• NYSE President Not Sure About All This Auditing

    By | July 18, 2017

    Over at the House Committee on Financial Services, some opposition to Sarbanes-Oxley has come up in a hearing called “The Cost of Being a Public Company in Light of Sarbanes-Oxley and the Federalization of Corporate Governance.”

    The gist of it is this — some people think regulations like Sarbanes-Oxley have made it too difficult for businesses to go public and remain public. And yes, it is difficult for a business to go public, but shouldn’t it be? Whether you’re jumping over hurdles or through hoops, passing through a challenging obstacle course seems like a worthwhile price to pay for gaining access to the public’s investing dollars.

    But, hey, not everyone agrees, including the new SEC Chairman Jay Clayton and New York Stock Exchange President Tom Farley. Mr. Farley was one of the witnesses at today’s hearing, which MarketWatch’s Francine McKenna live-tweeted, noting that Farley is in favor of repealing the SOX 404 requirement for auditor attestation of internal controls. This Wall Street Journal piece notes this part of his testimony:

    It “put such a great cost on corporate America, and the benefits are not entirely clear,” Mr. Farley said at a hearing of a panel of the House Financial Services Committee. “The data doesn’t show clearly that we have reduced fraud or greatly inspired confidence. But what is clear is we have far fewer public companies.”

    Farley went on to say that he recommends “narrow[ing] the definition of internal controls” and “requir[ing] that the PCAOB not pass new rules and regulations that could in any way burden public companies.”

    Perhaps conveniently, Farley’s company — a major exchange for public companies — would benefit greatly from an easier path for companies to go public. And audit firms probably would too! The 404 gravy train is more or less over, but there will always be money to be made guiding companies through the IPO process, quarterly reviews, and annual financial statement audits. Besides, now that public companies do much of the work of assessing internal control effectiveness themselves, auditors might be able to take advantage and water down other rules while deregulation is politically fashionable.

    If you have 3 hours to spare on a Tuesday afternoon in July, feel free to watch the hearing in full:

    [GOPFinancialServices, WSJ]

    Image: iStock/Jorgenmac

    • Big4Veteran

      “The data doesn’t show clearly that we have reduced fraud or greatly inspired confidence. But what is clear is we have far fewer public companies.”

      Maybe because the companies with weak internal controls and lots of fraud aren’t going public as much anymore?

      The people who argue that we shouldn’t have SOX because it doesn’t prevent all fraud are the same people who argue we shouldn’t have gun control because it doesn’t prevent all shootings. Construct a strawman…slay the strawman.

      • Jeff Jones

        I have been running my company’s IT SOX compliance program for over 10 years and I speak from experience when I say the controls we’re required to maintain run the gauntlet from somewhat effective to utter wastes of time. For example:

        1) Our auditor makes a huge deal every year about 5 or 6 userids that were terminated more than 24 hours after the person left the company. Mind you, that is 5 or 6 out of over 12,000 employees and contractors. Usually it’s because their manager submitted the electronic paperwork late and HR had to backdate the termination to avoid missing the final paycheck. Still, we waste countless hours going over this every single year.

        2) We have to set arbitrary project end dates, so our auditor can check to make sure that we get final project approval prior to that date. Now, anyone who has worked in the private sector for more than 5 minutes knows that major projects rarely end exactly on the date named during the planning phase. Business needs change, new technologies emerge, etc. So, we waste countless more hours trying to enforce those end dates. Our project managers have no incentive to end a project without proper scrutiny and signoff. They have every incentive to do the right thing. This is another waste of time with no risk to justify the hours.

        3) We have to test the monitoring of our interfaces between financial reporting systems and large ERP systems (SAP, Oracle, Workday). The auditors want to make sure we are responding to alerts when those interfaces go down. An interface going down is definitely important, but it is only loosely related to financial misstatement. Yet, our auditors want to increase this testing from 10 reporting systems to over 100 this year. For what?

        I could go on and on. SOX may have had good intentions, but it has outlived its usefulness. Remember that I am a SOX professional. If SOX goes away, so does a large portion of my job. But, new compliance work will open up as my company has been wanting to start a ton of compliance projects that have been put on hold because of the time and money we waste on SOX.

        • PwC Guy

          This is cute.

          1) Auditing is risk-based, and if you don’t see the risk inherent in a terminated employee retaining system access, you probably shouldn’t have the job that you claim to have.
          2) They are your controls, not the auditors’. If you keep failing your own controls, change them to something you can realistically achieve. Not rocket science.
          3) Loosely related is still related. Maybe try asking them why they increased the testing. They might have a legitimate reason, other than to make you miserable.

          Go on as much as you like, your role is only tangentially related to the “meat” of SOX compliance, and since your experience is just IT-related, and you clearly have a minimal grasp on risk assessment, calling yourself a “SOX professional” is a bit of a stretch. External audit exists because sometimes people are not as competent as they think they are and make sizable mistakes (or commit fraud) which ends up affecting the financials in a material way. Maybe leave the long-winded opinions on SOX to the actual “SOX professionals”. 😉

          • Jeff Jones

            To the PwC Guy with small man syndrome:

            1) Auditing is risk-based, and if you don’t see the risk inherent in a terminated employee retaining system access, you probably shouldn’t have the job that you claim to have.

            >>>That is not what I said at all. I said 6 out of 12,000 is 0.05%. Given that part of the business process has to be performed manually by managers, the chances of ever getting 100% are slim to none…as if PwC or the US Government could ever dream of only having 0.05% late terminations. And, those terminations were only a few hours late.

            2) They are your controls, not the auditors’. If you keep failing your own controls, change them to something you can realistically achieve. Not rocket science.

            >>>No kidding, genius. Again, I don’t consider 0.05% to be failing. You might, because your obsolete job depends on it. And, our external audit firm (one of the former big 5) has said they won’t be able to rely on it if we make the timeframe less stringent. See how that works? Of course you don’t, because you don’t want to.

            3) Loosely related is still related. Maybe try asking them why they increased the testing. They might have a legitimate reason, other than to make you miserable.

            >>>Do you actually think we haven’t asked that question? They always fall back on “the PCAOB is tough on us” even though they rarely get chosen for audits from that board.

            Go on as much as you like, your role is only tangentially related to the “meat” of SOX compliance, and since your experience is just IT-related, and you clearly have a minimal grasp on risk assessment, calling yourself a “SOX professional” is a bit of a stretch. External audit exists because sometimes people are not as competent as they think they are and make sizable mistakes (or commit fraud) which ends up affecting the financials in a material way. Maybe leave the long-winded opinions on SOX to the actual “SOX professionals”. 😉

            >>>I’m not just a SOX professional. My job is general IT compliance. That includes ISO27001, ISO9001, internal audit, cloud audit, and mobile apps audit. If you’re a “real” SOX professional then, as I stated before, you’re obsolete. When this dinosaur of a law is neutered or repealed, be sure to call the person in Bangalore or Xi’an who will be taking your job and congratulate them.
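The 24-hour deprovisioning control argued over in the comments above (the 5 or 6 late terminations out of 12,000 in the first comment, and the 0.05% figure in the reply) is, in practice, a reconciliation of HR termination records against the directory’s disable and enable events. The following is an added example, not code from the page or from either commenter, using constructed HR and IdP data with hypothetical user IDs. It separates timing exceptions (disabled, but past the SLA) from residual-access findings (never disabled, or re-enabled afterward), and records both the HR-recorded termination date and the date the paperwork actually arrived, so the backdating case the commenter describes shows up as a labelled field rather than as an unexplained late disable.

```python
"""Reconcile HR terminations against directory disable/enable events.

Added example with constructed data; not from the page or its commenters.
"""
from datetime import datetime, timedelta

SLA = timedelta(hours=24)  # the "within 24 hours" control window discussed in the thread

# Constructed HR extract: (user_id, termination timestamp recorded by HR,
# timestamp the manager's termination paperwork was actually submitted).
HR_TERMINATIONS = [
    ("u1001", datetime(2017, 6, 2, 17, 0), datetime(2017, 6, 2, 9, 0)),   # disabled on time
    ("u1002", datetime(2017, 6, 5, 17, 0), datetime(2017, 6, 8, 10, 0)),  # paperwork late, HR backdated the date
    ("u1003", datetime(2017, 6, 9, 17, 0), datetime(2017, 6, 9, 9, 0)),   # never disabled
    ("u1004", datetime(2017, 6, 12, 17, 0), datetime(2017, 6, 12, 9, 0)), # disabled, then re-enabled
    ("u1005", datetime(2017, 6, 14, 17, 0), datetime(2017, 6, 14, 9, 0)), # disabled two hours past the SLA
]

# Constructed IdP/directory audit trail: (user_id, action, timestamp).
ACCOUNT_EVENTS = [
    ("u1001", "disable", datetime(2017, 6, 3, 8, 0)),
    ("u1002", "disable", datetime(2017, 6, 8, 11, 0)),
    ("u1004", "disable", datetime(2017, 6, 12, 18, 0)),
    ("u1004", "enable", datetime(2017, 6, 20, 9, 0)),
    ("u1005", "disable", datetime(2017, 6, 15, 19, 0)),
    ("u9999", "disable", datetime(2017, 6, 1, 0, 0)),  # unrelated account, must be ignored
]

RESIDUAL_ACCESS = {"not_disabled", "re_enabled"}  # findings where access actually persists


def _hours(delta):
    return round(delta.total_seconds() / 3600, 1)


def reconcile(hr_terms, events, sla=SLA):
    """One finding per termination.

    status: "ok" (disabled within sla), "late" (disabled, but after sla),
            "not_disabled" (no disable event), "re_enabled" (last event was an enable).
    hours_after_term:   first disable minus the HR-recorded termination time (what an auditor measures).
    hours_after_notice: first disable minus when the paperwork arrived (what IT could act on).
    backdated:          HR recorded a termination date earlier than the paperwork date.
    """
    by_user = {}
    for uid, action, ts in sorted(events, key=lambda e: e[2]):
        by_user.setdefault(uid, []).append((action, ts))

    findings = []
    for uid, term_ts, notice_ts in hr_terms:
        history = by_user.get(uid, [])
        disables = [ts for action, ts in history if action == "disable"]
        finding = {
            "user_id": uid,
            "backdated": notice_ts > term_ts,
            "hours_after_term": None,
            "hours_after_notice": None,
        }
        if not disables:
            finding["status"] = "not_disabled"
        else:
            first_disable = disables[0]
            finding["hours_after_term"] = _hours(first_disable - term_ts)
            finding["hours_after_notice"] = _hours(first_disable - notice_ts)
            if history[-1][0] == "enable":
                finding["status"] = "re_enabled"
            elif first_disable - term_ts > sla:
                finding["status"] = "late"
            else:
                finding["status"] = "ok"
        findings.append(finding)
    return findings


def exceptions(findings):
    """Everything that is not 'ok', residual-access findings first."""
    return sorted(
        (f for f in findings if f["status"] != "ok"),
        key=lambda f: (f["status"] not in RESIDUAL_ACCESS, f["user_id"]),
    )


def rate_percent(exception_count, population):
    """Exception rate as a percentage of the tested population, two decimals."""
    return round(100.0 * exception_count / population, 2)


if __name__ == "__main__":
    found = reconcile(HR_TERMINATIONS, ACCOUNT_EVENTS)
    for f in exceptions(found):
        print(f)
    print("rate over the constructed population:", rate_percent(len(exceptions(found)), len(found)), "%")
    print("6 late out of 12,000 (figure from the thread):", rate_percent(6, 12000), "%")
```

The design choice worth noting is the ordering in `exceptions`: an account that was never disabled, or was disabled and later re-enabled, is live access and belongs at the top of the list, whereas a disable that landed a few hours past the window is a timing miss with no remaining exposure. Reporting `hours_after_notice` next to `hours_after_term` lets the reviewer see when the delay sits in the manager-to-HR handoff rather than in IT, which is the backdating situation the first commenter describes; the control still fails on the HR-recorded date, but the remediation target is different.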