Was the UK right to pass on Sarbanes-Oxley 404?

The UK chose to pass on adopting the US government’s strategy surrounding Sarbanes-Oxley 404. Has it been proved right? Tim J. Leech and Lauren C. Leech take an extended look at this key issue.

This article takes a detailed (6,700 words) look at Sarbanes-Oxley 404, broadly broken down into five sections:

  • the ‘control-centric’ approach to reliable financial statements – what is it and what are its deficiencies?
  • what would a true ‘risk-centric’ approach to SOX 404 look like?
  • what US Congress, the SEC and PCAOB need to do to prevent the next major wave of unreliable financial reporting
  • the business case for the US, the UK and the world moving to a true ‘risk-based’ SOX 404 type approach (including four key reasons)
  • Opportunity for the UK to move forward.

Sarbanes-Oxley (SOX) Section 404 requires the CEOs, CFOs and external auditors of US listed companies to give opinions on the ‘effectiveness’ of internal control over financial reporting. Scores of the UK’s biggest companies, being US listed, must comply with these rules. Since 2004, SOX Section 404 has almost certainly been the most costly regulatory intervention in the history of securities regulation, costing companies and their shareholders tens of billions of dollars.

Unfortunately, since Section 404 was implemented, thousands of materially wrong financial statements have been issued with SOX Section 404 control effectiveness assurances attached, including assurances from the CEOs, CFOs and auditors of financial institutions at the centre of the 2008 global financial crisis that the controls supporting their financial reporting were ‘effective’ in accordance with the dated and obsolete 1992 COSO Internal Control Integrated Framework. ‘Effective’ has been defined by the Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) as capable of preventing even a single material error.

Shortly after SOX was enacted in July 2002, Roger Hodgkinson, technical director at the Institute of Chartered Accountants in England and Wales, wrote to the SEC raising serious concerns with the notion of external reporting on ‘control effectiveness’, saying ‘We sympathise with the SEC on many of the difficulties that it faces in arranging for the provision of pragmatic guidance on internal control reporting to implement the current requirements of the Sarbanes-Oxley Act. The combination of (a) a difficult concept (internal control) with (b) a requirement for measurement (effectiveness) for which there are no objective benchmarks, does not make for an easy solution.’

After SOX Section 404 came into force in 2004, the Turnbull Review Group (appointed by the Financial Reporting Council, the UK’s independent regulator for corporate reporting and governance) issued a consultation paper in June 2005 rejecting the adoption of SOX 404-style internal control effectiveness reporting in the UK. The reasons cited included:

1.15. In addition, in the Review Group’s opinion a requirement for a statement that processes are effective could be bound to lead to expensive testing and verification work to a low level of detail. The Review Group did not consider the benefit of such a statement to shareholders would be sufficient to recommend that it should be required, and was concerned that it might result in a focus on compliance rather than substantive assessment and management of risk, undermining what was seen as one of the main strengths of the Turnbull approach.

1.16. The Review Group received little encouragement from investors to recommend Section 404 style disclosures. Instead, investors stated they are looking for company-specific disclosures which provide them with some assurance that the key risks facing the company have been identified and are being managed, and which highlight areas of focus and improvement. The Review Group considered that this demand should in part be met by the new mandatory Operating and Financial Review (OFR).

(Review of the Turnbull Guidance on Internal Control, Consultation Paper, Turnbull Review Group, 16 June 2005, Page 4).

A key question that should be asked is whether the UK decision to reject SOX 404 ‘control effectiveness’ reporting in favour of one more focused on substantive assessment and management of risk generally was the right one. This article concludes that history has now confirmed that it was, indeed, the right decision.

In light of SOX 404’s massive costs, disappointing results, and hugely dysfunctional consequences this article proposes that US Congress enact a simple amendment to Section 404 to require CEO, CFO and external auditor opinions on the ‘effectiveness of risk management processes’ specific to the objective of reliable external financial reporting. This recommendation is consistent with but more specific than the position advanced by the Turnbull Review Group in 2005. 

