September 1, 2007

Unintended Consequences

Five years after Sarbanes-Oxley jacked up auditing costs for public companies, its authors defend the landmark law for restoring investor confidence.

Five years after Sarbanes-Oxley jacked up auditing costs for public companies, its authors defend the landmark law for restoring investor confidence.

It has been more than five years since the Sarbanes- Oxley Act was signed into law in the aftermath of the accounting fraud epidemic that brought down Enron Corp., Worldcom and other large public companies. It sailed through Congress with only three dissenting votes in the House and was hailed as the most significant securities legislation since the 1930s.

The Public Company Accounting Reform and Investor Protection Act of 2002, also known as Sarbox or sometimes just SOX, created a board to police accounting industry practices, strengthened rules to ensure the independence of corporate auditors, raised accountability standards for corporate officers and directors, and enhanced the quality of financial reports issued by publicly held companies. The law was intended to restore confidence in accounting practices at publicly held companies and curb the personal use of corporate funds by arrogant or “imperial” chief executive officers.

But almost immediately, unintended consequences— mountains of paperwork and high compliance costs—became apparent to corporate executives struggling with the law’s complexities. One of the biggest problems was Section 404, which directs managers at public companies to review and assess internal auditing controls every year. Strict interpretation of this section contributed to the high cost of compliance.

Sarbox has proved to be a windfall for public accounting firms, especially the Big Four, which have been freed by aspects of the law to add billable hours, boost fees and reduce collaborative services at will. Boston-based AMR Research estimates that companies spent $6 billion complying with SOX in 2006 (essentially unchanged from the 2005 level), with 39% of that going to internal workforce, 32% to technology and 29% to external consulting.

Sarbox energized a range of critics including former Federal Reserve Board Chairman Alan Greenspan, Treasury Secretary Henry M. Paulson Jr. and New York City Mayor Michael Bloomberg. Greenspan, speaking at a November investor conference, said that Sarbox was “a cost-creator with no benefit I’m aware of.”

Chief financial officers at publicly held service centers agreed during a recent Forward panel discussion that the new law achieves its goal of improving the quality of company financial records (see “Great Expectations”). But they complained about the excessive cost, punitive interpretations of the law by accounting firms that seem more interested in their own well-being than their clients’ and loss of a consultative relationship with public accounting experts.

“We’re paying significantly more than we used to,” says Karla R. Lewis, executive vice president and chief financial officer of Reliance Steel & Aluminum Co. in Los Angeles. “When I got our quote for this year and saw the total hours, my comment was, ‘Those hours—with what they relate to in full-time equivalents— that’s almost my entire corporate accounting staff.’”

Across the corporate world, in the United States and also in Canada, where companies that want to do cross-border business often must certify their books as Sarbox-compliant, the complaints have been loud, persistent and anguished. They also have been heard. July changes to U.S. Securities and Exchange Commission (SEC) guidelines on Sarbox implementation may direct auditors—especially at smaller companies— to focus on major issues, not minutiae, and in the end, save those companies money.

It is still to be determined whether these changes go far enough to mitigate the cost and complexity of compliance.


To understand how Sarbox came into being, flash back to the fall of 2001 when Enron, once one of the country’s most admired companies, collapsed in a bewildering array of accounting chicanery, financial deceit and lies by its top executives.

The tidal wave that broke over the Houston-based energy giant also swept away the prestigious accounting firm Arthur Andersen, which was found guilty of obstruction of justice related to shredding Enron audit documents, although that verdict was later overturned. At the time of the initial verdict in 2002, there was a clamor in Congress for legislation to ensure that fraud—in Enron’s case, hiding transactions off the balance sheet to enrich managers and mask the company’s true financial condition— would never happen again.

“The goal all along was to restore confidence,” says Michael Oxley, the former Republican congressman from Ohio who co-authored the legislation with former Democratic Sen. Paul Sarbanes of Maryland. “The U.S. capital markets had just lost $8 trillion, four times the GDP of France.” Fifteen percent of mutual funds were redeemed by nervous investors, he adds. “The goal was to provide transparency and to remove the uncertainty that was overhanging the market.”

Oxley, now a partner in the Washington, D.C., office of Baker Hostetler LLP, says that when Sarbox was signed into law by President George W. Bush on July 30, 2002, the Dow Jones average was slightly above 7,000.

“I don’t want to be like the rooster who takes credit for the sunrise, but the increase in investor confidence was a big factor here,” he says.

What about the barrage of criticism leveled at Sarbox by corporate executives and academics? “People do not appreciate what was happening in the markets back in 2001 and 2002,” Sarbanes says. “The precipitous loss in investor confidence exceeded anything the U.S. had witnessed since the 1930s. You had phony earnings, inflated revenues, conflicted Wall Street analysts. It was a systemic breakdown, a total breakdown.”

