Explorations of Specific Sarbanes Oxley Sections


The Sarbanes Oxley Act (SOX Act 2002), also called the Public Company Accounting Reform and Investor Protection Act or the Corporate and Auditing Accountability and Responsibility Act, came into effect in July 2002 and applies to all public companies in the U.S. The Act was intended “to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws and for other purposes”. The SOX Act was drafted by Senator Paul Sarbanes and Representative Michael Oxley. The enactment was thought necessary as a result of several accounting scandals, such as those at Enron, Tyco International and WorldCom, where investors lost their investments as a result of misrepresentations in the financial statements. The Act has eleven titles and has strict compliance requirements.

The Act led to the creation of the Public Company Accounting Oversight Board (PCAOB), which is meant to oversee and regulate the audit firms in order to protect investors by ensuring that the auditors provide fair and independent audit reports (PCAOB, 2010). The enforcement of the Act is the responsibility of the Securities Exchange Commission (SEC). The Act was intended to protect investors by making financial reporting more reliable through more disclosures and more transparency. The SEC endorsed PCAOB’s Auditing Standard 5, An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements, but also provided its own guidance, Commission Guidance Regarding Management’s Report on Internal Control over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, in June 2007 (Public Company Accounting Board, 2010).

The Act achieves this by strengthening the internal controls, introducing new levels of internal control, demanding full disclosure in the financial statements and requiring more transparent corporate governance. The Act requires Chief Executive Officers (CEOs) and Chief Finance Officers (CFOs) to be more accountable for the financial statements by specifying more responsibilities in financial reporting and by enforcing strict internal controls. The annual financial reports should include an assessment of the internal controls of the organization. The consequences of non-compliance vary by section of the Act, but they include penalties for the CEO and the CFO, removal from the stock exchange listing, loss of directors’ and officers’ insurance, or imprisonment.

Section 404 of the SOX Act 2002

Section 404 of the SOX Act 2002 is listed under Title IV (Enhanced Financial Disclosures) of the Act and refers to Management Assessment of Internal Controls. The section requires that public companies report, within their annual reports, on the adequacy of the organization’s internal control structures and procedures for financial reporting and assess their effectiveness. This assessment of the procedures and structures for financial reporting and of the effectiveness of the internal controls should be affirmed and reported by a registered accounting firm (AICPA, 2010).

This is meant to improve the transparency and reliability of financial reporting. The annual report should contain: a report on the management’s responsibility in instituting and maintaining strong internal controls; a report identifying the structure and framework the management has used in assessing the effectiveness of internal controls; a report on the management’s assessment of the internal controls; a disclosure report on any material weaknesses; a statement that the auditors have assessed and attested the management report; and the attestation report by the registered audit firm (U.S. Securities Exchange Commission, 2010). Section 404 also requires that companies report on any major changes in internal controls that may have happened in the previous fiscal year.

The SEC defines internal controls for financial reporting as “A process designed by, or under the supervision of the principal executive and principal financial officers and effected by the board of directors and the management, to provide reasonable assurance regarding the reliability of financial reporting and financial statements for external purposes and according to the generally accepted accounting principles (GAAP)” (American Institute of CPAs, 2010). Internal control for financial reporting includes the policies and procedures that ensure accurate maintenance of records pertaining to the transactions that relate to the organization’s assets; that allow the management to give assurance that financial transactions are recorded according to GAAP rules and that receipts and expenditures are properly authorized; and finally that provide a structure for early detection and overall prevention of unauthorized material transactions. The internal audit department forms part of the internal controls and assures the management and the audit committee of the effectiveness of the internal control structure.

The SOX Act applies to companies of all sizes. However, small companies had a longer compliance period, as they may not have had the financial power to meet the requirements at short notice; they were expected to start complying by April 2005, whereas the other companies had to comply one year earlier. There were no exemptions from the internal controls reporting requirement, only extensions of the compliance dates for foreign firms. Foreign firms with a market capitalization of more than $700 million were to comply by July 2006, while those with a market capitalization of less than this were to comply by July 2007. Registered investment companies are exempted by the SOX Act from submitting the internal control report, and so are asset-backed issuers, as their reporting on financial statements is generally different from that of other types of businesses.

The Effect of the Regulation

The practicality of SOX 404 has been criticized by businesses and lawmakers. One reason is the increased regulatory burden, which has resulted in additional costs for companies; the impact is more serious for small companies, whose costs are disproportionate compared with those of big firms. The critics have argued that the regulatory and compliance costs far outweigh the benefits. The costs relate to the maintenance of internal controls and to paying the independent registered accounting firm that does the attesting. A survey conducted in 2007 by Financial Executives International reported that the average compliance cost for section 404 was $1.7 million (Florham, 2007).

The same survey indicated that the audit fees for the same period had also increased by 1.8 percent compared with the year 2006. These compliance costs include an increase in audit fees, directors’ and officers’ insurance, legal costs, directors’ compensation costs and reduced productivity while the staff were being trained on the compliance rules. This has led to proposals for amendments, and two amendments were adopted by the Financial Services Committee: the first requires GAO to perform a cost-benefit analysis of the compliance and regulatory costs for non-accelerated filers (companies with a market capitalization between $75 million and $250 million), and the second would exempt non-accelerated filers (the small companies) from section 404 and require the Securities and Exchange Commission (SEC) to devise affordable ways for non-accelerated filers to comply.

Assessing the effect of the SOX Act has not been easy, as the timing of the implementation of the Act’s requirements coincided with other financial, economic and political changes (Iliev, 2010). However, using a quasi-experiment that compared companies that had submitted their first management reports (MR) with those that had not, Iliev concluded that complying with section 404 of the Act resulted in more conservative reporting and in audit fees that increased by 98 percent for small firms. Using regression discontinuity analyses to compare the buy-and-hold returns of the MR filers and non-filers among the small firms, Iliev concluded that the returns were 17 percent lower for the filers than for the non-filers.

