This story is Part 1 in a three-part series on how corporate finance has changed since the Sarbanes-Oxley Act was passed.
In July of 2002, President Bush traveled to New York and spoke to a rapt audience just a stone’s throw from Ground Zero. Pledging to punish those wrongdoers whose misdeeds and acts of destruction threatened the American way of life, he unveiled a plan to battle the “moral confusion and relativism” that had proven “devastating” to so many innocent people.
His remarks had nothing to do with the terrorist attacks of the previous September. Rather, he was addressing Wall Street in the wake of the Enron and WorldCom scandals, and describing a host of programs to restore investor confidence at a time when the Dow Jones industrial average languished at just over 9,000.
Three weeks after he laid out a strategy to, as he put it, “move corporate accounting out of the shadows,” the President signed the Sarbanes-Oxley Act of 2002 into law. Far from ending the spate of corporate scandals, however, that event signaled the beginning of a long and often tortuous effort to reform the governance, auditing, and reporting practices of American businesses. “Sarbox represented a tectonic shift in the focus of securities regulation,” says James Cox, a law professor at Duke University. “It reached right into company boardrooms and mandated certain requirements about how companies operate. No one thought that was a place securities law could go.”
Indeed, what seemed at the time a hastily drafted effort to shore up perceived weaknesses in corporate accountability has proven instead to be the most significant piece of securities legislation to appear in at least half a century. But that significance has come at a price, both in dollars (estimated to run in the billions and even, by one disputed measure of lost market capitalization, trillions) and in effort, as companies have expended countless hours complying with the law — or trying to.
Those efforts continue, and five years later it is still not clear when, exactly, the dust will settle. In fact, while many lawmakers, academics, and securities experts praise the impact of Sarbox, most CFOs take a far dimmer view. A recent survey conducted by CFO magazine in conjunction with Duke University’s Fuqua School of Business found that fully three-fourths of CFOs believe the act should be reformed or repealed, and nearly as many believe the costs have outweighed the benefits. The level of frustration expressed actually exceeds that found in earlier surveys — a surprise, given that earlier surveys were conducted during a time of soaring audit fees and substantial confusion about compliance.
CFOs aren’t alone in their frustration. Like an infant being inoculated for the first time, the business community’s initial response to Sarbox was a sort of silent scream; today its wailing can be heard far and wide, in the form of cries for relief issuing from a host of committees and trade associations. But in the wake of new guidance from the Securities and Exchange Commission regarding Section 404 — which has been by far the most vexing requirement of Sarbox — and the Public Company Accounting Oversight Board’s approval of Auditing Standard No. 5, which clarifies how external auditors should handle their Section 404 responsibilities, it’s unclear whether regulators or lawmakers will take any further significant actions.
Two Short Paragraphs
Any piece of legislation as broad as the Sarbanes-Oxley Act — its 30,000 words spell out nearly 70 distinct requirements — is bound to have some unintended consequences, but few could have predicted how much pain the 172 words of Section 404 would inflict on Corporate America.
“It’s just two short paragraphs,” says Sen. Paul Sarbanes (D–Md., retired), who sponsored the Senate’s version of the act. But those paragraphs “left a lot to the regulators” in terms of translating vaguely worded demands for an “attestation” of an “assessment” of “effective internal controls” into actual practice.
Some might be tempted to say malpractice. Auditing fees skyrocketed as accounting firms took a better-safe-than-sorry approach and looked for weaknesses not only in financial reports but in the IT systems and sundry other nooks and crannies of corporate operations that feed into financial statements. Large companies saw audit fees climb 66 percent between 2003 and 2005, and, of course, spent millions on consultants, IT systems, and internal resources in order to comply.
The lesson? “Section 404 is the poster child for how not to implement a demanding compliance requirement,” says Cox. “Lawmakers knew Sarbox would be costly,” he says. “In fact, it was designed to be. But the folly of regulators was to not take a tiered or incremental approach, or to adopt a much longer time horizon.”
Instead, even with varying deadlines (and subsequent extensions) for accelerated and nonaccelerated filers (that is, large and less-large companies), auditing firms found themselves too short-staffed to handle the intense demands of internal-controls audits. That set off a talent crunch that persists to this day, both for audit firms and corporations, and is expected to remain for years to come.
CFOs blasted Section 404 as an “efficiency tax” that added no value. Five years on, it’s interesting to note that their initial projections of doom and gloom actually fell short of the mark. In 2003, before Section 404 kicked in, only 13 percent of companies expected their total cost for meeting Sarbox requirements to top $1 million annually. Earlier this year, the Financial Executives Research Foundation found the average audit attestation fee alone to be $1.2 million.
But CFOs have been heard, at least to a degree. In May the SEC issued new guidance that advocates a “risk-based” approach to Section 404, one designed to focus company and auditor attention on materiality and the “reasonable possibility” of a misstatement. The PCAOB’s new standard for auditors is designed to follow a similar path away from the much-maligned “checklist” scrutiny of every piece of corporate minutiae imaginable in favor of risk-based audits tailored to a company’s “facts and circumstances.” PCAOB deputy chief auditor Laura Phillips estimates that the new rule could result in a 10 percent reduction in related audit fees, because the previous standard “was encouraging more work than was necessary.” But Cynthia Fornelli, executive director of the Center for Audit Quality, a trade group that represents almost 800 publicly traded accounting firms, cautions, “It’s dangerous to speculate about the cost savings” at this point.
It may also be dangerous to speculate about any further relief. As Cox sees it, the recent actions of the SEC and the PCAOB have “gone a long way toward defusing the outcry.” What’s more, he says, the reports generated by the Committee on Capital Markets Regulation, the U.S. Chamber of Commerce, and others, which argue that the high costs of Sarbox compliance are harming U.S. companies in the capital markets, “have gotten little political traction.”