Sarbanes argues that many companies have used the law to locate weaknesses in their operations and improve them. “Despite all the grumbling, the reform has been well worth the trouble,” he says. As the former Maryland senator sees it, many companies with weak internal controls “have nipped a lot of problems in the bud.”

He also suggests that the recent changes by the SEC will ease the burden on companies. “We’re hopeful about that,” he says. “The objective is to move away from checking every box, dotting every ‘i’ and crossing every ‘t,’ and to focus on the material risks.”

Oxley and Sarbanes point to shortcomings in the way Sarbox was implemented by the agencies responsible for implementing the law—the SEC and the Public Corporate Accounting Oversight Board (PCAOB), a new agency created by the law itself. Oxley, in particular, has zeroed in on missteps by the SEC and PCAOB, such as casting too wide a net instead of focusing on the internal controls that pose the biggest risk of misstatements.

Oxley says he doesn’t think Congress needs to change the law. The sharp rise in compliance costs, he says, has been driven not by the requirement for internal controls but rather the requirement for validation and certification by outside accountants. “My job now is to continue to push the SEC and the PCAOB to make it work and to achieve a better cost-benefit ratio,” Oxley says. “You have a two-part system where the internal audit and the internal controls … are subject to oversight and re-evaluation by an outside auditor. That's what is driving most of the costs.”

In practice, accounting firms have taken a conservative stance in assessing “material” weaknesses and often “have not done a good risk-based audit,” Oxley asserts. But he adds that recent steps have been taken by the SEC to alleviate this and to reduce excessive costs.

PCAOB Chairman Mark W. Olson said in a statement that SOX, “has been vital to the renewed investor confidence in financial reporting that we have seen over the past few years.” SEC Chairman Christopher Cox was unavailable for an interview but, in speeches, has defended the law for restoring integrity while acknowledging problems that needed to be fixed.

Auditing firms took a strict interpretation of the law and didn’t distinguish between relatively minor material weaknesses and ones that could cause a company to implode, in the way of Enron or WorldCom. “What the SEC wants to do is say, 'Let's take a realistic look at this and see what are the highest risks down to the lowest, and go after the higher risks first,'” Oxley says.

But he agrees with Congressional critics who blast the “onesize- fits-all” mentality embraced by the SEC and PCAOB. “They are right,” he says. “It goes back to the failure of regulators to scale down the requirements for small companies.”

A survey by Financial Executives International (FEI), a trade association representing 15,000 CFOs and other senior finance executives, reported that companies with a market value of less than $100 million were expected to spend 2.55% percent of their revenue complying with Sarbox versus only 0.16% of revenue for companies with market values topping $1 billion.

“There is a strong record showing that the costs of complying with Section 404 are large and disproportionately high for small public companies,” Thomas M. Sullivan, chief counsel for advocacy at the Small Business Administration, said at a Senate Small Business Committee hearing in June. He asserted that the excessive cost of Section 404 “may restrict a new generation of small innovative companies from seeking capital in the U.S. capital markets.”

An FEI survey in May found that Section 404 compliance costs are declining, but that audit fees remain virtually unchanged. The association polled 200 large companies, with revenues averaging $6.8 billion, and pegged average costs for Section 404 compliance at $2.9 million in fiscal 2006, a 23% decrease from 2005.

Companies reported that they required an average of 18,070 people hours internally to comply with Section 404, a 10% drop from the previous year. But audit fees for 404 averaged $1.2 million in 2006, less than 1% below the 2005 figure.

Of all the Sarbox snarls, none was bigger than the liability issue and the related definition of “material” and “significant” when referencing events that impact a company’s profit. Virtually no guidance was given in the legislation itself or in the standards produced by the PCAOB on how to determine if an event is material or significant, or whether it is simply a minor occurrence with no significant impact.

The new SEC guidelines offer a definition of significant deficiency as one that is less severe than a material weakness, yet important enough to merit attention.

On a broader basis, the new standards are less prescriptive and direct auditors to focus on what matters most. “Management and audit committees now can engage in a more meaningful dialogue with their auditors to ensure that auditors are focused on what matters—risk and materiality— and not on rote compliance with a rulebook,” the SEC said.

Will the new rules make a difference? Lewis is skeptical because Reliance's auditors said they have taken the guidelines into account, “and there are no savings to us.”

Stephen Bainbridge, a law professor at University of California, and author of the recently published book, “The Complete Guide to Sarbanes- Oxley,” says the rule changes will help some, but not as much as the SEC would like to believe.

“I think the potential collision comes when you ask the question, ‘Who in the company decides how much money is spent on this?’ The board and the managers are on the hook legally, but at the end of the day, that money is coming out of the bottom line. It’s shareholders’ money.”