A similar experiment was conducted for the foreign firms nearing the 2006 compliance deadline with a cutoff of $700 million. This experiment concluded that the audit fees for those foreign firms that did not submit the audit report were 30 percent less than for those that did, and the discretionary accruals were less by 2.3 percent. These two experiments showed that the costs of SOX compliance are higher than the benefits. The expectation of improved financial reporting was to safeguard investments. As such, SOX 404 implementation should ideally have led to a positive change in the earnings per share (EPS).

According to Iliev, those companies that filed the management report had a higher percentage reduction in the EPS, of approximately 19 percent, compared with those that did not file the MR. This means that the filers had lost their discretion in reporting. The foreign firms and small firms reacted positively to the extension of the compliance date and negatively to the fact that the Act was after all going to be implemented. The above reasons lead to the conclusion that SOX 404 compliance resulted in increased costs, a decrease in discretionary earnings, and a decrease in stock earnings. Thus the costs outweigh the benefits.

After recognizing these negative effects of compliance, the PCAOB advised that auditors should shift from the detailed bottom-up assessment to a top-down approach, which is more risk-based and which the board recognizes to be more effective. This approach starts at the financial statements level and concentrates on the transactions that need more focus, rather than digging deep into transactions that may not produce material defects.

Impact on private companies

The SOX requirements and enforcement applied only to public companies. The only private companies that were affected were those planning to be listed on the stock exchange, those merging with public companies, those issuing publicly registered debt and those conducting business with Government entities. However, the SOX rules have been accepted by several companies as “best practices”. Thus private companies face pressure to comply from auditors, from quality independent directors who may want to join these private companies, and from investors. With regard to SOX 404, the pressure to comply centers on strong internal controls and retention of proper documentation. Voluntary compliance by private companies is considered a way of reducing risk and is viewed positively by insurance providers, banks and lenders.

Potential benefits

SOX has been heavily criticized as being too expensive, especially for small firms. However, compliance has its advantages. The proponents of SOX 404 have argued that the requirement for improved internal controls will lead to improved and transparent financial reporting, and that the improved internal controls benefit all the stakeholders (U.S. Securities Exchange Commission, 2010). The financial reports are more accurate and reflect the true picture of the organization. This is an advantage to investors, as they can make their investment decisions from an informed point of view. Transparency also leads to a lower cost of capital, as lenders and potential investors have increased confidence in the reliability of the financial statements. The internal control requirement has helped in identifying the vulnerabilities that had been present in the Information Technology area in most companies (Rittenberg and Miller, 2009). The proponents have also argued that the compliance costs were only overwhelming at the early stage of implementation and are likely to fall in future. These costs are expected to fall as companies shift from human-based auditing to an increased use of IT in audit.

Some of the more specific control improvements include: an all-round control environment that involves the management, the board of governors and the audit committee; more intense antifraud activities; more accurate and correct transaction entries; quick correction of computer errors; segregation of duties and more rigorous reconciliations of accounts; and an improvement of the audit trail. On specific internal control categories, research by the IIA Research Foundation indicated an improvement in the control environment category and in the anti-fraud processes (Rittenberg and Miller, 2009). The control environment category assesses the operating style and ethical values of the top management and the responsibility and effectiveness of the board of governors and the audit committee. The disclosure involves assessing whether the amounts in the financial statements exist and are complete, and whether the rights and obligations of the represented figures are correct.


An example of a company that complied with the SOX Act and was positive about its effect is General Electric. General Electric (GE) spent approximately $30 million on section 404 compliance, and the CFO had this to say about it: “GE had good controls before this, but it [section 404] has added more rigor, it certainly gives CEO and me more confidence when we are signing off on the results” (Rittenberg and Miller, 2009).

The management of Chevron has a statement on its website that indicates the management’s responsibility for the financial reports and states that the financial statements have been audited by a registered audit firm, PricewaterhouseCoopers LLP, as per the requirements of PCAOB (Chevron 2007).

Brady Corporation is an example of a company that is making use of IT in its attempt to reduce the compliance costs. Brady Corporation uses the software AssureNet GL to perform its general ledger reconciliations, a requirement of the internal controls. The company’s Financial Director, Todd Endres, said, “Before we had AssureNet GL we had no visibility into how our 60 reporting units were performing. Now, I know reconciliations are completed… I’m notified if reconciliations are delinquent. When it comes to SOX 404 compliance, this solution is leading edge”. This shows that with proper technology, what seems a daunting task can be made lighter, which reduces the cost and releases labor for other duties (Trintech 2010).


The financial costs may outweigh the benefits. This is bound to change in the long run as companies and other stakeholders look for ways to reduce the costs and improve efficiency. Auditors should make use of technology to carry out the internal controls audit more easily, quickly and efficiently. The requirements have helped win back the investors’ confidence that had been eroded after the high-profile accounting scandals. Managers should apply the lessons learnt and improve the internal controls and the reporting by involving the line managers in the internal control improvement, improving planning, making use of the internal audit, involving the management, reducing external costs and providing management leadership (Rittenberg and Miller, 2009). This will in future result in benefits for the investors. On the other hand, the regulatory agencies should devise ways to make the process more friendly and acceptable by providing more guidance, placing more emphasis on a risk-based approach in auditing and introducing special compliance requirements for small firms. With these recommendations, section 404 of the SOX Act will attain the goal for which it was intended, winning the investors’ confidence, and at a cost that is favorable to all the stakeholders.

