Could Sarbanes-Oxley Benefit Non–SEC-Registrant Audits?

By Peter M. Drexler

E-mail Story Print Story

Non–SEC-registered entities, including governments and not-for-profit organizations, face pressures similar to those present in for-profit corporations to mismanage accounting, mislead their auditors, or influence auditor judgment with lucrative consulting projects. Third parties for nonregistrants, such as banks, venture capitalists, hedge funds, and regulators, are just as vulnerable to financial reporting abuses as are investors in publicly traded companies. Many nonregistrant companies must comply with loan and bond covenants, obtain financing, report to minority shareholders, and comply with regulations in ways that may create temptations to engage in accounting abuses.

Recent Audit Failures and Their Implications

Audit failures in the non-SEC sector of the economy do not receive the same media attention as the disasters at Enron and WorldCom have, but they exist just the same. Discoveries of fraud in Nassau County’s school system led New York State Comptroller Alan Hevesi to reinstitute the state’s school audit department and hire 89 auditors, because audit failures were so pervasive. It was 20 years ago that New York State first decided to rely on independent auditors when it discontinued its audits of school boards.

The James Beard Foundation’s executive director mismanaged that nonprofit organization, whose mission is to provide scholarships to aspiring chefs, by disbursing merely $29,000 in scholarships out of total revenues amounting to $5 million. Investigators found that the executive director had also misspent hundreds of thousands of dollars as well, and he has confessed to fraud charges.

There is no doubt that these organizations would have benefited from documented internal controls and capable auditors testing those controls and reporting on results. Perhaps independent audit committees would have selected more-capable auditors or would have been aware of abuses before they got out of hand. SOX section 209 clearly states that the act was not intended for “small and medium-sized” entities, but it did admonish state regulatory authorities to “make an independent determination of the proper standards applicable” for those entities not covered by the act.

The Texas State Board of Public Accountancy commissioned a task force to evaluate its public accounting statutes to determine whether SOX-type changes would or should be recommended. The executive summary of the task force report identified public interest entities (PIE) as those where significant numbers of stakeholders make investment, credit, or similar decisions—including pension plans, banks, insurance companies and school districts—and, therefore, would possibly benefit from reform. The description of PIEs could be expanded to include companies with gross revenues exceeding, perhaps, $10 million or assets exceeding $50 million.

Whether or not SOX-type legislation would result in improvements to corporate governance for PIEs or other nonpublic entities, the task force concluded that Texas “should not enact laws that unfairly impact the state economic climate compared to other states.” It also concluded that the only way effective reform should be enacted is through consistent national standards rather than “a myriad of state-specific standards.”

In other words, no state is willing to “go it alone” in adopting SOX-type reform of audits, for fear of losing business to other states, and the result of states adopting varying versions of reform would be regrettable. As it is, the auditing profession is diverging into two sets of audit standards because of SOX. However, the Texas Board’s report stated repeatedly that it would be glad to comply with national standards, which would logically flow, in my opinion, from the AICPA’s Auditing Standards Board.

Weighing the Cost

Are there benefits to be derived from the costs of complying with SOX? How can one measure the economic benefit of avoiding employee fraud or corporate bad acts that could result in billion-dollar class-action lawsuits? For example, Merck is embroiled in product-liability lawsuits that may result in losses exceeding $14 billion because it allegedly sold Vioxx while clinical tests indicated it increased the risk of heart attacks from prolonged use. SOX-type improved internal control administration and audit reporting may prevent other companies from making similar errors, but how can the value of improved corporate governance be measured?

Corporate malfeasance and fraud can occur within entities of any size. The common denominator is human nature and a willingness to exploit gaps in internal controls. While $11 billion was diverted from the Iraq oil-for-food program overseen by the United Nations, employee fraud also occurred at the aforementioned, relatively small James Beard Foundation.

According to the 2004 report by the Association of Certified Fraud Examiners (www.acfe.com), small businesses lose an average of 6% of their annual revenues to fraud. Companies with fewer than 100 employees suffered median losses of $98,000 a year. Yet, ironically, SOX corporate-governance reform is mandated for large, multinational corporations rather for than smaller entities, which are less likely to survive disasters such as expensive lawsuits or employee fraud.

