Compliance: Is Sarbanes-Oxley Working?By Edward Cone | Posted 06-12-2006
Compliance: Is Sarbanes-Oxley Working?
Learning to Live With SOX
It seems like a straightforward enough question: is SOX working? Two years after the Sarbanes-Oxley Act (also called the Public Company Accounting Reform and Investor Protection Act of 2002) went into effect, there is a mounting supply of data on hand to throw at the query. But like so many seemingly simple questions, this one isn't. There are a lot of layers to peel back before any serious answer can be reached. The question invites more questions, such as, "What does 'working' mean?" "Working for whom?"
And to the extent that SOX might be working, are its successes worth the costs? One thing everyone agrees on is that the costs of compliance are much higher than had been estimated. After that, well, define "worth it."
One point of view is represented by Stephen Wagner and Lee Dittmar in their article, "The Unexpected Benefits of Sarbanes-Oxley," published in the April 2006 edition of the Harvard Business Review. They write: "A number of companies have begun to standardize and consolidate key financial processes, eliminate redundant information systems and unify multiple platforms; . . . automate manual processes; . . . better integrate far-flung offices and acquisitions; bring new employees up to speed faster; broaden responsibility for controls; and eliminate unnecessary controls."
Or not, according to a recent paper by Henry Butler and Larry Ribstein for the American Enterprise Institute, called The Sarbanes-Oxley Debacle: How to Fix It and What We've Learned (see
Even quantitative responses, from the number of earnings restatements by public companies since compliance with the law became mandatory (high), to the number of initial public offerings by companies in the U.S. capital markets (low), can be spun in different directions.
And as in so many things, where you stand may depend on where you sit. Groups with particular interests have definite opinions on the question. For audit firms, Sarbanes-Oxley has been called the Full Employment Act of 2002. IT workers with audit skills command a premium in the job market. SOX is working just fine for these folks. But investment bankers who haven't been getting those tasty IPO fees, and small companies forced to pay big dollars to comply? Not so much.
Of course, business and regulation and markets are complex subjects, and in the real world this question is not a binary function with a clear conclusionon or off, yes or no. But while acknowledging messy, multifactorial reality, and with some caveats and quibbles, we'll venture an answer to the question: Is SOX working? Yeah, it's working okay. Not perfectly, and not for everyone, but in a broad and measurable sense, the case for SOX is affirmative.
This is a holistic argument. It won't convince the IPO firms or the folks at the American Enterprise Institute. But as Wagner and Dittmar contend, the benefits of SOX go beyond avoiding scandals to rationalizing financial reporting that had grown ragged for a whole laundry list of reasons, including poor integration of merged companies, Y2K fixes, new technology that doesn't play nice with legacy systems, and complex, interconnected supply chains. As high SOX start-up costs are absorbed, the real benefits should accrue to companies with standardized processes and centralized systems that make compliance with regulations of all kinds an integral part of their cultures.
As Senator Paul Sarbanes (DMd.), one of the bill's cosponsors, said in March, "The benefits of compliance are emerging." He pointed to a CFO Research Services survey of 180 senior finance executives who identified "unexpected benefits from Sarbanes-Oxley compliance." Respondents said Sarbanes-Oxley enables them to manage risk better and uncover weaknesses in financial controls, while boosting operational performance. Let's walk through some of the pros and cons, the spin and the counterspin. Your mileage may vary depending on usage. I look forward to some full, frank discussion of this issue on my CIO Insight blog, "Know It All" in the weeks to come.
Working" Mean for SOX?">
What Does "Working" Mean for SOX?
The Sarbanes-Oxley Act was passed as a response to the financial scandals of the tech-bubble erathe Enrons and WorldComs and Adelphias and Tycos that shook investor confidence and besmirched the reputation of businesses everywhere. In response, Congress decided that the markets need firmer guarantees of corporate compliance with securities law.
If you need any reminders of how grim the situation seemed at the time, consider that the bill sponsored by Sarbanes and Representative Michael Oxley (ROhio), passed 423-3 in the House and 99-0 in the Senate. Speaking to a Consumer Federation of America conference in March, Sarbanes said, "Critics who now attempt to minimize the seriousness of the situation should not go unchallenged."
The law demanded several things of public companies, including personal statements by senior executives that their financial statements had been audited and were correct, and statements by internal and external auditors to the same effect. The biggest impact for most companies came from Section 404 of the bill, which details the roles of management and both inside and outside auditors in maintaining a company's internal controls.
Obviously, the markets have rallied (the Dow Jones Industrial Average is up more than 50 percent since its 2002 lows), which, by definition, means that investor confidence is higher. But it doesn't necessarily mean that investors are more confident because of stricter accounting regulations. The overall economy has recovered from recession, the bubble is a distant memory, inflation has been low, and money has been cheap.
The same sort of uncertainty about the value of SOX applies to the lack of big accounting meltdowns. The wave of huge scandals has abated since SOX became law, but it's hard to pin down the role of SOX in preventing the kind of high-dollar chicanery that went on in the recent past. Coincidence is not causality, you can't prove a negative, and so on.
Maybe the scandals stopped for other reasons, and maybe they'll show up again when the economy turns south. As the Wall Street Journal editorial pageno fan of SOXpointed out in May, all of those famous turn-of-the-millennium miscreants were prosecuted under pre-SOX laws (and that includes Enron Corp.'s Kenneth Lay and Jeffrey Skilling, who went down hard in a Texas courtroom last month). Meanwhile, the showpiece SOX-driven case to date, the trial of HealthSouth Corp. CEO Richard Scrushy, failed to return a conviction.
Robert Prentice, a professor at the University of Texas McCombs School of Business, compares SOX to the expensive and highly annoying Homeland Security regime instituted after Sept. 11, which has seen no further hijackings but has had an unknowable effect on that outcome. "You know how much a metal detector in an airport costs, and how much you pay the people," he says. "But you don't know how much these precautions save. In the same way, we'll never know if SOX prevented a big fraud from happening. And if there is a major case, we won't know if SOX prevented others from occurring at the same time."
Prentice gives Sarbanes-Oxley a cautious thumbs-up, based on things like evidence of decreased earnings management by companies since the law passed, increased investor confidence thanks to CEO certification of results, and improved liquidity. "We're starting to see some interesting stuff in the literature," he says. "These are the things that Congress wanted to do." Prentice also cites improved accuracy of stock analyst recommendations, and says, "SOX is Congress telling auditors and directors and analysts, for Christ's sake, do your job, take it seriously. That alone is worth something. Do the benefits outweigh the costs? Well, I can say there are a lot of benefits, even if you cannot at this time make a grand conclusion."
SOX by the Numbers
SOX by the Numbers
One measure of Sarbanes-Oxley's effectiveness is the rising number of earnings restatements since the law went into effect. Glass, Lewis & Co. LLC is a San Francisco-based firm that tracks the volume of do-overs by public companies. Its March 2006 report, "Getting It Wrong the First Time," shows 1,295 restatements of financial earnings in 2005 for companies listed on U.S. securities markets, almost twice the number for 2004. "That's about one restatement for every 12 public companiesup from one for every 23 in 2004," says the report.
Research analyst Mark Grothe, the study's primary author, sees a direct correlation between SOX and the wave of restatements. "It's precisely because of the heightened auditing standards mandated by Sarbanes-Oxley that investors today are getting a true sense, finally, of just how much work remains to be done before they can feel confident about the accuracy of the financial statements prepared by corporate managers," he writes.
"These restatements aren't just about revising subjective judgments or complying with esoteric, complex accounting pronouncements. In hundreds of instances, they stem from basic misapplications of simple rules or critical breakdowns in corporate controls and competencies. . . . Careful scrutiny of these controls, through independent testing and reporting by outside auditors, is what Section 404 of Sarbanes-Oxley mandated. By and large, this testing is what uncovered the weaknesses."
Mike Lofing, another Glass, Lewis analyst, says he believes the number of restatements will drop off over time, although perhaps not to a pre-SOX level. "There was a lot of catch-up going on, and there were probably a lot of controls that should have been in place but were not," he says. "Once those controls are in place, it becomes maintenance."
Are the restatement numbers really such a clear-cut argument for the power of SOX? The Securities and Exchange Commission says that only 12 percent of companies restating their financial reports last year gave SOX Section 404 as the reason for the restatement. But that figure is itself extremely squishy. Just 50 percent of restating companies gave a reason of any sort for their redos, so the overall percentage driven by Section 404 may be much higher. Meanwhile, panelists at an SEC roundtable in May argued that the vast majority of restatements have no material effect, as measured by the response of the stock price, but that the relationship between restatement and "material weakness" in the underlying numbers and process is "almost axiomatic."
Another way of measuring the impact of restatements is by considering the subsequent behavior of the companies involved. Wayne Landsman, a professor of accounting at the University of North Carolina's Kenan-Flagler Business School, has been studying the relationship of companies that restate their financial reports to moves by those companies to different accounting firms. "Most of the switches by companies are lateral among the Big Four firms," he says. "Auditors aren't dropping companies that restate for being too risky from their client rolls."
