Since the Sarbanes-Oxley Act was passed in the summer of 2002, there has been a steady stream of criticism and objections from a wide range of players.
The business community claims the additional costs caused by SOX 302 and 404 are choking off much needed risk taking and profit creation. The Europeans—led by a very vocal Sir Digby Jones, director general of the Confederation of British Industry—claim that SOX is yet one more example of American imperialism and arrogance. Directors of U.S. listed companies are threatening to quit boards in droves to avoid the heightened accountability and personal liability. CFOs, controllers and tens of thousands of employees working on compliance projects are wilting under the heavy initial SOX workload. And technical papers written by dozens of corporate governance experts—including one I authored that was featured here in Compliance Week—have outlined numerous technical flaws in the way the legislation has been interpreted and deployed to date by the SEC and PCAOB.
The Problem Is, SOX Is Working
In spite of continuing efforts to sway U.S. politicians, the SEC, and PCAOB from the path they embarked on in 2002, there is growing, irrefutable evidence that SOX is, in fact, working.
Financial disclosures from U.S. listed companies are more reliable. Profit-management gamesmanship has been curtailed. CFOs and CEOs are far more reluctant to push the limits of generally accepted accounting principles. Restatements of previously published financial results have increased dramatically. Thousands of companies have in 2004—and will in 2005—for the first time publicly disclose serious deficiencies in the controls they have in place to ensure investors and other stakeholders are provided with reliable financial information.
The evidence continues to mount that disclosures being produced under the new U.S. SOX regime are, in fact, more reliable than those not produced with similar discipline.
At a global level, the most profound result of the SOX regime is that the external audit profession in the U.S. is now producing significantly more reliable opinions on published financial statements than their external auditor counterparts around the world. This is a development that will reshape corporate governance and the auditing profession as we know it.
It means, quite simply, that U.S. audited financial statements for publicly listed companies are now, on balance, more reliable than those being produced currently for private companies in the U.S., in the public sector, in the not-for-profit-sector, and for public companies in other countries around the world that have not yet adopted a SOX-like regime.
More certainty (or less uncertainty) that financial statements are true and reliable should, all other things being equal, translate in to a lower cost of capital and higher share prices. Financial disclosures issued by companies in countries not adopting a SOX-like audit regime will be less reliable. Private companies, not-for-profits, and governments at all levels around the world will face a decision: Adopt a SOX-like regime, or pay a risk premium for capital.
The Evidence To Date
And here's proof:
Restatements are up dramatically in the U.S.
The Huron Consulting Group released the results of a study on financial restatements on January 20, 2005, that stated the number of restatements to companies’ financial results spiked 28 percent last year. The number one reason for the spike: The additional scrutiny, rigor and consequence imposed by SOX. Companies are starting to come clean that prior period disclosures were materially flawed. There is no similar trend occurring in countries not under a SOX regime. This means either U.S. companies have been, on balance, bigger liars than the rest of the world, or investors in other countries are still unaware of the extent that public companies listed in their domicile have stretched the truth about their financial status in the past and external auditors have either not caught it or overlooked the problem.
Disclosure controls far worse than one would expect.
Over 500 U.S. listed companies including many with primary listing in other countries around the world disclosed serious external disclosure control deficiencies in 2004. This number is expected to grow in to the thousands in 2005. In each instance where a major deficiency has been reported in disclosure controls, improvements will have to be made. The result of these improvements will be that the reliability of financial disclosures in the future will be even better. Just imagine how many companies in other countries around the world currently have similarly seriously flawed external disclosure controls but investors are being kept in the dark on the risk they take relying on the information being disclosed.
The extent of the work required has been massive.
The evidence is clear that very few public companies anywhere in the world had formally assessed the strengths and weaknesses in all of their external financial disclosure systems with much rigor and formality prior to SOX. This is why so much work has been required to meet the SOX/SEC/PCAOB expectations. Companies and other organizations not on SOX-like governance regimes can continue to avoid rigorous risk and control documentation and assessment of their disclosure controls ... at least for now.
Credit agencies are recognizing the importance of strong disclosure controls.
Moody’s in October, Standard & Poors in December, and Fitch in January have all published papers acknowledging the importance of the new, improved SOX disclosure regime. What they haven’t publicly stated yet is the very obvious conclusion that audited financial statements produced under non-SOX regimes, including those produced for private companies, not-for-profit, governments, and in other countries are, on balance, less reliable than those that are. This will come soon.
