The Pendulum of SOX


SOX has survived five presidents. Each one reshaped it. Here's what the current moment means for the law's future and yours.
The Contingency That Made It All Happen
SOX almost didn't happen the way it did. In June 2001, seven months before Enron filed for bankruptcy, Senator Jim Jeffords of Vermont, a Republican, announced he was changing his affiliation to Independent and would caucus with Democrats. His reasons: disappointment in the Bush tax cuts and sparse special education funding.
The move gave Democrats a razor-thin Senate majority. It made Senator Paul Sarbanes chairman of the Senate Banking Committee. It displaced Senator Phil Gramm of Texas, a fiscal conservative and deregulation champion whose wife Wendy happened to sit on Enron's board, from the chairmanship at a critical moment.
Jeffords changed parties. Then Enron collapsed. Then WorldCom. Then Tyco. Congress passed SOX 423-3 in the House, 99-0 in the Senate. A president who campaigned on deregulation signed the most significant new financial regulatory body since the New Deal.
A senator from Vermont, upset about special education funding. That's the legislative foundation of the compliance industry most of you work in.
The Five-Administration Playbook
Bush created it and then walked it back: PCAOB AS2 was replaced by AS5, introducing a risk-based approach after early implementation produced, in former SEC Commissioner Cynthia Glassman's memorable observation, dollies stacked high with sub-certification binders.
Obama expanded it through Dodd-Frank and added whistleblower provisions. The JOBS Act of 2012 tried to thread the needle by creating "emerging growth company" accommodations.
Trump 1 didn't repeal SOX (repealing it would require Congress) but aimed to cut it down. In 2018 William Duhnke, a long-time GOP Senate aide, was named PCAOB chair. Enforcement slowed, new standard-setting stopped, and accounting professor Robert Pawlewicz described the body as having been "ground to a halt without being formally dissolved."
Under Joe Biden, SEC Chair Gary Gensler fired the PCAOB board and replaced it. Erica Williams then oversaw the most aggressive enforcement era in PCAOB history, until she resigned mid-2025 as political winds shifted.
Trump 2 looks like Trump 1 with better evidence. Enforcement down 33%. Sanctions down 66%. Leadership replaced. The focus shifting to "back to basics."
Both Sides Have a Point
The deregulatory case isn't wrong: SOX compliance costs fell disproportionately on smaller public companies. Early implementation had companies under $100 million in revenue spending over 2.5% of revenue on compliance, while companies over $5 billion spent 0.06%. The compliance burden contributed to measurable declines in IPO activity and the rise of private equity as an alternative capital source. The regulatory burden meant to protect investors may have shrunk the population of companies subject to investor protection.
The pro-enforcement case is equally valid: the years of weak PCAOB oversight under Duhnke produced weaker audit quality, and the data shows it. The profession's natural tendency, absent external pressure, is to prioritize client relationships over auditor independence. We know this because it's precisely what happened before SOX and why SOX was necessary.
Neither extreme produces good outcomes. And the profession spends enormous energy adapting to regulatory whiplash rather than building durable practices.
The Structural Problem Nobody Wants to Solve
When the standard for "what good auditing looks like" changes every four to eight years with presidential administrations, audit firms adapt rationally: staff up for aggressive enforcement eras, quietly reduce quality investments during relaxed ones. The pattern is rational from a business perspective and catastrophic from a governance perspective. Now private equity is getting involved, a true sign of end times.
Firms have learned to manage PCAOB relationships the way any sophisticated institution manages its regulatory relationships: anticipate what matters to this iteration of the regulator, optimize for that, and wait out what doesn't. This isn't corruption. It's rational behavior in a system that rewards short-term regulatory optimization over long-term quality investment.
What This Means Right Now
The external pressure that historically helped CAEs justify governance investments to their CFOs has softened. Again. "Are regulators going to come after us for this?" is a more persuasive budget argument than "this is the right thing to do." When enforcement relaxes, the case for proactive governance investment gets harder.
The history of SOX is: scandal, reform, relaxation, next scandal. Enron, SOX, financial crisis, Dodd-Frank, rollback, the next crisis that hasn't happened yet.
In the meantime: the law is still on the books. The certifications still carry criminal liability. The PCAOB still exists. Whatever the current administration's enforcement posture, the underlying framework hasn't gone anywhere, and neither has your signature on the management assessment.
Sometimes the right response to "nobody's watching" isn't to do less. It's to be the one organization that did the work while everyone else assumed they could get away without it.
Brian Kuenzi is a leader in the finance and technology space. Brian's experience spans SOX and Audit leadership, finance transformation, process automation, and business operations across both consulting and in-house leadership roles. You can learn more about Brian on LinkedIn.
These are the opinions of the editors of Internal Audit Next and/or the writer who authored this article. Any use of this copyrighted material without permission of Internal Audit Next - including training for AI Models - is prohibited. Copyright 2026.