Sarbanes-Oxley Benefit Non–SEC-Registrant Audits?
Peter M. Drexler
2006 - Reacting to the accounting abuses observed at Enron,
the writers of the Sarbanes-Oxley Act of 2002 (SOX) felt
a need to enhance the independence of SEC financial statement
audits by shifting responsibility for audit oversight and
auditor selection to an audit committee composed of three
independent directors, and prohibiting auditors from providing
certain consultation services to audit clients. Congress
alsoaddressed corporate internal controls by mandating that
managements of registrant companies document and test internal
controls over financial reporting and that auditors issue
opinions on management’s internal control efforts.
entities, including governments and not-for-profit organizations,
face pressures similar to those present in for-profit corporations
to mismanage accounting, mislead their auditors, or influence
auditor judgment with lucrative consulting projects. Third
parties for nonregistrants, such as banks, venture capitalists,
hedge funds, and regulators, are just as vulnerable to financial
reporting abuses as are investors in publicly traded companies.
Many nonregistrant companies must comply with loan and bond
covenants, obtain financing, report to minority shareholders,
and comply with regulations in ways that may create temptations
to engage in accounting abuses.
Audit Failures and Their Implications
failures in the non-SEC sector of the economy do not receive
the same media attention as the disasters at Enron and WorldCom
have, but they exist just the same. Discoveries of fraud
in Nassau County’s school system led New York State
Comptroller Alan Hevesi to reinstitute the state’s
school audit department and hire 89 auditors, because audit
failures were so pervasive. It was 20 years ago that New
York State first decided to rely on independent auditors
when it discontinued its audits of school boards.
James Beard Foundation’s executive director mismanaged
that nonprofit organization, whose mission is to provide
scholarships to aspiring chefs, by disbursing merely $29,000
in scholarships out of total revenues amounting to $5 million.
Investigators found that the executive director had also
misspent hundreds of thousands of dollars as well, and he
has confessed to fraud charges.
is no doubt that these organizations would have benefited
from documented internal controls and capable auditors testing
those controls and reporting on results. Perhaps independent
audit committees would have selected more-capable auditors
or would have been aware of abuses before they got out of
hand. SOX section 209 clearly states that the act was not
intended for “small and medium-sized” entities,
but it did admonish state regulatory authorities to “make
an independent determination of the proper standards applicable”
for those entities not covered by the act.
Texas State Board of Public Accountancy commissioned a task
force to evaluate its public accounting statutes to determine
whether SOX-type changes would or should be recommended.
The executive summary of the task force report identified
public interest entities (PIE) as those where significant
numbers of stakeholders make investment, credit, or similar
decisions—including pension plans, banks, insurance
companies and school districts—and, therefore, would
possibly benefit from reform. The description of PIEs could
be expanded to include companies with gross revenues exceeding,
perhaps, $10 million or assets exceeding $50 million.
or not SOX-type legislation would result in improvements
to corporate governance for PIEs or other nonpublic entities,
the task force concluded that Texas “should not enact
laws that unfairly impact the state economic climate compared
to other states.” It also concluded that the only
way effective reform should be enacted is through consistent
national standards rather than “a myriad of state-specific
other words, no state is willing to “go it alone”
in adopting SOX-type reform of audits, for fear of losing
business to other states, and the result of states adopting
varying versions of reform would be regrettable. As it is,
the auditing profession is diverging into two sets of audit
standards because of SOX. However, the Texas Board’s
report stated repeatedly that it would be glad to comply
with national standards, which would logically flow, in
my opinion, from the AICPA’s Auditing Standards Board.
there benefits to be derived from the costs of complying
with SOX? How can one measure the economic benefit of avoiding
employee fraud or corporate bad acts that could result in
billion-dollar class-action lawsuits? For example, Merck
is embroiled in product-liability lawsuits that may result
in losses exceeding $14 billion because it allegedly sold
Vioxx while clinical tests indicated it increased the risk
of heart attacks from prolonged use. SOX-type improved internal
control administration and audit reporting may prevent other
companies from making similar errors, but how can the value
of improved corporate governance be measured?
malfeasance and fraud can occur within entities of any size.
