Sarbanes-Oxley (SOx) made law what is best practice for all public companies or companies that issue public debt.
That includes “smaller” companies.
Some argue that the cost of SOx for companies under $75 million in capitalization – the thresholds mentioned in some legislation – is prohibitive. I would argue that identification of internal controls over financial reporting, documentation of them, and verification of their effectiveness is what’s owed to their shareholders and debt holders and is a reasonable cost of being public.
Isn’t there something perverse about soliciting public shareholder and debt holder investment but refusing to be accountable?
Section 404 was adopted with little controversy in 2002, and for good reason. It simply mandated that public companies report on the effectiveness of their internal financial controls, and that auditors render an opinion on them.
Since the law already required companies to maintain effective controls — and had done so since 1977 — it seemed unlikely that would increase costs much for any company that was already in compliance. And it was crystal clear that controls either did not exist, or were evaded, at WorldCom and Enron.
According to reports in the Huffington Post on October 28th, Rep. Carolyn Maloney (D-NY) originally proposed that firms with market capitalization less than $75 million be exempt. This loophole would have applied to about 55% of publicly-traded firms. How can 55% of the public companies be “small” companies?
Have the standards for listing on NYSE, NASDAQ, Amex loosened because they are chasing listing fees and sacrificing quality? Are too many companies allowed to have listings, even though they’re not ready, willing, or able to play in the big leagues?
Some think more cost benefit analyses will tell us definitively whether identifying internal controls over financial reporting, documenting them, and verifying their effectiveness is worth it. ”Small” business has effectively used the rhetoric of entrepreneurship and “small business is the key to the economic recovery” to imply that imposing regulations, responsibility, and their attendant cost on willing companies who want to take public investors’ money is somehow un-American.
Maybe the cost-benefit should have been done before going public?
Dear Mr. “It’s my company I can do whatever I like” President of a closely-held, family-owned company…
Dear CEO of a venture capital or private equity -backed development stage company…
Dear Mr. Entrepreneur, eager for the prestige and ego boost that comes with ringing the NYSE or NASDAQ bell….
Most chief executives of Aim companies will argue that their shares are undervalued, while investors will complain that small company stocks are illiquid. Both sides have a point, but the situation is even worse for the US companies that join the junior market.
They have usually come to Aim to avoid the burden of Sarbanes-Oxley – but the land of the free has a long regulatory reach. It has been felt by Protonex, a US fuel cell company that floated on Aim in June last year. Whole weeks, if not months, have passed without a single share trading.
Part of the reason is Regulation S of the US Securities Act of 1933. It effectively stops UK listed shares in a US-based company, which does not file accounts with the US Securities and Exchange Commission, from being traded through the Crest electronic settlement system.The restriction, which lasts for two years, stops US retail investors from buying the shares. At the same time many UK private client brokers refuse to deal in shares that have to be traded through an old-fashioned paper trail.
Scott Pearson, Protonex’s chief executive, is unhappy with the liquidity of the shares. Not unreasonably, he believes that further value would be unlocked “if only we can get the shares trading”.
And then there’s Overstock.com. More pixels have been wasted on a company that should not be public, should not still be listed, should have never been in business this long, and should have never attracted any reputable accounting firm to certify its financial statements. It’s not about Sarbanes-Oxley in many cases. It’s about companies that go public to raise capital to enrich management, pay off VCs, buy off owners, pay exorbitant bonuses, milk the company, then leave it to die. They resist oversight and playing by the rules. Internal controls over financial reporting, clear documentation of those controls, and verification of the effectiveness of those controls by management, with a judgement regarding management’s assertions, is just good business. For any size company that wants to take public investment.
Here’s an excerpt from a letter written to the SEC by a “Smaller Reporting Company,” one with only $5-6 million in public float (stock held by other than company officers, directors and other qualified insiders) and ~$120 million in market capitalization. Actually, it suggests an interesting compromise I had not seen suggested before: Let the shareholders vote for whether they want a separate opinion on internal controls from the auditors and want to pay for it.