A true risk-based approach would allocate resources to the most statistically probable root causes that account for the majority of materially wrong financial statements. The authors believe this small legislative change would result in significantly more reliable financial statements, reduce long-term Section 404 compliance costs, better align with the new global regulatory focus on risk management and risk oversight and, most importantly, restore global confidence in US corporate governance and global capital markets.  

Even if the business case for CEO/CFO and auditor certifications on risk management effectiveness representations proposed in this paper is not accepted in the US, the authors believe there would be a strong business case for Canada, Australia, the UK and Europe adopting this new corporate governance practice as part of the global move to international accounting and auditing standards. 

The ‘control-centric’ approach to reliable financial statements – what is it and what are its deficiencies?
Section 404 of the Sarbanes-Oxley Act of 2002 (“SOX”) states:

(a) RULES REQUIRED. - The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 … to contain an internal control report which shall –

(1)  State the responsibility of management for establishing and maintaining an adequate control structure and procedures for financial reporting; and

(2)  Contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of internal control structures and procedures of the issuer for financial reporting.

 (b) INTERNAL CONTROL EVALUATION AND REPORTING – With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestations shall not be the subject of a separate engagement. (Section 404)

The genesis of the SOX 404 legislation lies in the conclusions of commissions that studied the problem of unreliable accounting dating back to the late 1970s. Those commissions were convened following three distinct waves of massively unreliable financial reporting in the US, involving names such as Continental Vending, Equity Funding, ZZZZ Best, Penn Square Bank, WorldCom, HealthSouth, Enron and many others. All of them called for management and auditor reports on ‘control effectiveness’. Some 25 years after the Cohen and Treadway Commissions first called for it, the Sarbanes-Oxley Act of 2002 made it the law of the land in the US in record-breaking time, with impacts felt around the globe. Other countries, including Canada and Japan, have followed suit and now require management representations on ‘control effectiveness’. The UK, as mentioned earlier, emphatically rejected this strategy in 2005 as suboptimal and potentially dangerous.

The SOX 404 provisions quoted above were initially implemented in the US via the much-maligned Auditing Standard No. 2 (AS2) issued by the Public Company Accounting Oversight Board (PCAOB). The focus of AS2 was on documenting and testing controls: a word search of AS2 finds the word ‘risk’ 98 times against 1,802 instances of the word ‘control’. When implementation of this standard saw the SEC’s original cost estimate of $91,000 per registrant escalate to millions of dollars per registrant, with the total cost of SOX 404 compliance running into billions of dollars globally, the SEC told the PCAOB to come up with a more ‘risk-based’ approach.

The PCAOB, listening to the resounding global criticism of the cost of AS2, made a tentative attempt to respond. In Auditing Standard No. 5 (AS5), the current and dominant US SOX 404 guidance, the word ‘risk’ appears 193 times against 943 appearances of the word ‘control’. As far as public records and direct inquiries to the PCAOB by one of the authors reveal, no attempt was made by the PCAOB at the time to consult risk experts or international risk management standards in order to develop a true ‘risk-based’ approach. The continued fixation on documenting processes and testing controls in AS5 suggests that its authors tried to modify their core thinking but still approached their task using outdated auditing protocols and terminology originally developed in the late 1970s, built on the core tenets of the COSO Internal Control Integrated Framework, a control framework developed around 1990-91, more than two decades ago. The result, in terms of fixation on control processes and massive costs, is exactly what the UK’s 2005 Turnbull Review Group, cited earlier, predicted would occur.

A section of AS5, the PCAOB’s second attempt at SOX 404 implementation regulation, does suggest that auditors should complete a ‘risk assessment’, and states that the auditor should focus ‘more of his or her attention on the areas of highest risk’. (NOTE: presumably ‘more’ means more than auditors did under AS2, which was not much.)

What AS5 does not do is specifically require that external auditors determine statistically the most common root causes of material accounting misstatements in general, the most common root causes of misstatements in the business sector being audited, or the most common causes of material errors in the books of the specific company they are auditing; nor does it provide any substantial guidance on how to identify and assess the likelihood and consequence of risks to the reliability of specific account balances and supplemental note disclosures given the ‘risk treatments’ currently in place.

