Checking on Sarbanes-Oxley
Immediately after Enron and other corporate scandals broke, the public pushed for more accountability at the top. Congress responded with the Sarbanes-Oxley Act of 2002 (SOX). The legislation established stringent reporting requirements for public companies doing business in the United States, which are regulated by the Securities and Exchange Commission.
Investor groups welcomed the changes, but businesses have called them too costly to implement. Now companies are pushing for a narrower definition of “material weaknesses” in controls and the repeal of SOX provisions such as Section 404, which mandates independent opinions by auditors on management’s assessment of internal controls.
The high cost of SOX regulations is getting a lot of press. Reports of expenditures per company range from hundreds of thousands to millions of dollars, depending on the size of the enterprise. But WorldCom’s fraud alone is estimated to be in the range of $9 billion to $11 billion. So it’s fair to ask: What about the vulnerability to fraud that SOX was intended to reduce? Is SOX compliance likely to pay dividends, and might costs decline?
What’s not being reported in the many stories about SOX are the significant benefits beginning to accrue to business and shareholders, say experts in corporate fraud.
After an April roundtable at which business leaders discussed the act with the SEC, now-former SEC Chairman William H. Donaldson reported that “many companies have experienced benefits and improvements to their internal controls as a result of implementing these requirements,” and the heightened focus on internal controls is bound to boost the quality of financial statements, transparency, and investor confidence.
“Companies I deal with are finding great rewards” by identifying fraud through SOX regulations, says Andy Wilson, CPP, a Memphis-based fraud expert and member of the ASIS International Economic Crime Council.
Compliance has been costly in part because companies may be overdoing antifraud measures, says Toby Bishop, president of the Association of Certified Fraud Examiners (ACFE). Since SOX doesn’t prescribe specific controls, companies are taking a very broad approach to applying controls, he says.
Bishop points out that ACFE studies show that reporting mechanisms such as hotlines and a “values-based code of conduct supported by management” detect the vast majority of fraud cases. Putting more attention on these areas would make fraud detection more efficient, he says.
Wilson agrees, noting that the companies that have found SOX compliance far too costly have probably implemented measures that went well beyond the letter of the law. Part of the problem is that some consultants and suppliers have intentionally interpreted the rule broadly to help sell products and services.
Despite complaints about the cost of SOX compliance, it would be a mistake to roll back its provisions now, says Howard Silverstone, a director of Forensic Resolutions Inc., Marlton, New Jersey. Retreating from SOX without a comprehensive analysis of its effect would send a “bad message,” he states.
“If you roll back just one or two controls, it could be devastating, because people would lapse into a false sense of security” that fraud was under control.