ACCOUNTING & AUDITING

Auditing

Ripple Effects of the Sarbanes-Oxley Act

By Jo Lynne Koehn and Stephen C. Del Vecchio

The Sarbanes-Oxley Act is the most significant change to U.S. securities law since 1934. The act’s congressional sponsors—Representative Michael G. Oxley (R-Ohio) and Senator Paul Sarbanes (D-Md.)—both believe that the legislation is helping to restore investor confidence and deter fraud. The two are divided, however, in their assessments of other consequences of the act.

Oxley is concerned that the legislation might be motivating undue risk aversion arising from fear of violating provisions of the act and incurring stiff penalties. Sarbanes thinks that the rules are forcing companies “to clean up their acts.” Although it is too soon to tell the overall impact of the act, the popular and financial press has identified certain intended and unforeseen consequences.

Negative Influence on Corporate Mergers and Acquisitions

Oxley’s concern about the act’s potentially chilling effect on risk taking is supported by a slowdown in merger and acquisition activity. Acquirers may be wary of the financial liability they could assume for the private companies they acquire. Public company executives question whether they may be held accountable for an acquired private company’s history. Understandably, the due diligence process is taking longer and deals are now being consummated more slowly.

Increased Efforts by Audit Committees

A Deloitte & Touche LLP survey found that audit committee meetings are more frequent and longer. Before the Sarbanes-Oxley Act, 11 of the 66 companies surveyed met more than six times per year. Since the act, 39 companies have met that frequently. Before the act, half of the companies surveyed met for one hour or less. Since the act, only 10% have met for such a short time. Evidence suggests that committee members are also working longer hours outside of audit committee meetings.

Contraction of the Audit Market

Accounting firms providing services to public companies faced an October 22, 2003, deadline for registering with the Public Company Accounting Oversight Board (PCAOB). Non-U.S. firms have an additional six months to register. Formerly, over 850 accounting firms audited public companies, and 250 more retained the training and credentials to do so. As of October 23, 2003, the actual number of firms registering with the PCAOB by the deadline was only 598. Small firms must not only weigh the PCAOB registration costs but also consider the accompanying operating costs, such as increased liability insurance costs, staff training costs, and increased liability risk.

Decreased Competitiveness of the Audit Market

A recent report from the General Accounting Office (GAO) found that the Big Four audit around 78% of U.S. public companies. The GAO characterizes the audit providers as an oligopoly of a few businesses, with risks of becoming even more concentrated. For example, if any one of the large firms were to be sanctioned and prevented from taking on new public company clients for any period of time, the potential choice of auditor for many entities could be significantly constrained. [This online version differs from the print edition as indicated. See the authors' correction notice.] Other large firms may receive similar sanctions in the future. Additionally, none of the Big Four have expertise in every industry, so some market segments are actually dominated by just one or two firms.

Increase in Accounting Costs

For some registrants, one of the most costly provisions is compliance with section 404 of the act. Section 404 requires management to organize and assess internal control systems and the independent auditor to assess their effectiveness. Some companies estimate that section 404 compliance alone may cost 1% of earnings.

Total compliance costs for listed companies have been estimated at $7 billion a year. As the estimate implies, the costs are not one-time, but recurring: internal control systems must be tested each year. Some larger registrants, on the other hand, may have minimal out-of-pocket costs in complying with section 404 because adequate systems and talent are already in place.

The cost of recruiting appropriate board members has also increased. A financially literate audit committee is now required to have a designated “financial expert.” Some registrants may have difficulty finding qualified board members under the stricter board composition requirements. Additionally, 5,200 public companies and 3,300 mutual funds will pay fees based on average monthly market capitalization to support the PCAOB’s operations.

PricewaterhouseCoopers estimates that 81% of public companies predict that the costs of complying with the act will rise in the future. Exhibit 1 presents the findings of a survey by the law firm Foley & Lardner of 32 mid-size companies regarding the costs of Sarbanes-Oxley compliance.

Increased Records Management Requirements

Before the Sarbanes-Oxley Act, the government had the burden of proof to show that an individual destroyed evidence with knowledge that the evidence was sought in an official proceeding. After the act, an individual can be charged with obstruction of justice (carrying 20 years imprisonment) for destroying evidence if the person should have known to preserve the document for any possible future government inquiries. The act also creates potential criminal liability for the destruction of records, even when conforming with an otherwise applicable records management policy and even if no federal investigation was in process at the time the records were destroyed.

The increased legal exposure for data protection has required a focus on content management and a new definition of a “record” or “data.” In June 2003, members of the National Association of Securities Dealers (NASD) were informed that they must retain records of instant messaging (IM) for three years. The act requires that accounting firms retain e-mail for five years and audit-related workpapers, analyses, and correspondence for seven years. Content-management vendors are responding by developing products that capture and store e-mail, instant messaging, and other correspondence.

Salary Increases

The significant salary increases seen in certain areas during 2003—6% in finance and 10% in cash management—may not be fully attributable to the act, but greater scrutiny of financial reporting and internal controls may have created premiums in these areas.

