Cutter IT Journal first took a look at Sarbanes-Oxley (SOX) and similar governance mandates back in our September 2005 issue. Back then, we focused the debate on the potential value, costs, impacts, and implications of compliance with such laws and regulations. In this issue, we discover how SOX compliance initiatives are turning out in the real world. Is SOX the cost-creating, value-destroying nightmare everyone feared? Or has it yielded what it promised — stronger internal controls, better documentation of financial and business processes, and more board involvement in corporate direction?
"The final area of debate is this: given the cost and the complexity of implementing SOX, at the end of the day, is it worth it?"
-- Robert N. Charette, Guest Editor
SOX Stinks
SOX is an ongoing nightmare — a cost creator and value destroyer. It needs radical change, if not outright repeal.
SOX Is Super
SOX is the small investor’s best friend. It may be costly to implement, but the cost is worth it to ensure trustworthy and transparent financial reporting.
Opening Statement
As the Public Company Accounting Reform and Investor Protection Act of 2002 -- better known as Sarbanes-Oxley (SOX) -- enters its fifth year, the debate on whether its potential benefits are commensurate with its very real costs unrelentingly continues. Even different regulatory agencies within the US government can't seem to agree on whether SOX has been a net gain or loss. For instance, in testimony before the US Congress in September 2006, US Securities and Exchange Commission (SEC) Chairman Christopher Cox said that "while initial implementation efforts resulted in significantly greater-than-anticipated costs, compliance with Section 404 produces significant benefits." Section 404, as you may recall, requires public companies to implement internal controls on their financial transactions and information and for the companies' auditors to certify to the controls' effectiveness.
Cox called the problems that many companies have reported in regard to implementing Section 404 the one "notable exception" in an otherwise good piece of legislation, while former Congressman Michael Oxley, coauthor of SOX and recently retired chairman of the House Financial Services Committee, blamed the supposed cost problems on "overzealous implementation" by auditors.
On the other hand, this past November, former chairman of the US Federal Reserve Board, Alan Greenspan, voiced his opinion that SOX Section 404 is a "nightmare" that is a "cost creator with no benefit I'm aware [of]" and that it should be completely revamped. Similarly, US Treasury Secretary Henry Paulson also noted last November that overlapping regulation and accounting rules such as SOX have placed the US in "danger of creating a thicket of regulation that impedes competitiveness," adding that the country needs to find a "regulatory balance." Even the liberal Congressman Barney Frank, incoming chairman of the House Financial Services Committee, supports the idea that SOX burdens need to be reduced, especially for small companies.
In the September 2005 issue of Cutter IT Journal, we focused the debate on the potential value, costs, impacts, and implications of compliance with new governance regulations and laws like Sarbanes-Oxley and Basel II. In this issue, we have focused again on many of these same issues, but now with an experienced, real-world perspective in specifically dealing with SOX in the steady-state operational -- rather than startup -- phase. We are especially pleased to present views from those who are on the front lines of companies having to deal with implementing SOX, not only here in the US but in Europe as well.
The recurring issues that all our contributors discuss fall into three general categories:
1. The costs of SOX implementation.
2. Uncertainty as to which kinds of financial-related information need to be controlled and which types of controls are necessary and sufficient to meet the intent of SOX.
3. The ultimate value of SOX so far -- has it been worth the costs and turmoil created?
Not surprisingly, these are the same issues that most public companies report are plaguing them as well.
COSTS OF SOX
The cost of implementing SOX has been a major point of contention since the law's passage in July 2002. After SOX was passed, the US Congress called on the SEC to estimate its implementation cost. In 2003, the SEC estimated that the cost of complying with Section 404 would be only five hours of work per annual and quarterly SEC filing per public company. After companies sounded howls of protest at the absurdity of that initial estimate, the SEC increased its estimate to 383 hours of extra work per company or, it projected, about US $91,000 per year per company on average (excluding additional auditor fees, which the SEC concluded would be negligible).
The law firm Foley & Lardner has been keeping track of SOX compliance costs. It has reported that in 2005, the costs of compliance (CoC) for companies with over $1 billion in revenue averaged $11.5 million, while CoC for companies under $1 billion in revenue averaged $2.8 million. Foley & Lardner said that these CoC averages were down about 6% and 16% from those in 2004 for companies above and below $1 billion in revenue, respectively. The firm's early 2006 CoC estimates appear to be down some from 2005, but not as significantly.
These reductions in costs were similar to those reported by other organizations that track SOX CoC data. The Hackett Group, a well-known corporate benchmarking company, estimates that the average CoC today is about 2.5% of a company's revenue, down from 3% a year ago. However, it attributes the CoC reductions mostly to internal organizational cost reductions: the fees paid to outside auditors actually have risen steadily since SOX's passage.