Nor does AS5 suggest that auditors use the authoritative guidance on ‘risk assessment’ provided by globally accepted risk management standards, such as ISO 31000, or even the risk assessment approach recommended in the much-criticised 2004 COSO ERM framework, to identify and assess risks to the reliability of the financial statements. The SEC does not currently deem these risk-focused assessment frameworks to be ‘suitable’ SOX 404 frameworks.

In the years following the introduction of SOX 404, compliance costs spiralled. Unfortunately, as the fallout from the 2008 global financial crisis showed, those massive compliance costs did not produce significantly and consistently more reliable financial statements.

An Institute of Management Accountants discussion paper concluded:

In February 2007, Audit Analytics published, ‘2006 Financial Restatements: A Six Year Comparison’. One of the most profound trends highlighted in this report is that 512 U.S. Accelerated Filers (companies with market capitalisation in excess of $75m) issued restatements in 2006 to correct one or more material errors in their original accounting filings with the SEC. With a total reported registrant population of 3,861 Accelerated Filers that represents an error rate of 13.3%. Stated simply, the rate of material errors being corrected in original filings by Accelerated Filers in 2006 was more than one in every eight. (2008, p.5)

Setting aside for a moment the massively unreliable financial statements published by the companies at the heart of the 2008 global crisis, more recent research suggests some signs of progress. A 2010 report produced by Audit Analytics suggested that the frequency of restatements had improved from the dismal performance of 2006. Financial statement restatements issued by companies covered by SOX 404 had by then fallen to around 5% of registrants or, stated another way, one in every 20 management- and auditor-certified financial statements was later found to contain material errors requiring restatement under US GAAP. It is important to note that virtually all of the financial statements that had to be restated to correct material accounting errors carried CEO/CFO/external auditor SOX 404 certifications in the original filings stating that internal control over financial reporting was ‘effective’ in accordance with the dated 1992 COSO Internal Control Integrated Framework. ‘Effective’ is a term generally defined by the PCAOB and SEC as a conclusion that the controls supporting the reliability of financial disclosures are capable of reasonably preventing even a single material accounting error or misrepresentation.

The cost of SOX 404 compliance today, while lower than during the implementation stage, continues to run into billions of dollars globally each year. SOX 404 compliance costs are so onerous that the US Congress, via the 2010 Dodd-Frank Act, decided that, in spite of the original SOX Act calling for Section 404(a) and (b) to apply to all public companies, small-cap public companies (non-accelerated filers) would be exempt from complying with Section 404(b), which requires auditors to attest to the effectiveness of controls.

Although the SEC has made a few efforts, best described as poorly funded and half-hearted, to evaluate the cost/benefit of SOX 404, what has not been done, at least not in any serious way, is empirical research to determine the impact of SOX 404 compliance on the actual reliability of financial statements: how much more reliable financial statements are post-SOX than they were before; how much more reliable they are year over year; and how the reliability of statements from US listed companies compares with jurisdictions such as Canada and the UK that have less onerous and costly compliance regimes. This is true in spite of the fact that collectively over 19,000 US listed companies, including major corporations headquartered in other countries including the UK, incur SOX 404 compliance costs in the billions of dollars each year, and the fact that accounting and auditing practices in the post-SOX 404 years leading up to the 2008 global financial crisis are now coming under intense scrutiny. (NOTE: small-cap US listed companies are exempted from SOX 404(b) but must still comply with SOX 404(a).)

 

What would a true ‘risk-centric’ approach to SOX 404 look like?
Simply put, a true risk-centric approach to SOX 404 would use a ‘risk-based targeting[1]’ approach to allocate assurance resources, and would display the attributes of an ‘enhanced risk management’ framework such as the one described in Annex A of the international standard ISO 31000, Risk Management – Principles and Guidelines, widely regarded as the world’s leading risk management framework. The approach would be specific to the overall objective of producing materially fault-free financial reporting.

