Editor’s Note: Francine McKenna is the founder and Managing Editor of Re: The Auditors. She has more than 20 years experience in leadership positions in the Big 4 and in the professional services and consulting industry both in the U.S. and abroad. You can see all of her posts for GC here and can follow her on Twitter @retheauditors.

“Morality cannot be legislated, but behavior can be regulated. Judicial decrees may not change the heart, but they can restrain the heartless.” ~ Martin Luther King, Jr.

I recently discussed the proposals for a Sarbanes-Oxley exemption for “smaller” companies. But Sarbanes-Oxley is threatened in a bigger and more imminent way: The U.S. Supreme Court will hear arguments on the constitutionality of the PCAOB on December 7th. The argument against the Sarbanes-Oxley Act of 2002, which created the PCAOB, is often one of cost-benefit. Preoccupation with cost is causing us to forget what’s right about Sarbanes-Oxley:

• Established the PCAOB, an independent regulatory body for the audit industry rather than the self-regulated process that created Enron and WorldCom.

• Restricted the scope of services auditors could provide to audit clients.

• Required implementation of whistleblower systems that allow confidential communication directly with audit committees.

• Implemented legal requirements for CEO/CFO to sign statements verifying the completeness and accuracy of financial reports.

• Requires attestations by CEO/CFO and outside auditors to effectiveness of internal controls for external financial reporting.

• Requires “real-time disclosure” of material changes in financial conditions.

A law by itself does not bring benefits. Measure the benefits of the moral and ethical behaviors the law promotes and requires, instead. Certainly, all the above requirements — except perhaps “real-time” reporting, which will be implemented by XBRL mandates — are now second nature to most public companies. This didn’t happen without significant cost for some and a lot of bitching. But the significant additional cost (and bitching) was the result of two separate but equal conditions:

• Many companies, even the largest and most highly regarded, were poorly run – policies, procedures and controls over external financial reporting were either very weak or non-existent.

• The audit firms used the law to gouge clients and hold them hostage to a clean audit opinion. Auditor inefficiency and higher fees were the result of a vague, incomplete law that didn’t provide the rigid rules auditors are accustomed to. They also over-tested due to legitimate fears of legal liability.

Why didn’t Sarbanes-Oxley prevent or mitigate the financial crisis?

• Executives are incorrigible when big dollars are at stake.

• Audit firm leadership is weak and corrupt. They crave the higher fees and rolled over when clients stretched, bent, and walked all over controls.

So when you hear the arguments for exempting smaller companies from SOx or repealing Sarbanes-Oxley altogether, have this dictionary of translations handy:

1. “As CEO, I vouch for controls.”
Read: I don’t want to answer for top-side entries.

2. “ERP systems are money pits.”
Read: Manual controls can be circumvented.

3. “SOx costs too much money.”
Read: Paying more for audits cuts into my bonus.

4. “Leave me alone to run my company.”
Read: I want to do funky, non-arms-length, related-party transactions.

5. “This is the best controlled company around.”
Read: My people tell me, “You’re in control, boss,” while I’m telling them the EBITDA number we have to hit this quarter.

6. “Auditors don’t add value to day-to-day business.”
Read: Those weasels tell me the transaction is OK, then claim plausible deniability when the lawsuits are filed.

7. “The audit opinion is a necessary evil. No reasonable investor makes a decision based on it.”
Read: The audit opinion is a necessary evil. No reasonable investor makes a decision based on it.

8. “Sarbanes-Oxley didn’t prevent the financial crisis, Madoff… What’s the point?”
Read: Fraud happens. And no law will stop me from taking out my cash.

9. “We believe in internal controls, but we don’t believe having them audited is the answer.”
Read: Our CEO/CFO control the numbers because they and their directors/officers own more than 90% of the company.

10. “Let the marketplace decide, not a bunch of bureaucrats.”
Read: We believe in free markets. We should be free to do whatever the hell we want.


Requiring the SEC to review each issuer’s financials at least once every three years was also a great addition.
Publicly available SEC communications with issuers are also great resources for practitioners.

