THREE YEARS LATER: LESSONS FROM SARBANES-OXLEY
John Tepper Marlin, Ph.D.
Adjunct Professor of Business Ethics, Stern School of Business, NYU
(This article is based on remarks prepared for a Master Class on Corporate Social Responsibility and the Law to be conducted by MHCi at the Liberal Club, London, May 25, 2005)
On July 19, 2002 WorldCom became the largest company ($107 billion in assets at time of filing) ever to go bankrupt, on the heels of Enron’s bankruptcy ($63 billion in assets) in late 2001. Washington regulators and legislators got to work to teach corporate America a lesson. What was the result of their efforts?
First, based on pre-existing anti-fraud statutes, the Justice Department’s Corporate Fraud Task Force was able to obtain more than 500 corporate fraud convictions or guilty pleas from 900 defendants within two years. These convictions included more than 60 top corporate officers, including WorldCom CEO Bernard Ebbers, who will be sentenced in June 2005. Enron’s CEO goes to trial in January 2006.
Second, despite the fact that existing anti-fraud laws seemed to apply to the actions of executives that led to the bankruptcies, Congress added a new regulation, the Sarbanes-Oxley Act. With an astonishingly rapid turnaround, President Bush signed the law within two weeks of WorldCom’s bankruptcy. At his “photo op,” the puzzling words “Corporate Responsibility” were repeated many times on the backdrop to his televised appearance.
Pain is being is meted out and the public thirst for punishment is being slaked. It is time to ask: “What are the enduring lessons of Sarbanes-Oxley?”
What Sarbanes-Oxley Requires
Sarbanes-Oxley was far from an expression of Corporate Responsibility, which is a voluntary corporate effort to achieve standards higher than are required by law. On the contrary, Sarbanes-Oxley is a straightforward increase in regulation of public companies. It requires greater power for independent directors. It imposes higher standards for conflicts of interest of outside auditors. It requires greater transparency in reporting.
Two sections of the Act are the most frequently discussed:
–Section 302 requires certification by the CEO and CFO of all financial statements (already required for 10-Q reports).
–Section 404 requires a management review of internal controls, which is then audited for adequacy of controls and disclosure of any material weaknesses.
A less-noted feature of the law is a sleeper, namely the registration of auditing firms. This could be of major significance because what must be registered may be de-registered. Auditing firms are now effectively subject to accreditation by the Public Company Accounting Oversight Board (PCAOB), which is a not-for-profit corporation whose head is appointed by the SEC, which also assesses and collects the fees to support the PCAOB and reviews its budget.
The Impact of Sarbanes-Oxley
Interviews with corporate financial officers indicate that the combination of continuing publicity about prosecutions under existing anti-fraud laws and the new rules under Sarbanes-Oxley have increased the power of CFOs. Corporate managements are resigned to paying to fix weaknesses in their internal controls, and auditors are able to command higher fees to pay for the extra time they need to audit internal controls.
A benefit may be seen in a gradual return of investor confidence, as indicated by a rise in mergers and acquisitions activity in the second half of 2004.
But the costs have been great. Prosecutory zeal led to one of the five auditing firms being put out of business. Arthur Andersen has shrunk to about 200 partners after it was convicted of obstruction of justice over its work for Enron. The firm has appealed this conviction to the Supreme Court, which in April 2005 gave a hearing to the idea that the Federal prosecutors in the case overreached. Since it is difficult for new entrants to get to be big enough to do multinational audits, the loss of Arthur Andersen is serious and perhaps was unnecessary.
Meanwhile, the high costs of Sarbanes-Oxley, especially section 404, are leading to corporate grumbling about the pendulum having swung too far. The whole point of 404 was to generate more resources for internal controls, but this has led to audit fees increasing markedly. Reports of a doubling of fees over pre-2002 levels are common and one firm’s CFO reports that fees are expected to more than triple. This is especially burdensome in that audit fees represent only one-fourth of the overall cost of compliance, the largest share being company spending on bringing internal controls into compliance. The aggregate cost of compliance with Sarbanes-Oxley in 2004 has been estimated by AMR Research at $5.5 billion.
On the other hand, this cost is tiny when compared with the loss of shareholder value from companies where fraud has been found. A substantial fraction of the $170 billion in the combined assets of Enron and WorldCom (at the time they filed for Chapter 11 relief) was destroyed. Something had to be done to restore confidence in the U.S. capital markets.
