Beyond Sarbanes-Oxley Compliance: Five Keys to Creating
Mark S. Beasley and Dana R. Hermanson
Under the requirements of the Sarbanes-Oxley Act, executives must personally certify a public company’s financial results (section 302) and soon will have to issue a report on the effectiveness of the company’s internal controls over financial reporting (section 404). Auditors will issue an additional report attesting to management’s internal controls report. In addition, the Sarbanes-Oxley Act contains a number of provisions related to auditor independence (section 201), audit committee composition (section 301), and criminal penalties for accounting fraud and related offenses (Title VIII and Title IX).
Sarbanes-Oxley compliance is costing companies significant amounts of time, professional fees, and other resources. In the authors’ experience, executives seem to be grudging in their support of Sarbanes-Oxley. Many appear to view the law as an overreaction that will do nothing more than increase the compliance burden on public companies. In fact, only 30% of the respondents to a survey in CFO Magazine thought that the benefits of Sarbanes-Oxley would exceed the costs. Many other executives appear to be looking only for ways to “stay out of trouble” with Sarbanes-Oxley compliance, and view the situation as involving only downside risk. While the legislation was passed quickly and may be imperfect, if companies view implementing and complying with the Sarbanes-Oxley Act as more than a “check-the-box” type of exercise, it can provide important, long-term benefits.
Context of Sarbanes-Oxley
A clear motivation for the Sarbanes-Oxley Act was to combat the financial statement fraud problem that continues to plague the United States, as embodied by Enron, WorldCom, Global Crossing, and too many others. In addition to the impact of stock-based compensation, many have viewed the causes of these frauds as overly powerful CEOs, weak boards and audit committees, ineffective or compliant auditors, weak internal controls and weak management of risks, and soft penalties for accounting fraud perpetrators.
Simply stated, Sarbanes-Oxley takes direct aim at the perceived drivers of fraud by attempting to strengthen board and audit committee oversight, increase auditor vigilance and independence, strengthen internal controls and risk management, and create accounting fraud penalties with a significant deterrent effect. Accounting fraud disasters, if not discovered in time, can cause damages into the tens of billions of dollars.
Keys to Value-Added Sarbanes-Oxley Implementation
The authors believe that five keys are involved in implementing Sarbanes-Oxley in a manner that goes beyond simply trying to “get in compliance with the rules” (see the
Appreciate the goal behind Sarbanes-Oxley.
Understand the fraud disease.
Aggressively address ethical attitudes and the potential for rationalizing fraud.
Consciously decide to go beyond simple compliance to improve governance and controls.
Investigate and implement enterprise risk management (ERM).
Appreciate the goal behind Sarbanes-Oxley. While the mechanisms that the Sarbanes-Oxley Act put in place may not be perfect, appreciating the overall goal of preventing fraud can help build the right organizational mind-set regarding implementation. In other words, executives should “buy into fraud prevention, enhanced governance, control orientation, and risk management” even if they think certain elements of Sarbanes-Oxley are onerous or unnecessary.
This buy-in is so critical because the consequences of financial reporting problems are severe. For example, the 1999 study sponsored by the Committee of Sponsoring Organizations (COSO), Fraudulent Financial Reporting: 1987–1997 (Beasley, Carcello, and Hermanson), found that more than half of companies committing accounting fraud failed (e.g., bankrupt, defunct, or ownership change) within two or three years after the fraud was disclosed. Failure to implement effective governance and internal controls, or to effectively manage risks, can also be disastrous. For example, weak governance can lead to executive compensation debacles such as the recent NYSE situation, and weak controls can increase the risk of asset misappropriation and fraud. As a result, minimizing fraud risk, enhancing governance, strengthening controls, and effectively managing organizational risks are worthy, value-adding goals, even in the absence of the Sarbanes-Oxley Act.
Understand the fraud disease. As described by J.K. Loebbecke, M.M. Eining, and J.J. Willingham, Jr., in “Auditors’ experience with material irregularities: Frequency, nature, and detectability” (Auditing: A Journal of Practice & Theory, Fall 1989), the fraud recipe contains three ingredients: incentive, opportunity, and attitude/rationalization.
The first ingredient, incentive, addresses whether executives have a reason to commit accounting fraud. Common reasons include compensation factors (stock options, bonus targets), strong pressure to perform, and expectations analysts place on the company. Putting pressure on executives certainly is a good motivator, but it is important to recognize when the pressure becomes so intense that people resort to fraud to make the numbers.
The second ingredient is the opportunity to commit accounting fraud. The main deterrent to opportunity is strong internal controls, the focus of section 404 of the Sarbanes-Oxley Act. Controls should address routine transaction processing and asset safeguarding, as well as estimates and assumptions used in preparing the financial statements. If section 404 work improves internal controls, the side benefit should be a reduced risk of accounting fraud.
The third ingredient in the fraud recipe is attitude/rationalization. In other words, can someone with a reason to commit fraud and the opportunity to do so explain away such behavior? Is the fraud okay because it saved jobs? Is it okay because it happened only once and will be corrected in the future? Is it okay because the CEO said “make the numbers
Executives should view the organization through this lens of incentive, opportunity, and attitude/rationalization. In addition, the appendix to SAS 99, “Management Antifraud Programs and Controls,” may be a helpful resource to those seeking to understand and prevent fraud (see www.aicpa.org/download/antifraud/SAS-99-Exhibit.pdf). Conducting regular, honest assessments of the organization’s fraud risks can go a long way toward preventing fraud.
