Section 404(a) of the Sarbanes-Oxley Act, together with SEC rules implementing the provisions of the Act, require management to assess and report on the effectiveness of internal control over financial reporting (ICFR). It took a few years for the SEC to phase everybody in, but all public companies, large and small, are now subject to the requirement.
As pretty much everyone knows, however, S-0X 404 doesn't stop with a management report. Auditors get in on the action in Section 404(b). Therein is the lucrative requirement that an independent auditor attest to management's assessment regarding the effectiveness of their internal controls over financial reporting (ICFR). One person testifying before Congress has called the provisions of S-OX 404(b) the largest windfall to audit firm partners in history, and as I will soon describe, 6,000 more public companies await a new 'service' for which the benefits are, to be charitable, unclear.
Why S-OX 404(b) is Little More than Chicken Salad for Auditors
The corporate corruption scandals that got politicians moving on the Sarbanes-Oxley Act of 2002 were the result of fraud by CEOs and CFOs. ICFR can have little to no impact on the actions of the top executives, because they always possess the power to override internal controls, or sometimes to orchestrate collusive schemes that circumvent those controls. Thus, Section 404 cannot possibly do much to mitigate these particular sources of fraud risk; and there is no better example of that than Enron itself. I have been told (but have not verified) that Enron was the only public company to disclose with much pride and pomp that it paid its world-class, independent auditor to perform a separate evaluation of internal controls. Andersen's report was, of course, clean as a whistle.
No one should doubt as well, that Enron's relationship with its auditors wasn't much cozier than the norm, either. No matter who the client is, and especially if it is a big one, material weakness are generally only reported after an error has occurred; i.e., after a control has obviously failed. Thus, all the machinations to test ICFR, and prevent a control from failing, don't add much beyond the testing of account balances that occurs as part of the regular financial statement audit.
So, it remains questionable at best, that S-OX 404(b) has created a safer environment for investors to trade their shares. Auditors, on the other hand have been champing at their bits, waiting for the SEC to throw them some fresh meat: the 6,000-odd smaller public firms (technically, "non-accelerated filers) who are not yet required to pay for an ICFR report.
Chicken Salad Days Appear on the Horizon
The auditors received some good news on that front a few days ago when the SEC announced that the stay of execution for non-accelerated filers would be extended only until their annual reports for fiscal years ending on or after June 15, 2010. Chair Schapiro and one other commissioner also issued statements to 'assure investors' that no further extensions would be granted.
Indeed, the SEC's Office of Economic Analysis has completed the last of the SEC's go-through-the-motions machinations to steer S-OX 404(b) through the gauntlet of thousands of irate registrants who resent the additional audit fees imposed upon them -- and the additional hoops they must jump through. And, what did OEA's report have to say? As it turns out, not much at all. Although changes to SEC and PCAOB guidance may have reduced the cost of S-OX 404(b) implementation for companies that currently must comply, OEA did not even address the key question: whether the costs of complying with S-0X 404(b) has been less than the benefits, or whether benefits can be expected to exceed the costs of compliance for the 6,000 companies in line to be plucked. It must surely be the case for non-accelerated filers that initial implementation costs are most onerous, especially in an economic down cycle. But nothing so obvious and significant was to be found in the OEA's report.
The Skinny on the Costs and Benefits of Section 404(b)
If I were writing OEA's report, I might have begun and ended with the following modest, albeit virtually dispositive, back-of-the envelope calculation: The total value of all public traded equities in the U.S. is very approximately $14 trillion, based on information available from indexes published by Wilshire Associates. Let's conservatively assume that each and every non-accelerated filer has a total market cap of $75 million, which is the maximum market cap for a non-accelerated filer. Even under that very conservative assumption, 6,000 non-accelerated filers comprise (at the very most) only 3.2% of aggregate equity values.
In the best of worlds (i.e., assuming that there is real information in an auditor's attestation report) can the new fees that auditors will charge these 6,000 smaller companies provide loss protection that will cover the billions of dollars in aggregate fees? Don't bet on it.
In fairness, the SEC would say that their hands are tied; S-OX directs the SEC to require ICFR attestation reports from all public companies. So, what should really happen is for Congress to wake up and amend S-OX to permanently exempt non-accelerated filers from the requirements of Section 404(b). Will it happen? Don't bet on that one, either.
