Six Years of the Sarbanes-Oxley Act
Are We Better Off?

By William J. Dodwell

E-mail Story Print Story

Accounting Scandals

Reining in corporate financial reporting was justifiable. Beginning in late 2001, allegations of fraud and other improprieties by companies including Enron, Adelphia, WorldCom, Cendant, and Tyco seriously undermined investor confidence and contributed to stock market malaise. Concerns included concealing debt through unconsolidated off–balance sheet entities; manipulating revenue through creative application of derivative accounting rules; burying expenses in the balance sheet; and hiding bad receivables—all despite the scrutiny of management, public auditors, securities analysts, rating agencies, and investment bankers.

Although frauds have been in the spotlight, some problems arose instead from the interpretation of complex accounting rules. In some instances, management and auditor agreed on the accounting for certain transactions, only to be challenged in a politicized environment of prosecutors, regulators, and media. For example, hedge accounting, governed by SFAS 133, Accounting for Derivative Instruments and Hedging Activities, loomed large in some major restatements. But SFAS 133 is so cumbersome that the FASB is considering simplifying the standard. Other contentious issues are founded on subjective estimates of such things as loss and contingency provisions and amortization rates. To be sure, material financial misstatement was problematic, but because well-intended interpretations were sometimes second-guessed, it was not always malicious. Of course, any manipulation of those estimates to distort earnings and bonus calculations was reprehensible.

Accounting scandals have prompted the FASB to reevaluate certain inadequate standards. For example, it amended its consolidation rules under FIN 46(R) in a reaction to Enron’s machinations involving off–balance sheet special-purpose entities (SPE). And, as mentioned, the FASB is reassessing SFAS 133’s complex hedge accounting requirements.

Passage of SOX

As part of implementing SOX, the SEC created the Public Company Accounting Oversight Board (PCAOB) to oversee the auditors of publicly held companies, replacing the system of self-regulation through the AICPA. (The AICPA continues to set standards for accounting firms serving nonpublic companies.) Not meaning to reinvent the wheel, the SEC and PCAOB built on the internal controls framework established in 1992 by the Committee of Sponsoring Organizations (COSO) of the National Commission on Fraudulent Financial Reporting—more commonly called the Treadway Commission (after its chairman, James C. Treadway, Jr., a former SEC commissioner). In its effort to improve the accountability and effectiveness of the public audit, the PCAOB created Auditing Standard 2 (AS2), which was specifically designed to guide auditors in the evaluation of internal controls (AS5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, which superseded AS2, is discussed further below). In addition, the PCAOB made accounting firms subject to annual inspection to verify that their SOX certifications are supported by sufficient evidence.

At the enterprise level, SOX requires organizational assessments focusing on corporate governance over broad systemic firm-wide checks and balances, including risk management, communications, the whistleblower provision, and conflict-of-interest issues. Additionally, SOX requires the CEO and CFO to bear personal responsibility for the effectiveness of internal controls by signing off on the financial statements. Violations are subject to criminal penalty.

To redress the root causes of management accounting abuses at the transaction level, section 404 of SOX requires public companies to annually document and test internal controls and their associated business processes, remediate deficiencies, and assert the controls’ effectiveness in ensuring the accuracy of financial reporting. The outside auditor is then required to opine on that assertion as well as form an independent opinion on control effectiveness. Both management’s assessment and the auditor’s judgments are disclosed in the company’s annual 10-K report. (The SEC has repeatedly delayed the implementation date for nonaccelerated filers—companies whose market capitalization is under $75 million.)

Whereas SOX engendered some beneficial change, section 404 created a backlash, with corporate accounting departments across America challenging the excessive cost of compliance. Indeed, the very competitiveness of American business has been called into question because of SOX’s documentation and testing requirements. In six years of experience, representing for most companies two years of startup implementation and four years of certified audits, does SOX pass a cost-benefit analysis? Have the improprieties that prompted the legislation been substantially redressed? Can SOX’s requirements be mitigated to exempt the many innocent companies and identify the relative handful of guilty parties?

