Six Years of the Sarbanes-Oxley Act
Are We Better Off?
By William J. Dodwell
AUGUST 2008

More than six years have passed since Congress enacted the Sarbanes-Oxley
Act (SOX) in the wake of the Enron collapse and other corporate
debacles that shook the investor community and the general public.
Facing political pressure to act, the U.S. House of Representatives
and the Senate quickly passed a package of reforms by near-unanimous
approval. But complaints from many companies about the implementation
burden have challenged the value of SOX and raised the question,
“Are we better off?”
corporate financial reporting was justifiable. Beginning in late
2001, allegations of fraud and other improprieties by companies
including Enron, Adelphia, WorldCom, Cendant, and Tyco seriously
undermined investor confidence and contributed to stock market
malaise. Concerns included concealing debt through unconsolidated
off–balance sheet entities; manipulating revenue through
creative application of derivative accounting rules; burying expenses
in the balance sheet; and hiding bad receivables—all despite
the scrutiny of management, public auditors, securities analysts,
rating agencies, and investment bankers.
frauds have been in the spotlight, some problems arose instead
from the interpretation of complex accounting rules. In some instances,
management and auditor agreed on the accounting for certain transactions,
only to be challenged in a politicized environment of prosecutors,
regulators, and media. For example, hedge accounting, governed
by SFAS 133, Accounting for Derivative Instruments and Hedging
Activities, loomed large in some major restatements. But
SFAS 133 is so cumbersome that the FASB is considering simplifying
the standard. Other contentious issues are founded on subjective
estimates of such things as loss and contingency provisions and
amortization rates. To be sure, material financial misstatement
was problematic, but because well-intended interpretations were
sometimes second-guessed, it was not always malicious. Of course,
any manipulation of those estimates to distort earnings and bonus
calculations was reprehensible.
scandals have prompted the FASB to reevaluate certain inadequate
standards. For example, it amended its consolidation rules under
FIN 46(R) in a reaction to Enron’s machinations involving
off–balance sheet special-purpose entities (SPE). And, as
mentioned, the FASB is reassessing SFAS 133’s complex hedge accounting rules.
As part of
implementing SOX, the SEC created the Public Company Accounting
Oversight Board (PCAOB) to oversee the auditors of publicly held
companies, replacing the system of self-regulation through the
AICPA. (The AICPA continues to set standards for accounting firms
serving nonpublic companies.) Not meaning to reinvent the wheel,
the SEC and PCAOB built on the internal controls framework established
in 1992 by the Committee of Sponsoring Organizations (COSO) of
the National Commission on Fraudulent Financial Reporting—more
commonly called the Treadway Commission (after its chairman, James
C. Treadway, Jr., a former SEC commissioner). In its effort to
improve the accountability and effectiveness of the public audit,
the PCAOB created Auditing Standard 2 (AS2), which was specifically
designed to guide auditors in the evaluation of internal controls
(AS5, An Audit of Internal Control Over Financial Reporting
That Is Integrated with An Audit of Financial Statements,
which superseded AS2, is discussed further below). In addition,
the PCAOB made accounting firms subject to annual inspection to
verify that their SOX certifications are supported by sufficient evidence.
At the enterprise
level, SOX requires organizational assessments focusing on corporate
governance over broad systemic firm-wide checks and balances,
including risk management, communications, the whistleblower provision,
and conflict-of-interest issues. Additionally, SOX requires the
CEO and CFO to bear personal responsibility for the effectiveness
of internal controls by signing off on the financial statements.
Violations are subject to criminal penalty.
the root causes of management accounting abuses at the transaction
level, section 404 of SOX requires public companies to annually
document and test internal controls and their associated business
processes, remediate deficiencies, and assert the controls’
effectiveness in ensuring the accuracy of financial reporting.
The outside auditor is then required to opine on that assertion
as well as form an independent opinion on control effectiveness.
