Saturday, August 26, 2006

Sarbanes-Oxley and optimal regulation

The Sarbanes-Oxley Act of 2002 was passed in the wake of the Enron and WorldCom scandals and has proven to be the most significant reform of U.S. securities laws since the first federal securities laws were passed in the 1930s. If there is any section of this law that is most loathed (and every section is loathed by somebody), it is Section 404. The law itself is relatively innocuous:


(a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall—(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

(b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

Boiled down, the real objection is to paragraph (b). Since passage of the Foreign Corrupt Practices Act in the late 1970s, publicly traded companies have always been supposed to have a system of internal controls. And, from an investor’s perspective, who wants to invest in a company that doesn’t have some way of telling where and how it is spending its money? Prior to Sarbanes-Oxley, companies would voluntarily pay management consulting firms millions of dollars in fees to develop better systems for sourcing and supplier management to track how corporate funds are spent and to identify ways this money might be wasted.

So what’s the problem with (b)? It’s the testing that auditors now require in order for them to attest to management’s assessment of its internal controls. Arguably, it doesn’t require anything that audit firms shouldn’t have been doing anyway. After all, if an auditor doesn’t test management’s assessment, what does it do? Check management’s math?

But in reality, after Arthur Andersen’s collapse, Section 404 is both a threat and a promise to auditors, and one that has gotten out of hand. Section 404’s threat is obvious. Public companies in the United States are the ultimate example of what Adolf Berle and Gardiner Means in the 1930s first called "the separation of ownership from management." Shareholders of a large public company may "own" it, but they don't run it or control most of its decisions. Accordingly, there is a very real risk that the managers of these companies will run off with what Justice Louis Brandeis once called "other people's money." The independent public auditor is designed to keep this from happening. Theoretically, at least, the auditor works for the shareholders and confirms that the books management keeps about how the company is performing are up to snuff.

But you can see the problem. If the auditor attests to management’s controls and a meltdown occurs, the auditor is in trouble. On the other hand, auditing, traditionally, has been a low-margin industry—which is one of the reasons that audit firms dived so deeply into the type of management consulting that led to the conflicts of interest that brought down Andersen. Section 404 reverses this. Auditing now makes money, particularly if you can force an issuer to pay for all sorts of internal controls testing before you give over the vital attestation.

Partly to blame for all this is the Public Company Accounting Oversight Board. The PCAOB, formed out of the Sarbanes-Oxley Act, takes seriously its mandate to oversee and regulate the auditing industry. So seriously that its rules relating to Section 404 are unforgiving. It initially required audit firms to test an issuer’s controls for any expenditures over $6000. That means a company that spends billions of dollars each year on inventory pretty much needs to hold on to every receipt for more than $6000 if it wants to pass the sniff test with auditors. Actually, this sounds like good policy, but probably not the kind of thing we want chief financial officers to be directly involved in.

Further, the PCAOB refused to take hints to lighten up on this from the Securities and Exchange Commission, which has oversight authority over it. (It is a widely known secret that there is considerable tension between the SEC and PCAOB, aggravated to a considerable degree by the PCAOB’s previous chairman, Bill McDonough. Rumor has it that when SEC staff first broached the issue of SEC inspections of the PCAOB’s operations—a requirement of the Sarbanes-Oxley Act—McDonough stormed out of the meeting in a fit.)

The PCAOB has since offered some additional guidance on how audit firms should test an issuer’s internal controls, but it has not gone as far as many would like. Which brings up an interesting question: Obviously, in a costless world, investors would prefer that issuers have internal controls that track every single dollar of expenditures. For a company of any size, though, clearly this is impossible, or at least extremely costly. (Can you account for every single dollar you spend?) At the other extreme, a company of any size that loses track of millions of dollars is ripe both for fraud and for the bankruptcy courts. The question is, where does the value to the investor in robust controls exceed the cost to the company (and, accordingly, the investor) of those controls? Is this the kind of question that is company-dependent? And if it is, what does this mean for audit firms, since those who probably have the most information about the true costs of these controls (management) also have the most incentive to see that those controls are less adequate than might be economically most efficient?