Backlash

The reaction against SOX’s section 404 requirement to document internal controls and test them annually came from far and wide. First, companies smarted from having to incur massive preparatory costs associated with hiring employees and consultants, and installing new computer systems. Then they bristled at the perceived excessive implementation requirements and ambiguous SEC and PCAOB guidance. The question became, “How much documentation and testing is necessary?” The following addresses this question and constitutes a framework for evaluating the time and cost burdens of documentation and testing eventually broached by AS5:

• Duplication of a SOX audit of internal controls and a traditional audit of financial statements. What is the difference, and is there too much overlap? One might argue that a SOX audit focuses on processes and structures that govern the effectiveness of internal controls over the financial reporting process. By contrast, a financial audit focuses on assessing the fairness of the actual financial statements. Of course, auditors have always considered internal controls in designing their financial statement auditing procedures. But now SOX requires auditors to consider them as a separate objective in its own right. Question: Would further integrating SOX audit and financial statement audit procedures be more efficient?
• Redundancy of both management and SOX testing of internal controls. Auditors thought that AS2 limited how much they can rely on a company’s own SOX testing. Therefore, they must conduct considerable testing of their own selected samples, and must also verify a sampling of management’s tests, to provide an adequate basis for their opinions. That limited ability to rely on management’s work results in higher costs. Question: Should auditors rely more on management’s test results?
• Disagreement between management and the external auditor over risk-assessment and testing methodologies. Although the regulatory guidance acknowledges the role of management’s judgment in assessing risk, judgment is subjective and sometimes does not reconcile with an auditor’s independent assessment. The scope of SOX work depends on risk assessment and the definition of an internal control. For example, some companies do not distinguish controls from procedures. Furthermore, SOX applies only to key controls, but the distinction from non-key controls is not codified and is therefore entirely a matter of judgment. Depending on how key controls are defined, they may be significantly more numerous than necessary, rendering individual documentation and testing overly burdensome. Other subjective scope parameters, such as business process taxonomies and materiality thresholds, also influence the workload. Because internal controls and test methodologies are not definitively codified in the SOX guidance, management and the auditor may differ in their risk assessments and in the relative scope and extent of documentation and testing.

Because the outside auditor is the final arbiter of the scope needed to support an opinion, management may invest substantial time and money in work that it considers unnecessary based on its intuitive knowledge of the day-to-day operation of internal controls. Question: How extensively must internal controls be tested to establish reasonable effectiveness?

Cost-Benefit Analysis

The ultimate assessment of SOX centers on a cost-benefit analysis that takes into account the relative significance of each positive and negative item. The following are the tradeoffs, some of which are more definitive than others.

Costs.

• Smaller profit margins and retarded economic growth from management compliance costs, higher audit fees, and the opportunity costs of forgoing more productive activities.
• Certain redundancy between the work of management and the outside auditor.
• A stressful scramble for new auditors as accounting firms drop certain clients when reevaluating their acceptance and retention policies. Smaller companies are particularly vulnerable.
• Diminished competitiveness in capital raising and business investment as newly public companies list their shares on foreign exchanges and foreign companies expand overseas instead of investing in the United States in order to avoid the SOX burden.

The competitiveness issue prompted several studies on the effect of regulation, litigation, and ambiguous accounting rules, including those commissioned by the Treasury Department and one by U.S. Senator Charles Schumer of New York and New York City Mayor Michael Bloomberg. Those studies were predicated on the supposition that excessive regulation, including SOX, adversely affects the U.S. financial markets and New York City’s status as financial capital of the world.

Opponents of this view, including former SEC Chairman Arthur Levitt, claim this “capital crisis” is unfounded. And Treasury Undersecretary Robert Steel pointed out that a highly disproportionate share of global mutual fund and hedge fund assets resides in the United States. In addition, he said futures contracts traded on U.S. exchanges and dollar-denominated foreign-exchange derivatives also predominate.