What upsets me the most is that chair Schapiro is once again catering to the wishes of the Big Four instead of affecting much needed reform, as she has pledged to do. Schapiro should use her bully pulpit to inform Congress that they have created an obvious case of excess regulation. Notwithstanding the sorry fact that S-OX 404(b) has devolved into a waste of time for all issuers, to extend it to non-accelerated filers would be nothing less than criminal.
Instead, of rushing to require ICFR audits, why don't we just sit back and wait to see how many non-accelerated filers will voluntarily submit to an examination of their ICFR – just like Enron did.
Tom,
I'm surprised to see you coming out so harshly against 404(b). I understand your consternation at the windfall the auditors received form what's been don so far. However, the auditors who will perform these services for the small companies are not the Big 4 or even the next tier, but the smaller, regional firms. Although registered with PCAOB because of having public clients, their participation has been limited thus far.
There are numerous benefits to Sarbanes-Oxley, not all of which can be reduced to raw numbers to easily compare to the hard costs. One is the heightened awareness by amangement that there are costs and penalties to accounting manipulation, even if it does take the plaintiff's bar to impose them most effectively.
And yes, so much of what Sarbanes-Oxley is intended to do is limited by the all powerful executive override. But if the auditors did what they are supposed to do - start at the top with the risk assessment, assess entity level controls first - we would have a lot more companies and their manipulating management stopped in their tracks. Auditors are not calling out these executives, not resigning from engagements, not refusing to work for corrupt companies, not issuing going concern opinions, not upsetting the status quo because they are beholden to management and their fees instead of serving the shareholder. The tools, the frameworks, the opportunity are all there. I criticize the auditors, not for doing a job that needed to be done - forcing companies to document, and improve and stand behind their internal controls over financial reporting - but for what they don't do. Their public duty.
Posted by: Francine McKenna | October 07, 2009 at 06:53 AM
I searched for the keywords "internal control" in Enron's annual report on form 10-K in the SEC's EDGAR system and came up with zero hits. I did not find any additional assurance report by their auditors or an assessment of internal control by Enron's management.
You hit the nail on the head concerning the SEC's study on the costs and benefits of section 404. The SEC's Office of Economic Analysis and its Office of the Chief Accountant completely missed the boat by not asking and answering the key research questions that are the basis for deciding on an exemption of non-accelerated filers from section 404 (or at least 404(b)). Those questions should be: How much is the estimated cost average long-run annual cost or compliance with section 404(a) and with section 404(b) for NON-ACCELERATED filers? Do investors/analysts that actually invest in NON-ACCELERATED filers think that the benefits outweigh the costs when they are provided with the cost estimate when the question is asked so that they can make an INFORMED decision? After all if the investors bear the costs of investor protection regulations through reduced net profits or reduced cash to service interest payments, then the cost of regulation should not exceed the benefits that these investors perceive coming from this regulation.
Guess what? The SEC explicitly says that it does not answer the first question in its study without explaining why it does not. There are numerous articles on the determinants of audit fees that use multiple linear regression models. It would be quite easy to build such a model from data of small accelerated filers that could act as a proxy for non-accelerated filers to determine the audit fee increase that is attributable to section 404(b). You then simply plug in the non-accelerated filer's financial determinants (total assets, inventories and receivables divided by total assets, number of consolidated subsidiaries) plus the section 404(b) factor determined in the first step, and guess what, you get an estimated audit fee for the non-accelerated filer.
The SEC said that they even interviewed 30 people from investors, lenders, security analysts and rating agencies about the costs and benefits. However, the SEC admits that those investors and analysts do not even invest in non-accelerated filers and thus have no experience with this group. In addition, the SEC admits that the people they asked have no information about the issuers' cost of complying with section 404(b). It's likely that most people will see some benefit, but without information how much the net profit to investors or cash for interest payments will be reduced, the interviewees are asked to fish in the dark.
Prof. Aldhizer, who was tasked by OEA to do the study told me that it had been put on hold for a while. In my opinon, the SEC is late and has completely missed the boat with its study design to provide information that is relevant to the Commissioners' decision.
Posted by: Georg Merkl | October 09, 2009 at 05:27 AM
I think Sarbox is a scam and should repealed. The belief in the magic of internal control to eliminate fraud, is just that, a belief in magic.
Posted by: Independent Accountant | October 12, 2009 at 04:17 PM
Francine:
I'm surprised to see you NOT coming out harshly against 404(b) (to the extent that it matters).
I’m glad you understand Professor Selling’s consternation at the windfall the auditors received from what's been done so far, but that’s not the core issue.