Unfortunately, as it stands now, the efficiencies and slowing of fee increases that have finally been realized in the Sarbanes-Oxly 404 process came as a result of the integration of the opinion on the financial statements with the opinion on the internal controls over financial reporting in Auditing Standard 5. This was a change I disagreed with and I told Chris Cox that. It allows larger companies to have perpetual material weaknesses in internal controls, companies like GM and GE, and yet to continue to receive unqualified opinions on their financial statements. The weaknesses were deemed not material in the grand scheme of things, although we know now how well that assumption turned out for GM and GE.
There’s absolutely a higher risk in smaller companies for fraud and malfeasance due to poor or non-existent internal controls, lack of segregation of duties, lack of oversight by an independent auditor, non-arms-length transactions especially in legacy family owned or closely-held companies, and general legacy CEO intransigence regarding external interference in “my company.” You don’t hear as much about frauds in private companies because those frauds are handled quietly, with no transparency or accountability to anyone, even employees, creditors and other stakeholders.
When fraud or accounting manipulation occurs in a public company, no matter how small, the curtain is drawn, and all of the self-serving and selfish actions, if not illegal and unethical actions, of formerly insulated management become SEC, PCAOB, and plaintiff’s bar potential actions. The stakes are much higher and many smaller company management teams want the benefit of public ownership (additional capital) without the responsibility and accountability to outsiders that comes with it.
Tell that to the employees of Huron Consulting, a public company in Chicago, under $500 million in revenue. Huron is under SEC investigation, threatened by serious shareholder lawsuits, lost its three top officers, and weathering excoriation by the very clients they were put on earth to serve. Bad accounting, greedy management, and a rush to go public, as well as Andersen-stye hubris put this former high flyer in the dog house. Tell me they should not have, maybe, stayed true to professional services and partnership ideals and kept it small and simple.
Imposing Sarbanes-Oxley on all public companies should not be a cost-benefit decision but a slam-dunk regulatory decision. If a company doesn’t want to adopt the standard operating procedures and adequate systems of well-run accountable, transparent companies, then stay private. Caveat emptor will then be understood by your bankers, employees, customers and vendors.
I just received an email from Professor Steve Sutton, KPMG Professor at the Dixon School of Accounting, UCF and Professorial Fellow in Accounting & BIS at the University of Melbourne. He is also editor of the International Journal of Accounting Information Systems. He and two colleagues conducted a study supported by the IIA Research Foundation. They surveyed over 200 Chief Audit Executives. Their research results document through case studies and validated surveys that companies using effective Enterprise Risk Management practices have much less difficulty meeting internal control reporting requirements and that companies with effective Enterprise Risk Management practices have increased levels of organizational flexibility and better supply chain performance.
Professor Sutton: “I find the whole debate on being too onerous for smaller companies to be completely neglectful of public stakeholders.”
I agree, Professor. The discussions about SOX exemptions for smaller companies seem to be too often motivated by selfish desires of company management to preserve cash for their own benefit, not about their duty and obligation to preserve the integrity of financial results for public shareholders.
@1 They both had weaknesses that were labeled material weaknesses from an internal controls assessment perspective that must not have been deemed material enough to change the opinion on the overall financial statements. In particular, both had inadequate accounting staff and expertise for the kinds of transactions they were doing. Derivatives transactions, for example, that are material should be accounted for correctly by competent staff. And these are big companies. What’s their excuse?
My problem with SOX is that it didn’t go far enough — it stopped at internal controls over financial reporting and didn’t address other internal controls over operational issues such as purchasing, travel & expense reporting, timekeeping, payroll, etc.
I think we are at odds, generally, with our viewpoints on Sarbanes-Oxley, Francine. In general, I agree with your concept that if Sox is to exist, then it should be applied to all public companies to achieve the stated objectives of the Act. However, I take a more organic approach to the concept of oversight. I believe that you should expect a certain degree of integrity from Senior Management of public companies and hold them accountable therefore. Relying on oversight to provide investor confidence just allows for finger pointing and clouds the issue. Management with bad intentions will exploit the system regardless of whether Sox exists or not. Just my opinion based on my experiences. Just wrote about this on my blog at AccountingNation.com in fact. Still, a very well thought out posting. Thanks for the good read.