The current approach to SOX 404 mandated by the SEC and PCAOB, while claiming to be ‘risk-based’, is not in fact risk-based, at least not from the perspective of risk management professionals and standards. This conclusion rests on the following observations by the authors:

  • registrants are currently forced by SEC rules to use the dated and obsolete 1992 COSO Internal Control Integrated Framework, a ‘control framework’ rather than a risk framework, as the primary assessment criteria
  • the vast majority of SOX 404 assessments today make no attempt to use statistical information on the areas where material accounting errors and irregularities are most likely to occur
  • the vast majority of SOX 404 assessments do not direct assurance resources to assessment and testing areas in proportion to their statistically probable and highest-impact risks
  • the current standards do not require a formal review, when SOX 404 control opinions and the supporting external audit opinions are found to be wrong, to determine what went wrong and why
  • the current SEC and PCAOB standards provide virtually no guidance on how to identify risks that threaten the reliability of the financial statements as a whole, or of specific account balances and note disclosures, or on how to analyse the likely effectiveness of the ‘risk treatments’ in place to mitigate those risks.

In addition to the global risk management standard ISO 31000, other efforts are currently underway, including by the Institute of Internal Auditors (IIA) and the Open Compliance & Ethics Group (OCEG), to develop formal guidance that management and auditors can use to assess whether an organisation has ‘effective risk management processes’. Whether the approach should produce a binary opinion (effective/ineffective), like the one currently required by SEC/PCAOB SOX 404 regulations, or an ordinal one (a numeric or other indication of the degree to which the processes are effective) is one of the major points of debate. It is fair to say that the ‘how to do it’ knowledge is still at an embryonic stage.

(NOTE: In December 2010 the IIA published a practice guide on reporting on the effectiveness of risk management processes, and on 29 August 2011 it announced plans to launch a new Certification in Risk Management Assurance (CRMA) in 2013 to better prepare internal auditors for true ‘risk-focused’ work.)

For risk-based targeting as defined above to be applied to the objective of producing reliable financial reporting with the SEC-defined tolerance of zero material errors, companies would need to determine for themselves, or be told by the SEC or a source the SEC recognises as legitimate, which areas of their financial disclosures, and of the financial statements of others in their business sector, have historically shown the highest statistical probability of being materially misstated, and why. Information on which elements of public company financial statements most frequently require restatement is currently available from only one credible source in the US, a company called Audit Analytics.

That source reports which elements were restated, not why. There is currently no reliable empirical source of information on the most statistically probable root causes of accounting errors and irregularities. Outside the US, countries including Canada, the UK, Australia and those of Europe have no reliable source that statistically tracks and reports details of material errors found in published financial statements through restatements, or the root causes of those misstatements. The absence of reliable information on the statistical root causes of accounting misstatements is, in itself, indicative of the lack of regulatory focus on determining the real risks that threaten the goal of reliable financial reporting.

The amount of disclosure companies and auditors must make when material errors in prior-period disclosures are discovered is highly variable around the world and generally limited. (NOTE: The usefulness of restatement information should improve substantially once all restatements filed by public companies are categorised using the globally accepted XBRL taxonomy, which allows the areas affected by a restatement to be electronically tagged. This in turn opens up opportunities for statistical analysis at company, business sector, national and international level of the areas in which auditor-certified disclosures most often prove unreliable.)

Historical information on the most likely areas of material error in a company’s disclosures, and the root cause(s) of those errors and irregularities, would have to be supplemented by efforts to identify emerging risk areas that could produce ‘potential adverse impact’ in the future (eg the stock option backdating scandals and the problems at the heart of the 2008 global crisis, including collateral-backed securities). Identifying what are generally referred to as ‘emerging risks’ requires drawing on risk management processes such as those recommended by the Bank for International Settlements (BIS) for identifying emerging risks in new products, services, systems and other areas.

