On July 30, there will be an important anniversary for the world of compliance. It was 15 years ago, following massive accounting scandals and corporate culture free-falls at Enron and WorldCom, that Congress enacted the Sarbanes-Oxley Act.
SOX required corporations' annual financial reports to include an Internal Control Report. It created the Public Company Accounting Oversight Board, and made it a crime to destroy records to hide illicit behavior. The law also imposed criminal penalties for certifying misleading or fraudulent financial reports.
Amid recent talk by both Congress and the Securities and Exchange Commission about encouraging capital formation and helping more companies go public, the SOX birthday party means it is once again under a microscope. Critics of corporate compliance burdens are extending efforts to scale back demands of the Dodd-Frank Act to the foundational legislation.
Amid all this is a baseline question: After a decade-and-a-half, is SOX working? The answer, much like SOX itself, is a bit more complicated than it might at first appear.
“There has definitely been an improvement in the issues around ethics and compliance,” says Don Fancher, a principal with Deloitte Financial Advisory Services. “I also think there is a lot more awareness amongst employees and third parties that these issues are important. Sarbanes-Oxley does get a certain amount of the credit for bringing that to bear.”
In time for the SOX anniversary, Deloitte has published new survey data on global corporate ethical behavior and compliance.
More than half (52.4 percent) of C-suite and other executives say global corporate ethical behavior has improved since the enactment of SOX in July 2002, according to a recent Deloitte poll. Yet, challenges remain as only 41.3 percent of execs say their organizations' global ethics cultures are strong.
Executives say the biggest challenges to employees complying with global ethics programs include inconsistency of clear, concise, and frequent ethics program communications and training for all employees (28.5 percent); a lack of incentives for ethical behavior and repercussions for unethical behavior (16.3 percent); varied ethical postures of third parties with whom employees regularly interact (14.8 percent); and differing ethical standards for various employee groups (12.5 percent).
The results also reveal that only 32.5 percent of the C-suite and other executives who were polled are “highly confident” their organizations’ employees will report unethical behavior.
“As we've seen for decades, no organization is immune to unethical behavior,” Fancher says. “But, the field of ethics compliance is evolving as professionals' skillsets, technologies to help hone and monitor programs, and multi-jurisdictional regulator coordination all improve. Now is a great time for global organizations to take a hard look at modernizing their ethical compliance programs—particularly for those relying heavily on employees to report misconduct.”
The Deloitte report includes questions to ask of global ethics programs:
Do all leaders support the program?
Is the whistleblower hotline or speak-up line evolving?
Are employees surveyed to gauge ethics culture?
Is third-party due diligence conducted annually at minimum?
“There is definitely more that can be done or that should be done, but things are certainly better today than they were 15 years ago,” Fancher adds. “There is still the need to modernize compliance programs.”
That modernization, he says, needs to focus on culture risk within the organization.
“There is always going to be culture risk, but what are you doing to identify the hotspots for those areas of risk? Obviously, you need an active hotline. You need to have tone at the top in the organization that promotes the use of that speak-up line and really encourages employees and third parties to use it,” Fancher says. “You also need to incorporate better and stronger analytics and technology to really assess the data that is coming back.”
“The more you promote a helpline, the more active it is,” he adds. “You need cognitive capabilities to segregate and parse out that data into what matters and what doesn’t, getting rid of the false positives so you can really focus on the important data, dive down into it, understand it, and really mitigate the risks.”
New, anniversary-driven research from Protiviti finds that time devoted to SOX compliance activities increased for a majority of organizations, and for two-thirds of these companies, hours increased markedly, underscoring that compliance remains a key focus area of operations.
The study, conducted by the global consulting firm, polled more than 450 chief audit executives, and internal audit/finance leaders and professionals at U.S. listed public companies. It explores the impact of SOX on businesses and how they are dealing with the law in terms of regulatory compliance.
The key takeaway from the study is that the hours required for SOX compliance continue to go up for companies of all sizes. Meanwhile, responding to the continuing compliance burden, Republicans in Congress have initiated efforts to reconsider SOX.
In June, a subcommittee of the House Financial Services Committee held a hearing entitled “The Cost of Being a Public Company in Light of Sarbanes-Oxley and the Federalization of Corporate Governance.”
The hearing examined the benefits, as well as the costs and burdens, realized by public companies. It was also a stated prelude “for considering legislative proposals to promote capital formation and ease unnecessary regulatory burdens faced by U.S. public companies.”
Tom Farley, president of the New York Stock Exchange, testified that Congress should do away with the audit of internal control for all public companies.
“That’s something that exists today under the Jobs Act for emerging growth companies, and we’re suggesting let’s extend that to all companies,” he said.
In addition, Congress should “narrow the definition of internal control” under Sarbanes-Oxley to reduce the scope of the reporting requirements on public companies, he said. The PCAOB, in his opinion, should not pass any new rules or regulations that could in any way burden public companies.
“Public companies must meet significantly more complex regulatory requirements than their private counterparts, both during the IPO process and after a company goes public,” Farley said. “While NYSE applauds smart regulation to ensure the protection of issuers and their investors, we also believe in a regulatory environment that supports a healthy, robust pipeline of companies that seek to become and remain public, which in turn will benefit job growth all across the nation.”
The NYSE, he added, “supports the stated goal of SOX to foster the accuracy of financial reporting.” That doesn’t mean, however, that SOX is above review itself.
“Compliance with SOX Section 404, specifically, has proven to be a significant hurdle,” Farley said. “Designing, implementing, and maintaining complex systems required to satisfy SOX’s internal controls over financial reporting requirements can command millions of dollars in outside consultant, legal, and auditing fees, in addition to other internal costs.”
“Public companies are devoting more time and resources than ever to grapple with administrative procedures and controls mandated by SOX Section 404, which disproportionately affect small and midsize companies,” he added.
Thomas Quaadman, executive vice president of the U.S. Chamber of Commerce’s Center for Capital Markets Competitiveness, struck a similar note.
“The mandate in the law’s Section 404 to audit ‘internal controls,’ as interpreted broadly by the PCAOB, remains a major concern for nearly every company considering going public on U.S. stock exchanges,” he said. “SOX, as the law is colloquially known, has caused auditing costs to double, triple, and even quadruple for many firms… Nearly every S-1 that I have read makes prominent mention of the costs Sarbanes-Oxley imposes on companies seeking to go public.”
“The trivial minutiae that Section 404 requires companies and their accountants to document—at high cost—has done little to prevent massive mismanagement or outright fraud at troubled firms,” he added. “Companies fully subject to SOX rules, such as Countrywide Financial and Lehman Brothers, still published misleading financial reports and imploded in scandal during the financial crisis—which occurred five years after the law was enacted.”