Both management’s assessment and the auditor’s judgments
are disclosed in the company’s annual 10-K report. (The
SEC has repeatedly delayed the implementation date for nonaccelerated
filers—companies whose market capitalization is under $75 million.)
engendered some beneficial change, section 404 created a backlash,
with corporate accounting departments across America challenging
the excessive cost of compliance. Indeed, the very competitiveness
of American business has been called into question because of
SOX’s documentation and testing requirements. In six years
of experience, representing for most companies two years of startup
implementation and four years of certified audits, does SOX pass
a cost-benefit analysis? Have the improprieties that prompted
the legislation been substantially redressed? Can SOX’s
requirements be mitigated to exempt the many innocent companies
and identify the relative handful of guilty parties?
against SOX’s section 404 requirement to document internal
controls and test them annually came from far and wide. First,
companies smarted from having to incur massive preparatory costs
associated with hiring employees and consultants, and installing
new computer systems. Then they bristled at the perceived excessive
implementation requirements and ambiguous SEC and PCAOB guidance.
The question became, “How much documentation and testing
is necessary?” The following addresses this question and
constitutes a framework for evaluating the time and cost burdens
of documentation and testing eventually broached by AS5:
- of a SOX audit of internal controls and a traditional audit
of financial statements. What is the difference, and is
there too much overlap? One might argue that a SOX audit focuses
on processes and structures that govern the effectiveness of
internal controls over the financial reporting process. By contrast,
a financial audit focuses on assessing the fairness of the actual
financial statements. Of course, auditors have always considered
internal controls in designing their financial statement auditing
procedures. But now SOX requires auditors to consider them as
a separate objective in its own right. Question: Would further
integrating SOX audit and financial statement audit procedures
be more efficient?
- of both management and SOX testing of internal controls. Auditors
thought that AS2 limited how much they could rely on a company’s
own SOX testing. Therefore, they must conduct considerable testing
of their own selected samples, and must also verify a sampling
of management’s tests, to provide an adequate basis for
their opinions. That limited ability to rely on management’s
work results in higher costs. Question: Should auditors
rely more on management’s test results?
- between management and the external auditor over risk-assessment
and testing methodologies. Although the regulatory guidance
acknowledges the role of management’s judgment in assessing
risk, judgment is subjective and sometimes does not reconcile
with an auditor’s independent assessment. The scope of
SOX work depends on risk assessment and the definition of an
internal control. For example, some companies do not distinguish
controls from procedures. Furthermore, SOX applies only to key
controls, but the distinction from non-key controls is not codified
and is therefore entirely a matter of judgment. Depending on
how key controls are defined, they may be significantly more
numerous than necessary, rendering individual documentation
and testing overly burdensome. Other subjective scope parameters,
such as business process taxonomies and materiality thresholds,
also influence the workload. Because internal controls and test
methodologies are not definitively codified in the SOX guidance,
management and the auditor may differ in their risk assessments
and in the relative scope and extent of documentation and testing.
outside auditor is the final arbiter of the scope needed to support
an opinion, management may invest substantial time and money in
work that it considers unnecessary based on its intuitive knowledge
of the day-to-day operation of internal controls. Question:
How extensively must internal controls be tested to establish
assessment of SOX centers on a cost-benefit analysis that takes
into account the relative significance of each positive and negative
item. The following are the tradeoffs, some of which are more
definitive than others.
- profit margins and retarded economic growth from management
compliance costs, higher audit fees, and the opportunity costs
of forgoing more productive activities.
- redundancy between the work of management and the outside auditor.
- A stressful
scramble for new auditors as accounting firms drop certain clients
when reevaluating their acceptance and retention policies. Smaller
companies are particularly vulnerable.
- competitiveness in capital raising and business investment as
newly public companies list their shares on foreign exchanges
and foreign companies expand overseas instead of investing in
the United States in order to avoid the SOX burden.
issue prompted several studies on the effect of regulation, litigation,
and ambiguous accounting rules, including those commissioned by
the Treasury Department and one by U.S. Senator Charles Schumer
of New York and New York City Mayor Michael Bloomberg. Those studies
were predicated on the supposition that excessive regulation,
including SOX, adversely affects the U.S. financial markets and
New York City’s status as financial capital of the world.
of this view, including former SEC Chairman Arthur Levitt, claim
this “capital crisis” is unfounded. And Treasury Undersecretary
Robert Steel pointed out that a highly disproportionate share
of global mutual fund and hedge fund assets resides in the United
States. In addition, he said futures contracts traded on U.S.