• Reduced domestic capital spending as companies compensate for SOX compliance costs.
• Concentrated stock ownership as companies avoid SOX by taking themselves private through stock repurchase or through sale to private-equity firms. Other companies exempted themselves by issuing stock on a 144A private placement basis to a few large institutions rather than the general public.

Ownership concentration is not necessarily bad. Typically, private-equity portfolio companies, unfettered by pressure to produce short-term results, take on greater risk to produce better returns than public companies. However, some bemoan the inequity of those outsized gains devolving only to the few rather than the larger investor community.

• SOX work conducted after the initial implementation tends to yield diminishing returns in succeeding years after control weaknesses are corrected.

Benefits.

• SOX audits promote transparency and ensure reliable financial reports. They have uncovered many material weaknesses in internal controls that have contributed to a dramatic rise in the number of financial restatements. SOX-driven correctives and disclosures inspire greater investor confidence and ultimately support a more efficient capital allocation process.
• The potential consequences of a failed SOX audit motivate companies to maintain higher quality transaction controls and corporate governance that might not otherwise exist. Those consequences apply particularly to the cost of capital, because failure to comply with SOX potentially affects stock prices, borrowing rates, and bond ratings. Thus, the fear of failure results in extra assurance for investors.
• The SOX review forces companies and auditors to place greater emphasis on the control environment and its ongoing continuity. Section 404 adds process evaluation to traditional account validation, and holds both management and its public auditors more accountable.
• The exercise of maintaining extensive documentation of internal controls required by SOX section 404 potentially fosters a better control mindset among accounting staff. This mindset can sometimes lead to control process rationalization and streamlining.
• SOX documentation is a good tool for training new personnel. It also serves as disaster recovery backup and a means of communicating internal control information to those responsible for its execution.

Regulatory Relief

In response to widespread criticism, the PCAOB issued AS5 in 2007 to replace AS2 as guidance for independent auditors in the interest of a more practical evaluation of controls over financial reporting. This standard, in combination with the SEC’s concurrent guidance for management evaluation of internal controls, Interpretive Guidance for Management, established a better principles-based framework for aligning the views of management and the outside auditor. In view of the speed with which SOX was assembled, regulators knew from the beginning that it was a work in progress that would require refinements over time. The following describes the current incarnation.

Auditors. AS5 recommends that auditors adopt a top-down, risk-based approach to evaluating internal controls that focuses on the most likely sources of risk; that is, scalable to the size and complexity of the organization, and integrated with the audit of financial statements. This is in contrast to the bottom-up, prescriptive approach to assessing risk and identifying internal controls under AS2, which started at micro-level exposures and inductively established overarching controls at the financial statement level. AS5 requires less documentation and testing in a more cost-effective assessment that eliminates excessive scrutiny while retaining focus on the serious financial reporting risks posed by weak internal controls.

AS5 emphasizes materiality in assessing misstatement risk and greater attention to entity-level and fraud controls. In addition, AS5 recognizes that some companies need strict SOX standards while others need less stringent standards. Thus, auditors may now acknowledge this distinction and make SOX standards commensurate with a company’s risk to achieve reasonable assurance at less cost. Previously, a one-size-fits-all approach applied to all public companies, with some preliminary accommodation for smaller companies.

Other efficiencies envisioned by AS5 include:

• Designing testing to more fully encompass the objectives of both the audit of internal control and the audit of financial statements simultaneously, where each audit informs the other;
• Relying more on the work performed by others for the purpose of management’s assessment of internal controls; and
• More selectively conducting walkthroughs as a means of understanding the nature of misstatement risk.

For smaller companies (i.e., nonaccelerated filers), the SEC recently provided further relief by deferring the independent auditor’s attestation of management’s report on the effectiveness of internal controls over financial reporting for fiscal years ending on or after December 15, 2009.

Management. At the same time AS5 was released, the SEC provided parallel advice for management in its Interpretive Guidance for Management, which codifies a more efficient approach to evaluating the effectiveness of internal controls in detecting and preventing material financial misstatement. The guidance centers on a top-down, risk-based approach to first identifying risk and then evaluating the design and operating effectiveness of the transaction- and entity-level controls. This specific guidance enables management to adopt a more efficient and independent evaluation of the effectiveness of internal controls rather than just deferring to AS5 details for fear of not satisfying the auditor.