In my opinion, Sox is a joke. Companies institute a barest minimum level of controls, that are worded in such a way that they are almost guaranteed to never have a material weakness as a result of control testing. Instead of trying to use SOX as a means of improving a company’s operations, processes and procedures. Companies view it as a mandated colonoscopy, an uncomfortable and expensive procedure that focuses on trying to find problems that may not be present, and when problems are found, they are usually not big enough to mean much.
@2: The opinion on Internal controls has nothing to do with the opinion on the financial statements. They are completely separate, however the PCAOB has been trying to encourage the accounting firms to rely on controls to reduce substantive testing when they issue unqualified opinions on controls, If there is a material weakness in controls, the auditor would simply perform more substantive testing and not rely on controls (High control Risk).
You and I disagree here. I say repeal SOX outright. It’s a waste of money. Surprise, surprise, the firm I work with has clients coming under 404 with market caps up to $310 million. So? I see both ends of this. As an investor, I say it’s a total waste of money. So, I’ll lose some fees. SOX has ruined auditing. Why? Virtually no one, particularly the PCAOB fools knows how to substantiate anything. ICFRS is a Peat Marwick fantasy from the early 1990s. It gives the public the idea that internal controls exist. Top management can always override them. Enough,.
Doesn’t Huron prove that SOX just does not work. Not preventatively, not punitively. Was in not also claimed that Enron would have been SOX compliant for the most part. Adding layers of the same paperwork is like adding bandaids onto cancer. People like Henry Kissinger said the laws needed to deal with cases like Enron were already on the books. And so many years after SOX is passed, we have Enron and Worldcom x 1000.
Whats the solution? Maybe there isn’t one. Bill all the fees you can before your firm closes down. Then consider farming.
IMHO SOX is killing auditing. I see SOX testers from big 4 and in industry who have absolutely no idea how to audit. The approach is to take a list of pre-determined controls and test. Judgement and creativity go out of the window. If a test does not “pass” they can’t explain what the issue is apart from the fact the checklist says so. Try to get them to explain the impact of an issue, or the risk and that’s a whole different story…….just look at the number of entities where findings from internal or external auditor SOX testing seem to bear no resemblance to findings from consultants and internal audit who actually go into detail….
I have seen a number of entities who have “clean” 404 opinions with no SD/MW because the audit / controls partners don’t want to upset their clients. Feel protected as a stockholder now?
I don’t see SOX as very different from other controls testing, they just got to milk the client for more $. SAS112 and A-123 are the same things: controls. I love that people at my Big 4 firm do absolutely no testing for 112. A superstar senior manager had 19 adjustments and there isn’t a material weakness? Really? Idiots.
I think the government should start an oversight agency. They can fine the firm up to 1% of the engagement fees for trivial errors and the firms cannot appeal. For more aggregious errors, up for 3% of the total engagement fee should be at risk and the firms can fight those. It will pay for itself. Then the government won’t have to assume any liability if there is a failure – cause they are just out giving fines.
@Sceptical – Accountants/auditors dont care (or at least not concerned much with) about leadership decisions being made. The focus here is on financial statements. They audit the financials, not the “business decisions” management makes. So that’s why it’s important to have adequate financial controls. Auditors care about decisions only to the extent that controls surrounding the financials will be affected.
A bad business decision reported correctly has no effect on SOX. Understanding Leadership decisions is an important step in planning a financial statement audit in order to ensure that the appropriate financial statement risks are identified and addressed.
I’m with you. Sox 404 testing is just “check the box” stuff. In my opinion the quality of audits has declined in recent years. I attribute this to Sox. Why? CPAs coming up the ranks now do not know how to SUBSTANTIATE anything. Most CPAs know nothing about moden portfolio management, rates of return, the capital market line, etc. I’ll say it again, Sox is a waste of money and a Big 87654 and consultants boondoggle. Kill this monster.