Of course, the reported CoC above don't include the indirect costs involved. For instance, in its CEO 2007 annual report, the New York Stock Exchange (NYSE) Group states that compared to three years ago, 89% of the public company CEOs it surveyed are spending more time on compliance/regulatory issues, 72% are spending more time reporting to the board, and 58% are spending more time on shareholder relations [5]. Furthermore, 27% are spending less time on daily management and customer relations. Some 39% of CEOs indicate that higher compliance costs have resulted in delays and/or cancellations in their efforts to grow their businesses. Unsurprisingly, given that they have to sign off on their company's financial statements, 99% of the CEOs believe that they are at greater personal legal risk than ever before. The NYSE Group annual report also states that CEOs expect to spend as much, if not more, time on regulatory/compliance matters in 2007 as they did in 2006, and 91% expect that this will impact their ability to grow their businesses.
COMPLEXITY, CONFUSION, AND UNCERTAINTY
There seems to be widespread agreement that the costs of compliance with SOX have been primarily driven by uncertainty about how to interpret Section 404. In May 2006, SEC Chairman Cox stated that a large part of the problem could be traced to the poor guidance given to interpreting Section 404: "Auditing Standard No. 2 [AS2] gives guidance to independent auditors tasked with determining whether a company's internal controls are effective. No similar guidance, however, exists for companies and for their management. And in the absence of direction from us, companies have been basing the assessment of their controls on AS2."
A study on SOX compliance cost drivers released in October 2006 by the Institute of Management Accountants seems to back up this contention [4]. The study, conducted by Parveen Gupta of Lehigh University, found that two-thirds of the surveyed organizations listed "the lack of practical guidance from the SEC or other professional organizations on how to decide what constitutes an effective (or ineffective) internal control system" and the "redundant testing of internal controls" as the two major compliance cost drivers.
A major problem has been that AS2 focuses on controls over individual transaction processes rather than overall company-wide controls. This has led many auditors to view every financially related transaction as a source of potential material weakness that must be tightly controlled, regardless of the potential material impact of the transaction. This has caused disagreement between companies and their auditors over what should be internally controlled. In one instance, a company listed 500 internal controls it thought were necessary, while its auditor thought that some 60,000 were required.
This "bottom-up" view to implementing a control regime is in opposition to what the SEC has consistently instructed auditors to do, which was to perform a top-down risk assessment and concentrate their examination of the effectiveness of internal controls on those areas posing greatest financial/material risk. As I have written previously on the problems involved in risk-based auditing [3], given that the auditors and their companies now face both personal and corporate legal risk if something significant is missed during an audit, this SEC direction has generally been ignored.
Reinforcing the auditors' perception of a large legal liability if an audit is performed poorly, mortgage company Fannie Mae this past December filed suit against its former auditor, KPMG, alleging malpractice for approving error-filled audits. As a result of these poor audits, Fannie Mae has had to wipe $6.3 billion in profits off its books, pay $400 million in fines to regulators, and spend over $1 billion to correct its books. Fannie Mae in turn wants $2 billion in damages from KPMG.
VALUE OF SOX
The final area of debate is this: given the cost and the complexity of implementing SOX, at the end of the day, is it worth it? Has investor confidence been improved?
According to the NYSE Group's 2007 CEO annual report, the answer seems to be no [5]. Only 6% of the CEOs it has surveyed believe that SOX, along with accounting and other governance-related regulations, has produced benefits for investors.
Individual investors are a little more positive, but they are not entirely convinced either. In an October 2006 Wall Street Journal Online/Harris Interactive poll of active investors, 49% agree that they can now trust companies to provide complete and accurate financial information, while 42% disagree, and 9% are not sure. Furthermore, 32% of investors polled think SOX has been effective in improving financial transparency, 24% say it hasn't been effective, and 44% are not sure.
The latter result of "not sure" may be because the SEC and Public Company Accounting Oversight Board (PCAOB) have been releasing data that shows corporate restatements have been continuing at a record pace. It is estimated that some 1,300 companies will issue financial restatements, compared to 1,195 in 2005 and 201 in 2001. However, the SEC and PCAOB attribute less than 5% of the restatements to fraud or deliberate error, which makes many wonder whether SOX is effective or overkill.