Management is permitted to exercise greater judgment in deciding on appropriate methods and procedures that address the likelihood and potential magnitude of financial misstatement. This streamlined assessment eliminates the redundant review of multiple controls over a particular reporting risk. This means more flexible documentation and testing standards in the production of adequate evidentiary matter keyed to the degree of perceived misstatement risk posed by error or fraud. Furthermore, management’s procedures may differ from those adopted by the independent auditor. Further efficiency is achieved in subsequent years because management now evaluates only changes in risks and controls in an updated assessment, rather than recreating the entire process.

Smaller Public Companies

In April 2006 the SEC issued its Final Report of the Advisory Committee on Smaller Public Companies. This issuance established risk-based, scaled securities regulation for companies in the lowest 6% of market capitalization, which represent the majority of public companies. One accommodation was a temporary exemption from SOX section 404. In its place, these companies became subject to new guidance on internal controls over financial reporting issued by COSO. This document was a guide on how small companies should apply the 1992 COSO framework pending the development of a SOX internal control framework specifically designed for smaller companies.

The 2006 report recommended that the PCAOB amend AS2 to provide cost-effective relief for small companies, to include testing to find only material weaknesses, and to integrate internal control and financial statement audits. The SEC also urged the PCAOB to ensure that public audit firms incorporate this relief in the internal control reviews of client companies.

In June 2007 the SEC released its SOX interpretive guidance on management’s evaluation of internal controls for smaller companies in conjunction with the release of AS5 by the PCAOB. The SEC did not exempt small companies from SOX compliance as some had hoped. Rather, sympathetic AS5 management guidance formally acknowledged that all companies with less than $75 million of public equity can independently scale their SOX assessments to the circumstances of their business without having to mime the auditing standard as before. Additionally, the SEC will monitor implementation of AS5 in the PCAOB’s inspections of audit firms. To ensure that smaller companies no longer bear a disproportionate burden, the SEC was expected to conduct a cost-benefit study of the new standards. But is the new guidance definitive enough to avoid disagreements with auditors?

Best Practices

AS5 and the accompanying management guidance establish a framework for evaluating internal controls more efficiently through a top-down, risk-based approach. The guidance emphasizes a holistic view of risk that identifies enterprise-wide vulnerabilities and gives greater consideration to fraud controls. The current approach comprises the following modalities:

• Risk assessment. Focus on exposures to material financial misstatements that take into account their probability through error or fraud, especially management override. Consider the complexity of processes and dependence on judgment. Evaluate entity-level and IT controls. Consider the vulnerability of manual operations, including spreadsheet applications, which are pervasive in smaller companies. Under AS5, the auditor’s independent risk assessment, established through appropriate inquiry, observation, document inspections, and walkthroughs, should align with management’s self-assessment founded on daily operations.
• Controls identification. Identify only key controls that address material exposures consistent with the company’s size, complexity, and operating structure. Document the design of those controls.
• Controls effectiveness. Test both design and operating effectiveness. Focus on the most operative control that addresses particular material exposures consistent with the risk assessment, not all such controls. AS5 emphasizes broader, higher-level controls that might warrant 100% testing over lower-level controls that would involve sampling methodologies. Document test procedures and findings to produce evidence that is consistent with the nature, timing, and extent of those controls.
• Remediation. Resolve and retest significantly deficient controls.
• Reporting. Communicate findings to the board of directors, and report deficiencies to the parties responsible. Distinguish design deficiencies from operating deficiencies. Assess the relative seriousness of deficiencies in terms of the impact on the financial statements and classify them as a significant deficiency or a material weakness.