A sample of macro-level risks at the root of some of the most significant accounting misstatements in history, based on the authors’ experience and research, includes the following:

  1. CEO and CFO have significant financial incentives to falsify and/or inappropriately manage financial results
  2. senior management and boards have major financial incentives to direct or overlook backdating of stock options
  3. senior management directs improper/fraudulent post-close journal entries to manage profits and/or hit earning targets disclosed to the market
  4. management overrides controls to hit bonus targets or prevent loss of positions
  5. audit committees have financial incentives not to ask management tough questions
  6. accounting staff are not current on accounting standards/GAAP
  7. management lacks the appropriate knowledge and skills to deal with accounting for complex or significant judgement-related transactions
  8. in-house accounting personnel lack the necessary training and experience to deal with the scope and complexity of the organisation’s operations
  9. the external audit team’s objectivity is compromised by conflicts of interest
  10. external audit team lacks appropriate knowledge/skills, and/or the courage to challenge management’s assumptions.

With some modest research funding (modest in comparison with the cost of failure) this illustrative list could be refined and ranked by frequency and consequence to show the most significant risks at the root of major financial misstatements by US listed public companies over the past 20 years.

One of the few attempts to date to empirically examine this area was published in 2008 by Marlene Plumlee and Teri Lombardi Yohn, An Analysis of the Underlying Causes of Restatements.

Unfortunately, other than the Plumlee and Yohn paper, very little empirical research on the topic exists today. This is likely because of the political sensitivity of serious research into audit failure, given the funding audit firms provide to universities, and because there are significant barriers to completing such research, most notably the litigation risk to the companies and external audit firms that would have to cooperate. These barriers would need to be addressed by SEC endorsement, regulatory support and sufficient funding.

Following the issuance of an IMA discussion paper on the attributes of a true risk-based approach to SOX 404 in September 2006, one of the authors of this paper formally requested that the SEC modify its SOX 404 guidance to allow the use of ISO 31000, a generally accepted risk assessment framework. Arguably, ISO 31000 is better equipped to meet the SEC’s ‘suitability’ criteria than the three control frameworks currently sanctioned by the SEC (COSO 1992, CoCo 1995 and Cadbury/Turnbull 1994). The SEC’s response at the time was that it would only respond if a registrant requested the use of ISO 31000 as a ‘suitable’ SOX 404 framework via its pre-ruling process. (NOTE: The SEC has refused all requests from one of the authors to produce the evidence it relied on when concluding in 2004 that COSO 92, CoCo 95 and Turnbull 94 meet its stated framework ‘suitability criteria’.)

 

What US Congress, the SEC and PCAOB need to do to prevent the next major wave of unreliable financial reporting
To improve the reliability of financial reports, including the external audit opinions that accompany them, this article proposes three relatively simple steps.

Step 1: Congress makes a simple amendment to Section 404 of the Sarbanes-Oxley Act of 2002
To implement a true risk-based approach capable of reducing the number and magnitude of material errors in financial statements we recommend SOX 404 be amended by Congress to read as follows:

SEC. 404. MANAGEMENT ASSESSMENT OF FINANCIAL REPORTING RISK MANAGEMENT PROCESSES.

(a) RULES REQUIRED. – The Commission shall prescribe rules requiring each annual report required by Section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 USC 78m or 78o(d)) to contain a risk management effectiveness report, which shall –

(1) state the responsibility of management for establishing and maintaining adequate risk management processes for financial reporting; and

(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the risk management processes of the issuer for financial reporting.

(b) RISK MANAGEMENT PROCESSES EVALUATION AND REPORTING. – With respect to the risk management processes assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

Step 2: the SEC issues new guidance on how to assess the effectiveness of the risk management processes that support the objective of materially fault-free financial reporting.
The SEC would need to amend its current guidance for management to describe how to evaluate the effectiveness of a company’s risk management processes supporting the core objective of issuing materially fault-free financial disclosures, using methods accepted by the global risk management community. At a minimum, this guidance would need to require that the risks that have statistically been at the root of materially wrong financial statements over the past 50 years be identified and assessed, together with the statistically probable risks, including emerging risks, relevant to the company’s business sector and its own restatement history. Once a list of statistically material risks is produced, management would need, as a minimum, to evaluate the likely effectiveness of the ‘risk treatments’ currently in place to mitigate the statistically most dangerous risks to reliable financial disclosure. Any SOX 404 work done to date that can be linked to the most statistically probable and highest-consequence risks to the goal of materially fault-free financial reporting would remain relevant.