“Unfortunately, as it stands now, the efficiencies and slowing of fee increases that have finally been realized in the Sarbanes-Oxly 404 process came as a result of the integration of the opinion on the financial statements with the opinion on the internal controls over financial reporting in Auditing Standard 5. This was a change I disagreed with and I told Chris Cox that. It allows larger companies to have perpetual material weaknesses in internal controls, companies like GM and GE, and yet to continue to receive unqualified opinions on their financial statements.”
I do not know whether your ever audited financial statements or just worked in the consulting arm of the Big 4, but from the above mentioned statements, it does not seem like you correctly understood AS No. 2 or AS No. 5 and thus got your facts straight as a business journalist. AS No. 5 did not integrate the audit opinion on the financial statements with the audit opinion on internal control over financial reporting. AS No. 5 requires a separate opinion on the effectiveness of internal control over financial reporting and a separate opinion on the financial statements. The predecessor auditing standard of AS No. 5, AS No. 2, required three audit opinions: one on the financial statements, a second opinion whether management’s assessment of the effectiveness of internal control over financial reporting is fairly stated and a third opinion on the effectiveness of internal control over financial reporting. Both under the old AS No. 2 and under the new AS No. 5 a companies can have an unqualified opinion on their financial statements while having a separate opinion that its internal control over financial reporting is ineffective. Even before the days of having a separate opinion on internal control over financial reporting, auditors audited parts of internal control over financial reporting during their audit of the financial statements in order to determine the timing and the extend of substantive audit procedures. Back then and now, when they see that internal control is ineffective, they compensate it by doing more substantive audit procedures, such as tests of details of transactions (e.g. confirmation letters for bank deposits, securities deposits, interest income, receivables, debt, observing stock-taking, etc.). The opinion that matters most to investors is whether the financial statements are OK. In th old days the auditor had the choice to select whether tests of controls (i.e. of internal control) or substantive tests were more efficient for invididual parts of the financial statements. Section 404(b) effectively removed this choice to select which type of audit procedures were the most efficient in order to provide an opinion on the financial statements.
If the cost of regulatory measures for the protection of investors is born by those investors, then the cost should not exceed the benefit to the investors. In the case of increased audit fees and other increase internal costs, those costs result in lower cash flow to service interest and to repay debt (for investors in debt) and in lower net profit for the equity investors. I disagree that companies that cannot bear the increased cost of section 404 should not have access to the public capital markets at all and diagree that they should check whether they can bear the cost before going public. Investors can make their own decision whether they want to invest in small companies and they can compensate for it by demanding a risk premium by paying less for shares or asking for a higher interest spread (that’s what banks do). In addition, the SEC could have considered alternative more cost-effective (i.e. efficient) regulatory measures to reach the same goal. One would be to force disclosure about any adjustments to the draft financial statements that were presented to the auditors that the auditors require to be made before the financial statements are filed with the SEC and to require disclosre about the reasons for those adjustements. Prior to section 404 and in the case of small companies those adjustments were only disclosed to management and probably to the audit committee of the board of directors, but not to investors. Without action by the audit committee (companies with no listing on a national securities exchange are not require to have one). sloppy management in the finance department could continue for years and errors were only corrected when the auditors discovered them during their audit of the financial statements. This will also show investors that there is a quality problem in financial reporting and will increase pressure on the company to beef up its finance department (and to probably fire the CFO). In addition, the SEC could require that any restatements to interim and annual (unaudited preliminary disclosures and final filed) are more prominently disclosed in periodic or ad-hoc reports and that “stealth restatements” are no longer possible. Another measure would be to lower the standard for civil enforcement by the SEC to mere negligence in maintaining books and records and in maintaining effective internal control over financial reporting and to have vigorous enforcement of companies that tend to make to many errors. This would also be a strong incentive to hire competent people in the finance department and to take prompt action if they do not do their job properly.
No, I was never an external auditor, although much of my work over the years has been in the internal controls area, especially automated controls enhanced/enabled by ERPs. And I have also worked and led internal audit teams and Sarbanes-Oxley engagements.
My reference to the internal control opinion and the financial statement opinion under AS5 comes from the title of the standard itself. The audits are combined and the bottom line is the financial statement opinion.:
“An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements”
and the objective that was stated when it was enacted:
“Integrating the Audits
6. The audit of internal control over financial reporting should be integrated with the
audit of the financial statements. The objectives of the audits are not identical, however,
and the auditor must plan and perform the work to achieve the objectives of both audits.
