The Sarbanes-Oxley Act and its Impact on Corporate Security Departments

Whitney D. Gunter, CPO
July 12, 2004

In the early 2000s, there were numerous high-profile corporate scandals. Enron and Worldcom are perhaps the most memorable. These were brought about by high-level employees "cooking the books." In most of these cases, the scandals involved either an attempt to make it appear to the stockholders that the company made more money than it actually did, or to avoid tax payments to the IRS. These violations cause monetary loss beyond fines to the corporation involved.

The impact of white collar crimes reaches investors, business partners, and all U.S. taxpayers. The loss amounts are extensive, as are the ramifications. In fact, "the total cost of all American bank robberies in the last 100 years is less than the cost of... a single corrupt [Savings and Loan]" (Rosoff, Pontell, & Tillman, 2002). Additionally, past corporate fraud cases have caused investors to commit suicide or caused their families to starve or suffer from malnutrition (Gunter, 2004).

In the ensuing outrage over these highly public scandals, several ways of combating the corporate fraud problem were proposed. In 2002, the Sarbanes-Oxley Act was enacted by the federal government as a solution. The law takes full effect on June 15th, 2004. However, small companies (a size not defined by the act itself) will have until April 2005 to comply.

Summation of the Law

The Sarbanes-Oxley Act includes several definitions for terms used within the act. The following terminology contains some of the most frequent definitions.

  • Scope of Employment: The employee must have been doing something he had the authority to do.
  • Willful Blindness: This occurs when a person of authority or an individual in a position to take action against illegal acts fails to investigate such illegal acts so as to avoid identifying a suspect or finding evidence against such a suspect.
  • Misprision of Felony: Should any employee within a corporation, regardless of position, discover that a felony has occurred, that individual must report said felony. The criminal act must be reported to a law enforcement authority or other government official in a position to investigate such a felony.
  • Retaliation against Informants: Any person that retaliates against an employee "for providing to a law enforcement officer any truthful information relating to the commission or possible commission of any Federal offense" has committed the offense of Retaliation against Informants.

Corporate Criminal Liability
A corporation can be held responsible for an employee's action or failure to act if it was within the scope of employment, benefits the corporation, and intent is shown by an employee of the corporation. If the company stands to gain nothing from the employee's actions, the corporation cannot be held responsible. For example, if an employee runs an illegal web site through the company's computers, but no profits were given to the company, it did not "benefit the corporation." For the intent requirement, the corporation must have intended for the criminal act to take place. However, this doesn't apply if "Willful Blindness" or "Misprision of Felony" occurs.

Criminal Liability
This section of the law sets forth several charges that may be brought against a corporation, as well as several other regulations that broaden the responsibility for criminal acts.

  1. The employer can be held liable for Conspiracy if the act involved at least one employee.
  2. When corporations merge, previous criminal acts from both parties may be prosecuted against the new entity.
  3. Any business entity that takes steps to prevent discovery of a felony by authorities may be held criminally responsible for Misprision of Felony.
  4. Willful Blindness may be charged even if the act was not a felony. As long as criminal acts are clearly present, a corporation failing to take countermeasures could be charged with this violation. Claiming that the corporation was unaware of the crimes is not a valid argument and will be viewed as "looking the other way."
  5. Collective Knowledge - An employer can be held liable if no single employee could be charged with a crime, but collectively all the elements of a crime (act and intent) were present. Example: a supervisor had intent, but a subordinate performed the illegal act.

Sentencing Guidelines
The Sarbanes-Oxley Act directs "government prosecutors to weigh the following five factors in deciding whether to seek an indictment against a corporation: (i) the company's history of wrongdoing, (ii) its response to regulatory actions, (iii) its reaction to the criminal conduct committed by its employees, (iv) the level within the corporation at which the crimes were committed or condoned, and (v) the pervasiveness of the criminal behavior within the organization" (Brief & McSweeny, 2003).

Additionally, corporations, if convicted, must rectify any wrongdoings. This can be accomplished through the payment of Restitution (compensating victims) or Remedial Measures (fines). Community Service can also be used to meet this requirement in some instances.

Various other aspects are also taken into consideration in the sentencing section of the Act. The first is that any business operating solely for criminal activities will receive the highest fines. The amount of the fine is also determined by the seriousness of the crime and the culpability of the company. This can be established by the "Culpability score," which is based on several factors, such as:

  • How high in the chain of command was the criminal activity present?
  • Was the company aware of the criminality?
  • Did the company condone the actions?

The nature of the business can also be considered a mitigating or aggravating factor. For example, a non-profit organization could receive smaller fines than a profitable corporation.

Corporate Compliance Programs
By setting up a program to prevent or detect criminal activities, companies can reduce fines if found guilty of criminal acts. Under these guidelines, the program must be deemed by the court as being "reasonably capable of reducing the prospect of criminal conduct." Furthermore, a high-level employee must be assigned to oversee the program. However, if that employee is found to be involved in criminal activities, the program is no longer considered a mitigating circumstance.

