Sometimes overlooked in the debate about SOX are the contributions it has made in generating a greater focus on improved corporate governance and stronger ethics and compliance programs. Needed improvement in audit quality is a continuing concern.
The Sarbanes-Oxley Act (SOX) of 2002 was enacted following a series of failures involving various functions designed to protect the interests of the investing public. Containing several highly controversial provisions, SOX created a total revision of the regulatory framework for the public accounting and auditing profession and provided guidance for strengthened corporate governance. It was considered to be the most far-reaching legislation affecting public corporations and their independent auditors since the 1930s.
SOX is widely credited for strengthening at least two major areas of investor protection:
(1) CEO and CFO responsibility and accountability for all financial disclosures and related controls; and (2) increased professionalism and engagement on the part of corporate audit committees. Yet some continue to question its overall value, citing, as an example, its failure to prevent the situations that led to the financial crisis of 2008.
One of the most controversial aspects of the SOX Act is Section 404, which requires company management to provide assertions of effective internal control over financial reporting and for the company's independent audit firm to attest to those assertions.
Congress has been repeatedly pressured to ease this requirement, which it did with the Jumpstart Our Business Startups Act (JOBS Act), passed by Congress and signed by President Obama on April 5, 2012. The JOBS Act contained a provision that eliminated the SOX Section 404 requirements for organizations that meet the definition of an emerging growth company.
Aside from requiring management's assertions and the auditor's attestation, SOX Section 404 also requires public companies to disclose whether or not they have adopted a code of ethics applicable to their senior financial officers. For companies listed on the New York Stock Exchange (NYSE), this requirement has been expanded to require listed companies to adopt and disclose on their websites a code of business conduct and ethics for directors, officers, and employees and to promptly disclose any waivers of the code for directors or executive officers. The NYSE also provides a list of topics that ethics codes should cover. NASDAQ has adopted similar requirements. All these requirements have significantly elevated the visibility of ethics and made a strong ethical culture a best practice for organizations of all sizes and types.
The significance of a strong ethical culture to organizational success has been the subject of many of my articles. An ethical culture makes it easier to attract the most qualified employees and minimizes the cost of employee turnover and retraining, which results in optimal productivity and higher profitability. The benefits of a strong social, environmental, and ethical reputation also resonate with a growing number of consumers who want to patronize such firms.
Audit Firm Performance
When evaluating the overall effectiveness of SOX, a vital consideration is whether the performance of independent auditors has improved over the last ten years. The importance of auditor performance is seen in the fact that the first subchapter of the act provides for a body "to oversee the audit of companies that are subject to the securities laws, and related matters, in order to protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports." Whether the revised oversight structure adequately regulates public company auditors appears to be an open question even after so many years.
Since auditing became a distinct occupation many hundreds of years ago, auditors have functioned largely as self-regulating professionals. Prior to SOX, important decisions regulating the profession were made largely or exclusively by the auditing industry, its firms, and auditors themselves. These included:
- Setting the bar for entry into practice.
- Promulgating the auditing and ethical standards that auditors should employ.
- Determining the quality of performance in using those audit standards.
- Determining whether an auditor violated ethical standards.
- Disciplining those who failed to practice properly.
When SOX was enacted, the practice of public accounting was divided into audits of publicly held companies and all other entities. SOX established the Public Company Accounting Oversight Board (PCAOB), an independent body under the oversight of the US Securities and Exchange Commission (SEC). The PCAOB was given the mission to set and enforce practice standards for a new class of firms "registered" to audit publicly held companies. Standards for not-for-profit and governmental entities continue to be set by the industry itself.
An annual speech by the PCAOB chairman has been the only public evaluation of the quality of performance of audit firms. These reports have expressed only general comments, not comprehensive statistics. In 2011, PCAOB Chairman James Doty stated that PCAOB inspectors had reviewed more than 2,800 engagements of the largest audit firms and "discovered and analyzed hundreds of cases involving what they determined to be audit failures." An audit failure is a defined term describing the most serious deviations from proper practice.
In his 2012 report, Doty noted, "Inspections continue to reveal an unacceptable level of deficiencies." He added that audit regulators around the world had "identified a gap between the purpose of the audit and its fulfillment" because of the possibility that "firms' cultures still impliedly encourage auditors to sell services to their audit clients and, if so, legal or illegal, whether such goals undermine the appropriate state of mind for auditors." These generalizations don't instill confidence in the users of professional auditing opinions.
The general requirement in SOX that all findings resulting from PCAOB inspections be held confidential hinders any analysis of perhaps the key measure of audit quality: audit failure. Public reports of annual inspections of specific audit firms contain no details of findings on individual clients. This protects the firm in case of actual or threatened litigation. The PCAOB does have the power to "unseal" portions of the confidential information if it finds that subsequent improvement efforts are "unsatisfactory concerning any particular criticism."
An example of a firm providing unrelated nonaudit services that could impair its independence involves Ernst & Young (E&Y) and the US Chamber of Commerce (USCC). A report by E&Y containing macroeconomic estimates of potential future changes in the US economy was sponsored by four industry organizations: the Independent Community Bankers of America, the National Federation of Independent Business, the S Corporation Association, and the USCC. These economic estimates were designed to show the possible detrimental effect on US jobs and investment by allowing the "top tax rates paid by business owners to rise sharply starting January 1 of next year." The results have been widely publicized by some industry and political lobbying groups, including several of the sponsoring organizations, though it isn't mentioned on the USCC website.
E&Y signed USCC's publicly available Form 990 not-for-profit tax return, which leads one to assume that E&Y is USCC's auditor. Yet in SEC Release 33-8183, "expert services unrelated to the audit" is one of the nonaudit services considered likely to impair an accounting firm's independence if provided to an audit client. One could argue then that an engagement designed as an instrument to directly foster the USCC's mission "to advance human progress through an economic, political, and social system based on individual freedom, incentive, opportunity, and responsibility," which the E&Y report appears to be, falls within the scope of services prohibited by SOX for public company audits and is problematic for other clients.
In an unrelated case of audit failure, on February 8, 2012, the PCAOB announced the censure of E&Y and imposed a $2 million penalty for faulty audits of Medicis Pharmaceutical Corporation for 2005, 2006, and 2007 financial statements, its largest civil money settlement to date. It also assessed censure sanctions on four E&Y partners for varying time periods. The respondents neither admitted nor denied the PCAOB findings and didn't consent to make the case public.
An analysis of firm performance reported in PCAOB firm inspections appearing in Between the Numbers showed a 20 percent rate of audit failure at E&Y for 2010, more than double the rate in the 2009 inspections. Compliance Week reported even higher audit failure rates at other large firms based on 2010 PCAOB inspections: 22 percent at KPMG, 39 percent at PricewaterhouseCoopers, and 45 percent at Deloitte. Presuming the sample of engagements selected by PCAOB inspectors for analysis is reasonably representative of all audit work performed by the firms, these statistics don't engender the confidence necessary for investors to trust the validity of financial information they are receiving.
To be fair, a great deal of the effectiveness of SOX depends on the vigor with which it's enforced. Questions remain as to whether the SEC's and Department of Justice's enforcement of SOX has been sufficient. A July 30 article in The Wall Street Journal notes that SOX's "biggest hammer - the threat of jail time for corporate executives who knowingly certify inaccurate financial reports - is going largely unused."
Although SOX has been successful in increasing corporate focus on a strong ethical culture in publicly owned companies, there's room for improvement in audit firm performance as well as the PCAOB's process for assessing and reporting on it.