SOX reforms, redundant or reliable
The general feeling is that SOX legitimated some of the challenges it was supposed to address. Accountability, transparency, shareholder protection, auditor independence, objectivity, and professional skepticism are a few of the positive effects of SOX that have finally strengthened business oversight.
Whenever new legislation requires companies to establish administrative controls and other compliance activities, businesses usually divide into two categories. One group focuses on basic compliance with the regulations, eventually finding that operating with a coherent framework improves controls that lead to better-quality data.
Other businesses understand the full meaning of the compliance activity and divide it into smaller projects of Good Governance, Risk Management, disclosures, financial and audit committees, IT security, etc. In other words, SOX and its scolded section 404 required them to think strategically, modernize their controls and processes, and produce a long-term plan for their IT security (e.g. one platform). These companies achieve greater efficiency and security, and eventually produce cost savings.
Investors have always insisted on certain fundamental accounting and control processes and procedures when businesses need their money or invest it on their behalf. Documentation, testing and providing evidence of compliance is an arduous process if sloppy organizations have to start from scratch, as many companies had to, simply because their process documentation was not in the correct order.
Procedure rather than Substance
Compliance activities like good governance and risk management (GRC) do create value. Most people believe that GRC has increased shareholder wealth. Implementing GRC is a learning process and a journey that requires confirmation at the top of the corporate pyramid. As the various components of GRC unfold, executives find that there is still much more work, and more processes, that need to be in order, because GRC issues become more complex and, with complexity, there are unintended consequences.
In the course of the 10 years, we have seen companies fail because they never developed financial discipline, and some even thought that they were beyond that. Had we seen the implementation of strict controls and risk management, disasters like AIG (2004), Madoff and Lehman Brothers (2008), Satyam Computer Services (2009), and the following credit and financial crisis (2010-) would probably have had limited consequences for investors, and the companies would probably have sustained their businesses over time.
Always ahead of its time
In a survey by Cass Business School of 18 high-profile corporations with an aggregate pre-crisis value of over $6 trillion, 7 companies faced bankruptcy, 11 Chairmen and/or CEOs lost their jobs, in 16 cases the management personally suffered financial penalties or fines, and 4 executives received prison sentences.
Those companies, on the other hand, that considered SOX as a cost/benefit question regarding how well their systems performed, conducted detailed audits of their internal control systems, and used consultants or external auditors to document and evaluate their processes and controls found it both costly and inefficient. After SOX was enacted, there were indications that companies were delisting because they could not afford the audits.
One of the more controversial provisions in SOX was section 404, which, with its only 146 words, was in many ways precise in its focus on internal control in addition to financial compliance.
Therefore, as with many other substantial activity or cost-improvement projects, if these are not implemented correctly, executives tend to focus on procedure rather than substance and blame the regulations for the absurd results. Mature companies, on the other hand, use the components of GRC combined to improve the substance of the decision, and attention is on accountability and material effects rather than process.
10 positive elements of SOX
There are a whole lot of reforms that Sarbanes-Oxley has put into operation.
- Improved audit quality in spite of a reduction of total audit costs, because of the work performed by staff to comply with Section 404.
- Stakeholder and investor confidence in businesses and financial statements
- Implementation guidance issued after Audit Standard 5 was Europeanized to a principles-based approach, and that has improved the overall US audit processes
- Audit committees are doing a better job than before SOX due to the strengthened role of independent audit committees and corporate governance.
- SOX has stepped up the assumed level of control at the Board of Directors level. Since SOX required assessing the attitude of business people, especially top management, toward risk and accuracy, they had to make sure that the internal processes and systems were working and that there was adequate documentation that financial statements were in order.
- Internal control over financial reporting framework has improved since compliance with Sarbanes-Oxley Section 404 became a requirement
- Companies are still attempting to improve the quality of internal controls and the effectiveness and efficiency of their compliance processes
- Added emphasis on IT and automation of internal controls to achieve significant process improvement and cost savings
- SOX introduced a qualitative aspect on top of the hard-core testing to make sure that the right tone at the top in some risky IT processes required more testing.
- SOX look-alikes were introduced in many countries, thereby providing the international investor with assurance
Sure, there was a cry about the negative elements of SOX: the high audit fees and the heavy reliance on contractors to prepare documentation and testing, that SOX removed all the commonsense elements, and that companies had to document and verify documentation at an incredibly detailed level.
There were some elements of overkill or thoughtlessness due to the interpretations of remote possibility or material weakness. However, later iterations gave value to the definitions. But that is history.
Let's just celebrate the anniversary and for a moment glorify SOX for enhancing the understanding of control design, operating effectiveness and internal audit's ability to perform audits that confirm that organizations have the compliance process well managed and under control.
About the author.
Kersi Porbunderwalla is secretary general of Copenhagen Compliance® and Copenhagen Charter®. After his early retirement from ExxonMobil, Kersi has been involved in several Global Good Governance, Risk Management and Compliance (GRC) and SOX Projects for multinationals like IBM, Shell, BP, Volvo and others. He continues to implement GRC journeys for a variety of clients to develop a custom-tailored GRC folder that includes methodologies, roadmaps, and specific solutions to assignments, training and certification.
Kersi conducts workshops, seminars and conferences that focus on developing and implementing GRC applications & frameworks into operational environments. He is a consultant, instructor, researcher, commentator and practitioner on 4 continents.