SARBANES-OXLEY: 14 YEARS ON
The Sarbanes-Oxley Act was introduced in 2002 in the US to provide assurance about the accuracy and completeness of financial statements in the wake of a variety of accounting scandals involving Enron and Arthur Andersen, among others. The intention was to provide investors and shareholders with confidence in a company’s financial reporting.
The initial introduction of the rules for companies registered with the Securities and Exchange Commission (SEC) in the US was significantly more onerous than anything prescribed before, with the bar being raised on ensuring key controls were in place and could be supported by evidence for all processes impacting financial statements. It also placed criminal liability on company directors, prompting them to ensure that appropriate control environments were maintained.
The regulation sent SEC-registered companies racing to their external consultants for advice on how to upgrade their financial-control procedures while recruiting heavily for newly created internal control departments. Being one of the first major internal-controls regulations that put criminal liability on directors, it clearly focused their minds.
Initial implementation focused on quality rather than quantity, as regulators and companies grappled with what the regulation meant and how much evidence and control was required. Companies preferred to ensure that they over- rather than under-complied.
However, after a few years companies became smarter, and regulators started to appreciate that vast amounts of control documentation and evidence did not necessarily lead to better control environments. The focus was increasingly put on a risk-based approach to assurance. Companies were asked to properly scope the processes that fed into their financial statements and identify which areas were the most risky in terms of financial misstatement and fraud. Processes that were complex, areas in which judgement was used and manual processes that were open to human error were seen as focal points to which companies and auditors paid the most attention in order to ensure that their control environments were robust.
This allowed a more efficient and streamlined approach that focused on areas of real risk rather than a catch-all approach. The acceptance that Sarbanes-Oxley was here to stay allowed its internal control environments to become the norm within global organisations, particularly US-listed ones.
Now in 2016, what is the state of play? Has Sarbanes-Oxley been a success?
There have been many corporate failures since the Enron and Arthur Andersen debacles and the introduction of Sarbanes-Oxley, and many have pointed out that this is another failure of internal controls within major corporations. However, it must be remembered that Sarbanes-Oxley had a very focused remit; it was designed to ensure that the financial statements that companies registered with the SEC were materially correct. This has largely been successful. Major corporate accounting scandals involving large organisations have been relatively limited. That is not to say that there haven’t been many other corporate-governance issues that have had a significant impact on companies, the global financial crisis (GFC) being the prime example!
However, the crimes that were committed by large corporations in later scenarios were never meant to be identified by Sarbanes-Oxley regulation. Other compliance regulations have been introduced with increasing regularity to counter the grey areas and unfair practices, and to mitigate risks to the wider economy, shareholders and customers from corporate malpractice.
The world has, however, moved on in understanding how to ensure corporate compliance. Sarbanes-Oxley is quite prescriptive in terms of the approach that should be taken to ensure that financial statements are materially correct, and many subsequent assurance and compliance regimes have taken similar approaches. Yet as a whole, prescriptive approaches are like trying to catch a stream of water with a sieve. They are focused on specific issues or areas, an approach that, while closing one loophole or malpractice, allows management to find other ways of bending the rules or operating in grey areas to improve their profit margins.
This has been recognised by regulators around the world, and regulation is now far more focused on culture and management accountability than on prescriptive control measures. Although these are still important, if you can embed within a company’s culture that employees should do the right thing, treat customers fairly and not take short cuts, this is a far more effective tool than putting prescriptive measures around specific issues.
Company managers, if they put their minds to it, are far more effective at understanding and controlling their businesses than regulators are. When they regard controlling their businesses and acting with integrity as priorities, financial scandals are far less likely to happen. Without this, there will always be white rabbits who “pop out of the hat” in areas previously unregulated.
In summary, Sarbanes-Oxley has given far more rigour to companies in establishing robust internal-control frameworks for financial reporting, and subsequent accounting scandals have been limited in large organisations. Yet the focus is now on ensuring that companies operate within a culture, set by senior management, of good corporate governance and being a model corporate citizen. This is the way forward and will hopefully limit future corporate malpractices. However, there will always be a white rabbit in the hat!