Saturday, December 02, 2006

Reforming the Reform: Sarbanes-Oxley Edition

On reread, this is an excruciatingly boring post.

Tigerhawk, who has been weirdly diligent in addressing the shortcomings and opportunity costs of SOX, notes that some Democrats (who are probably concentrated in NY and Conn.) are looking to reform the notoriously expensive SOX. The costs are so high that they're probably driving corporations to list their stock on foreign exchanges, the most popular of which is the London Exchange.

Cutting to the chase: the first problem SOX was aimed at is management malfeasance, and to correct that, the law requires the CEO and CFO to personally vouch for the statements of financial position. Further, it creates civil and criminal liability for wrongly certifying certain statements about compliance with regulation. While there is a mens rea requirement (the false certification must be knowing or willful), even the risk of being unsuccessfully prosecuted is risk enough to register in a jurisdiction where, other things being equal, one doesn't assume that risk.

The real meat of SOX, though, is in section 404 of the law, which requires extensive testing of internal controls (internal controls are those procedures that aim at preventing error or fraud. An example would be managerial oversight of the person actually cutting the checks). This section is extraordinarily expensive and, as my colleagues tell me, also extraordinarily boring for the auditor. This is where I think SOX misses the boat. As I see it, the real problem that SOX should have aimed at isn't the dearth of internal control testing; in fact, an audit of entities that aren't covered by SOX generally has enough testing of internal controls to attest to the adequacy of internal controls. Section 404, then, provides a series of diminishing returns.

Instead, the real problem, in addition to executive malfeasance, is the cozy relationship between auditing firms and their clients. It's basic common sense that a firm has fairly strong incentives to avoid irking its clients, and this is exactly what caused Arthur Andersen to pass on correcting Enron's wildly dishonest accounting.

So how do we remedy this deleterious coziness?

One suggestion that's frequently floated is to require corporations to regularly rotate auditing firms. If you know you're not going to have a corp as a client in a few years, there's less reason to hide any shenanigans that may be found. But is that right? Well, it might be if not for the little fact that corporations share information with one another, and an auditing firm will have an incentive to create a "business-friendly" reputation. This is exacerbated by the fact that there are only a handful of auditing firms with the size and sophistication to audit corps that are big enough to be publicly traded. That means that the rotation is so small that a corp will inevitably end up with the same auditing firms over and over. In that environment with such fierce competition, a business-friendly reputation is of paramount importance.

What's SOX's answer? It created a quasi-governmental entity, the PCAOB, to oversee auditing firms. One of its more important roles is to, in effect, audit the auditors by reviewing the audit workpapers, the primary work product that forms the basis of the auditor's conclusions that the financial matters are accurately disclosed.

Here's where auditor sloppiness (if not abetting of fraud) comes into play. It can be very easy for an auditing firm to just say that it tested items thoroughly even if it didn't (this was a problem with Arthur Andersen's audits of Enron, for instance). If a firm did that, the PCAOB would be none the wiser after looking through the audit workpapers. Fixing that problem is simple: require auditing firms to provide evidence that they tested what they say they tested (if I say that a sample of checks were correctly written, to document that, I'd actually stick copies of those checks into the workpapers). This would enable the PCAOB to, in effect, reaudit the corporation - this should enhance both the integrity of the corporation and the auditing firm by adding transparency to the relationship between the two.

Do this, eliminate Section 404 internal control testing, and the rest takes care of itself.