If the AICPA were to adopt SOX-type audit standards such as independent audit committees, internal control documentation, and auditor opinions or restrictions on auditors providing consulting to clients, it would not have the force of law to enforce those changes. But that is not the point. Qualifications to audit reports highlighting SOX-type corporate-governance shortcomings would make financial reports of nonpublic entities more transparent. It would be up to interested third parties to decide how to handle SOX-type shortcomings.

For example, auditing standards for cooperatives and condominiums require the auditor to disclose whether the corporations have estimated the remaining lives and replacement costs of common property. In most cases, disclosures of noncompliance are tolerated by interested parties, but if a condominium board were to apply for major financing for improvements to its facilities, the credit institution might require the condominium to assess the remaining lives of its facilities as a condition of obtaining the loan. In this case, the audit qualification merely adds transparency to the condominium’s financial statements.

In like manner, nonpublic entities’ audit reports disclosing the lack of independent audit committees, internal auditors, documented and tested internal controls, and so forth would provide readers of those financial statements with increased transparency. It would be up to interested parties, such as minority shareholders and financiers for small and medium-sized corporations; major contributors; nonprofit boards; and, in the case of school boards and municipalities, taxpayers, to demand improved corporate governance. Unqualified audit reports would indicate that the auditors and the entity had complied with a set of rules similar to SOX.

Should mom-and-pop grocery stores have to comply with Sarbanes-Oxley? The answer is less obvious. Assume a noncomplying mom-and-pop grocery has been audited. The audit report qualifications would list the lack of independent audit committee, internal auditors, documented and tested internal controls (along with material internal control shortcomings such as lack of inventory control and bookkeepers with too much power), and the fact that the auditor had provided bookkeeping and accounting system consulting services. (The auditor would have tested internal controls in the normal course of the audit.) The owner-operator would probably not be concerned with the audit report disclosures, but might increase oversight over the bookkeepers and lock the storeroom doors. At this point, the cost of the audit or corporate governance due to SOX standards would be close to zero.

Let us next assume that this mom-and-pop grocery store is successful and the owner opens a second location across town, using the cash flow and accumulated savings. The owners then decide to open a third store, and apply for a loan from their bank. The loan officer, in reviewing the latest audit, would notice the lack of inventory controls and require that the owners install a computerized cash register and inventory system before approving the loan.

The store continues to grow and prosper, and the owners realize that their operations would benefit from economies of scale with more stores, supported by a warehouse operation. To obtain this level of financing, the owners propose that a multimillion-dollar bond be privately placed with an insurance company. The investment officer would note the lack of internal auditors and audit committee and demand their implementation as a condition of approving the bond deal. If the next step for the store is to go public and receive financing through an IPO, then the store is well along the way of complying with SOX.

SOX-type reforms added to audit standards would merely result in the increased transparency of nonpublic entities, and compliance would come when interested parties notice shortcomings and recommend compliance. The cost of compliance grows as the entity expands. Each stage in the entity’s growth is accompanied by the appropriate improvements to corporate governance. If the entity does not grow, its audit costs would remain roughly the same or would increase slightly due to a greater awareness of internal controls.

Opportunities and Vulnerabilities

Should CPAs in public practice be opposed to SOX-type reform for nonpublic audits? According to this author’s conversation with an external reporting manager of an SEC company, SOX auditors have gained a higher degree of control over the audit and held their ground in disagreements over accounting treatment. This is a good thing for auditors and their clients. The accounting profession has not lost consulting business as a consequence of SOX. The firm conducting the audit is merely not the same one dispensing consulting services to any one SEC client, and companies have turned to multiple firms. CPAs will always be the first choice when companies want to develop tax strategies, update their accounting systems, or pursue similar plans.

This author’s recommendation is that the AICPA establish a dialogue with its membership and designate a task force to evaluate whether various SOX sections would aid the audit process for nonpublic companies and whether their corporate governance could be improved, remembering that nonpublic companies’ vulnerabilities to bad acts and fraud are just as threatening to them as they are to SEC registrants.

Nonregistrant entities can surely benefit from improved corporate governance that the framers of SOX found lacking at SEC companies.