Senior management and boards have radically increased their oversight diligence under the SOX regime.
Recent studies and reports on audit committee behavior are unanimous that audit committees of U.S. listed companies are meeting more frequently, getting radically better data on the state of internal control, and asking better questions. Audit committee counterparts in public companies in other parts of the world still don’t have the same incentives to improve their game.
What Needs To Happen Next
Since U.S. listed public companies are now producing the most reliable external financial disclosures in the world, they should be rewarded for their efforts. Or, stated another way, countries, companies, governments, and not-for-profits that continue to produce external financial disclosures under the older, looser, less reliable financial disclosure and audit regimes should be penalized for lower quality or less reliable financial disclosures.
Audit opinions should be graded.
Currently, external auditors continue to give audit opinions on financial statements produced by private companies, governments, and foreign-listed companies just as they have in the past. What they are not clearly telling readers is these are “Grade B” audit opinions or worse. The "Grade A" audit opinions, at least in a relative sense, are coming from the SOX and SOX-like regimes. Because of the extra work and care required from both management and external auditors, these opinions cost more, but come with higher comfort that the numbers and footnote disclosures are in fact reliable and truthful. All users of financial statements should be alerted to the difference in audit opinion quality. The external audit standard setters inside outside of the U.S. should force external auditors providing opinions to warn readers in simple, unambiguous language that audit opinions provided on financial statements under non-SOX and SOX-like regimes are less reliable or more risky. A simple grading system—with grades "A," "B," and "C"—for external audit opinions linked to the likely reliability of the opinion would work fine.
Cost of capital should be adjusted.
Since financial statements play a key role when assessing credit worthiness, credit agencies need to adjust the credit ratings they assign to reflect the increased chance financial statements are wrong when they are produced without the "Grade A" SOX or SOX-like assurances.
Stock analysts and investors need to understand and reflect the risk premium.
Since investments are made virtually around the clock on a global-basis, the investment community needs to recognize that they are now working with more reliable financial disclosures from U.S. listed companies than those produced elsewhere. The closer a country’s disclosure and governance standards are to the U.S. SOX 302/404 regime, the lower the risk premium should be. An example is Canada. Canada is slowly moving to a slightly diluted form of SOX 302/404 governance over financial disclosures produced by companies listed on Canadian exchanges. The revised requirements were released in exposure drafts on Feb. 4. This will result in more reliable disclosures than those produced under the old Canadian audit regime but will still be without the discipline imposed by the audit opinion required by SOX Section 404 until late 2006 at the earliest. Canadian regime auditor opinions will be better than disclosure produced under the looser and less rigorous current European external auditor system but, not as reliable as a full U.S. SOX regime. Perhaps Canadian audit opinions should be assigned "Grade B" status for now, and audit opinions on financial statements produced in Europe, Australia, Asia and other countries that have no form of SOX 302/404 type regime should be "Grade C" audit opinions.
External audit standard-setters in other countries need to react.
Readers of audited financial statements need to have a better understanding of the audit process used to arrive at an opinion. If management and external auditors do not formally document, examine, test, and assess an entity’s financial disclosure control systems—if they rather continue to rely on a "catch me if you can" management regime and a relatively weaker audit planning and risk assessment process—then readers of those financial statements should be told that this is a "Grade C" audit opinion. They should also be warned that the audit failure rate of this approach has proven to be quite high. As long as users of the external audit opinions know the risks that accompany "Grade A," "Grade B" and "Grade C" financial statement audit opinions, they can decide whether to invest or not, lend or not, risk rate the return premium, and other steps.
The axiom “no pain, no gain” applies to reliable financial disclosures.
It is important that U.S. listed companies—and those in other countries that adopt similar SOX 302/404 regimes—be rewarded for the pain and effort they must endure to increase the reliability of financial statement disclosures. Those countries that want to continue under looser and less reliable governance regimes should be able to do so as long as users of financial disclosures are clearly told they are getting "Grade B," "Grade C" or worse assurance on the reliability of financial disclosures from external audit firms. An efficient market that fully understands the difference between "Grade A" financial statements and "Grade C" financial statements will do the rest.
The column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.
What did you think of this column? If you'd like to react or respond, we urge you to write a letter to the editor.
No comments yet