Step 3: the PCAOB issues new guidance for external auditors on how to assess and opine on the effectiveness of a company’s risk management processes.
Once the SEC has issued sufficiently detailed guidance for management on assessing the effectiveness of the risk management processes that support reliable financial disclosure, auditors should be able to use the same criteria to opine independently on the effectiveness of those processes, supplemented by PCAOB guidance on how to assess and report on management’s assessment. The IIA issued a practice guide in December 2010 proposing how internal auditors should assess and report on the effectiveness of risk management processes, and announced on 29 August 2011 that it will launch a new professional certification, the Certification in Risk Management Assurance, in 2013.

 

The business case for the US, the UK and the world moving to a true ‘risk-based’ SOX 404 type approach
The three steps proposed above, to transition from the current control-centric approach to a true risk-based approach, would be relatively inexpensive for legislators to implement. There would, however, need to be significant changes to the process/control-centric SOX 404 assessments, and the equivalent Canadian NI 52-109 assessments, being done today by over 24,000 US and Canadian listed companies. This would entail some short-term incremental implementation costs to determine and address the statistically probable root causes of material errors and irregularities. The approach used by tens of thousands of external auditors and tens of thousands of internal SOX 404 assessment staff around the world would also have to change.

Reliable information on the root causes of materially wrong financial statements would need to be developed, analysed and used to better identify, measure and track risks to reliable reporting, ideally linked to XBRL tags to allow for sophisticated computer analysis. The really significant risks to the objective of materially reliable financial statements would need to be identified, including sensitive ones such as ‘CEO and CFO collude and manipulate earnings’, ‘CFO/controller isn’t technically current’, ‘accounting staff aren’t adequately qualified and/or trained’, ‘external audit team lacks required experience and knowledge’ and ‘external audit staff’s objectivity has been compromised’, and the adequacy of the risk treatments in place re-evaluated. Radical change is rarely easy to implement, and the US Congress and other political bodies may be reluctant to embark on this path in the absence of a persuasive business case.

A list of key reasons why US Congress should take the bold step of amending the wording of SOX 404 includes:


REASON #1 – the current control centric approach to SOX 404 costs a lot and produces a high failure rate
To date, no country other than the US has accepted the cost/benefit case for SOX 404(b), which requires a separate external auditor opinion on ‘control effectiveness’. The UK, in 2005, explicitly rejected SOX 404 on its assessment of costs and benefits, and Canada likewise declined to adopt the equivalent of 404(b) following cost/benefit analysis by its regulators; neither country requires a separate opinion from the company’s external auditor that financial reporting controls are ‘effective’. In spite of the US requiring two separate and very costly opinions on ‘control effectiveness’ each year, one from the CEO and CFO and the other from the external auditor, there is no empirical support for the proposition that this approach produces more reliable results than the assurance strategies adopted in Canada and the UK. Nor, in spite of companies being forced to spend tens of billions of dollars opining on control effectiveness, are the authors aware of any empirical research demonstrating that US listed financial statements are statistically more reliable in the post-SOX 404 world than they were before SOX 404 was enacted.

The truth is that there is clear evidence that thousands of US listed companies that have spent billions of dollars to implement the current control centric approach to SOX 404 have published materially wrong financial statements since SOX was implemented. Annual reports from the US-based Audit Analytics continue to confirm that, while the number of materially wrong financial statements published by US listed companies has decreased since peaking in post-SOX 2006, the total dollars of misstated balances each year continues to be a staggering number. If the balance sheets of the organisations at the root of the 2008 global financial crisis that have been assessed by some as ‘technically correct, but massively wrong’ are included in the misstatement total, it is literally an ‘earth-shaking’ number.