Companies distressed by higher audit fees have nowhere to turn if they are unwilling to hire a second-tier auditing firm like Grant Thornton LLP or BBO Seidman LLP or Eisner LLP—which is an option unlikely to appeal to companies with revenues of $1 billion or more. The Big Four firms, overwhelmed by the workload, in 2004 resigned from auditing 210 public companies, an increase from 152 in 2003 and 78 in 2002.
Implications for Non-US based Companies
The negative impact of Sarbanes-Oxley is most serious for small companies and foreign companies traded in the United States. They have been given an extra year to comply but even so the initial burden can be considerable. The cost of being public for a company with under $1 billion revenues increased 130 percent between 2001 and 2003, to more than $2 million, according to the law firm Foley & Lardner, and this estimate may be low based on May 2005 discussions with CFOs of some small companies. The increased cost can be a double-digit percentage of profits for companies with under $200 million in revenues, prompting thoughts of delisting.
For foreign companies the extra requirements for being listed in the United States come as a surprise and the costs are unwelcome. Overseas antipathy toward Sarbanes-Oxley is not only a matter of the expense. Perhaps more irksome is the fact that the new requirements are the result of problems that originated in the United States and that overseas companies are now required to comply with at least two different sets of regulations, one of them being an intrusion into their operations by a foreign Congress. A question for smaller listed companies, is whether the price of access to U.S. capital is too high.
In the swirl of controversy over Sarbanes-Oxley, what long-term lessons are emerging? The following three lessons show that there is some cross over between the new law and Corporate Responsibility.
1. Avoid becoming the weakest link
The first lesson is not to be the weakest link. Arthur Andersen had the weakest controls over its offices of the Big Five auditing firms. When the hue and cry arose about the two largest bankruptcies in history, and both were found to have been engaged in fraud (in Enron’s case sophisticated fraud, in WorldCom’s case elementary fraudulent booking of expenses to the tune of $3.8 billion), and then they were found to be audited by the same firm, it was natural for fingers to be pointed toward Arthur Andersen, which appeared to be the common denominator.
When the constabulary comes on the scene of public outrage, the natural urge is to placate the crowd with swift justice. The prosecution of Arthur Andersen may in retrospect have been overzealous, as the Supreme Court now with hindsight seems to be thinking. But any kind of pardon now would be too late; the hangman has done his work.
Moral: A program of Corporate Responsibility is one way to make sure your company is not the weakest link in the corporate chain.
2. Peer review doesn’t bite
Auditing firms were not accredited before Sarbanes-Oxley. Individual auditors qualified for the CPA designation but auditing firms themselves were subject only to peer review. Arthur Andersen had just been peer-reviewed in 2001. The reason that peer review by itself doesn’t work—especially when the peer group is (or was) just five firms—is that peer reviewers quickly understand that the Nash Equilibrium in this game is a clean opinion for all members of the group. It does not pay to be an harsh peer reviewer because when the tables are turned, the biter will be bit.
Even internally, within Arthur Andersen, peer review didn’t work. Houston was the weak link of the Andersen offices but didn’t think it had to listen to concerns from other offices of the company.
Moral: If you want high standards, don’t rely on peers to self-enforce. Just as idiosyncratic corporate Codes of Conduct provide no assurance to stakeholders about actual corporate behavior, peer reviews are unreliable. Third-party reviews against agreed-on standards are essential.
3. Certifiers require licensing, auditors need accreditation
The problem with the external audits of the auditors themselves is that accountability was lacking:
–Incentives were perverse, i.e., they were biased toward self-protection, not compliance.
–Peer reviews did not generate the threat of loss of license for firms that were not complying with generally accepted auditing standards.
For the first time now, auditing firms are subject to registration by an outside body, the PCAOB, which can “de-register” firms. The PCAOB is therefore now a de facto accreditation body, with all of the clout of the SEC behind it.
Accreditation bites, as universities have found. This has also been the direction of the Corporate Social Responsibility movement, as factories and farms are being certified to higher standards and the certifiers face loss of their license to certify (de-accreditation) if their certification standards are found to have been dropping to unacceptable levels.
So we can now make sense of the puzzling slogan behind President Bush when he signed the Sarbanes-Oxley Act three years ago. He was following the example of the Corporate Responsibility movement, which has been steadily moving in the direction of accredited certification. The President was creating a Government accreditation body for auditors.
Moral: The watchdogs must be watched and their license to be watchdogs must be revocable. Certifiers must be accredited.
If you would like to sign up to receive our Monthly Feature on a regular basis: