My friend Francine McKenna wrote yesterday on her blog, re:The Auditors, about what Sarbanes-Oxley has accomplished:
My contention is that Sarbanes-Oxley has at least raised the tone and tenor of the conversation about internal controls and about common sense, tried and true, reasonable practices for financial reporting to shareholders and other stakeholders. Sarbanes-Oxley has raised the expectations, to an appropriately high level, of corporate governance and ethical, non- self-serving behavior of corporate executives. Sarbanes-Oxley has given stakeholders the tools to bring the hammer down on irresponsible, non-responsive, fat headed, cigar chomping, belligerent, insular, seemingly untouchable “big swinging sticks.” The Tone at the Top as improved in most major corporations and their professional advisors, if not by design then by default – the fear of prosecution.
I don’t disagree with Francine. Greater awareness of fraud and a focus on internal controls, along with better governance and more diligence about the tone at the top… these are certainly good accomplishments. But they’re not nearly enough.
I’m concerned because Sarbanes-Oxley hasn’t actually reduced fraud. Isn’t that what it was all about? It was a response to the big frauds at public companies like Enron and WorldCom. According to the SEC’s statement about the legislation:
The Act mandated a number of reforms to enhance corporate responsibility, enhance financial disclosures and combat corporate and accounting fraud, and created the “Public Company Accounting Oversight Board,” also known as the PCAOB, to oversee the activities of the auditing profession.
You’re probably wondering how I know Sarbanes-Oxley hasn’t reduced fraud. Several studies have demonstrated it. Ernst & Young’s 2006 Global Fraud Survey results stated:
Since our 8th Global Fraud Survey in 2003, corporations have expended significant resources to assess and improve their internal controls. The concentrated efforts of those charged with governance, internal and external auditors, regulators, law enforcement and others, have led to considerable progress in preventing and detecting fraud. Corporations believe that they are better positioned to deter and detect fraud than ever before.
Despite this belief, there is little evidence that clearly indicates fraud has reduced. In fact, one in five of the companies that we interviewed experienced significant fraudulent activity in the past two years.
The Association of Certified Fraud Examiners 2008 Report to the Nation on Occupational Fraud and Abuse shows that controls implemented largely because of Sarbanes-Oxley simply aren’t playing a big part in detecting instances of fraud:
Despite increased focus on anti-fraud controls in the wake of Sarbanes-Oxley and mandated consideration of fraud in financial statement audits due to SAS 99, our data shows that occupational frauds are much more likely to be detected by a tip than by audits, controls or any other means. Forty-six percent of the cases in this Report were detected by tips from employees, customers, vendors, and other sources. Tips were also the most common means of detection in 2002, 2004, and 2006.
And then there is this shocking finding in the same report from the ACFE. Companies that had the controls mandated by Sarbanes-Oxley had a larger financial statement frauds, the type of fraud that the SOX legislation was aimed directly toward:
SOX-Related Controls for Financial Statement Fraud Cases
Sarbanes-Oxley was passed in response to several large financial statement fraud schemes, and, as such, the Act mandates the implementation of specific controls targeted toward preventing and detecting financial statement manipulation. Accordingly, we analyzed the impact of SOX-related controls in all reported cases of financial statement fraud in our study. We found that the presence of these controls was not correlated to a decrease in the median loss for financial statement fraud schemes; in fact, for all controls except hotlines, the converse was true. Organizations with these controls in place experienced greater fraudulent financial statement manipulations than organizations lacking these controls. Additionally, organizations that had independent audit committees and those whose management certified the financial statements actually took longer to detect the fraudulent financial misstatements than their counterparts without such controls.
I’ve long said that Sarbanes-Oxley has done little to nothing to really prevent fraud in public companies. There have been some small benefits as a result of the legislation, as Francine correctly notes, but I contend that these improvements came at too high a cost.
But what incentive is there for anyone in the auditing field to admit this? Firms are making billions of dollars in fees from Sarbanes-Oxley consulting, and so there is no good reason for them to declare SOX an utter failure.
I’ll do it for them: Sarbanes-Oxley is an utter failure. But I’ll just be waved off as a know-nothing independent consultant who doesn’t really understand how important SOX is. It’s easier to claim that I don’t know what I’m talking about, than for auditing firms to prove to the world that they have added real, measurable value to public companies with their SOX work. That’s because they can’t prove any such thing.