Aggressively address attitude/rationalization. Perhaps the most difficult fraud ingredient to address is attitude/rationalization, because it is an unobservable mind-set. As a result, it deserves special attention.
Perhaps the greatest danger companies face in financial reporting is that top managers and other employees can rationalize certain questionable behaviors that subsequently escalate into outright fraud. Research indicates that many accounting fraud cases begin with activities that might be characterized as in the gray zone: not completely acceptable, but not clearly inappropriate. For example, the company may try to boost revenues through special payment terms and by pressuring customers to accept orders just before year-end. In later periods, the company resorts to bill-and-hold schemes, secret side agreements, and ultimately recording fictitious revenues.
How did the company get there? By rationalizing its behavior along the way, and incrementally moving toward outright fraud. Something that started out as a one-time trick to get the company through a tough period ultimately brings the company down when the fraud is uncovered.
The way to prevent such disasters is to build the right ethical attitude in the organization and not allow people to rationalize gray-zone behavior, so the descent down the slippery slope toward fraud, the “black zone,” never begins. The challenge for corporate America is to define its core values (ethical attitude) and to communicate these to employees, in both word and deed. The Sarbanes-Oxley Act pushes companies in this direction by requiring disclosure of whether the company has adopted a code of ethics for senior financial officers and whether the code has been waived. In addition, the whistle-blower provisions of Sarbanes-Oxley should help to uncover ethical lapses in the organization.
When considering the ethical attitude, the following are helpful questions for companies to address:
Does the company have clearly defined ethical boundaries that are communicated to employees?
How would others describe the company’s ethical boundaries relative to the gray zone and the black zone?
What types of accountabilities are present for those who suffer an ethical lapse?
Does top management’s day-to-day behavior support or undermine the stated ethical attitude and boundaries?
Go beyond simple compliance: Improving governance and controls. Companies that do the bare minimum necessary for compliance with the law will realize little in the way of benefits from Sarbanes-Oxley implementation. They are wasting an important opportunity, and one may question whether such companies are establishing a culture of ethics, transparency, and a commitment to reliable financial reporting.
For example, in a recent Directorship article (“Avalanche of Corporate Governance Reforms Challenges Audit Committee,” June 2003), Mark Terrell and Scott Reed of KPMG’s Audit Committee Institute caution audit committees about focusing only on compliance: “As they deal with the many implications of the reforms, audit committees should beware [of] one distinct danger: that they will become swamped by—and inordinately focused on—compliance for compliance’s sake, rather than focusing on activities to enhance the effectiveness of their oversight function.”
Companies seeking to go beyond simple compliance can take two important steps as they address Sarbanes-Oxley-related issues. First, in addition to making required structural changes to the board and key committees, companies can explore governance best practices to enhance their governance processes. Several sources, such as the Conference Board (Commission on Public Trust and Private Enterprise), the Business Roundtable (Principles of Corporate Governance), the Corporate Governance Center at Kennesaw State University (21st Century Governance Principles), and CalPERS (U.S. Corporate Governance Principles), document useful best practices for boards and executives to consider. In this vein, executives should view stronger governance not as a foe, but as an organizational protector.
Second, companies can leverage their section 404 internal controls work to actually improve controls. Beyond simply documenting controls, justifying their current controls, and issuing reports on control effectiveness, companies should ask themselves what could go wrong, what controls are in place to prevent or detect such problems, and what residual risk remains unmitigated by controls. In other words, turn section 404 work into a substantive, honest evaluation of the company’s exposure to risks. In particular, these lessons should inform evaluations of accounting fraud risks, because weak controls create a greater opportunity for fraud.
Investigate and Implement Enterprise Risk Management (ERM)
The preceding steps—addressing fraud risk, attacking attitude/rationalization, and improving governance and controls—can prepare a company for a final, significant step that the authors expect many organizations will soon take: investigating and then implementing ERM. ERM investigation is a natural extension of a value-added Sarbanes-Oxley implementation.
According to the recently released COSO exposure draft, Enterprise Risk Management Framework (www.erm.coso.org), “Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
In other words, ERM is about considering what events could prevent accomplishment of organizational objectives and then determining how to address these events. ERM goes beyond internal controls to provide a system to address organizational risks in a comprehensive fashion, as opposed to dealing with individual types of risks, such as IT risks, financial reporting risks, and legal risks. The overall goal is to provide reasonable assurance of achieving organizational objectives in four areas—strategy, operations, reporting, and compliance—in the spirit of preventing disasters and maximizing entity value.
The work public companies are currently doing to comply with section 404 reporting provides an excellent framework that can be leveraged to think about broader risks facing the enterprise, beyond just financial reporting risks. Going beyond simple Sarbanes-Oxley compliance requires top management and the board of directors to understand the value of reduced fraud risk, enhanced governance, strengthened controls, and effective enterprise risk management. Sometimes this will be a tough sell. In such cases, often it will be up to CPAs and other financial professionals to lead the charge on pushing beyond a “check-the-box” Sarbanes-Oxley
Mark S. Beasley, PhD, CPA, is a professor and the director of the Enterprise Risk Management Program at the North Carolina State University department of accounting, Raleigh, N.C. Dana R. Hermanson, PhD, is a professor at the Kennesaw State University department of accounting, Kennesaw, Ga. He is also a research fellow of the Corporate Governance Center at the University of Tennessee.