7. In an integrated audit of internal control over financial reporting and the financial
statements, the auditor should design his or her testing of controls to accomplish the
objectives of both audits simultaneously –
• To obtain sufficient evidence to support the auditor’s opinion on internal
control over financial reporting as of year-end, and
• To obtain sufficient evidence to support the auditor’s control risk
assessments for purposes of the audit of financial statements. ”
I don’t make this stuff up.
Although the standard allows for two separate reports/opinion documents, I do not see that as often post AS5. Typically, unless there are numerous material weaknesses, the reports and opinions are combined. Even if they are issued separately, there is no discussion or disclosure of how or why an opinion of “ineffective” controls did not lead to a qualified opinion on the financial statements, even though now the audits are “integrated.”. That is the disconnect I do not agree with.
I remember Auditing Standard 2 and the three opinions that were on three different pages. Now there’s usually only one page, with a separate paragraph and info about any material weaknesses and an unqualified overall opinion in the cases I cited. I listened to Chris Cox tell me that in the case of GE and GM the material weaknesses in internal controls that were cited were enough to be classified as material for internal controls perspective and material enough to mean that the internal controls were “ineffective”, (the “adverse” language went out after AS5) but that the material weakness was not enough to cause a qualified overall financial statement opinion. I asked him what the thresholds were in those cases, how the decision was made. He said it was a negotiation between the auditor and the client. That felt wrong to me and still does.
My argument about the use of cost-benefit to decide worthiness of regulatory measures is this: The cost of regulatory measures is not viewed by management to be borne by investors but by management themselves in lower profits and therefore lower incentive compensation. That’s where the outside public investors are screwed. The result for them is the same except the company is less controlled and more in service to management than the shareholders. That is unless the majority of shares are held by management and insiders and then it should not be public at all. They’re just using the public markets to suck capital out of unsuspecting outside investors who have no say or influence in how the company is run.
While the audit opinion on internal controls can be issued in the same document, they are still two seperate and independent opinions. Integrated audit means that both audits should be conducted at the same time, the testing of controls for SOX should be used to support lower control risk, and therefore result in less substantive auditing, which should partially offset the additional audit fee requirements.
If it is discovered that Sr Management has stolen from the company (ie: they overrode controls and wrote themselves a check for $1 Million without having earned it), this would be a material weakness because they committed fraud, however as long as it was reported properly in the financial statements there would be an unqualified opinion issued on those financial statements (Controls failed, however the financial statements are correct).
A financial satement unqualified opinion could also be given if management makes a error on the fiancial statements that is detected by the external auditor and corrected on the financial statements prior to the statements being issued and the external auditor does not believe that internal controls would have detected the error.
The only time I see a qualified opinion being issued in relation to a control failure would be if the control failure resulted in some type of scope limitation (ie: there was a scope limitation on inventory price due to the company not maintaining adequate records and there being no way to get pricing information for the inventory, assuming inventory is material this would possibly be a material weakness and a qualified opinion).
From your answer it became a bit clearer what you wanted to say.
>”there is no discussion or disclosure of how or why an opinion of “ineffective” controls did not lead to a qualified opinion on the financial statements, even though now the audits are “integrated.”. That is the disconnect I do not agree with.”.
That is because PCAOB auditing standards do not require an explanation of audit procedures that were taken in response to the identification of material weaknesses in internal control over financial reporting. However, auditing standards have always required to tailor the timing and extent of substantive audit procedures to the result of tests of controls. An auditor always had to obtain sufficient competent evidence to support his or her opinion on the financial statements. As long as the auditor compensates control weaknesses by doing more substantive procedures in order to get the evidence that the financial statements are OK or what amounts need to be adjusted to make them OK, everything is fine (and audit standards explicitly require this). Often substantive procedures (such as confirmations of amounts from a third party) provide stronger evidence than testing a sample of control executions relating to a mere sample of transactions. The bottom line is, that the investor knows that the financial statements are fine.
>”but that the material weakness was not enough to cause a qualified overall financial statement opinion. I asked him what the thresholds were in those cases, how the decision was made. He said it was a negotiation between the auditor and the client. That felt wrong to me and still does.”
Well, if I remember AS No. 5 correctly, the determination of the materiality threshold for the ICFR audit opinion is the same as the materiality threshold for the audit opinion on the financial statements. For both purposes, the audit client can argue with the auditor, but the auditor has the final say (if he is willing to take the risk of p….ing off the client and potentially losing the client). Cox is a lawyer and used to be a congressman, so I would not expect to get very technically savvy answers to audit related questions from him
I see your point that the management of an issuer is less worried about ICFR because they have more inside knowledge than an investors and are often even in the position to override ICFR to cook the books. However, from the point of view of an investor, you still want that the cost of a regulatory measure to protect the investor does not exceed the benefit if the cost is ultimately born by the investor. And you want that the SEC picks the regulatory measure with the best cost-benefit relationship amount different regulatory measures with the same investor protection objective but with different costs and benefits. The problem is that the SEC never provided investors in or analysts of non-accelerated filers with an estimate of the cost of compliance with section 404 (e.g. it reduces net profit by X%) and then asked them whether they perceive any benefit and whether this benefit is worth this cost in their opinion. In fact, the SEC did not even bother to hold an open meeting to decide on the postponement of section 404(b) for non-accelerated filers and to discuss the results of the latest cost-benefit study of the SEC. They also did not bother to issue a proposed rule and to solicit public comment on their plan to postpone and on the cost benefit study. The SEC’s own rules of practice only allow it to skip proposed rules and open meetings in the case of less important issues, but how would they know without first looking at the costs and benefits. If you look at the SEC’s recent cost-benefit study, you will see that they obtained data from accelerated and large accelerated filers on the cost of compliance with section 404. Since non-accelerated filers did not have to comply with section 404(b) yet, there is no actual cost data there. However, using standard regression models from audit fee research, they could have easily made an estimate of the cost of compliance with section 404(b) for non-accelerated filers based on the data from accelerated and large accelerated filers and cost determinants from non-accelerated filers, deducted it from the profit before tax from the latest annual report, applied the average tax rate from the latest annual report to this decreased profit before tax and calculated the % reduction in net profit due to the section 404 costs for non-accelerated filers. In the study, the SEC says that they interviewed a small number of investors/analysts about perceived benefits of section 404, but the SEC even admits that none of those investors/analysts invest in non-accelerated filers. Also investors/analysts typically do not know the cost of compliance with section 404 because it is not disclosed in annual reports. The SEC would have needed to interview investors/analysts in non-accelerated filers and to present them with the estimated cost of compliance with section 404 as a % reduction of their net profit and then asked them how they perceive the cost-benefit relationship in light of those costs. Without knowing the costs, one cannot say whether the benefits justify the costs. The rules concerning rulemaking (Paperwork Reduction Act, Regulatory Flexibility Analysis, etc.) would require the SEC to look at costs and benefits and to especially evaluate the impact on small businesses, but they have not done this for small companies although they know that their initial cost estimate back in 2003 was off. According to the professor that was commissioned by the SEC with the study (Prof. Aldhizer), SEC staff even told him to put the study on hold. It seems that after the change in the SEC chairman, the SEC either did not take the study a serious as under former chairman Cox or they wanted to wait for the view of the new commission or until they had a clearer picture who would get the top jobs at the Office of the Chief Accountant and the Office of Economic Analysis who were involved in the study. I am not amazed that congress jumped in, since the SEC was not a stellar example of openness concerning this issue and in disclosing the reasons for their decision on this issue.
Thanks for your new comment and thorough discussion.
If you go back to my post about my question and answer to Cox,I mention that I was quite surprised and pleased at the detailed topics that were the subject of his speech that day. So when he gave a flippant and dismissive response to my question, it definitely called into question in my mind the SEC’s commitment to enforcing the rules already on the books. http://retheauditors.com/2008/04/21/questioning-cox-mission-accomplished/
That doesn’t mean Sarbanes-Oxley was not a weak and incomplete piece of legislation. Given what it intended to do, it provided details and full instructions that fell far short. I’ve talked about that too, in particular with regard to the revolving door problem for those who serve the PCAOB. http://retheauditors.com/2009/03/15/looking-out-for-me-myself-and-i/
But my argument is that what SOx intended to do was something that needed to be done. The law has had an important intended benefit in spite of all the troubles – it scared the hell out of a cadre of executives who will now think twice about fudging given the higher penalties. The law also separated the wheat from the chaff – well run companies who had no trouble implementing at a decent cost and never complained from those who keep whining because they do not want to be held accountable. It forced the hand of the GM’s and GE’s of the world who can no longer hide and obfuscate their bad accounting indefinitely.
“…the auditor has the final say (if he is willing to take the risk of p….ing off the client and potentially losing the client.”
You’ve said it yourself in this statement. In the end, the tide has gone back out. The auditors had the upper hand for a while and were able to charge much higher fees given the lack of direction, the uncertainty, and what was at stake, but now they desperately don’t want to be fired. The recession and the auditors’ own lobbying for more rules (Auditing Standard 5) means there is less ambiguity and less chance for them to really have the final say. Both the SEC and the clients pushed Auditing Standard 5 to save money and it has – by putting pressure on the auditors to step up and work more efficiently. My argument is they have also been forced to cut fees on audits by cutting scope and experts out so they can still make a profit on flat or declining revenues for each client and fewer clients. I doubt that has been good for the investor. Assuming the investor still needs an audit opinion to make their investment decisions.
“The bottom line is, that the investor knows that the financial statements are fine.”
I wouldn’t take that guarantee to the bank anymore. Pun intended.
In most cases, a qualified opinion on the effectiveness of internal control over financial reporting together with an unqualified opinion on the financial statements means “There is a mess and we found some errors, but since you corrected those errors in the financial statements like we told you, the financial statements are now OK after those corrections had been made”. The downside is that unless they fix their controls and more importantly the root cause behind the problem (which is often staff that needs to trained or replaced), errors can happen again and maybe the next time the auditor won’t discover those errors.
I think you can pretty much achieve the same thing without having a full blown audit of the effectiveness of internal control over financial reporting, by having a regular audit of the financial statements (that includes tests of most of the controls) and forcing the issuer to disclose the amount, nature and reasons for any adjustments that the auditor identified during his audit and that had to be made to the final issues financial statements. That would also shed sunlight on issuers who have trouble with their internal control over financial reporting.
Some oberservs in the media confuse the Sarbanes-Oxley Act with section 404 (I am not referring to you here) and some have started a hype that SOX itself is going to be repealed when only certain small issuers are exempt from one subsection out of almost one hundred sections in the act. One section that has not had much media coverage is the onle that shortened the number of days after which transactions in equity securities including stock option awards have to be disclosed by officers, directors and significant shareholders. This section effectively made stock-option backdating much more difficult because the window of time to which you can backdate and thus the chance to find a low stock price in the past has narrowed to a few days. I think the provisions that have provided more budget/staff to the SEC (and thus increased the chance of getting caught), that have strengthened its arsenal of sanctions and that have increased criminal penalties are perhaps the most important parts of SOX. However people still commit fraud or cheat investors, but I think it has moved away from corporations to the financial industry and complex products and funds. Omitting potentially material negative information from securities prospectuses, having sloppy internal controls over information that goes into the historic return track record in the prospectus, having no effective whistleblower protection, etc. are the things that are going on now. Compared to the auditors banks and asset managers are much more ethically challenged and they usually get away with it.
Thanks for reminding me about how Sarbanes-Oxley also closed the window for stock options backdating. The change in reporting requirements for granting of options has really reduced the possibility of manipulation of dates and prices.
Francine McKenna (@retheauditors on Twitter) is a CPA, writer, speaker and subject matter expert with more than twenty-five years of experience in consulting and professional services including tenure at two Big 4 firms, both in the US and abroad. She is a two-time Gerald Loeb Award finalist and a frequently quoted freelance journalist. For more info, click the "About" link at the bottom of this page.