In the Sarbanes-Oxley (SOX) environment there are twelve focus areas that are particularly important for corporate boards today.  Hence, they are the ones for the company's Legal Compliance and Ethics Officers to target, right now, in the education of corporate officers.

1. Board Governance
2. Audit Committee Responsibilities
3. Public Reporting Obligations
4. Transactions in Company Securities
5. Disclosure Policy
6. Board Independence and Related Party Transactions
7. Whistleblowing Policies
8. Compensation Committee Policies and Practices
9. Risk Management
10. Code of Conduct
11. Compliance Policies
12. Document Retention

Within the limits of this page, let us talk about three requirements of SOX.

First, there has to be an audit committee on the board of directors.  The audit committee is to be made up of outside directors who the corporation does not pay for anything except being directors of the board.  The audit committee has authority to hire independent counsel and other  advisors itself.

Second, the Act defines a “code of ethics” as the standards reasonably necessary to promote:

• honest and ethical conduct, including the ethical handling of actual and apparent conflicts of interest between personal and professional relationships;
• full, fair, accurate, timely and understandable disclosure in the periodic reports required to be filed by the issuer;
• and compliance with applicable governmental rules and regulations.

Frankly, I don't think that items 2 and 3, above, of the definition of a "code of ethics" are anything other than a definition of what is necessary to comply with statutes and regulations.  Item 1 above is something more than a legal requirement.  There is much more to ethics.

Third, of importance to attorneys:

• Section 307 of Sarbanes-Oxley applies only to attorneys "appearing and practicing" before the Securities Exchange Commission (SEC) in the representation of issuers.  It does not purport to regulate the conduct of attorneys on Main Street, USA, who never work with the SEC. So even in the same law firm or legal department, Sarbanes-Oxley may not apply to all lawyers in the firm or department.
• The SEC Sarbanes-Oxley rules require an attorney to report evidence of a material violation of securities law or breach of fiduciary duty, or "similar violations" (whatever that may mean)  to the issuer's chief legal counsel or chief executive officer.
• If the counsel or CEO does not appropriately respond to the evidence, the attorney must report the evidence to the audit committee, another committee composed entirely of independent directors, or the board of directors.

Now let's give some more general comments about some Sarbanes-Oxley requirements which many now think is a public standard of due care for corporations.

Internal Control Report Issuers must provide an internal control report as a part of their annual reports. The internal control report must:

"state that management is responsible for establishing and maintaining adequate internal control structures and procedures for financial reporting; and contain an assessment, as of the end of the most recent fiscal year, of the effectiveness of the issuer’s internal control structure and procedures for financial reporting. "

Section 302 of the act,  Corporate Responsibility For Financial Reports, requires that the  CEO and CFO of each issuer shall prepare a statement to accompany the audit report to certify the "appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer."

Section 404: Management Assessment Of Internal Controls. Requires each annual report of an issuer to contain an "internal control report", which shall:

(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

(2) contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

The Act requires each issuer to disclose whether it has adopted a code of ethics for its senior financial officers and the contents of that code, and immediately disclose "of any change in, or waiver of," an issuer's code of ethics.

Section 407: Disclosure of Audit Committee Financial Expert, in effect requires issuers to have  member of its audit committee of the board who is a "financial expert."

And what about the Corporate and Criminal Fraud Accountability Act of 2002!  It is not the Sarbanes-Oxley Act, but it comes from the same source: public revulsion about the ethics (or lack of them) in some corporations.

It is a felony to "knowingly" destroy or create documents to "impede, obstruct or influence" any existing or contemplated federal investigation.

Auditors are required to maintain "all audit or review work papers" for five years.

Employees of issuers and accounting firms are extended "whistleblower protection" that would prohibit the employer from taking certain actions against employees who lawfully disclose private employer information to, among others, parties in a judicial proceeding involving a fraud claim. Whistle blowers are also granted a remedy of special damages and attorney's fees.