exchanges and dollar-denominated foreign-exchange derivatives
- domestic capital spending as companies compensate for SOX compliance
- stock ownership as companies avoid SOX by taking themselves
private through stock repurchase or through sale to private-equity
firms. Other companies exempted themselves by issuing stock
on a 144A private placement basis to a few large institutions
rather than the general public.
concentration is not necessarily bad. Typically, private-equity
portfolio companies, unfettered by pressure to produce short-term
results, take on greater risk to produce better returns than public
companies. However, some bemoan the inequity of those outsized
gains devolving only to the few rather than the larger investor
- SOX work
conducted after the initial implementation tends to yield diminishing
returns in succeeding years after control weaknesses are corrected.
- SOX audits
promote transparency and help ensure reliable financial reports.
They have uncovered many material weaknesses in internal controls
that have contributed to a dramatic rise in the number of financial
restatements. SOX-driven correctives and disclosures inspire
greater investor confidence and ultimately support a more efficient
capital allocation process.
- The potential
consequences of a failed SOX audit motivate companies to maintain
higher quality transaction controls and corporate governance
that might not otherwise exist. Those consequences apply particularly
to the cost of capital, because failure to comply with SOX potentially
affects stock prices, borrowing rates, and bond ratings. Thus,
the fear of failure results in extra assurance for investors.
- The SOX
review forces companies and auditors to place greater emphasis
on the control environment and its ongoing continuity. Section
404 adds process evaluation to traditional account validation,
and holds both management and its public auditors more accountable.
- The exercise
of maintaining extensive documentation of internal controls
required by SOX section 404 potentially fosters a better control
mindset among accounting staff. This mindset can sometimes lead
to control process rationalization and streamlining.
- SOX documentation
is a good tool for training new personnel. It also serves as
disaster recovery backup and a means of communicating internal
control information to those responsible for its execution.
to widespread criticism, the PCAOB issued AS5 in 2007 to replace
AS2 as guidance for independent auditors in the interest of a
more practical evaluation of controls over financial reporting.
This standard, in combination with the SEC’s concurrent
guidance for management evaluation of internal controls, Interpretive
Guidance for Management, established a better principles-based
framework for aligning the views of management and the outside
auditor. In view of the speed with which SOX was assembled, regulators
knew from the beginning that it was a work in progress that would
require refinements over time. The following describes the current
AS5 recommends that auditors adopt a top-down, risk-based
approach to evaluating internal controls: one that focuses on the most
likely sources of risk, is scalable to the size and complexity
of the organization, and is integrated with the audit of financial
statements. This is in contrast to the bottom-up, prescriptive
approach to assessing risk and identifying internal controls under
AS2, which started at micro-level exposures and inductively established
overarching controls at the financial statement level. AS5 requires
less documentation and testing in a more cost-effective assessment
that eliminates excessive scrutiny while retaining focus on the
serious financial reporting risks posed by weak internal controls.
materiality in assessing misstatement risk and greater attention
to entity-level and fraud controls. In addition, AS5 recognizes
that some companies need strict SOX standards while others need
less stringent standards. Thus, auditors may now acknowledge this
distinction and make SOX standards commensurate with a company’s
risk to achieve reasonable assurance at less cost. Previously,
a one-size-fits-all approach applied to all public companies,
with some preliminary accommodation for smaller companies.
envisioned by AS5 include:
- testing to more fully encompass the objectives of both the audit
of internal control and the audit of financial statements simultaneously,
where each audit informs the other;
- more on the work performed by others for the purpose of management’s
assessment of internal controls; and
- selectively conducting walkthroughs as a means of understanding
the nature of misstatement risk.
companies (i.e., nonaccelerated filers), the SEC recently provided
further relief by deferring the independent auditor’s attestation
of management’s report on the effectiveness of internal
controls over financial reporting until fiscal years ending on or
after December 15, 2009.
