IT Today is brought to you by Auerbach Publications


The Sarbanes-Oxley Act and Its Aftereffects

by Dimitris N. Chorafas

The focused and effective management of exposure has been conspicuously absent among companies who, in recent years, have become embroiled in scandals and bankruptcies. This highlights the importance of the quality of corporate governance as a crucial consideration for all organizations, with management ethics, internal control, and the audit function being at the kernel of an evaluation. News items in the first years of this century highlighted the problems of poor accountability and of management malfeasance in large listed companies. However, the underlying issues are just as prevalent in smaller listed and unlisted firms. Moreover, because external auditors looked the other way in some of these scams, their role came under public scrutiny.

Conflict of interest has been a particularly touchy point. In many cases, its origins were found in the fact that, for several decades, external audit firms have been performing a variety of consultancy roles for the same companies they audit, thereby becoming too close to the client and losing objectivity in the push for profitability.

The aftermath of such inadequacies is magnified by the fact that companies today operate in a fast-moving environment. Changes in terms of products, markets, and technology present both opportunities and risks, with the result that many firms seize the opportunities but are far less sensitive to the risks, including those of malfeasance and biased judgment.

In the decades before the Sarbanes-Oxley Act (SOX) made it untenable for an investment banker to sit on his or her client company's board, such board seats were much sought after by bankers as a way of gaining the most insight into the client's strategic thinking and its prevailing financial staying power. This practice also helped to ensure that the investment bank walked away with the lion's share of the client's business.

The cases of Enron, Adelphia Communications, and WorldCom in the United States and of Parmalat in Europe, to name just four, are too well known to be described here in detail. The Enron scandal of December 2001 was followed in short order by WorldCom, whose report of $7 billion in fictitious profit dwarfed Enron's concealment of a "mere" $1.8 billion in debt. By the end of 2002, the list of companies with questionable financial reporting included AOL, ImClone, Merck, Qwest, Tyco, Xerox, and Arthur Andersen, a powerhouse certified public accounting firm that was severely weakened following prosecution for its lax practices while auditing Enron and eventually went out of business.

The ripple effect of accounting scandals, auditing scams, and fake financial reporting shook the business community and bent the resistance to tougher legislation by a myriad of lobbyists. In a climate of public mistrust of business because of widespread creative accounting practices, the Sarbanes-Oxley Act was passed in July 2002 by the U.S. Congress. The act established rigorous corporate governance rules and set specific expectations on the reliability of financial statements of firms whose shares are traded on U.S. stock exchanges.

Section 302 of the act requires CEOs and CFOs to certify the dependability of their firms' financial statements, including whether their entities have (a) effective systems of internal control related to external financial disclosures and (b) procedures capable of notifying both external auditors and their audit committees when significant control deficiencies are detected in these systems. Section 404 of the Sarbanes-Oxley Act demands that a firm's external auditor must report on the reliability of management's assessment of internal controls. Both Sections 302 and 404, however, have raised important questions. For instance:

  • How many and what type of control deficiencies can the CEO and CFO not report to external auditors and the company's audit committee without violating the act?
  • What is the threshold above which the Securities and Exchange Commission, and civil courts, will act?

There are, as well, complex technical issues connected to SOX that should be well understood to provide a defensible legal course. For their part, certified public accountants must exercise great care in deciding on the need to qualify statements. Lack of qualification will essentially be tantamount to agreeing with the opinion reached by the CEO and CFO when forming the CPA's response on the issue of control effectiveness.

There are good reasons to believe that the accuracy in reporting huge losses for 2007 by Citigroup, Merrill Lynch, Bear Stearns, MBIA, Ambac, and many other well-known financial companies can be found in the rigorous requirements imposed by the Sarbanes-Oxley Act. The act made it mandatory that the CEO and CFO sign the entity's annual financial statements and assume full personal accountability for their figures and contents.

Indeed, no better example of the Sarbanes-Oxley impact can be found than the financial reporting on the aftereffects of the 2007 crisis in the subprime mortgage market, which created a torrent of red ink and brought many of the world's bigger banks against the wall. This was a crisis created single-handedly by the banking industry, rather than being due to an external event like sovereign bankruptcies in emerging markets.