REASON #2 – the current control centric approach misses the really big risks
In the years leading up to the global financial crisis of 2008 companies around the world accumulated trillions of dollars of assets whose value was directly linked to one key assumption – the US housing market would continue to rise indefinitely. 

Figure 1, featuring an index of American housing prices going back to 1890, published by Yale economist Robert J. Shiller, provides a graphic illustration of why that assumption should have been regularly and aggressively questioned as a key risk by both management of the companies at the center of the global financial crisis and their external auditors (Tapscott, B and Tapscott, D, 2008). 

Figure 1: A history of US home values
(Source: Shiller, Robert J. (2006) Irrational Exuberance. 2nd edition)

In addition to identifying risks to asset valuations, including the risk of a correction, there should also have been formal analysis of the ‘risk treatment’ strategy in place in all companies affected by that chart to manage the risk that the trend line would not continue to rise forever. In cases where this risk was ‘financed’ or ‘transferred’, the ability of the counterparty to absorb the risk in the event the chart above reversed should have been similarly rigorously examined. The risk management processes related to the value assigned to these assets should have been rigorously examined and opinions provided to the board on the effectiveness of the risk management processes and the adequacy of the risk treatments in place. No evidence has been produced that this step was taken as part of the massively expensive SOX 404 control effectiveness assessment process.

What is certain is that billions of dollars were spent during the run-up period of 2005-08 on internal and external staff testing controls linked to line items of those companies’ financial statements that have never been, and are likely never to be, the source of material errors. By way of illustration, very few companies or their external auditors identified the reward systems in companies at the root of the global crisis as material risks to the reliability of the financial statements. Commissions have also identified deficient board oversight of risk as another major root cause. Based on research done by one of the authors of this paper, SOX 404 control effectiveness assessments have rarely, if ever, determined that any US listed company has a deficient audit committee (Tim Leech, Parveen Gupta, Control Deficiency Reporting: Review and Analysis of Filings during 2004. Financial Executives Research Foundation http://www.leechgrc.com/pdf/). Major commissions in the US and globally are unanimous that reward systems and deficient risk oversight are two of the root causes of the financial crisis.

A true risk-centric approach that included the SEC stipulating the statistically most probable and significant risks to reliable financial reporting would have at least stood a chance of identifying this type of risk. History demonstrates that control centric SOX 404 testing using the now dated COSO 92 control framework as criteria completely missed the mark. COSO 92 puts very little emphasis on the importance of aligned reward systems or rigorous board oversight of risk management processes, including those used to ensure reliable financial reporting. (NOTE: COSO announced plans in late 2010 to update the 1992 COSO Internal Control Integrated Framework. However, it is important to note that the COSO chair stated ‘This project is not intended to change how internal control is defined, assessed, or managed, but rather provide more comprehensive and relevant conceptual guidance and practical examples.’)

REASON #3 – the current approach isn’t aligned with ERM methods
Companies that are working on implementing some form of enhanced ERM to better manage risks of all types face a significant problem. The SOX 404 assessment approach required by the SEC and PCAOB is not aligned with generally accepted risk assessment methods and terminology. If a company uses enterprise risk management software to manage and report on the state of risk, it must have one module for SOX 404 work and a separate system or module for the other elements of ERM. This means that companies must implement a pure form of risk assessment across all of their operations using the type of approach in ISO 31000 or COSO ERM, except for the objective of publishing materially fault-free financial statements. For that objective they must use the type of methods prescribed by the SEC and PCAOB that their external auditors will accept, including the use of the dated and obsolete COSO 1992 Internal Control Integrated Framework, which does not use modern risk management terminology.