Increase in Audit Fees

Audit fees reported by the Big Four are up by 25% to 33%. These increases are reportedly the result of assisting clients in complying with the new Sarbanes-Oxley regulations. According to a May 2003 survey by Financial Executives International, audit fees are expected to rise an additional 35% by mid-2004. The act’s requirement for companies to assess their internal controls and have auditors attest to this assessment is effective May 2004.

Influence on SEC Sanctions

With the consolidation in the audit market, some question whether regulators would be able to administer severe sanctions when disciplining the Big Four. A severe sanction, such as a firm-wide one-year ban on auditing SEC clients, could put an accounting firm out of business and severely stress the remaining firms to cover the resulting needs of the audit market. Regulators will need to become more creative with their sanctions and will likely impose more temporary firm-wide bans and make the most punitive penalties financial in nature.

The SEC has shown flexibility in applying sanctions on companies not complying with CEO certification. The SEC has sanctioned very few companies for tardy certification filings. This may be due to a lack of manpower or to a desire to slowly usher in the corporate changes necessary for compliance.

The Impact on Private Companies

The Sarbanes-Oxley Act primarily places more stringent controls on public companies. Nonetheless, several implications for private companies are emerging. Both public and private companies must provide the means for whistleblowers to anonymously report potential wrongdoing to corporate audit committees.

Private companies are being pressured by potential acquirers to show compliance with internal control documentation and processes. Private firms with IPO aspirations will need to consider retaining a PCAOB-registered audit firm, complying with the internal control provisions, and recruiting an independent board with a financially literate audit committee.

Venture capitalists are not the only group applying pressure on private companies. Managers are also feeling pressure to implement improved governance and accountability, from customers, lenders, investors, and accountants.

Banking regulators have been issuing policy statements noting that various provisions of the act apply to depository institutions. For example, on March 5, 2003, the Federal Deposit Insurance Corporation issued a letter to financial institutions stating that the auditor independence, corporate responsibility, and financial disclosure requirements of the act represent sound corporate governance practices and should be complied with by banking institutions.

Reluctance of Foreign Companies to Comply

In April 2003 the SEC exempted foreign companies from most of the act’s requirements, although CEOs must still certify financial results and accept personal criminal liability if the statements are proven invalid. Before the SEC’s action, trading in American depository receipts was at its lowest level in a decade. Even with the SEC’s exemption, foreign companies may stay away from the tougher accounting rules and heightened emphasis on corporate governance.

Increased Volume of Corporate Disclosure

Companies are responding to the act with an increase in disclosure. The size of annual reports, quarterly filings, and proxy statements has increased noticeably. For example, General Electric’s latest report is 160 pages, double the size of last year’s. Eastman Kodak’s latest filing is 45% larger than last year’s, and General Motors’ is 28% larger.

Trickle-Down Accountability

The act requires top-level managers to certify financial statements in regulatory filings. A trickle-down accountability is being reported, wherein lower and mid-level managers certify results generated at their respective level of responsibility. In some cases, even third parties are being required to sub-certify documents prepared for top management.

Trickle-Down Power to Shareholders

Shareholders of most publicly traded companies do not have the right to nominate board of director candidates to appear on the official proxy ballot alongside board-nominated candidates. An example of a company that has already conceded this right to large shareholders is Apria Healthcare, where any shareholder holding 5% of the outstanding shares for a two-year period may, starting in 2004, nominate a director candidate. Other companies may follow Apria’s lead to signal seriousness regarding corporate governance reform. Many companies may vigorously oppose this shareholder right. Some experts maintain that letting shareholders nominate directors could result in boards with little understanding of the business.

On October 8, 2003, the SEC proposed rules that would allow the inclusion of certain outside candidates on proxy materials if one of the following two events occurs:

Impact on D&O Insurance Underwriting

The directors and officers (D&O) liability insurance market is using the act’s CEO certification requirement in underwriting decisions. If a company is required to restate financials that have been previously certified, D&O companies may use the restatement event as a reason to deny coverage or cancel D&O policies. The underwriting rationale is that the new certification requirements for financial statements and internal control assessments create a greater risk of shareholder class-action suits.

Increased Costs of D&O Insurance

Rates for D&O insurance, if obtainable, have ballooned by 100% to 400%, depending on the size of the company. Another source estimates that mid-size companies will see D&O insurance premiums rise an average of 94.2%, from $329,000 to $639,000.

Consulting Is Booming

Consulting companies are rushing to retool offerings to assist corporations with compliance. The act requires that companies establish an avenue for employees to anonymously report company noncompliance. Consulting solutions range from new software implementations to telephone hotlines for informants. Other consultants are offering ethics training or fraud investigation services.

New Compliance Software Production

The leading producer of software to facilitate compliance with the act is SAP, which is creating software for its R3 enterprise platform and financial software suite to facilitate compliance. A key feature of the new software is the anonymity it provides company whistleblowers in reporting corporate wrongdoing. Other software vendors involved with compliance software include InfoStep, Applix, Ariba, and Concur.

