stockholders challenge those decisions. To invoke legal protection based on the business judgment rule, fiduciaries must:
- Make decisions based on adequate information;
- Act without personal gain, bias, or conflicting interests;
- Sincerely intend to serve the organization’s best interests.
When these conditions are met, courts generally defer to the judgment of directors, understanding that hindsight cannot substitute for reasonable foresight. The rule encourages well-intentioned, calculated risk-taking and long-term thinking, while deterring reckless or self-serving conduct.
The Evolution of Fiduciary Responsibility
The meaning of fiduciary responsibility has begun to change. Where it once focused almost entirely on shareholders, it now carries a broader set of expectations. Much of this shift has resulted from the growing recognition that business decisions don’t happen in a vacuum but affect people and the planet in both the short and long terms. At the heart of this evolution are two influential issues. First, fiduciaries are being asked to think beyond shareholders and pay attention to employees, communities, supply chains, and even future generations. Second, governance systems are being judged not just by whether they exist, but by whether they work.
Expectations of contemporary governance are higher than ever before. These expanded expectations did not emerge in isolation. They have been reinforced by changes in the regulatory environment made in response to reckless governance failures. The Sarbanes-Oxley Act is one such form of regulation, and it marked a sharp turning point in how fiduciary responsibility is enforced.
The Sarbanes-Oxley Act
The Sarbanes-Oxley Act of 2002, or SOX as it is commonly referred to, was enacted in response to a series of high-profile corporate scandals, including Enron, WorldCom, and Tyco, which exposed widespread failures in financial oversight, internal controls, and ethical leadership. These governance failures wiped out billions in shareholder value and deeply eroded public trust in the business community. The SOX legislation aimed to restore that trust by strengthening board oversight, enhancing the reliability of financial reporting, and imposing direct accountability on senior executives. Foremost among its provisions was the creation of the Public Company Accounting Oversight Board, or PCAOB, a regulatory body tasked with setting auditing standards, inspecting accounting firms, and enforcing compliance.

The Sarbanes-Oxley Act applies to all publicly traded companies doing business in the United States and their subsidiaries, as well as the audit firms that evaluate public companies. Private firms are generally not bound by SOX requirements unless they are preparing to go public. SOX also has international reach: foreign firms headquartered outside the US but "listed" and doing business in the US must comply with SOX requirements.
Board Responsibilities and Ethical Governance
SOX explicitly connects corporate governance with ethical conduct. Public companies are required to adopt and publicly disclose a code of ethics developed for their senior officers, including the chief executive and chief financial officers. Boards are responsible for overseeing the implementation of this code and for ensuring that it is applied consistently and meaningfully. Boards are also expected to create and maintain a broader culture of compliance, including establishing reporting structures, internal controls, and disclosure processes that support full and fair communication with regulators, shareholders, and the public.
Audit Committees and Director Independence
One of the most important provisions of the Act requires all public companies to establish a board-level audit committee composed entirely of directors who are independent of company management. At least one member of this committee must qualify as a financial expert under regulatory guidelines. This group is charged with overseeing the selection, compensation, and evaluation of the company’s external auditors. By shifting this authority from management to the board, SOX creates a more objective relationship between the firm and those tasked with reviewing its financial performance.
Executive Certification
SOX imposes personal responsibility on executives for the content and accuracy of corporate financial statements. Chief executive and chief financial officers must certify the veracity of each quarterly and annual report, affirming that the disclosures are complete, not misleading, and fairly represent the company’s financial condition. These officers must also confirm that they are responsible for designing and maintaining the internal controls necessary to support such disclosures. Executives who certify false financial statements face different penalties depending on their level of culpability:
- Knowing violations: CEOs and CFOs who knowingly certify financial reports that do not comply with SOX requirements face fines of up to $1 million and imprisonment of up to 10 years.
- Willful violations: Executives who willfully certify false financial statements with intent to deceive face much more severe penalties: fines of up to $5 million and imprisonment of up to 20 years.
In practice, this means that companies must develop and maintain detailed documentation of their financial processes and control systems. Management must assess and disclose any material weaknesses in these systems, while external auditors must independently validate the findings.
Audit Firm Responsibilities and Independence
SOX introduced strict limits on the relationships between companies and their external auditors to prevent conflicts of interest and preserve objectivity. Audit firms are required to retain their work papers and documentation for seven years. They must report directly to the audit committee rather than to management. Their lead audit partners must rotate at regular intervals to prevent overfamiliarity with the firm’s employees. Also, former audit firm employees must observe a cooling-off period before holding senior financial roles at their client companies. Finally, audit firms are prohibited from providing non-audit services, such as consulting, to clients whose financial statements they also audit; in other words, no cross-selling.