When the bubble of the subprime mortgages blew in July/August 2007, it was revealed that the chief executives of Citigroup, Bear Stearns, Merrill Lynch, Morgan Stanley, UBS, and many others had

  • Assumed an excessive amount of credit risk,
  • Used irrelevant credit ratings for their judgments,
  • Overleveraged their institutions with an inordinate amount of debt, and
  • Employed a shamefully low level of risk management.

Through their policies with subprime, "no doc," and "Alt-As" lenders, they also practically brought to bankruptcy millions of U.S. homeowners while also spoiling the capital of their own institutions to the tune of billions of dollars. In the aftermath, the U.S. Supreme Court considered extending liability for corporate fraud to any company that did business with a U.S. corporation that defrauded its investors.

Back in 2002, many persons suggested that compliance with SOX would be a costly enterprise, although few openly expressed the opinion that business pressure would eventually be instrumental in changing some of the Sarbanes-Oxley provisions. Yet this is exactly what happened in mid-2007, under fire from lawmakers and business groups, who blamed the Sarbanes-Oxley Act for driving the costs of compliance higher and pushing firms to relocate to less-regulated markets overseas.

In May 2007, the Securities and Exchange Commission announced new guidelines along with a revised auditing standard from the Public Company Accounting Oversight Board (PCAOB). These guidelines and standards have aimed at ending more than a year of debate over whether the law's costs outweigh its benefits.

The PCAOB is an independent panel formed under the Sarbanes-Oxley Act. Its recent guidelines aim to reduce auditor testing by encouraging accountants to rely on work that companies have already done. Established in 2003 in the United States as a regulator to oversee the auditors of publicly listed companies, the PCAOB is one of the items mandated by the Sarbanes-Oxley Act, with the authority of revising standards that CPAs should use when auditing a company's internal controls over financial reporting. In this capacity, PCAOB oversees the U.S. accounting profession.

One of the new PCAOB auditing standards (AS) established by SOX, specifically AS5, was aimed at easing the burden of Sarbanes-Oxley compliance by making it less prescriptive and more scalable according to the size of the company. The SEC, which oversees the PCAOB, wants AS5 to make life easier for the roughly 6,000 smaller companies with market capitalizations of less than $75 million, while most large, publicly listed companies are required to comply with Sarbanes-Oxley. These large companies have learned how to live with SOX and absorbed the law's initial implementation costs.

To maintain uniformity in the application of the law and fence off efforts to create loopholes, Christopher Cox, SEC's chairman, has resisted demands from members of Congress to exempt small companies from the law. Instead, he tried to reduce corporate audit fees by eliminating a requirement that accountants assess how companies review their internal control.

While undoubtedly greater rigor on auditing does not come free of cost, it would be wrong to judge Sarbanes-Oxley in a unilateral way. "What was going on was so twisted and so perverse that more than five months after WorldCom went bankrupt several analysts expressed the opinion that the company would not survive independently in the long term," said a senior executive of an investment firm. "It will probably be spring or summer before it has its books in order."

WorldCom's huge fraud made use of the fact that there are gray areas in accounting standards on how to capitalize expenses for the different financial outlays. Its case, however, is neither the first nor will it be the last case of that nature. Accounting literature lists numerous events of aggressive and improper capitalization of expenses. Among experts, the majority opinion has been that, on two counts, there was no doubt that WorldCom broke the spirit and the letter of the law on accounting principles.

The Sarbanes-Oxley Act not only improved the reliability of financial reporting, but also made it much harder for firms to get private securities fraud claims thrown out of the bankruptcy courts, as used to happen routinely. External auditors are now required to provide opinions on the effectiveness of internal control in a company's financial statement, and had better get more efficient in internal control assessment by employing individuals with a wide range of experience, helping the client company to identify key exposures in the armory of internal controls.

To deal with potential management malfeasance, there is no alternative to critically reviewing the control environment, including organizational and governance issues; human resources; monitoring procedures; and more, covering not only financial, but also operational matters such as authorization procedures and segregation of duties, internal auditing information practices, and information technology policies able to assist management in decision making and in internal control.

From IT Auditing and Sarbanes-Oxley Compliance: Key Strategies for Business Improvement by Dimitris N. Chorafas. Auerbach Publications, 2009.

© Copyright 2009-2010 Auerbach Publications