President Obama signed the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) on July 21, 2010, almost two years after the failure of Lehman Brothers precipitated a worldwide financial crisis. The law was intended to address the “over-reliance on short-term financing, opaque markets and excessive-risk taking” that had “fanned a panic that nearly collapsed the global financial system,” according to University of Michigan Law Professor Michael Barr.

Even though Dodd-Frank took a long time to enact, its various provisions did not immediately go into effect. The law merely provides a framework that requires further implementation by government officials. As of July 21, 2011—one year after passage—regulators had finalized only 13 percent of the rules the law requires. This delay has allowed the financial industry more time to lobby the government to relax Dodd-Frank rules well after its passage. Financial-industry trade magazines such as American Banker pander to industry panic over the final legislation with headlines such as “Will Dodd-Frank drive the financial industry overseas?” Although the banks may have lost the initial battle, the war over financial reform is far from over, and the banks are spending millions to convince Congress of their position.

Dodd-Frank rulemaking has been hampered by vocal critics who question the need for further regulations. Republican Member of Congress Spencer Bachus has proposed subjecting every securities law on the books to a cost benefit-analysis before agreeing to further enforcement. And Republicans who share his sympathies have been effective at underfunding the Securities and Exchange Commission (SEC) to prevent it from enforcing laws already on the books. “Without sufficient human resources,” a recent report by the SEC claims, “the agency will be unable to complete the requirements of Dodd-Frank while maintaining its current activities.”

Even if enforcement were complete, however, it is not clear that the implementation of the new law will reflect its purpose. One need only look at the history of Sarbanes-Oxley, the last law we passed to prevent financial crises once and for all, to see how true this is.

In a recent New Yorker profile that focused on the Galleon insider-trading case, Preet Bharara, the U.S. Attorney for the Southern District of New York, discusses the obstacles to civil and criminal enforcement of fraud and securities laws since the 2008 financial crisis. He could have mentioned the clear evidence that U.S. Attorney’s offices have been short of funds and understaffed. But he doesn’t. Instead, Bharara cites the difficulty of prosecuting anyone when the case is complicated by the “blame game”—that is, when executives and their attorneys, bankers, and auditors point fingers at each other to excuse material misstatements and inadequate disclosures.

Bharara’s remarks are telling. Sarbanes-Oxley provides several ways to prosecute executives, board members, and their lawyers, auditors, and bankers on a civil and criminal basis in the event of fraud, material misstatement, or inadequate disclosure that harms investors. But Bharara, for one, has chosen not to take advantage of them.

Sarbanes-Oxley was passed in 2002 in the wake of serious accounting scandals at companies such as Enron, Tyco International, Adelphia, and WorldCom whose collapses cost investors billions of dollars and undermined public trust in financial statements. The law was supposed to improve internal controls over financial reporting by means of four key provisions. A closer examination of the history of these provisions does not inspire confidence that new financial laws passed by Congress—Dodd-Frank—will be enforced.

1. Financial Statements
The most noteworthy provisions of Sarbanes-Oxley were Sections 302 and 906, which require CEOs and CFOs to sign statements certifying all quarterly and annual financial reports. This portion of the law placed responsibility for false or misleading financial statements squarely on the CEO and offered a strong disincentive against manipulating reports for personal gain, since the CEO would face criminal penalties if caught.

The Department of Justice doesn’t seem to have the appetite to apply Sarbanes-Oxley to cases of disclosure fraud.

However, other than the high-profile prosecution of Richard Scrushy for Section 906 violations at HealthSouth (he was eventually acquitted), the Department of Justice (DOJ) has not pursued a single prosecution under these statutes. This is remarkable, especially given the number of companies—Lehman, Citigroup, and Countrywide immediately come to mind—involved in civil settlements and other litigation that have offered evidence of CEOs and CFOs knowingly signing false certifications. In the SEC civil cases against Angelo Mozilo of Countrywide and against three executives of IndyMac Bancorp, the agency extracted settlements for disclosure. If there was evidence of disclosure fraud, why did the DOJ decline to bring any criminal charges against Mozilo or the IndyMac executives under Sarbanes-Oxley Section 302 or 906? The DOJ doesn’t seem to have the appetite to apply Sarbanes-Oxley to these cases.

An additional provision, Sarbanes-Oxley Section 303, prohibits “any action to fraudulently influence, coerce, manipulate, or mislead any independent public or certified accountant engaged in the performance of an audit.” Yet this provision too seems to be gathering dust: there have been no enforcement actions for Section 303, though there seems to be no shortage of applicable cases. When the auditors of Satyam, Fannie Mae, and AIG were sued for their clients’ frauds, they defended themselves by claiming that they were “duped” by management, lied to, or given false documents. In such cases, one of these parties is culpable: either the company’s auditor made a mistake or the company’s officials engaged in fraud. Section 303 specifically covers such cases. The SEC has simply chosen not to apply it.