The need to use separate terminology and approach creates yet another ‘silo’ – the ‘SOX 404 control effectiveness silo’. Silos are another one of the global crisis root causes identified by major commissions. The SOX 404 silo today must use terminology and approaches that are inconsistent with those used to implement ERM in virtually all other areas of the company. In essence work units must learn two different languages – SOX 404 control centric terminology, and another for ERM based on the type of terminology found in ISO 31000 and the related ISO Guide 76. This creates considerable additional expense and confusion. The SEC now requires proxy disclosures related to risk oversight, and boards will be asking management whether they believe risk management to be effective for all aspects of the company, except the goal of reliable financial reporting. For that dimension the board receives management’s opinion on control effectiveness, not risk management effectiveness.

REASON #4 – assure the world that the US is taking tangible steps to fix one of the root causes of the global crisis
The general global consensus is that the roots of the global financial crisis were planted and nurtured in the US through a confluence of factors, including political support for the creation and support of gigantic organisations like Freddie Mac and Fannie Mae charged with making housing affordable to poor people; reward structures in the major US financial institutions at the root of the crisis; deficient regulatory oversight; accounting standards and auditing practices that allowed for accounting deception vehicles like the now infamous REPO 105 transactions; deficient capital requirements and regulatory oversight; and others.

The dramatic decline of the US dollar relative to other major currencies around the world is evidence of a decrease in global confidence in the US governance and political systems.

What hasn’t yet been acknowledged, perhaps as a result of the enormous influence of the major auditing firms, is the role the accounting and auditing frameworks, including the costly SOX 404 regime currently in place in the US, played in the period leading up to the global financial crisis. If the US is to regain its position as the biggest and most trusted economy in the world, dramatic steps need to be taken. One of those steps could be to acknowledge that, in spite of imposing costs in the tens of billions of dollars on US listed companies all over the world through SOX 404 as a solution to unreliable financial reporting, that massively costly and arguably obsolete solution hasn’t worked very well in terms of assuring investors that financial statements are more reliable. Recognising this fact, US Congress, rather than attempting to continue to defend and maintain a costly regulatory regime that doesn’t work very well, can take dramatic steps and replace the current control centric SOX 404 process with one that focuses on, and better treats, the truly material risks to the goal of reliable financial disclosures.

Opportunity for the UK to move forward
In light of the dismal US experience with SOX 404, what is clear is that the UK should not waver on its original logic for rejecting SOX 404 and adopt the same type of ineffective control effectiveness reporting regime implemented in the US and, to a lesser extent, Canada and other countries. Given the current ‘political paralysis’ in the US and the significant influence of the major accounting firms on accounting regulations, Congress may be unwilling to amend SOX 404 to focus on assessing and reporting on the effectiveness of risk management processes. What the UK should do in light of the arguments advanced in this article is elevate the importance of effective risk management and seriously consider the business case for CEO/CFO/auditor public reporting on the effectiveness of a company’s risk management processes related to the specific objective of reliable financial reporting.

Whether the UK is willing to extend the original premise of the Turnbull Review Group for rejecting SOX 404 (ie not detracting from the more appropriate focus on the effectiveness of risk management processes) to more tangible and specific external reporting requirements on the effectiveness of risk management processes specific to the goal of reliable external reporting is still in question. Recent inquiries led by the House of Lords in the UK suggest some willingness in the UK to challenge the accounting/auditing status quo.

At a minimum, taking leadership in building foundation information on the most statistically probable root causes of material accounting misstatements could be a first step forward.

Only time will tell whether any country is willing to move past the dated and largely ineffective approaches of attempting to assess and report on the effectiveness of ‘internal control’ and focus on the far more important issue of the effectiveness of risk management processes specific to the objective of reliable financial reporting. However, with the global economy seemingly standing on the brink, there has never been a better time to take a positive step forward to prevent the next global wave of unreliable financial reporting.

Tim J. Leech FCA CIA CFE – managing director global services, Risk Oversight Inc, www.riskoversight.ca, and Lauren C. Leech CA CIA CFE

(NOTE: this article is a condensed and adapted version of a longer paper by Tim Leech and Lauren Leech for the International Journal of Disclosure and Governance titled Preventing the next wave of unreliable financial reporting: Why US Congress should amend Section 404 of the Sarbanes-Oxley Act)