What traction exists, in fact, seems to be moving in the opposite direction. As CFO went to press, several SEC commissioners were scheduled to appear before Rep. Barney Frank’s House Committee on Financial Services to explain why the SEC appears to be catering to business interests rather than the investing public.
The fiercest critics of Sarbox argue, however, that the investing public is, in fact, not the beneficiary but the principal victim of the legislation. “The bottom line is that Sarbox was so poorly conceived,” says Stephen Poss, a senior partner with law firm Goodwin Procter in Boston and co-chair of the firm’s securities litigation and SEC enforcement practice group, “that if it were a prescription drug, the label listing the side effects would be longer than the act itself.”
Sarbox, he charges, has resulted in “a massive transfer of shareholder wealth to accountants and lawyers, and has transformed corporate boards from wise counselors focused on bold strategies for growth into ‘nanny boards’ that wag their fingers at managers and take no risks.”
Poss cites the boom in private equity as one inauspicious consequence of Sarbox. “The story of the U.S. capital markets over the past 50 years has been one of democratization,” he says, as mutual funds, 401(k) plans, and discount brokerages have allowed a substantially wider swath of the public to participate in equity markets than ever before. Now they are being squeezed out, he claims, as companies look to escape “huge permanent layers of overhead” by going private or listing overseas.
But Poss agrees with those who are far less critical of Sarbox that there appears to be little political will at the moment to make major changes. “I’d like to see the pendulum swing further back,” he says, “but I think progress in that regard will be slow.”
Indeed, as the Sarbanes-Oxley Act of 2002 celebrates its five-year anniversary, its supporters appear to feel very comfortable in singing its praises.
“I give Sarbox high scores,” says Dana Hermanson, a professor of accounting at Kennesaw State University, in Georgia. “It promotes accountability on many levels, and its provisions make tremendous sense.” Hermanson says that corporate “whining over Section 404” has obscured and even “tainted” the salutary effects of Sarbox. “One reason that 404 has proved so costly,” he says, “is that many companies simply had lousy internal controls.”
Comments like that no doubt please Sarbanes, who bristles at the suggestion that the act has proven costlier and messier than anticipated due to the speed with which it was pushed through Congress. “We held 10 hearings over two months,” he says. “We worked on it very intensely, and promptly, but we were also careful and thoughtful, and had the benefit of a number of blue-ribbon commissions and many experts who had been looking at ways to improve corporate governance for a long time.”
In April, Rep. Michael Oxley (R–Ohio) told CFO that “99.9 percent of the complaints you hear [about Sarbox] are about 404.” The problem hinges not on the two short paragraphs of the act, he says, but on “the 330 pages of regulations” that the PCAOB produced in response. At the time, he predicted that the impending overhaul of Auditing Standard No. 2 would satisfy those complaints and leave little cause for further criticism.
Now that that has come to pass, both Sarbanes and Oxley hope that the law that bears their names will get some credit. “The act has made the role of CFO even more significant than it already was,” Sarbanes says. “At the time we were drafting it, one school of thought held that we should punish the bad apples and let that serve as a deterrent, but by that time the damage has been done. The goal of the law is to make sure gatekeepers act as gatekeepers and bad actors are screened out by barriers such as good internal controls and sharp audits.”
“If you look at total market cap in July of 2002 versus today, it’s pretty hard to argue that Sarbox has been a detriment to growth and prosperity,” Oxley adds.
Cox of the Duke Law School agrees. “The best studies have shown that a company’s cost of capital goes down as the quality of its governance and compliance efforts goes up,” he says. “Most people are now running away from the studies that have painted a dire picture of the impact of Sarbox.”
“If nothing else,” Hermanson says, “the last five years have shown that accounting matters. In the 1990s, the attitude was that accounting did not matter and that audits were a commodity. That’s changed tremendously.”
Despite their continued skepticism about the value of Sarbox compliance, even CFOs seem willing to give it some credit. Bud Robertson, CFO of Progress Software, says that “there have been some benefits. For one, it has improved our processes. And it has also helped everyone in the company understand how serious these issues are, because now it’s not just finance saying it, it’s the SEC saying it.”
Robertson bears the distinction of being the first CFO ever to be quoted on a Sarbox-related matter in these pages. In September 2002 he voiced concerns that legislators had “gone completely overboard in trying to fine-tune every possible behavior,” and went so far as to say “I might reconsider my profession” in response to the huge increase in regulatory demands.
Five years later he’s still on the job, although many of his fellow CFOs have, in fact, bailed out for private firms, early retirement, or other Sarbox-free havens. There can be no doubt that whatever the benefits of Sarbox may be, and however close we may be to final resolutions of Sarbox sticking points, CFOs and corporate finance departments have paid a high professional and personal price for leading their companies toward a new era of stricter controls and superior corporate governance. They face additional challenges, from finding (and paying for) qualified staff to refining their relationships with auditors to grappling with the rise of private-equity firms.
But if Cox is right and calls for major reforms are landing on deaf ears in Washington, then CFOs may have little choice but to adopt their own version of the Serenity Prayer — driving Sarbox costs down where they can, and accepting the price, and value, of better internal controls when they can’t.
“I agree with remarks that Paul Volcker has made,” Sarbanes says, “warning that a ‘collective amnesia’ is setting in as the markets improve, prompting everyone to forget about the real pain that the accounting scandals produced. Investor confidence took a real blow at the time of Enron and WorldCom.” In forcing companies to make “a major departure from past practices,” Sarbanes says, “we introduced a system of checks and balances that provides important safeguards” against fraud or related abuses.
Of course, he adds, “there is no such thing as a guarantee.”
Scott Leibs is a deputy editor of CFO.
Five Years of Sarbox