2. Clawbacks
Sarbanes-Oxley Section 304 provides for the seizure—“clawback”—of compensation from CEOs and CFOs in the event of financial restatements due to serious breaches of securities laws. The provision is supposed to work in concert with Section 302, penalizing executives for their failure to prevent misconduct by targeting their bonuses and compensation.

There have been some Section 304 clawback cases. The first Section 304 case was SEC v. Jenkins in 2009, a full seven years after the enactment of Sarbanes-Oxley. In the Jenkins case, the SEC asked the court to order the former CEO of CSK Auto Corporation to reimburse the company and its shareholders more than $4 million that he received in bonuses and stock-sale profits while CSK was committing accounting fraud.

In addition, there are SEC v. McCarthy, a fraud case at Beazer Homes, and the SEC’s administrative proceeding against Navistar CEO Dan Ustian and former CFO Robert Lannert. Both of these cases, however, have to do with conduct predating the 2008 financial crisis.

Why have there been no Section 304 clawback cases since the crisis? The answer is simple: many of the failures and bailouts did not result in financial restatements. Accounts that reflected overly optimistic valuations of mortgage-related assets, insufficient reserves to cover losses on those assets, and no contingency for litigation have been adjusted slowly and over a long period of time rather than all at once. No one has admitted that anyone made any mistakes, let alone manipulated the numbers with fraudulent intent. The losses we’re seeing now have been written off, literally and figuratively, as an unavoidable, cataclysmic, once-in-a-lifetime economic event. Moreover, even in cases where a company is forced to restate its earnings, such as the huge Dell restatement case, the SEC has for some reason resisted using the clawback tool.

3. Auditing rules
Section 404 is probably the best known but least understood provision of Sarbanes-Oxley. The law created a new regulator for the auditing industry, the Public Company Accounting and Oversight Board (PCAOB), that reports to the SEC. The first “rules” the PCAOB issued for implementing the law on financial reporting—Auditing Standard 2—encouraged a more detached, skeptical, adversarial relationship between auditors and management. This new standard offered a broad and vague principles-based approach to auditing, compared to the more precise rules-based approach auditors were accustomed to.

Under new rules, auditors are allowed to give more independent weight to the work performed by a company’s management.

Auditors responded by expanding the scope of their audits and demanding more evidence for management’s assertions about internal controls over financial reporting than companies expected. Companies saw substantial additional audit costs during the first few years of Sarbanes-Oxley. Companies, in turn, accused auditors of spending too much time and money protecting themselves against liability and sanctions rather than shielding shareholders from erroneous or incomplete financial disclosures.

Almost one-third of public companies switched audit firms in the first three years of Sarbanes-Oxley as a result of disputes over fees and, in some cases, reversals of accounting approaches that had been used in prior years. By early 2006 their protests had grown so loud that then–SEC Commissioner Christopher Cox tried to appease their executives with speeches and studies. In 2007 the PCAOB issued Auditing Standard 5, diluting the rules for Section 404 certifications.

Under this new standard, auditors are allowed to give more independent weight to the work performed by a company’s management, especially its internal auditors. The new rules stopped the rise in auditor fees and reset the balance of the auditor-management relationship back in favor of companies. In the period since the economic downturn, public companies have gained even more leverage over their auditors.

Private plaintiffs have begun to bring Section 404 claims related to the financial crisis. For example, a class-action suit against Washington Mutual and its auditor Deloitte included allegations that Washington Mutual “misrepresented the state of its internal controls, which were weakened in order to facilitate the bank’s reckless lending practice” and that Deloitte “made the false and misleading statement that its internal control reports were audited ‘in accordance with the PCAOB’s standards.’” The parties settled for $208.5 million. Neither the SEC nor the DOJ has followed with similar complaints against banks that played a major role in the financial crisis and their auditors.

4. Whistleblowers
Finally, Section 301 of Sarbanes-Oxley requires companies to implement procedures that enable whistleblowers to communicate confidentially with the companies’ audit committees. This part of the law initially looked onerous: Sarbanes-Oxley had both civil and criminal components to protect people who report corporate fraud, including rights to reinstatement, back pay and damages, and the possibility of felony charges for retaliation.