The common denominator is human nature and a willingness
to exploit gaps in internal controls. While $11 billion
was diverted from the Iraq oil-for-food program overseen
by the United Nations, employee fraud also occurred at the
aforementioned, relatively small James Beard Foundation.
to the 2004 report by the Association of Certified Fraud
small businesses lose an average of 6% of their annual revenues
to fraud. Companies with fewer than 100 employees suffered
median losses of $98,000 a year. Yet, ironically, SOX corporate-governance
reform is mandated for large, multinational corporations
rather for than smaller entities, which are less likely
to survive disasters such as expensive lawsuits or employee
the AICPA were to adopt SOX-type audit standards such as
independent audit committees, internal control documentation,
and auditor opinions or restrictions on auditors providing
consulting to clients, it would not have the force of law
to enforce those changes. But that is not the point. Qualifications
to audit reports highlighting SOX-type corporate-governance
shortcomings would make financial reports of nonpublic entities
more transparent. It would be up to interested third parties
to decide how to handle SOX-type shortcomings.
example, auditing standards for cooperatives and condominiums
require the auditor to disclose whether the corporations
have estimated the remaining lives and replacement costs
of common property. In most cases, disclosures of noncompliance
are tolerated by interested parties, but if a condominium
board were to apply for major financing for improvements
to its facilities, the credit institution might require
the condominium to assess the remaining lives of its facilities
as a condition of obtaining the loan. In this case, the
audit qualification merely adds transparency to the condominium’s
like manner, nonpublic entities’ audit reports disclosing
the lack of independent audit committees, internal auditors,
documented and tested internal controls, and so forth would
provide readers of those financial statements with increased
transparency. It would be up to interested parties, such
as minority shareholders and financiers for small and medium-sized
corporations; major contributors; nonprofit boards; and,
in the case of school boards and municipalities, taxpayers,
to demand improved corporate governance. Unqualified audit
reports would indicate that the auditors and the entity
had complied with a set of rules similar to SOX.
mom-and-pop grocery stores have to comply with Sarbanes-Oxley?
The answer is less obvious. Assume a noncomplying mom-and-pop
grocery has been audited. The audit report qualifications
would list the lack of independent audit committee, internal
auditors, documented and tested internal controls (along
with material internal control shortcomings such as lack
of inventory control and bookkeepers with too much power),
and the fact that the auditor had provided bookkeeping and
accounting system consulting services. (The auditor would
have tested internal controls in the normal course of the
audit.) The owner-operator would probably not be concerned
with the audit report disclosures, but might increase oversight
over the bookkeepers and lock the storeroom doors. At this
point, the cost of the audit or corporate governance due
to SOX standards would be close to zero.
us next assume that this mom-and-pop grocery store is successful
and the owner opens a second location across town, using
the cash flow and accumulated savings. The owners then decide
to open a third store, and apply for a loan from their bank.
The loan officer, in reviewing the latest audit, would notice
the lack of inventory controls and require that the owners
install a computerized cash register and inventory system
before approving the loan.
store continues to grow and prosper, and the owners realize
that their operations would benefit from economies of scale
with more stores, supported by a warehouse operation. To
obtain this level of financing, the owners propose that
a multimillion-dollar bond be privately placed with an insurance
company. The investment officer would note the lack of internal
auditors and audit committee and demand their implementation
as a condition of approving the bond deal. If the next step
for the store is to go public and receive financing through
an IPO, then the store is well along the way of complying
reforms added to audit standards would merely result in
the increased transparency of nonpublic entities, and compliance
would come when interested parties notice shortcomings and
recommend compliance. The cost of compliance grows as the
entity expands. Each stage in the entity’s growth
is accompanied by the appropriate improvements to corporate
governance. If the entity does not grow, its audit costs
would remain roughly the same or would increase slightly
due to a greater awareness of internal controls.
CPAs in public practice be opposed to SOX-type reform for
nonpublic audits? According to this author’s conversation
with an external reporting manager of an SEC company, SOX
auditors have gained a higher degree of control over the
audit and held their ground in disagreements over accounting
treatment. This is a good thing for auditors and their clients.
The accounting profession has not lost consulting business
as a consequence of SOX. The firm conducting the audit is
merely not the same one dispensing consulting services to
any one SEC client, and companies have turned to multiple
firms. CPAs will always be the first choice when companies
want to develop tax strategies, update their accounting
systems, or pursue similar plans.
author’s recommendation is that the AICPA establish
a dialogue with its membership and designate a task force
to evaluate whether various SOX sections would aid the audit
process for nonpublic companies and whether their corporate
governance could be improved, remembering that nonpublic
companies’ vulnerabilities to bad acts and fraud are
just as threatening to them as they are to SEC registrants.
entities can surely benefit from improved corporate governance
that the framers of SOX found lacking at SEC companies.
M. Drexler, CPA, is retired. During his 38-year career
he worked as an auditor, controller, and internal auditor
at several companies, including an SEC registrant.