
Sarbanes-Oxley Reform — Is SOX reform about to take off?

Peter Madigan investigates proposals for long-awaited changes to the Sarbanes-Oxley Act

January 1st 2007 / Vol 8 No 1

GIVEN the palpable anger and frustration that the Sarbanes-Oxley Act (SOX) has stirred up in the US business community in the past few years, it is easy to forget that the law was passed relatively smoothly, with little opposition from US corporations.

Back in 2002, with the US still reeling from the raft of accounting scandals that had broken the previous year, the law appeared to be another irritating regulation with which firms would have to comply, but a relatively benign one. Yet the law, and a then little-known provision within it entitled Section 404, was built upon one key assumption that turned out to be largely incorrect, and stirred up a hornet's nest that has been buzzing ever since.

US businesses have been subject to laws mandating the need for strong internal controls for many years. In the drafting of SOX, legislators naturally expected that internal controls were relatively robust across all fields of industry.

"Pre-SOX, management were required to state that they had internal controls in place in their financial report, but that was all they had to do – say they had them in place," says Dave Richards, president of the Institute of Internal Auditors. "Section 404 asked whether those controls were properly implemented and being tested and although many people thought their controls were adequate, 404 told them they weren't."

It was thus that the true cost impact of SOX announced itself. The adoption of Auditing Standard No. 2 (AS2) by the Public Company Accounting Oversight Board (PCAOB) in March 2004 was a watershed moment, as firms realised just how onerous and costly this prescriptive approach to both internal and external audit could be.

"The problem really was that without crisp guidance from the Securities Exchange Commission (SEC) and the PCAOB, external auditors swung the pendulum to the extreme by auditing absolutely everything in order to protect their reputations," says Brian Cleary, vice-president for marketing at software provider OpenPages.

After two long years of often heated protests from American businesses, the SEC and the PCAOB last month released new guidance proposals for managers and a new auditing standard to replace AS2 for external auditors. Although hardly amounting to a wholesale relaxation of reporting rules, they include some key changes that seek to address the most commonly cited SOX complaints and aim to lower compliance costs.

Principles-based approach

The fundamental change in both the SEC and PCAOB guidance is a shift away from the prescriptive box-ticking exercise that characterised the first two years of SOX enforcement, and onto a more focused emphasis on the areas that pose the biggest risk of financial misstatement.

"We wanted to see a greater focus [on] risk-based internal control reporting so we do not have to do the same test year-on-year on a given control, even though absolutely nothing has changed in that 12-month period to alter its effectiveness," says Dave DeBrunner, senior vice-president at Fifth Third Bank.

The SEC has moved to remedy this. Management is now directed to focus on those areas it deems to be high risk, without wasting time revisiting low-risk areas that need no such attention. The PCAOB guidance recommends external auditors do the same, but that recommendation does not necessarily mean auditors have to follow it.

"Whether or not the relaxed rules will make a difference depends on how they are used – both management and auditors have to exercise judgement in these matters. This guidance will only start to change things depending on how it will be implemented," says Larry McAlee, director of enterprise risk management at Sovereign Bank.

Although the proposed new auditing standard is "designed to focus the auditor on the most important matters, increasing the likelihood that material weaknesses will be found...and eliminates audit requirements that are unnecessary to achieve the intended benefits", according to the PCAOB, the auditor still has the autonomy to continue working as it has done for the past two years, should it want to.

Surely then, despite the time and money to be saved by management in examining its internal controls, the fact that an external auditor can draw out the length of its investigation – for reputational or monetary purposes – means the cost-saving potential of the new auditing standard is severely impeded. Some quarters claim, however, that this is the least of the mistakes that have been made in the new proposals.

Missed opportunity

"The PCAOB has removed the requirement for an external auditor to evaluate management's audit of internal controls, but left in place the requirement for the auditor to carry out its own evaluation, essentially repeating what management has already done – that makes no sense to me," says Richards.

"The requirement for a full external audit should have been scrapped and the evaluation of management's control attestation retained," he continues. "The external audit is where the vast majority of the compliance costs are coming from – why spend all that money to do once again what management has already done, when an auditor could simply evaluate the accuracy of management's internal report for a fraction of the cost and the same result?"

Richards' point is a good one. While the old method of having an auditor verify management's own assessment only to then carry out their own seems pointless, it is only a little less absurd to remove the examination of management attestation and keep the requirement to conduct an independent audit. Of course it is vital that internal controls are checked by a third party, but it seems truly nonsensical to keep the most onerous and repetitive features of AS2 while abandoning the more efficient and economical element of the rule.

"I don't know what the thinking was behind this decision from the PCAOB – it runs counter to what the rest of the world is doing," Richards adds.

The problems with the new proposals run beyond relatively resolvable issues, such as new requirements under the new auditing standard. There are more ingrained flaws within the proposals that run into the very fabric of what the SEC is trying to achieve with its management guidance.