At the same time AS5 was released, the SEC provided
parallel advice for management in its Interpretive Guidance
for Management, which codifies a more efficient approach
to evaluating the effectiveness of internal controls in detecting
and preventing material financial misstatement. The guidance centers
on a top-down, risk-based approach to first identifying risk and
then evaluating the design and operating effectiveness of the
transaction- and entity-level controls. This specific guidance
enables management to adopt a more efficient and independent evaluation
of the effectiveness of internal controls rather than just deferring
to AS5 details for fear of not satisfying the auditor.
is permitted to exercise greater judgment in deciding on appropriate
methods and procedures that address the likelihood and potential
magnitude of financial misstatement. This streamlined assessment
eliminates the redundant review of multiple controls over a particular
reporting risk. This means more flexible documentation and testing
standards in the production of adequate evidentiary matter keyed
to the degree of perceived misstatement risk posed by error or
fraud. Furthermore, management’s procedures may differ from
those adopted by the independent auditor. Further efficiency is
achieved in subsequent years because management now evaluates
only changes in risks and controls in an updated assessment, rather
than recreating the entire process.
2006 the SEC issued its Final Report of the Advisory Committee
on Smaller Public Companies. The report recommended risk-based,
scaled securities regulation for companies in the lowest 6% of
market capitalization, which represent the majority of public
companies. One accommodation was a temporary exemption from SOX
section 404. In its place, these companies became subject to new
guidance on internal controls over financial reporting issued
by COSO. This document was a guide on how small companies should
apply the 1992 COSO framework pending the development of a SOX
internal control framework specifically designed for smaller companies.
report recommended that the PCAOB amend AS2 to provide cost-effective
relief for small companies, to include testing to find only material
weaknesses, and to integrate internal control and financial statement
audits. The SEC also urged the PCAOB to ensure that public audit
firms incorporate this relief in the internal control reviews
of client companies.
In June 2007
the SEC released its interpretive guidance on management’s
evaluation of internal controls, with particular attention to smaller
companies, in conjunction with the release of AS5 by the PCAOB. The
SEC did not exempt small companies from SOX compliance as some had
hoped. Rather, the sympathetic management guidance issued alongside
AS5 formally acknowledged that all companies with less than $75 million
of public equity can independently scale their SOX assessments to the
circumstances of their business without having to mimic the auditing
standard as before. Additionally,
the SEC will monitor implementation of AS5 in the PCAOB’s
inspections of audit firms. To ensure that smaller companies no
longer bear a disproportionate burden, the SEC was expected to
conduct a cost-benefit study of the new standards. But is the
new guidance definitive enough to avoid disagreements with auditors?
AS5 and the
accompanying management guidance establish a framework for evaluating
internal controls more efficiently through a top-down, risk-based
approach. The guidance emphasizes a holistic view of risk that
identifies enterprise-wide vulnerabilities and gives greater consideration
to fraud controls. The current approach comprises the following steps:

- Risk assessment. Focus on exposures to material financial
misstatements that take into account their probability through
error or fraud, especially management override. Consider the
complexity of processes and dependence on judgment. Evaluate
entity-level and IT controls. Consider the vulnerability of
manual operations, including spreadsheet applications, which
are pervasive in smaller companies. Under AS5, the auditor’s
independent risk assessment, established through appropriate
inquiry, observation, document inspections, and walkthroughs,
should align with management’s self-assessment founded
on daily operations.

- Control identification. Identify only key controls that
address material exposures consistent with the company’s
size, complexity, and operating structure. Document the design
of those controls.

- Control effectiveness. Test both design and operating
effectiveness. Focus on the most operative control that addresses
particular material exposures consistent with the risk assessment,
not all such controls. AS5 emphasizes broader, higher-level
controls that might warrant 100% testing over lower-level controls
that would involve sampling methodologies. Document test procedures
and findings to produce evidence that is consistent with the
nature, timing, and extent of those controls.

- Resolve and retest significantly deficient controls.
Communicate findings to the board of directors, and report deficiencies
to the parties responsible. Distinguish design deficiencies
from operating deficiencies. Assess the relative seriousness
of deficiencies in terms of the impact on the financial statements
and classify them as a significant deficiency or a material
weakness.

As a means
of applying these concepts efficiently, AS5 cites a risk-assessment
methodology that had already been in practice for several years.
This approach involves assigning taxonomies to particular processes
and controls to establish an overall risk profile in a risk-control
matrix format. Specifically, risk assessment starts with identifying
significant accounts and disclosures, and then mapping them to
business processes that are classified by degree of risk and complexity.