When you wrote “However, the auditors who will perform these services for the small companies are not the Big 4 or even the next tier, but the smaller, regional firms. Although registered with PCAOB because of having public clients, their participation has been limited thus far.”, I’m not sure how that addresses the core objections in the post, which focus on the ineffectiveness and lack of positive benefits relative to a costly retrospective evaluation which offers no control over executive override, which you concede by writing “And yes, so much of what Sarbanes-Oxley is intended to do is limited by the all powerful executive override.”.
If you believe that the oft-delayed requirement for smaller companies to comply with 404(b) is somehow justified because windfalls will now accrue to the entire domain of public company auditors rather than just the first-tier, I think that’s a problematic expectation. The stratified implementation is a recipe for greater Big 4 profits.
When smaller firms, dealing with inherently more problematic clients (i.e., companies with smaller and less specialized corporate accounting staff and therefore more difficulties with COSO) start making ICFR attestations, they will do so with the steep part of the learning curve in front of them. It’s entirely possible that will cause smaller firms to have more adverse PCAOB examinations and direct more audited to seek the experience of the Big 4. Simply put, the Big 4 have a significant “first mover” advantage in dealing with ICFR attestations and 404(b) presents barriers to entry. I think this will tend to ossify the “Big 4 and everybody else” structure of the public accounting industry.
Further, I hope I’m wrong, but there are signs of “regulatory capture” with the PCAOB and its tendency to staff from Big 4. The board may be required to have a majority non-CPA composition, and we can question the wisdom of making being inexperienced and unqualified as the prime qualification to regulate an industry; however the job requirements for PCAOB staff often more than subtly require elite firm management experience as a principal experience requirement.
You then proceed to assert “There are numerous benefits to Sarbanes-Oxley, not all of which can be reduced to raw numbers to easily compare to the hard costs.” That might be true in some respect; but if INQUANTIFIABLE; these benefits should have identifiable and observable effects that make their value QUALIFIABLE. Where are these qualifiable benefits? Moreover, there’s evidence from economic studies that these costs are causing real harm; companies “going dark” or failing to go public in the first place-restricting their access to capital markets and reducing investment opportunity to the public.
I am also skeptical of your statement that Section 404(b) provides a “heightened awareness by management” of the “costs and penalties to accounting manipulation”. My reaction to this is “huh”? There have been generally applicable federal securities laws since 1933 with onerous penalties for violation. Since then, every successive piece of legislation, their preambles or the speeches of sponsors gravely intones about the need for “order” or “integrity” or “honesty” in securities markets with the implicit promise that whatever proposal is being floated will prevent the next big fraud. With each succeeding fraud we get more laws, regulations and rules.
There might be a temporary abatement; but time will make less SOX less conspicuous and the calculations of the dishonest won’t be affected by its existence at all. We know from SAS 99 that fraud has three elements; and no airtight prevention.
From a profession aspect; the worst aspect of SOX is the subordination of the accounting profession to the bar. I suspect you realize this as you write “even if it does take the plaintiff's bar to impose them most effectively”. I didn’t sit for the CPA to be a subordinate handmaiden to lawyers. If I wanted or could even tolerate the abstractions and imprecision of the law; I would have “Esq.” after my name, not “CPA”, as it seems far more rewarding and less fraught with professional peril. The judgment that will be required with 404(b) in smaller companies looks like a field day for the legal profession. Indeed, I now understand the comments I saw on a public affairs cable channel after Sarbanes-Oxley’s passage in which a speaker joked to a legal conference that Sarbanes-Oxley really should’ve been named the securities attorneys’ full employment act.
As a practical matter, I think of my now several year old memories from my brief time in the Big 4 back in the early days of SOX. I remember binders full of lists of controls generated by specialized software and long hours mindless checking the associated boxes, often with minimal thought due to time constraints. I was part of a huge staffing rush, the costs of which were of course passed on to clients. As an older non-traditional hire, I was flatly and publicly informed my employment was a direct result of Sarbanes Oxley that the firm I worked for had never hired staff over the age of 40 before the rush to staff for SOX. (I of course walked away shaking my head wondering if this individual realized that statement was an indictment of an industry begging for an Age Discrimination in Employment Act action)
Perhaps AS5 has limited the mindless check-the-box aspect of the ICFR, but based on evidence and experience I still suspect that it adds little value to the investing public, but much to the billable hours of the external auditor.
Posted by: Superheater | October 15, 2009 at 07:27 AM