More Work for Lawyers

The act has created “a series of minefields for in-house counsel,” according to securities lawyer David Gourevitch, quoted in USA Today, because there are so many rules and the penalties for noncompliance can be severe. Several surveys outlined in Exhibit 2 show the effects of the act on attorneys.

Educational Impact

Some colleges are reporting a rebirth of interest in accounting courses. Universities are also changing their auditing curricula, adding courses focused specifically on fraud. Whether in response to the act or to improving general economic conditions, public accounting firms are in a hiring mode this year.

Company Loans to Executives Prohibited

The Sarbanes-Oxley Act forbids companies from loaning executives money. Previously, company loans to executives were a way to facilitate executives’ purchases of stock as part of their incentive compensation systems.

Change in the Audit Process

Section 404’s requirement of an opinion on internal control will change the nature, timing, and extent of testing of controls. The range of controls tested and the level of testing currently in place will not provide sufficient assurance to comply with the act. Also, before the Sarbanes-Oxley Act, auditors could elect to forgo the testing of controls and perform the audit using only substantive testing. The act does not allow this approach. The mix of transactions tested by the auditor will also change, because those selected for testing will depend on the internal control selected for testing. Previously, auditors would often elect to test preventive controls rather than detective controls. Under the act, a high level of assurance is unattainable without testing both types. Furthermore, proposed rules released from the PCAOB on October 7, 2003, will require auditors to scrutinize the audit committee.

Two Tiers of Compliance?

Some small registrants are arguing that they are unfairly burdened by the Sarbanes-Oxley Act. Some claim that complying with the act’s provisions would be unduly expensive for small companies. Others counter that flexibility for smaller companies already exists in the “comply or explain” provisions of the act.

It may be difficult to support different treatment for smaller registrants, given that smaller companies are not immune from financial fraud. Transparency and quality accounting are “part of the price of being a public company. If you don’t want to pay the price, go private,” according to Lynn Turner, former chief accountant at the SEC.

“Auditing” the Auditors

Beginning in 2004, public accounting firms registered with the PCAOB will be inspected on a regular basis. Any firm auditing more than 100 public company clients is subject to an annual inspection, while firms not meeting the 100-audits threshold are subject to inspection every three years. The PCAOB conducted a limited inspection of the Big Four accounting firms in 2003.

After inspection, firms will receive a report of findings. The firms will have one year to address the issues raised before any problems are publicly disclosed. The PCAOB will be able to levy fines, censure, suspend, and bar from practice both individual accountants and firms.

Changes in Attorneys’ Legal Conduct

The act also establishes a new standard of professional conduct for public-company attorneys. If corporate attorneys become aware of material wrongdoing, they must report it to top management or the chief in-house counsel. If top management takes no action, then the attorney must report it to the board of directors. This SEC rule of conduct became effective on August 8, 2003. Another SEC proposed rule for attorneys, termed “noisy withdrawal,” would require lawyers to resign in a public fashion and disclose the corporate wrongdoing with the resignation. Lawyers are opposed to the noisy withdrawal because ethics confidentiality rules at the state level would prohibit the disclosures required by the SEC. An alternative to the noisy withdrawal would require SEC reporting whenever a lawyer resigns out of frustration with a company for not addressing material problems.

New Metrics

Some argue that weaknesses inherent in GAAP-based financials and the lack of analyst skepticism are more fundamental problems than the act’s governance and accountancy focus. If more non-GAAP metrics were offered, reported results could become even more transparent. With better analysis of what information impacts value, analysts could consider information sources beyond narrowly conceived financial data sets when rating firms. Better diagnostic recommendations might emerge.

Analysis

The Sidebar classifies the 26 effects according to whether they are direct effects of the legislation, intended reactions to its provisions, or unforeseen effects.

Foley & Lardner surveyed 200 senior executives, 60% of whom thought that the reforms of the Sarbanes-Oxley Act have gone too far. Nonetheless, no immediate changes to the bill are planned. Oxley has stated that “No one should be under any illusions that we’ll revisit Sarbanes-Oxley anytime soon” and Sarbanes has said that Congress needs to see how the bill is working before it considers changes. Former SEC chairman Arthur Levitt says that the real test will come during the next bull market because that is when accounting fraud traditionally flourishes.


Jo Lynne Koehn, PhD, CFP, CPA, is a professor of accounting and Stephen C. Del Vecchio, DBA, CPA, is an assistant professor of accounting, both at Central Missouri State University. They gratefully acknowledge the research assistance of Hangyi Liu.

A full list of source materials referenced within this article is available upon request from the authors at sdelvecchio@cmsu1.edu.


CORRECTION

Our article above, “Ripple Effects of the Sarbanes-Oxley Act,” mistakenly stated that Ernst & Young “recently endured a six-month prohibition from accepting new public company clients.” In fact, the administrative law judge overseeing that proceeding has not yet issued a decision in this matter, and no such prohibition has been imposed.

The authors regret the error. The larger point we were attempting to make is that reducing the number of public companies’ options in obtaining audit services, which would be one consequence of such a limitation on a large firm, could have enormous negative consequences in the capital markets. We hope that point is not lost.

 


©2004 CPA Journal.