Associated controls are characterized by relevant assertions,
such as valuation, existence or occurrence, and presentation and
disclosure. Controls are also evaluated by posing “What
could go wrong?” questions that contemplate possible financial
misstatement and fraud scenarios.
In the past,
some risk-averse auditors might have dismissed this model, favoring
more-traditional benchmarks of risk exposure, such as a financial
statement category’s percentage of total assets or revenues.
But now that the methodology has the PCAOB’s imprimatur,
all auditors can rely on it as a means of streamlining the SOX
process in a top-down assessment. Or not. A certain dissonance
between management and auditors concerning respective risk assessments
may be inevitable, especially in manually intensive operating
environments common to smaller companies.
of SOX would be complete without addressing the public audits
that failed to detect many of the problems that led to the well-chronicled
scandals. Through its inspection program, the PCAOB seeks to evaluate
the quality of the auditing process, thereby holding firms accountable
for correcting their mistakes and upgrading their methodologies
in future audits. In particular, the PCAOB cites significant failures
to properly apply AS2 in evaluating management assertions and
the effectiveness of internal controls. Its reports will also
call out improperly applied Generally Accepted Accounting Principles
(GAAP), a failing that affects the financial statement audit as well.

The Treasury Department, the SEC, the PCAOB, and the FASB strive
to balance management cost, auditor liability, and investor protection
to achieve effective and efficient prevention and detection of
material accounting fraud and error. Can SOX accomplish this?
Refco’s misstatement, for example, occurred some years after
SOX was enacted. And the existence of SOX arguably did not directly
help expose stock option backdating. In the effort to balance
effectiveness and efficiency, only time will tell whether AS5
Six Years and Counting
the number of financial restatements of the last several years,
the traditional financial statement audit alone is not enough
to assure the investor community. A separate SOX examination of
internal controls helps fill the gap by providing additional assurance
where controls are strong and raising awareness of the potential
for future problems where controls are lacking.
Are we better
off after six years of Sarbanes-Oxley guidance? To some extent,
implementation has prevented and detected more of the problems
that gave rise to SOX. AS5 and the companion SEC management guidance
codify the integration of the SOX examination with the annual
financial statement audit, and promulgate a risk-based tailored
approach to SOX documentation and testing requirements. Theoretically,
both the PCAOB and the SEC documents mitigate previous excesses
and balance the guidance for management and auditor—with
a special accommodation to the plight of smaller companies. The
practical implementation, however, is a continuing question mark.
In any case, prospective compliance that relies on a SOX infrastructure
already in place is much less onerous than the initial implementation.
the new latitude afforded management in making more independent
assessments of its internal controls, companies may still have
to present evidence to convince professionally skeptical auditors.
On the other
hand, do the new rules dilute the SOX process to the extent that
auditors defer to management’s self-assessment, and curtail
scrutiny as they depart from certain benign redundancies of AS2
standards? Have the concessions made in the name of cost compromised
the benefits? Does the narrower scope encompassing fewer controls
and abbreviated tests founded on subjective materiality have a
limited effectiveness? Future PCAOB inspections and media reports
of new or nonexistent scandals and ineffective audits will be
the final proof.
of course, will disingenuously ascribe the next business calamity
to ineffective SOX implementation, perhaps expecting a panacea.
A case in point is the fallout from the ongoing subprime credit
crisis. While the recent spate of massive portfolio write-downs
might seem to indicate failed risk-management controls, the problem
is largely founded on illiquidity and the inability to establish
fair value in the absence of willing buyers and available funding.
The valuation of impaired mortgage securities is an accounting
issue made problematic by anomalous market conditions plagued
by uncertainty. The writedowns are not generally the result of
failed internal controls, but rather a wholesale market repricing.
In the final
analysis, truly cost-effective SOX examinations will better protect
investors and contribute to better-functioning capital markets
that will benefit the economy at large. But the optimal balance
between the costs and the benefits may always be elusive.
William J. Dodwell, CPA, led several SOX section 404 implementations
and performed numerous other financial control assessments as a
management consultant to financial services companies.