During the first year after enactment, more than 50 Sarbanes-Oxley whistleblower cases were filed with the Occupational Safety and Health Administration (OSHA); however, most of those turned out to be for violations that occured before the law was passed, and section 301 was not applied retroactively. Furthermore, OSHA is responsible for investigating whistleblower complaints under 21 different statutes. About two-thirds of those complaints are related directly to occupational safety and health. Sarbanes-Oxley complaints are outside OSHA’s core competency.

Perhaps as a result, OSHA has successfully pursued only a few cases. According to the Center for Public Integrity, from 2002 through May 20, 2011, OSHA found merit in only 21 whistleblower complaints under Sarbanes-Oxley and dismissed 1,211 others. During the same period, the agency oversaw 291 Sarbanes-Oxley settlements between employees and employers. Another 237 cases were withdrawn before a decision was made.

Sarbanes-Oxley also does a poor job protecting some whistleblowers. Two former Boeing employees who were fired after notifying the media about the company’s possible violation of Sarbanes-Oxley requirements, recently lost a lawsuit to Boeing. The Ninth Circuit Court of Appeals rejected their claim, saying the law protects whistleblowers only when they tip off federal authorities, Congress, or a supervisor—not the media.

Like Sarbanes-Oxley, Dodd-Frank is supposed to be the law that puts an end to the financial scandals of recent memory once and for all. In some respects, Dodd-Frank makes significant improvements. However, on balance, Dodd-Frank may only repeat the failings of its predecessor.

Between 2002 and 2011, OSHA found merit in only 21 whistleblower complaints under Sarbanes-Oxley and dismissed 1,211 others.

Dodd-Frank strengthens the Sarbanes-Oxley whistleblower provisions by promising generous bounties to whistleblowers: 30 percent of the government’s haul from successful cases involving $1 million or more. The SEC has structured the rules to encourage internal reporting first, before reporting wrongdoing to the SEC, in order to receive the full reward. Nevertheless, critics such as the U.S. Chamber of Commerce reject this dual-track reporting as an assault on corporate sovereignty and a major waste of time and money, due to the added external pressure it puts on companies’ internal investigations.

Dodd-Frank also attempts to improve upon the utter failure of Sarbanes-Oxley clawback provisions. The new law mandates that companies implement policies that allow recovery of excess payments to executives when there has been a financial restatement, even if there has been no misconduct. Prior to Dodd-Frank, “nearly 50 percent of S&P 500 firms had no excess pay–clawback policy whatsoever,” says Professor Jesse Fried of Harvard Law School:

Of those firms with clear policies, 81% did not require directors to recoup excess pay but rather gave directors discretion to let executives keep excess pay. Of the remaining firms, 86% did not permit directors to recoup excess pay absent a finding of misconduct. As a result, fewer than 2% of S&P firms required executives to return the excess pay under any circumstances. Thus, on the eve of Dodd-Frank, most executives were not subject to sufficiently robust excess-pay clawback policies.

Such policies have failed to win support from company directors and shareholders because it is time-consuming and costly to determine forensically how incentive awards are calculated—in the past they were often not documented in detail in board minutes—and to trace the portion of an award that should be retrieved once a fraud is uncovered. In addition, it is difficult for company directors to recover compensation from executives many years after it has been paid and perhaps spent. For instance, in 2004 some shareholders at Computer Associates attempted to recover bonuses paid in the late 1990s to the company’s top-three executives shortly before a profits warning severely devalued its stock. The company’s board of directors advised shareholders to vote against the proposed clawbacks, which were soundly rejected.

Although the clawback provision of Dodd-Frank is welcome, it suffers the same weakness that has plagued Sarbanes-Oxley: clawbacks first require financial restatements. And since the SEC has not forced firms that suffered falls during the financial crisis to issue restatements, there is no basis for clawbacks under either law.

As for Sarbanes-Oxley’s stronger audit provisions, Dodd-Frank actually does away with them. The post-crash pressure on profits, in particular at smaller companies and startups, persuaded lawmakers to use Dodd-Frank to repeal the Sarbanes-Oxley requirement with respect to smaller public companies, those with less than $50 million in revenues or less than $75 million in market capitalization. Never mind that companies of that size and maturity are the ones most vulnerable to fraud and significant accounting errors because of poor internal controls.

Dodd-Frank is an imperfect law, most of whose rules are yet to be written. It was passed in haste with the most contentious provisions left out in the spirit of compromise. What was left was vague and difficult to enforce. Unless Dodd-Frank’s form is filled out soon, completely and robustly, it is destined to repeat the failure of Sarbanes-Oxley. And no matter how concrete and wise the Dodd-Frank provisions end up being, the law itself cannot improve the poor record of both civil and criminal enforcement by government officials.