Landsman says he has a hard time attributing causality for behavior by companies and investors directly to SOX, and he eschews simple answers. "In economics, it's a social welfare question, like evaluating a tax bill. It hurts some and helps some. Is it having its intended effect? We don't know what we would have observed without it."
: SOX and the IPO Market">
Burnt Offerings: SOX and the IPO Market
Included in that hard-to-attribute category, he says, is the relative dearth of initial public offerings in the SOX era. But critics of the law, from Wall Street to Capitol Hill, have been quite willing to blame SOX for the IPO drought. Writing in the Wall Street Journal in May, Senator Jim DeMint (RS.C.) and Representative Tom Feeney (RFla.) said that Sarbanes-Oxley is "discouraging U.S. companies from raising capital by going public, which denies them a greater ability to expand and hire new workers. And some businesses that were public when the law was passed have concluded they would rather cut off their access to capital than comply with Sarbox. Since 2002, 75 community banks have gone private, while large companies such as Vivendi have simply de-listed in the U.S."
There are some weaknesses in this analysis, starting with the increasing robustness of the U.S. IPO market. May was the liveliest month for public offerings since the bubble burst, and the first five months of 2006 saw almost 20 percent more IPOs than the comparable period of 2005. But the complexity runs much deeper than this newfound bullishness. The capital markets are awash in an unprecedented amount of private money, providing companies with attractive alternatives to public offerings. Says one partner at a New York City private equity fund, "We are putting good deals on the table, and not coming close because other private investors are so eager to buy these companies. The need to tap the public markets for capital is just not there like it was in the past."
And again, it may be that fewer public offerings represents a successful side of SOX, not a failure. "If you can tie the number of IPOs to SOX, perhaps it shows that firms should have more controls in place before they have access to public markets," says Gregory Bell, a group vice president at CRA International, a Boston-based research and consulting firm that developed a survey of accounting firms and their audit clients.
The Real Problem with
The Real Problem with SOX
At last, an unchallenged fact: SOX implementation is a lot more expensive than the regulators promised it would be. The initial estimates were about $91,000 per company for Section 404 compliance. Not even close: the CRA study showed that the average direct cost of complying with Section 404 at large companies (defined by a market cap of $700 million or more) was $8.5 million in 2004, while companies in the $75 million-to-$700 million range spent an average of $1.2 million. Smaller companies are not yet required to comply with Section 404.
Bell says those costs declined by as much as 44 percent for 2005. "It would not surprise us to see costs continue to decline," he says. "Maybe not as much as between year one and year two, but given the learning curve and the one-time costs, it should become more of a maintenance issue."
None of which changes the fact that SOX compliance is very hard on smaller companies. It not only costs them a relative fortune, but it may solve some problems that don't exist for investors, who already know that smaller companies probably carry greater risks than their larger, more-established counterparts.
Alan Musso is the chief financial officer of Targacept Inc., a development-stage biopharmaceutical firm in Winston-Salem, N.C., that went public on the Nasdaq exchange earlier this year. Obviously, his company wasn't deterred by the regulatory costsTargacept won't be required to comply until the end of 2007, a year after issuing its first annual report as a public companybut they are a big deal, nonetheless, for a young company with limited revenues to date. "We're not excited about the compliance costs, but it didn't change our plans," he says. "We would have to spend maybe $250,000 to $400,000 in the first year, and then there's the ongoing cost. That's hard to digest, because we don't see it adding value." He calls the regulations a "distraction that takes money away from developing our products."
It's not that small companies don't need or have strong financial controls, says Musso. Targacept has robust financial and accounting systems from Microsoft Corp.Great Plains (now Dynamics), he says, but it has not had to spend on the auditing processes. Still, Musso believes that SOX may push some businesses in the right direction. "Companies may be building themselves in a higher quality way around the SOX standards," he says. "But the challenge for companies like ours is the one-size-fits-all solution. We're not as complex as a large company. A lot of what SOX is trying to accomplish at a company our size is done just by having the CEO and CFO certify results, because at a company our size they actually know what's going on."
Relief may be on the way for smaller companies. An SEC advisory committee recommended in late April that companies with revenue of less than $125 million, and a market cap of under $128 million, be exempted from Section 404, and midsize firms exempted in part.
Senator Paul Sarbanes has challenged the recommendations, saying they exempt too many companies, that the committee included too few investor advocates, and that there may not be a statutory basis for the exemptions. "Fortunately, vigorous opponents of the recommendation have stepped forward," he told the Consumer Federation gathering in March.
Sarbanes may be correct that the SEC is suggesting too much of a revision to his namesake law, but it seems a move in the right direction. Such massive regulation is an uncertain science, and even if it is beneficial in general, there is certainly room for improvement.