My friend Francine McKenna wrote yesterday on her blog, re:The Auditors, about what Sarbanes-Oxley has accomplished:
My contention is that Sarbanes-Oxley has at least raised the tone and tenor of the conversation about internal controls and about common sense, tried and true, reasonable practices for financial reporting to shareholders and other stakeholders. Sarbanes-Oxley has raised the expectations, to an appropriately high level, of corporate governance and ethical, non- self-serving behavior of corporate executives. Sarbanes-Oxley has given stakeholders the tools to bring the hammer down on irresponsible, non-responsive, fat headed, cigar chomping, belligerent, insular, seemingly untouchable “big swinging sticks.” The Tone at the Top as improved in most major corporations and their professional advisors, if not by design then by default – the fear of prosecution.
I don’t disagree with Francine. Greater awareness of fraud and a focus on internal controls, along with better governance and more diligence about the tone at the top… these are certainly good accomplishments. But they’re not nearly enough.
I’m concerned because Sarbanes-Oxley hasn’t actually reduced fraud. Isn’t that what it was all about? It was a response to the big frauds at public companies like Enron and WorldCom. According to the SEC’s statement about the legislation:
The Act mandated a number of reforms to enhance corporate responsibility, enhance financial disclosures and combat corporate and accounting fraud, and created the “Public Company Accounting Oversight Board,” also known as the PCAOB, to oversee the activities of the auditing profession.
You’re probably wondering how I know Sarbanes-Oxley hasn’t reduced fraud. Several studies have demonstrated it. Ernst & Young’s 2006 Global Fraud Survey results stated:
Since our 8th Global Fraud Survey in 2003, corporations have expended significant resources to assess and improve their internal controls. The concentrated efforts of those charged with governance, internal and external auditors, regulators, law enforcement and others, have led to considerable progress in preventing and detecting fraud. Corporations believe that they are better positioned to deter and detect fraud than ever before.
Despite this belief, there is little evidence that clearly indicates fraud has reduced. In fact, one in five of the companies that we interviewed experienced significant fraudulent activity in the past two years.
The Association of Certified Fraud Examiners 2008 Report to the Nation on Occupational Fraud and Abuse shows that controls implemented largely because of Sarbanes-Oxley simply aren’t playing a big part in detecting instances of fraud:
Despite increased focus on anti-fraud controls in the wake of Sarbanes-Oxley and mandated consideration of fraud in financial statement audits due to SAS 99, our data shows that occupational frauds are much more likely to be detected by a tip than by audits, controls or any other means. Forty-six percent of the cases in this Report were detected by tips from employees, customers, vendors, and other sources. Tips were also the most common means of detection in 2002, 2004, and 2006.
And then there is this shocking finding in the same report from the ACFE. Companies that had the controls mandated by Sarbanes-Oxley had a larger financial statement frauds, the type of fraud that the SOX legislation was aimed directly toward:
SOX-Related Controls for Financial Statement Fraud Cases
Sarbanes-Oxley was passed in response to several large financial statement fraud schemes, and, as such, the Act mandates the implementation of specific controls targeted toward preventing and detecting financial statement manipulation. Accordingly, we analyzed the impact of SOX-related controls in all reported cases of financial statement fraud in our study. We found that the presence of these controls was not correlated to a decrease in the median loss for financial statement fraud schemes; in fact, for all controls except hotlines, the converse was true. Organizations with these controls in place experienced greater fraudulent financial statement manipulations than organizations lacking these controls. Additionally, organizations that had independent audit committees and those whose management certified the financial statements actually took longer to detect the fraudulent financial misstatements than their counterparts without such controls.
I’ve long said that Sarbanes-Oxley has done little to nothing to really prevent fraud in public companies. There have been some small benefits as a result of the legislation, as Francine correctly notes, but I contend that these improvements came at too high a cost.
But what incentive is there for anyone in the auditing field to admit this? Firms are making billions of dollars in fees from Sarbanes-Oxley consulting, and so there is no good reason for them to declare SOX an utter failure.
