Key Takeaways
- Corporate governance is the system of rules, practices, and processes by which a company is directed and controlled.
- The board of directors is responsible for oversight of management, strategy, risk, and internal controls.
- The Sarbanes-Oxley Act (SOX) requires CEO/CFO certification of financial statements and assessment of internal controls over financial reporting.
- SOX Section 404 requires management's assessment and auditor's attestation of internal controls over financial reporting.
- Ethics programs include codes of conduct, training, hotlines, and enforcement mechanisms.
Governance and Compliance
Quick Answer: Corporate governance is the system by which companies are directed and controlled, involving the board of directors, management, shareholders, and other stakeholders. The Sarbanes-Oxley Act (SOX) imposed significant governance requirements on public companies, including CEO/CFO certification of financials and assessment of internal controls over financial reporting.
What Is Corporate Governance?
Corporate governance is the system of rules, practices, and processes by which a company is directed and controlled. It involves balancing the interests of a company's many stakeholders.
Key Stakeholders in Governance
| Stakeholder | Interest | Role in Governance |
|---|---|---|
| Shareholders | Ownership value | Elect board, vote on major decisions |
| Board of Directors | Fiduciary oversight | Oversee management, set strategy |
| Management | Day-to-day operations | Execute strategy, report to board |
| Employees | Fair treatment, employment | Follow policies, report concerns |
| Customers | Quality products/services | Provide feedback, complaints |
| Regulators | Compliance with laws | Enforce requirements, examine |
| Creditors | Repayment of obligations | Monitor financial health |
Principles of Good Governance
OECD Principles of Corporate Governance
| Principle | Description |
|---|---|
| Basis for Framework | Promote transparent and fair markets |
| Shareholder Rights | Protect shareholder rights and key ownership functions |
| Equitable Treatment | Ensure equitable treatment of all shareholders |
| Stakeholder Role | Recognize stakeholder rights and cooperation |
| Disclosure & Transparency | Ensure timely and accurate disclosure |
| Board Responsibilities | Ensure strategic guidance and accountability |
Board of Directors Responsibilities
Primary Board Functions
| Function | Description | Key Activities |
|---|---|---|
| Oversight | Monitor management performance | Review reports, ask questions |
| Strategy | Set strategic direction | Approve major initiatives |
| Risk Oversight | Ensure appropriate risk management | Review risk appetite, major risks |
| Succession Planning | Plan for leadership continuity | CEO succession, board renewal |
| Compensation | Set executive compensation | Align pay with performance |
| Integrity | Promote ethical culture | Set tone at the top |
Board Committees
| Committee | Primary Responsibility | Independence Requirement |
|---|---|---|
| Audit Committee | Financial reporting, internal controls, external audit | 100% independent |
| Compensation Committee | Executive compensation | 100% independent |
| Nominating/Governance Committee | Board composition, governance policies | Majority independent |
| Risk Committee | Enterprise risk oversight | Common in financial institutions |
Audit Committee Responsibilities
The Audit Committee has specific responsibilities under SOX and listing standards:
- Oversee financial reporting — Review financial statements before release
- External auditor relationship — Appoint, compensate, and oversee external auditors
- Internal audit oversight — Oversee internal audit function
- Internal controls — Review effectiveness of internal controls
- Whistleblower procedures — Establish and monitor complaint procedures
- Related party transactions — Review and approve related party transactions
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act of 2002 was enacted in response to major corporate scandals (Enron, WorldCom) to protect investors by improving the accuracy and reliability of corporate disclosures.
Key SOX Provisions
| Section | Requirement | Who It Affects |
|---|---|---|
| Section 302 | CEO/CFO certification of financial statements | Public companies |
| Section 404 | Management assessment and auditor attestation of internal controls | Public companies |
| Section 906 | Criminal penalties for false certifications | CEO/CFO |
| Section 301 | Audit committee independence and responsibilities | Public companies |
| Section 802 | Criminal penalties for document destruction | All |
| Section 806 | Whistleblower protections | Employees of public companies |
SOX Section 302: CEO/CFO Certification
CEOs and CFOs must personally certify:
- They have reviewed the report
- The report does not contain material misstatements or omissions
- Financial statements fairly present the financial condition
- They are responsible for internal controls
- They have disclosed any significant deficiencies or fraud to the auditors and audit committee
SOX Section 404: Internal Control Assessment
Section 404(a) — Management's Responsibility:
- Assess effectiveness of internal control over financial reporting (ICFR)
- Document the assessment process and conclusions
- Report any material weaknesses
Section 404(b) — Auditor Attestation:
- External auditor must attest to and report on management's assessment
- Required for larger public companies (accelerated filers)
- Smaller companies may be exempt from 404(b)
Internal Control Deficiencies
| Severity | Definition | Reporting Requirement |
|---|---|---|
| Deficiency | Control does not allow timely detection/prevention of misstatements | Document internally |
| Significant Deficiency | Deficiency that merits attention of those responsible for oversight | Report to audit committee |
| Material Weakness | Deficiency with reasonable possibility that material misstatement would not be prevented/detected | Report in 10-K filing |
Regulatory Compliance
Key Regulatory Requirements
| Regulation | Focus | Affected Industries |
|---|---|---|
| SOX | Financial reporting, internal controls | Public companies |
| FCPA | Anti-bribery, books and records | All with international operations |
| GDPR | Data privacy and protection | Organizations handling EU personal data |
| HIPAA | Health information privacy | Healthcare organizations |
| PCI DSS | Payment card data security | Organizations processing cards |
| Basel III | Capital adequacy, liquidity | Banks and financial institutions |
Compliance Program Elements
| Element | Purpose | Examples |
|---|---|---|
| Written Standards | Document expectations | Policies, procedures, code of conduct |
| Oversight | Assign responsibility | Compliance officer, committee |
| Training | Educate employees | Annual compliance training |
| Monitoring | Verify compliance | Audits, testing, reviews |
| Reporting Mechanisms | Enable reporting | Hotlines, speak-up channels |
| Enforcement | Address violations | Disciplinary procedures |
| Response | Address identified issues | Root cause analysis, remediation |
Ethics Programs
Code of Conduct/Ethics
A Code of Conduct (or Code of Ethics) is a written document that:
- Defines the organization's values and principles
- Establishes standards of behavior
- Provides guidance for ethical decision-making
- Applies to all employees, officers, and often board members
Ethics Program Components
| Component | Description | Best Practice |
|---|---|---|
| Written Code | Document ethical standards | Clear, accessible, translated |
| Tone at the Top | Leadership commitment | CEO message, visible commitment |
| Training | Educate on ethical standards | Annual, scenario-based |
| Hotline | Anonymous reporting channel | 24/7, multiple languages |
| Investigation Process | Address reported concerns | Fair, timely, documented |
| Non-Retaliation Policy | Protect reporters | Clear policy, enforcement |
| Discipline | Consistent enforcement | Applied at all levels |
Ethical Decision-Making Framework
When facing an ethical dilemma, consider:
- Is it legal? — Does it comply with laws and regulations?
- Is it ethical? — Does it align with company values and professional standards?
- Is it fair? — Are all stakeholders treated appropriately?
- Would you be comfortable if it were public? — The "newspaper test"
- What would a reasonable person think? — Consider outside perspective
Under SOX Section 404, who is required to attest to and report on management's assessment of internal controls over financial reporting for large public companies?
Which of the following internal control deficiencies must be disclosed in a public company's 10-K annual report?
Which board committee is typically responsible for overseeing the external audit relationship and the internal audit function?
SOX Section 302 requires which executives to personally certify financial statements?