SOX's cost, complications, and legal liability have also helped spark a trend of public companies being taken private. One example is the Vermont Teddy Bear Company. Elisabeth B. Robert, the company's chief executive, explained that the company was going private because, "As a private company, Vermont Teddy Bear will no longer face the challenges of a company trying to comply with increasingly complex and costly public company requirements. We will have more time and resources to devote to growing our business." Since SOX, a number of major companies have decided to go private or have been taken private, including Hertz, Toys "R" Us, Kinder Morgan, Equity Office Properties Trust, Reader's Digest, and HCA. According to the Financial Times of London, in 2006, over $38.8 billion of listed capital was withdrawn (i.e., de-equitized) from the NYSE and a further $11 billion from Nasdaq, which is twice the amount it lost in 2005.
Furthermore, a number of foreign companies have opted to de-list from US stock exchanges because of the difficulty in complying with SOX. A greater problem has been that foreign companies are now refusing to be listed on US exchanges.
This can be readily seen by the number of companies that are deciding to raise money on foreign public markets rather than in the US. For instance, only two of the world's 25 largest IPOs were listed in the US in 2006. While there were 224 IPOs in the US that year, there were 651 in Europe -- almost a complete reversal of what happened prior to SOX. And of the 123 international firms that were deciding to list in either London or New York, 91 decided to list in London.
But many others have argued that even with all the headaches involved, SOX has been beneficial. In an April 2006 Harvard Business Review article titled "The Unexpected Benefits of Sarbanes-Oxley," authors Steve Wagner and Lee Dittmar from Deloitte argue that companies now have stronger internal controls, better documentation of their financial and business processes, more board involvement in corporate direction, better relationships with partners and suppliers, and more effective manual and automated internal controls [7].
In addition, MIT Sloan School Professor Ryan LaFond and his coauthors released a study in October 2006 stating that while SOX does add costs to business, firms with strong financial controls are rewarded in the marketplace by having access to lower costs of capital, by as much as 150 basis points [1]. The Hackett Group in November 2006 also reported that organizations that have strong compliance controls spend only half what typical companies do on compliance.
While many public companies have decided to go private because of the costs and troubles involved in implementing SOX, ironically, several private companies have moved to embrace large parts of it. These companies believe they can benefit from improving their internal controls and financial processes, and they think that getting access to low-cost capital is reason enough to go the SOX route.
Furthermore, a report by the Stanford Law School released in January 2007 has found that, in 2006, only 110 federal class-action lawsuits alleged securities fraud, a 37% drop from 2005 and a 43% drop from the 10-year historical average of 193 [6]. The report, which credits SOX, estimates that the amounts of alleged fraud have also dropped precipitously from $93 billion in 2005 to $52 billion in 2006, which is also far below the $124 billion 10-year historical average.
The stock options backdating scandal that began in late 2005 and really blew up in 2006 has also emphasized the need for strong corporate governance regulations. Over 150 companies have been implicated in backdating stock options to their corporate executives, and many of these incidents occurred after SOX was put into place. As a result, many high-profile CEOs have had to resign, and a large number of companies have had to restate their previous years' finances.
Heating up the options scandal issue further, in December 2006 a study was published that indicated that company directors, not only executives, in 460 companies also benefited from stock option backdating [2]. This has caused many in Congress to wonder aloud whether corporate directors -- who, under SOX requirements, were supposed to be independently watching over possible executive malfeasance -- might need more oversight themselves.
Finally, lest anyone think corporate governance is going to go away anytime soon, home improvement company Home Depot fired its Chairman and CEO Robert L. Nardelli for poor performance earlier this month; he was also given a $210 million severance package. To many in Congress, this appears to be an obscene amount of money for rewarding failure. Congressman Frank has promised to hold hearings on CEO pay this spring. By autumn, one can expect to see some legislation proposed to deal with CEO pay -- especially given that next year is a presidential election year in the US.
ON THE SOX FRONT LINES
The issues above are discussed from a working-level perspective in this month's articles. We start the issue with "Cut the SOX Clutter with IT Best Practices" by Niel Nickolaisen. Nickolaisen is the CIO and director of internal audit for a $1 billion energy and building products company. In the article, he describes the hard, very personal journey he and his company have taken in implementing SOX. Nickolaisen talks about the many challenges involved in understanding what SOX requires, the intense debates he has had with auditors over what is material and what is not, and the eventual benefits SOX has wrought in spite of the "perfect storm" of overly complex regulations, competing goals, and the high costs involved.
Our second article is a conversation Cutter Senior Consultant Scott Stribrny had with a senior executive responsible for a leading midsized corporation's internal support systems. The senior executive agreed to talk as long as he was not identified, a fact that highlights the continued sensitivity of talking publicly about SOX. Their wide-ranging conversation touches on the impact that SOX had on the IT applications and operations at this executive's company, the "nightmare" they went through at the beginning of SOX implementation, and what they would have done differently. Interestingly, the company has gone from public to private, but it is still applying SOX-required internal controls.
