"Improved controls are not by themselves an end goal," notes Mark Plichta, a partner in the corporate governance practice of law firm Foley & Lardner (and a CPA).
As we celebrate the 10th birthday (or did at the end of July ... or, more likely, didn't at all) of Sarbanes-Oxley, one of my wishes for finance, risk and compliance professionals is to keep Plichta's point in mind during the next decade.
Aside from all of its plusses and minuses, Sarbanes-Oxley represents a set of business regulations that gave rise to a compliance industry. (No matter how vehemently SOX critics argue that the rules hampered business, SOX helps boost the bottom line of many, many software and services companies.) Compliance is not a productive end goal; it's a necessity, an ongoing exercise designed to enable much more productive goals, such as investor confidence and risk-taking.
I caught up with Plichta to reflect on SOX's impacts and to get a read on the extent to which companies have moved beyond treating compliance as an end goal.
Eric Krell: Aside from the initial confusion followed by the taxing nature of early compliance efforts, what are a few ways Section 404 of Sarbanes-Oxley has affected -- both positively and negatively -- publicly listed companies in the past decade?
Mark Plichta: There are certainly still significant ongoing costs to Section 404(a) (company assessment) and Section 404(b) (auditor attestation) compliance, even if those costs are less than the costs of the initial compliance efforts. Looking beyond cost, a recurring theme of Sarbanes-Oxley is policies and procedures and their documentation, and that is certainly the case for Section 404 compliance.
It is likely that all public companies had to establish new policies and procedures and document existing or new policies and procedures to comply with 404. Some of these improvements were to basic controls like account reconciliations or better segregation of duties (SoD). Other improvements were to information technology (IT) systems and controls embedded therein, an area where great strides have been made in the last decade.
Finally, beyond actual control improvements, some companies experienced intangible improvements as a result of Section 404, such as better awareness of internal controls and a better internal control environment. But improved controls are not by themselves an end goal.
Rigorously identifying, isolating and quantifying the benefits of Section 404 compliance is a complex task, and it is not clear that these benefits outweigh the costs. Some public companies have enjoyed substantial improvement in internal controls that may have prevented a material misstatement in their financial statements. A smaller group of companies have enjoyed enhancements in IT or other controls as a result of Section 404 that resulted in management having access to better data and therefore better managing the company.
More importantly to companies generally, several surveys of executives conducted after 404 was implemented found that executives believed that Section 404 increased investor confidence in the years following the implementation of Sarbanes-Oxley, although one can't help but wonder if increased investor confidence was really due to Section 404 or to the typical cycle of decline and resurgence in investor confidence following significant market declines and/or financial scandal.
Also, many public companies already had strong internal controls before Sarbanes-Oxley. These companies have experienced Section 404 as an exercise in documentation and marginal improvements to internal controls. For these companies, the real benefits of Section 404 are relatively small, especially compared to the costs.
Krell: The Public Company Accounting Oversight Board (PCAOB), created by Sarbanes-Oxley, was supposed to bring a much more rigorous level of oversight to the work of external auditors. What sort of impact has the PCAOB's work in recent years had on companies?
Plichta: The PCAOB's impact has continued to increase over the last decade. Following the creation of the PCAOB, for the first time in the United States there is a systematic system beyond peer review for reviewing and monitoring the quality of public accounting firms and their work. However, there are anecdotal concerns that as a result of this review and monitoring, auditors are auditing with an eye to the PCAOB and its review rather than attempting to conduct quality, efficient audits. While in many cases these two goals are aligned, that is not necessarily the case. Further, such concerns beg the question of the appropriate relationship between public accounting firms and the agency or agencies overseeing such firms.
In addition, the PCAOB's recent consideration of rules regarding mandatory audit firm rotation raises important issues and has engendered much debate. Of course, there would be significant costs and other practical issues as a result of mandatory audit firm rotation. The proposal also raises an important corporate governance issue. Currently the audit committee of a public company has authority for, and is responsible for, selecting, retaining and terminating the company's registered public accounting firm. Mandatory audit firm rotation would in the minds of some erode the audit committee's authority to select, retain and terminate such firms.
Krell: Are there any other less prominent provisions (compared to Section 404) of the Sarbanes-Oxley Act that have had a significant influence on financial reporting and investor confidence?
Plichta: One enhancement that has had an impact that surprised me is the requirement that certifications of the principal executive officer and principal financial officer must be filed by companies as a result of Sarbanes-Oxley. Even prior to Sarbanes-Oxley, a company's principal executive officer and principal financial officer had to sign the company's annual reports on Form 10-K, and typically at least one of them signed the company's quarterly reports on Form 10-Q. Yet the certification requirement focused the attention of the officers on their responsibilities for the contents of those periodic reports, including the financial statements in particular, in a way that signing the reports themselves had not.
Sub-certifications by other officers and employees and other procedures sprang up to allow the officers to sign the certifications. Further, some studies concluded that the certifications had a positive effect on investor confidence.