I’ll do it for them: Sarbanes-Oxley is an utter failure. But I’ll just be waved off as a know-nothing independent consultant who doesn’t really understand how important SOX is. It’s easier to claim that I don’t know what I’m talking about, than for auditing firms to prove to the world that they have added real, measurable value to public companies with their SOX work. That’s because they can’t prove any such thing.
Thank you for speaking the truth.
The fact is that SOX is treated as just another “problem” by the vast majority of managers of publicly-held corporations. External audit firms and SOX consulting firms simply have used the law as another way of bilking clients out of enormous amounts of additional money.
There was never any real endorsement of the substance behind the legislation, rather form has been assiduously adhered to and no benefit to shareholders has been seen in most publicly-traded companies.
I left a job I loved last April, because I was being harassed by my boss for refusing to make control gaps in the company’s network security (which left the company enormously vulnerable to fraud by collusion, and customer’s financial information at high risk of being stolen) “go away” and this is the third job on which I have been in which I uncovered similar irregularities during the course of completing my SOX audit duties (I worked at both Freddie Mac and Fannie Mae, and knew that both those companies were rotten to the core by the end of July of 2006).
I am now looking for work with government, in the not-for-profit sector, or in management accounting. My experience tells me that any auditor who actually takes his job seriously and who actually believes an internal SOX audit should report what actually exists at a company risks being forced out of his job. I have found that there is no real independence of internal audit departments in most public companies, and that the people who are running those departments are in the pockets of management, completely beholden to CFO’s and Controllers for advancement of their careers, and usually members of management teams promoted into those “independent” positions. Come on, people! No one is going to turn in his/her buddy. People just don’t act that way. There’s no reward in it!
Add to that problem the fact that external audit firms, especially the Big 4 Firms, complete work that is about as shoddy as it comes and you have a guarantee for failure of Sarbanes-Oxley. It turns out that the issues I uncovered in 2007 at my last employer had been reported in the internal audit of 2005 (which had only been partially completed), but because of the arrogance of the external auditor on the engagement, and due to the failure of the contracting firm completing the internal audits in that year, no one actually understood the issues, and while they were in the company’s summary of control deficiencies, no one on the external audit side actually “got” the problem. When my former boss simply removed those items from the summary of control deficiencies for my former employer in 2006 no one noticed.
Along I come, completing good work, competently and cogently writing test procedures, work papers, and documentation of findings and all of the sudden the external auditors understand the gravity of the control gap, and start making waves about material weaknesses or inability to rely on IT controls for the company. In the end I had to resign my job, and the external auditors are most-likely earning double what they earned in 2007. My former boss has received yet another promotion (she’s now a Sr. VP of the company). I’ve been out of work since April.
Sarbanes-Oxley is a joke, unless people like the former CEO’s and CFO’s of companies like Freddie, Fannie, Bear-Stearns, etc. all go to jail for a very long time. In addition, the only way the law will actually work is for external audit firms’ relationships with their clients to be completely transformed. I’m an advocate of financial statement audits becoming the responsibility of the US Government, frankly.
Until those things happen, investing in the stock market is a crap game for the average Joe/Jill. Corporate executives will continue to report in ways that help them to pump up their compensation packages, and external auditors will rubber-stamp what those executives do, for the most part.
I believe that SOX and the PCAOB are band-aids that do not address the underlying poor state of the auditing profession, including the issue of independence. I cannot understand how a CPA Firm can be considered truly independent in either appearance or reality when that CPA Firm is hired/paid by the client. This is like a professional baseball time being allowed to hire and pay for their own umpires.
In my opinion, the CPA Firm that is hired/paid by the client is an “external”, not an “independent” auditor, and should be so designated, together with an explanation for the distinction, in an Annual Report.
Public companies could be assessed amounts that will fund audits by a governing authority – with the hiring, payment and control of the auditing firm being accomplished by that authority. This would help provide true independence and the protection of shareowner investments that should be occurring.
Richard J. Hamill, Sr.
Foundation for Audit Excellence
Pingback: Koss Corp. Fraud: Defending Grant Thornton? No. : Sequence Inc. Fraud Files Blog
Pingback: Compliance Week article: Koss Fraud Spotlights Small Filers’ Internal Control Issues : Sequence Inc. Fraud Files Blog
Pingback: Sequence Inc. Fraud Files Blog