The Sarbanes-Oxley Act also states that the company must show "due care not to delegate substantial discretionary authority to individuals whom the organization [knows], or should... know... [have] a propensity to engage in illegal activities." This can also be considered a mitigating or aggravating circumstance dependent upon the amount of care taken to abide by this section. Code of conduct guidelines and training in ethics are also considered a part of such programs.

Other programs that enforce compliance with laws and regulations, as determined by a judge, also can be used to mitigate fines and restitution. An example of how to achieve these goals is included in the law itself. In it, a company can set up a system allowing employees to report criminal acts without fear of retribution. This program would protect these whistleblowers and would be encouraged by managers. Through this program, any reported violation of law would have to be fully investigated and disciplinary action taken if the claim is deemed true. An anonymous telephone "tip-line," the simplest of these types of programs, is required by the Act.

Impact on Security

First and foremost, if security learns of a felony, the authorities must be informed. Additionally, because Willful Blindness may be charged even if the act was not a felony, all crimes must be investigated. In other words, a poor security department could be seen by the courts as an attempt to ignore crime. Another strict requirement set forth by the Sarbanes-Oxley Act requires that corporations have an anonymous form of submission for complaints about crimes and regulatory violations. Establishing a phone number without caller ID is the simplest way to comply with this requirement. However, this number must be available to employees.

Security also should be aware that fines are based on the seriousness and culpability of the company, resulting in the following two questions being asked: "How high in the chain of command was the activity present?" and "Was the company aware of the criminality?" Therefore, crimes must be investigated regardless of how high the criminal is in management, and the authorities, usually the police or a regulatory agency, must be notified.

Corporate Compliance Programs
By setting up a program to prevent or detect criminal activities, companies can reduce fines if found guilty of criminal acts. The Sarbanes-Oxley Act states that the program must be deemed by the court as being "reasonably capable of reducing the prospect of criminal conduct." Therefore, the more money invested in security's program to detect these crimes, the smaller the fines and restitution the corporation could potentially be required to pay if found guilty of a violation.

The act also sets forth the guideline that a high-level employee must be assigned to oversee the program. The director of security or other high-level security personnel may fit this description. Security personnel have (or should have) faced rigorous background checks; therefore, any involvement in the program by security will meet the "due care not to delegate substantial discretionary authority to individuals whom the organization [knows]… engage in illegal activities" requirement. A Chief Security Officer (C.S.O.) may also be used to oversee the program. ASIS International's C.S.O. guidelines (2003) list incident prevention and information gathering as primary key responsibilities of the C.S.O., making the C.S.O. a good candidate to be the program overseer.

Ethics programs often involve security and can be considered a mitigating factor if they include information about reporting illegal activities to security and, if the act was felonious, to the authorities. Establishing a way for an employee to anonymously report an illegal act without fear of retribution is also mitigating; security's web site, an anonymous phone line, or other methods of reporting fit this guideline.

Suzanne Wood, an author for Security Management (2003), identified two reasons why an employee would not report someone: people are raised not to "tattle," and they need to know why the violation is a risk to the company. Overcoming these inhibitions is key to getting good and accurate reports and, therefore, having proof that security is investigating crimes and other violations. Obviously, security awareness programs play a key role. Corporate security departments must educate officers and other employees about these vital programs.


ASIS Commission on Guidelines. (2003). Chief Security Officer (C.S.O.) Guidelines.

Biden Jr, J. R. (2003). Certifying Statements under Section 906 of the Sarbanes-Oxley Act. Federal Sentencing Reporter, 15, 257-262.

Gunter, W. D. (2004). Countermeasures Against White Collar Crime. New Perspectives: A Social Sciences Journal, Spring 2004, 6-12.

Gural, A. (2002). Taking stock of it. Security Systems News, 5, 9.

H.R. 3763 (2002).

Hurley, E. (2003). Security and Sarbanes-Oxley.

Rosoff, S. M., Pontell, H. N., & Tillman, R. H. (2002). Profit Without Honor: White-Collar Crime and the Looting of America, 2nd ed. Upper Saddle River, NJ: Pearson Edu. (n.d.) Retrieved February 20th, 2004, from

Sarbanes-Oxley Rulemaking and Reports. (n.d.) Retrieved February 24th, 2004, from

What is Sarbanes-Oxley?. (n.d.) Retrieved February 22nd, 2004, from

Wood, S. (2003). I know what you did last shift. Security Management, 48, 53-57.

Whitney Gunter is a 2004 Criminal Justice graduate of York College of PA and is currently enrolled in the Administration of Justice master's degree program at Shippensburg University. He is a Certified Protection Officer, a member of ASIS International, and has been published in New Perspectives: A Social Sciences Journal.