Our third article takes a European perspective on SOX. In "Surfing the SOX Wave Thanks to CMMI," Laurent Janssens and Peter Leeson talk about how a Belgian subsidiary of a major international financial organization approached SOX compliance. They discuss how the organization viewed SOX not as an additional constraint, but as an opportunity to complement its internal process improvement efforts. Using both the CMMI® model and COBIT® framework, along with clearly establishing a management perspective that SOX represented a major process change request, SOX implementation proceeded relatively smoothly and created several organizational benefits.
Our final article is "Complying with Sarbanes-Oxley: Addressing the IT Issues and Risks," written by Mahesh Raisinghani of Texas Woman's University and Bhuvan Unhelkar of the University of Western Sydney. Professors Raisinghani and Unhelkar discuss the challenges of SOX compliance, and specifically the issues related to IT support in its compliance.
I think you will agree that these articles vividly bring home some of the real-life issues companies have had to face in implementing SOX, and I hope they will give you a better appreciation for what is actually happening out there on the SOX front lines.
POSTSCRIPT: REGULATORY REFORM
As we were putting together this issue of Cutter IT Journal, changes to SOX were being announced. SEC Chairman Cox disclosed in late November 2006 that given the cost, the complexity, and the disagreement about the benefits of the law, "significant changes" would be coming to SOX. Cox said that the changes "will be aimed at ensuring that the internal-control audit is top-down, risk-based, and focused on what truly matters to the integrity of a company's financial statements. They will provide guidance for both companies and their auditors to permit common-sense reliance on past work and on the work of others."
In December 2006, the SEC further announced that corporations will not need to test internal processes that have low material impacts, and that it will provide new, flexible guidance based on the size and complexity of companies' business operations. The SEC wants company management and external auditors to use good judgment and primarily focus on areas that create the greatest opportunities for corporate fraud.
Also in December 2006, the US Department of Justice (DOJ) revised its charging guidelines for bringing corporate prosecutions. While the DOJ still insists that a corporation is no different a legal entity from an individual, it promises it will be more circumspect when thinking about indicting corporations. Once a company is indicted, it is basically out of business, as happened with accounting firm Arthur Andersen, whose conviction for obstruction of justice in the Enron case was overturned by the US Supreme Court.
Furthermore, the PCAOB will provide external auditors with new internal-control testing guidance that it hopes will relieve some of the costs of compliance. The PCAOB wants auditors to concentrate on issues that have a "reasonable possibility" of producing a material weakness in a corporation's finances. It also wants auditors to look at how a corporation closes its books, especially if executive management's financial rewards are based on hitting set financial targets. The PCAOB has also stated that auditors no longer should have to concur on management's assertion that its company's internal controls are effective.
Both the SEC and PCAOB think that audit costs will eventually come down, but not for at least another two years, as corporate management and auditors again try to figure out how many controls are enough. These changes came on top of other changes that include making it slightly easier for foreign companies to de-register from the US stock exchanges and rethinking the cost/benefit approach to corporate regulations. Only time will tell what the impacts of these changes, if any, will be on corporate governance.
REFERENCES
1. Ashbaugh-Skaife, Hollis, Daniel W. Collins, William R. Kinney, Jr., and Ryan LaFond. "The Effect of Internal Control Deficiencies on Firm Risk and Cost of Equity Capital." Working paper, April 2006 (http://papers.ssrn.com/sol3/papers.cfm?abstract_id=896760).
2. Bebchuk, Lucian, Yaniv Grinstein, and Urs Peyer. Lucky Directors. Harvard University Law School, December 2006 (www.law.harvard.edu/programs/olin_center/corporate_governance/papers/lucky_directors.pdf).
3. Charette, Robert N. "Sarbanes-Oxley Update: Risk-Based Auditing." Cutter Consortium Enterprise Risk Management & Governance E-Mail Advisor, 2 June 2005.
4. Gupta, Parveen. COSO 1992 Control Framework and Management Reporting on Internal Control: Survey and Analysis of Implementation Practices. Institute of Management Accountants, 2006.
5. NYSE CEO Report 2007. NYSE Group, August/September 2006.
6. Securities Class Action Case Filings, 2006: A Year in Review. Stanford Law School Securities Class Action Clearinghouse and Cornerstone Research, January 2007.
7. Wagner, Steve, and Lee Dittmar. "The Unexpected Benefits of Sarbanes-Oxley." Harvard Business Review, April 2006.