If I never hear the words “Sarbanes-Oxley” again, I could live the rest of my life in peace. Sarbanes-Oxley (SOX or SarbOx for short) has been around or just over five years, and it seems that no discussion of fraud or corporate governance is complete unless it has been mentioned. Are you as sick of it as I am?
I might feel a little bit differently about hearing “Sarbanes-Oxley” if I felt that the legislation has really worked. But I don’t. No offense to Mr. Sarbanes and Mr. Oxley, but SOX was a knee-jerk reaction to a big problem, and it didn’t turn out as well as it could have if the legislators had taken more time in planning it.
The legislation was implemented with a goal of protecting retail investors in public companies. It was supposed to create certain standards for the financial reporting process, and to ensure that outside auditors are truly independent and are providing quality audits. Corporate executives now must “certify” financial results, and with each signature they are personally responsible for the accuracy and completeness of the financial statements. Boards of directors are now required to have outside, independent directors, and to have a financial expert on the audit committee.
All in all, the legislation has been very costly to businesses. Quite literally, billions of dollars have been spent on SOX compliance activities in public companies. Smaller public companies have been hit even harder by the legislation, as their costs to comply are reportedly proportionately higher than the costs at larger companies.
Where did SOX go wrong? Well if you ask the individuals and firms who now making a living off Sarbanes-Oxley work, it didn’t go wrong. It’s fabulous and fraud has been reduced.
If you ask those of us who investigate fraud for a living, many of us will tell you that it really hasn’t prevented or reduced fraud. It requires a lot of paperwork, but that doesn’t reduce fraud. Fraud is prevented and reduced by substantive procedures within companies that are specifically designed to reduce fraud.
But isn’t that what SOX does? No, it’s not. SOX requires companies to document their control procedures – those things that are supposed to ensure that the financial statements are accurate and reliable. If the control procedures are deficient, management has two alternatives. They can correct those deficiencies or they can report to the world that their controls are bad.
In the real world, public companies have spent thousands of hours documenting procedures and their effectiveness. Proactive companies have decided to implement policies and procedures specifically aimed at preventing fraud, but those decisions have been largely voluntary. Many companies have done little to improve as SOX only requires big improvements.
Boards of directors have become more involved in the companies they oversee. They have become more informed on financial matters, and the audit committees have become a bit more proactive in overseeing the activities of executives. In general, there is more oversight of executives and more analysis of the financial results of companies. This, of course, is a good result (even though it could have been even better).