Under its new principles-based approach, the SEC proposes that management evaluate such controls "to determine whether there is a reasonable possibility that a material misstatement" could be made in reporting.

The proposals also repeatedly refer to management's "use of judgement" to identify risks and produce documentation to back up why particular controls warrant scrutiny while others do not. While this is certainly a refreshing and welcome change from the turgid prescriptivism of the existing rules, it is not hard to see problems arising.

"What is meant by 'reasonable possibility' of misstatement? How do you define such a vague term?" asks Kevin Ludwick, head of regulatory services at compliance software vendor Qumas. "Even if the SEC is satisfied with the documentation management provides to justify their decisions, what happens in the event of private litigation from shareholders? There are still a lot of questions left unanswered."

At this stage, both the SEC guidance and the PCAOB's new auditing standard are nothing more than proposals. Companies have until February to respond to the new rules, and it seems likely there will be a flurry of activity from firms to have amendments made before the proposals are finalised.

This is not to say the changes aren't welcome; they are, and undoubtedly there will be noticeable savings for businesses both large and small. The problem is that there appears to be a feeling among US businesses that the SEC and the PCAOB could have gone further but failed to take advantage.

"The proposals were supposed to be about moving the focus onto risk and making sure that internal controls are not bogged down in minutiae. These changes might take some of the rough edges off SOX, but if the guidance really is too vague, I can see the issue being picked up by Congress," says Patrick McGurn, vice-president at US firm Institutional Shareholder Services.

Although the SEC has been keen to make changes to SOX compliance without Congressional involvement in the issue, the Democratic seizure of power in both Houses last November may make the possibility of legislative involvement more likely. Both Representative Barney Frank, chairman-elect of the House Financial Services, and Nancy Pelosi, incoming Speaker of the House, have been vocal in their criticism of SOX in recent months and the role it has played in damaging US competitiveness.

"I think there is a fear at the SEC that SOX might turn into a political football. While the Republicans controlled Congress, the Commission had political cover to get things done, but now with the Democrats in power, that might change," continues McGurn.

"I think there is enough leadership in the party from the likes of Barney Frank and Nancy Pelosi that proceedings could get underway. They will take time to absorb the guidance and mull it over, but if they decide to make changes, I imagine this could be something they tackle in their first 100 days in office," he concludes.

IPO flight

Tellingly, a secondary announcement from the SEC, released just two days after it unveiled its guidance proposals, seems to indicate the Commission is aware of the interest in SOX on Capitol Hill, and is keen to allay any Congressional fears about how the law is affecting US capital markets.

On December 15, the SEC confirmed that companies listing on US markets for the first time, both domestic and foreign firms, would be exempt from Section 404 compliance for their first year trading as a public company.

Ostensibly, this allowance was made to allow companies "to prepare their first annual report without the additional burden of having to comply with Section 404." Despite the Commission's newfound concern for newly public firms, there is suspicion that this move is more likely a gesture designed to encourage companies to list on the US capital markets.

"This is clearly an attempt to draw in companies that otherwise wouldn't list in the US or would remain private," says Ludwick. "It is not that London or other markets are better than New York, it is simply that SOX has brought the strengths of other markets more sharply into focus, and consequently the US has lost initial public offerings (IPO)."

Foreign exchanges have certainly experienced a bumper year for IPOs. According to a report from Ernst & Young last month, Hong Kong and London were the top two destinations for new listings in 2006, claiming 17% and 15% of all global public offerings respectively. New York lagged in third place with only 11%. Of the 10 biggest IPOs, only MasterCard, the eighth largest offering, chose to list in the US.

While it would surely be incorrect to assume SOX is the dominant factor in businesses turning to non-US markets, undoubtedly it has played a part. This is something that will snag the attention of the 110th Congress, and it will be interesting to see whether the Democrats deem legislative change necessary for New York to reclaim its position as the market of choice for the world's biggest public offerings.

The willingness that the SEC and the PCAOB have shown in adapting their requirements to respond to the concerns of businesses is certainly encouraging and there can be little doubt that a shift towards a more principles-based approach to SOX compliance will result in cost savings for both large and small businesses.

Nonetheless, the feeling that the regulator could have gone further seems widespread, and we can expect to see trade associations and firms responding in a forthright manner to the proposals before the consultation period shuts next month. Unless the role played by external auditors is further scaled back and assurances are given that a risk-based approach adopted by management will also be implemented by independent auditors, it seems unlikely that dissenting voices will be silenced.

"Businesses will grumble about the cost of SOX in any event, but if they can begin to see the value that compliance brings to their business, they will get on with things. It's all about illustrating that the cost is equal to the value the company derives from it," says Ludwick.

The new proposals are a step in the right direction certainly, but whether they are enough to ease the complaints of business remains to be seen. The battle over SOX is far from won. OR&C