As a means of applying these concepts efficiently, AS5 cites a risk-assessment methodology that had already been in practice for several years. This approach involves assigning taxonomies to particular processes and controls to establish an overall risk profile in a risk-control matrix format. Specifically, risk assessment starts with identifying significant accounts and disclosures, and then mapping them to business processes that are classified by degree of risk and complexity. Associated controls are characterized by relevant assertions, such as valuation, existence or occurrence, and presentation and disclosure. Controls are also evaluated by posing “What could go wrong?” questions that contemplate possible financial misstatement and fraud scenarios.

In the past, some risk-averse auditors might have dismissed this model, favoring more-traditional benchmarks of risk exposure, such as a financial statement category’s percentage of total assets or revenues. But now that the methodology has the PCAOB’s imprimatur, all auditors can rely on it as a means of streamlining the SOX process in a top-down assessment. Or not. A certain dissonance between management and auditors concerning respective risk assessments may be inevitable, especially in manually intensive operating environments common to smaller companies.

PCAOB Oversight

No review of SOX would be complete without addressing the public audits that failed to detect many of the problems that led to the well-chronicled scandals. Through its inspection program, the PCAOB seeks to evaluate the quality of the auditing process, thereby holding firms accountable for correcting their mistakes and upgrading their methodologies in future audits. In particular, the PCAOB cites significant failures to properly apply AS2 in evaluating management assertions and the effectiveness of internal controls. Its reports will also call out improperly applied Generally Accepted Accounting Principles (GAAP), a failing that affects the financial statement audit as well.

Limitations

Regulators—the Treasury Department, the SEC, the PCAOB, and the FASB—strive to balance management cost, auditor liability, and investor protection to achieve effective and efficient prevention and detection of material accounting fraud and error. Can SOX accomplish this? Refco’s misstatement, for example, occurred some years after SOX was enacted. And the existence of SOX arguably did not directly help expose stock option backdating. In the effort to balance effectiveness and efficiency, only time will tell whether AS5 has succeeded.

Six Years and Counting

Considering the number of financial restatements of the last several years, the traditional financial statement audit alone is not enough to assure the investor community. A separate SOX examination of internal controls helps fill the gap by providing additional assurance where controls are strong and raising awareness of the potential for future problems where controls are lacking.

Are we better off after six years of Sarbanes-Oxley guidance? To some extent, implementation has prevented and detected more of the problems that gave rise to SOX. AS5 and the companion SEC management guidance codify the integration of the SOX examination with the annual financial statement audit, and promulgate a risk-based tailored approach to SOX documentation and testing requirements. Theoretically, both the PCAOB and the SEC documents mitigate previous excesses and balance the guidance for management and auditor—with a special accommodation to the plight of smaller companies. The practical implementation, however, is a continuing question mark. In any case, prospective compliance that relies on a SOX infrastructure already in place is much less onerous than the initial implementation.

Notwithstanding the new latitude afforded management in making more independent assessments of its internal controls, companies may still have to present evidence to convince professionally skeptical auditors.

On the other hand, do the new rules dilute the SOX process to the extent that auditors defer to management’s self-assessment, and curtail scrutiny as they depart from certain benign redundancies of AS2 standards? Have the concessions made in the name of cost compromised the benefits? Does the narrower scope encompassing fewer controls and abbreviated tests founded on subjective materiality have a limited effectiveness? Future PCAOB inspections and media reports of new or nonexistent scandals and ineffective audits will be the final proof.

Some people, of course, will disingenuously ascribe the next business calamity to ineffective SOX implementation, perhaps expecting a panacea. A case in point is the fallout from the ongoing subprime credit crisis. While the recent spate of massive portfolio write-downs might seem to indicate failed risk-management controls, the problem is largely founded on illiquidity and the inability to establish fair value in the absence of willing buyers and available funding. The valuation of impaired mortgage securities is an accounting issue made problematic by anomalous market conditions plagued by uncertainty. The writedowns are not generally the result of failed internal controls, but rather a wholesale market repricing.

In the final analysis, truly cost-effective SOX examinations will better protect investors and contribute to better-functioning capital markets that will benefit the economy at large. But the optimal balance between the costs and the benefits may always be elusive.

©2009 The New York State Society of CPAs. Legal Notices