My brief comments with regards to SOX vs. no SOX with respect to controls, from my experience as an auditor, are the following. Out of all my experience, clients that I have dealt with that maintain SOX compliance tend to be extremely efficient in their reporting. Individuals are charged with responsibility, there are clearly defined process performers and process controllers, and everyone tends to be extremely knowledgeable about the entire process as a whole for the line they are in. To put it simply, responsibilities are clearly defined and the ability to play the blame game or snowball the auditors, boss, CFO, etc. is reduced significantly. For non-SOX clients I’ve dealt with, it’s been my general perception that all bets are off. Blame games, power plays, people just get an email from some random dude, do what they have to, and then send it back, all sorts of tangles and red tape, oh and of course no one signs off on anything, so no responsibility. Do realize I am referring to enterprise-level clients, thousands of transactions a day, materiality on the order of a couple hundred million euros. However, for small entities that are not complex in nature and deal in less than, say, a thousand transactions a day, I must agree, SOX is probably overkill. In my general perception what it really comes down to is… as whatever President or C-suite level employee you are, don’t you wanna know that everything is being done right and at the end of the day those numbers are correct? To put it simply, controls are the processes put in place by management to protect the company’s assets. Without controls how can you protect your assets?
just my thoughts

What I experienced in multiple SOX engagements is consistent with Francine’s comments on the primary cost drivers, with one addition, #3 following.
1) Companies had not kept up documentation of internal controls and few people in management positions cared specifically about controls, except to the extent of preventing anyone in the general employee population from stealing from the company. As a result, very few people in management in many (but not all) companies actually understood the overall effectiveness of the system of internal controls. They knew about the points raised in individual internal audit reports, but not how everything integrated into a coherent system of controls.
2) In order for the companies to get a clean opinion, management perceived that the Big 4 firms insisted that clients prepare SOX documentation according to what each of the firms determined would be their audit approach. I did not see one instance in which a Big 4 firm considered working from the client’s existing internal control documentation and policy-procedure manuals, even if they were up-to-date.
3) AS-2 required minimum audit coverage of the financial reporting controls without regard to the risk of reporting errors or fraud. At that point it became an add-on cost game. The Big 4 insisted on auditing 10%-15% more of the financial statement amounts so as to have a cushion so that in case of audit error, they would still meet the AS 2 coverage requirement. Then, management felt they had to document and internally test another 10%-15% in order to have a cushion to ensure getting a clean opinion. In the end, internal compliance coverage often exceeded 90%, even for minimal risk operating units and accounts. It was a case of CYA all around.
The firm I worked with in 2002 started out developing a risk-based compliance methodology. As soon as AS 2 was published, the risk-based methodology died and client compliance costs went up dramatically. As I understand, many of the people working with the PCAOB in developing AS 2 were former Big 4.
Fortunately, AS 5 and the PCAOB’s guidance to management have taken care of the last 2 points. The auditor is supposed to consider auditing from the client’s existing internal control documentation if it covers the relevant control activities and the basis for both management compliance and audit is to be assessment of risk. Those two changes will have a much greater effect on reducing SOX costs than the single audit opinion option in AS 5.

One qualification on the closing of @2 Guest’s comments regarding C-level execs wanting to know that everything is done right, numbers are correct, and assets are protected. The statement seems to assume that the C-level executives ARE NOT the ones causing the problems, but are only interested in doing the right thing for their companies. However, experiences pre- and post-Enron don’t support any such assumption. While error and fraud exist at all levels, the frauds that have resulted in company failures and that drove the creation of SOX were almost 100% done or facilitated by C-level execs. That is the reason for the whistle-blower and other provisions of SOX that provide for specific oversight and monitoring of the actions of C-level execs. If you read a C-level exec complaining about SOX, take out your copy of the 10-phrase translation dictionary Francine provided and then consider the person’s motives. Some will be honestly objecting to the additional costs their companies incur to provide additional transparency for a control system that is already very effective. Others will only be trying to block any regulation that restricts their flexibility to act in their own self-interest at the expense of investors and other stakeholders.