Taming Sarbanes-Oxley

November 21, 2006 from Ventana Research – “Ventana Research believes public companies are the winners in the latest set of reforms regarding interpretation and enforcement of the Sarbanes-Oxley Act. This not to say the act is dead, but as we noted earlier this year, it is clear that the compliance pendulum is swinging away from stringent controls. The changes that the United States Securities and Exchange Commission (SEC) recently indicated it will make (or is seriously considering) will make compliance much less onerous for larger public companies, and it now appears likely that small public companies will be exempt from having to file.

Recently, the SEC indicated it would unveil major changes to rules governing implementation of the Sarbanes-Oxley Act (SOX). Calls for tossing out or implementing a major overhaul of SOX section 404 began in 2003, not long after Congress passed the law, as companies felt its impact on their annual auditing processes and the cost associated with compliance. Predictably, as memories of the financial scandals of the early decade fade and Sarbanes-Oxley opponents continue to blare their message, pressure has been building for reform. Most larger companies have gone through two cycles of audits under the law, and they have been lobbying heavily to change how it is enforced. In particular, many firms are dissatisfied with what they see as a nitpicking approach by their auditors. There seems to be general agreement that companies should be able to use a top-down, risk-based approach that matches risks with the cost of specific controls and other mitigation techniques. However, even after the Public Company Accounting Oversight Board (PCAOB) made it clear in its revisions to Accounting Standard 2 that auditors were to take steps to make the process less onerous, companies continue to report issues.

The SEC and PCAOB already have taken some steps to make the auditing process less time-consuming and expensive, and the issue now is how much further they will go in easing 404 compliance requirements. One mandate that appears likely to disappear is that companies periodically test and document their internal controls before their auditors examine them, a time-consuming and therefore expensive task. Another change will be explicit instructions to auditors that materiality matters. In auditing, “materiality” is the term used to describe the significance of financial statement information to decision-makers. Something is material if, through omission or misstatement, it is likely to influence or change a decision by, say, an investor or lender. A third change will be exemption of smaller companies (“non-accelerated filers” with market capitalization under $75 million) from 404 audits. Earlier this year, SEC Chairman Christopher Cox elected not to follow the advice of a committee that it should exempt these companies, but now it appears he will reverse his position.

Changes in Sarbanes-Oxley enforcement do not alter the basic requirement that companies must have well-controlled financial processes (and the IT systems to support them). However, with the emphasis shifting to a top-down, risk-based approach to controls, companies are likely to save staff time and external audit fees. In our view, the modifications also do not change the need for companies to simplify and rationalize their financial controls, to automate many of the repetitive tasks they now handle in spreadsheets and to control those that remain in use. Unfortunately, we expect most companies now will put off making many worthwhile process changes that they would have implemented if a comprehensive” audit approach had remained in force. How all of this will affect consultants and software vendors selling “Sarbanes-Oxley solutions” remains to be seen. We think those whose value proposition has been real business benefits beyond mere compliance will fare better than those perceived to be useful only for streamlining and documenting the internal audit. Sarbanes-Oxley still has life as a political football. We assert it never would have prevented fraud led by senior executives, such as occurred at Enron, Qwest and WorldCom. When the next high-level financial scandal erupts, though, we expect the current reforms will be blamed.

180 View – We said last month that “It’s about time that the auditors provided some real value in their review of internal controls.” It looks like they will soon have no choice if they expect to continue to offer this service.