Whistleblower Protections and Ethical Reporting
SOX introduced significant protections for whistleblowers. It is now illegal for a company to retaliate against employees who report suspected fraud or participate in investigations related to alleged fraudulent activities. This provision reinforces the ethical imperative for employees to speak up when they witness something amiss. It affirms that integrity must be safeguarded not only through rules and oversight but through a culture in which individuals can raise concerns without fear of reprisal.
Enforcement and Penalties
SOX calls for severe financial consequences for those who violate its provisions. Executives who knowingly certify false or misleading financial statements may face fines of up to $5 million and prison sentences of up to 20 years. It is now a criminal offense to alter, destroy, or falsify financial documents or audit records. Furthermore, firms found in violation may face delisting from stock exchanges, regulatory action, and long-term damage to their reputations.
Critique of SOX
The Sarbanes-Oxley Act reshaped the legal and ethical expectations of corporate governance. It clarified executive responsibility, reinforced board oversight, and institutionalized external accountability through formal audits and structured controls. In doing so, it reframed fiduciary duties as obligations owed not only to shareholders but to the public and the financial system more broadly. At the same time, its limitations are widely acknowledged. Compliance costs have proven onerous for smaller firms. Some would charge that the administrative burden of SOX regulation may deter companies from going public or push them toward more permissive jurisdictions. Perhaps most critically, SOX failed to prevent the next wave of financial wrongdoing as demonstrated by the 2008 financial crisis.
The conversation now continues in the realm of environmental, social, and governance reporting. If SOX answered the question of how firms must account for their financial integrity, ESG raises a more expansive one: how should firms account for their impact on the world?
Glossary
- Corporate governance: The structures and processes by which firms are directed and controlled. Governance defines who has authority, how decisions are made, and how accountability is upheld.
- Capital: A broad term for the money or other assets that are used by a business to generate returns.
- Incentives: Financial and non-financial rewards such as stock options, bonuses, or performance targets that influence managerial decisions. Poorly designed incentives can distort priorities, while ethically aligned ones encourage long-term value creation.
- CEO: Chief Executive Officer, the highest-ranking person in a company or other institution, ultimately responsible for making managerial decisions.
- CFO: A chief financial officer is a senior executive responsible for a company's financial operations.
- Proprietary information: Sensitive, non-public business data, such as pricing strategies, trade secrets, or customer lists, that confer competitive advantage. Misuse or unauthorized disclosure undermines trust and may constitute misconduct.
- Intellectual property: Creations of the mind, such as inventions, designs, or proprietary methods, that hold commercial value. Unauthorized use or disclosure by fiduciaries breaches loyalty obligations.
- Expertise: The relevant knowledge or skill needed to make informed, responsible decisions. In governance, directors are expected to either possess or seek appropriate expertise when assessing complex issues.
- Whistleblower protections: Legal guarantees that shield employees who report suspected wrongdoing from adverse treatment. These protections are essential to fostering transparency and are mandated by statutes such as the Sarbanes-Oxley Act.
- Foresight: The ability to anticipate future risks, opportunities, and consequences. In governance, foresight distinguishes reactive management from strategic leadership.
- Sarbanes-Oxley Act: Named after bill cosponsors, U.S. Senator Paul Sarbanes (D-MD) and U.S. Representative Michael G. Oxley (R-OH), the Sarbanes-Oxley Act was US legislation passed into law in 2002 that mandates certain practices in financial record keeping and reporting for corporations.
- Internal controls: Operational systems designed to ensure reliable financial reporting, prevent fraud, and support regulatory compliance.
- Publicly traded companies: Companies whose shares are traded on public stock exchanges. These firms are subject to heightened disclosure requirements, including mandatory governance and financial reporting.
- External audit: A financial review that is conducted by a party not associated with the company or department that is voluntarily or involuntarily under audit.
- Private firm: A business that is owned privately and does not trade its shares on public exchanges. Private firms are not subject to the same regulatory requirements as public companies.
- Listed company: A listed company issues shares of its stock for trading on a stock exchange.
- Regulatory bodies: Governmental or independent bodies responsible for overseeing compliance with legal and ethical standards in specific sectors. Examples include the Securities and Exchange Commission (SEC) and the PCAOB.
- Knowing violation: The executive is aware that the financial report does not comply with SOX requirements but certifies it anyway.
- Willful violation: The executive both knows the report doesn't comply and acts with intent to deceive investors, regulators, or other stakeholders.
- Retaliate: To punish an individual, often a whistleblower, for reporting misconduct or cooperating with investigations. The Sarbanes-Oxley Act prohibits retaliation against employees who raise concerns in good faith.