The bankruptcies of Enron in 2001 and Worldcom in 2002 were due, in large part, from financial reporting irregularities. The sheer magnitude of Enron’s collapse (Enron had revenues of over $100 billion), the nature of some of their accounting practices, and complicity of other firms who turned a “blind eye” to the questionable transactions, created a crisis in confidence for investors who rely upon the financial statements of publicly traded companies in making investment decisions. In short, investors no longer had confidence in the financial statements being prepared by companies, and audited by public accounting firms.
USA Sarbanes-Oxley Act of 2002 “SOX”
In order to restore confidence in U.S. capital markets, the Sarbanes-Oxley Act of 2002 “SOX”, came into on July 31, 2002. The law was sponsored by Senator Paul Sarbanes, and Congressman Michael Oxley. The law is far-reaching and comprehensive, but its basic objective is to strengthen corporate governance and restore public confidence. Amongst other things, SOX requires the following of the CEO and CFO of publicly traded companies 1) they must personally certify the accuracy of the financial statements, 2) they must certify that the internal controls are designed to prevent or detect material errors and have been operating effectively, and 3) they must provide documentation that supports the certifications. SOX 302 is the section that covers the above certification requirements. Another section – SOX 404 goes further – it requires that companies’ external auditors offer an opinion on the company’s assessment of its internal controls. This is the most contentious component of SOX as it greatly increases the audit scope and therefore the costs for compliance for companies.
Another significant change brought about by SOX was in the area of conflict of interest. A post mortem review of Enron by the SEC revealed that numerous stakeholders, including public accounting firms, investment bankers, rating agencies and analysts were not able to be objective in their dealings with Enron for fear of losing lucrative fees. Enron’s public accounting firm – Arthur Andersen, provided considerable consulting services to Enron, and this clouded their professional skepticism and objectivity in offering opinions on financial reporting. In order to prevent conflicts of interest between the company and its public audit firm, audit firms can no longer provide other consulting services to the companies that it audits. The public accounting firms are now regulated by the Public Company Accounting Oversight Board (PCAOB), a board made up of five members appointed by the Securities and Exchange Commission (SEC), whose primary role is to oversee public accounting firms and their relationships with public companies. The mandate of the PCAOB includes; 1) registering public accounting firms, 2) establishing code of ethics, 3) inspecting registered public accounting firms, and 4) imposing sanctions.
The initial wave of certifications in the U.S. pertained to large companies and became effective for 2004. The guidance provided by the SEC to external auditors and companies was based on Auditing Standard #2 which was very “prescriptive”. AS#2 detailed the steps required for companies to become compliant, and for their audit firms to offer their opinion on the company’s assessment of internal controls. AS#2 also held that internal controls had to be designed so that the likelihood of material error was “remote” – in other words the bar was set very high. Consequently, there was an enormous amount of time and money dedicated to the SOX certification processes in the US, which by some estimates had large companies spending close to $4 million in 2005 to become compliant. These costs have been reduced in the ensuing years but are still significant. As a result, during late 2007, Auditing Standard # 5 was released by the SEC. AS#5 essentially reduces the burden by requiring that internal controls provide a reasonable assurance (compared to remote chance) of preventing material errors. It also provides that companies should take a “top down” approach by reviewing the major items and drivers on their financial statements and focusing on those risk areas. Furthermore, “entity level” controls should be included in the overall internal control framework. Entity level controls pertain to the “tone at the top” of the organization and the measures that are in place at head office to ensure the review and accuracy of financial information.
So, has all the time and money been worth it? This has been and continues to be a debated issue, but I will weigh in with my opinion – yes it has most definitely improved and restored investor confidence in public markets! And, if it prevents future Enron’s, where thousands of honest, hard working people were duped and lost their life savings, it is well worth it. The costs and efficiencies of compliance will improve over time, and the SEC is being flexible in this regard. Recently the SEC indicated SOX compliance for U.S. small cap public companies will be deferred until 2009.
The SOX implications to Canadian companies is quite profound and is discussed elsewhere in further detail (See C-SOX / Bill 198). At a glance, just know that Canadian legislation that is very similar to SOX, was introduced in Canada in 2002, and that 2008 is the year where full compliance for all publicly traded companies listed on the TSX will be required.
Edelkoort Smethurst Schein CPA’s LLP would be happy to assist with any questions or requirements regarding SOX or Bill 198.