With all the talk about fraud in the last several years, you would think that companies are doing whatever they can to prevent fraud by employees, right? Think again. The number of companies that have radically increased their fraud prevention policies and procedures has not increased significantly since 2001 and 2002, the years in which fraud came to the forefront.
What about Sarbanes-Oxley? If you’re like many accountants, executives, and attorneys, you’re sick of hearing the words Sarbanes-Oxley. It goes by other names such as Sarbox and SOX, and these terms are equally worn out. Sarbanes-Oxley was the legislation that was to restore faith in the integrity of corporations and executives.
There are several schools of thought about what Sarbanes-Oxley has really done for investors and other users of financial statements. Sarbanes-Oxley supporters cite numerous improvements in companies since the legislation was enacted. Some professionals believe that any improvement in corporate governance is a good thing, and justifies the existence of the legislation.
Others feel that improvements have been made, but at too great a monetary cost. Still others believe that fraud is something that can’t really be regulated away, and a different solution is in order. Finally, there are those who believe that the legislation is largely without benefit while it places a tremendous burden on companies.
Results of Legislation
While new accounting regulations like Sarbanes-Oxley have forced companies to take a harder look at their controls over financial data, this has not created a significant fraud prevention effect. At the end of the day, Sarbanes-Oxley requires little substantive improvement in the way companies record and report financial information.
The process of complying with the legislation largely involves the documentation of procedures used within companies. However, improvements to internal controls weren’t mandated, so some companies made no enhancements to their control procedures.
The work mandated by such regulations has really created a paperwork exercise for companies. They have reams and reams of paper that document what and how the company does in regards to financial data and operations.
Yet that documentation itself doesn’t prevent fraud.
So if the regulations haven’t been effective in preventing fraud, then what was the point? I think, in many respects, Sarbanes-Oxley was feel-good legislation.
Investors and users of financial statements needed something to make them feel better after the big corporate frauds became public. It made sense that the government should step in and require companies to do something to fight the financial statement frauds committed by executives like those at WorldCom, Enron, and Tyco.
Yet in the rush to come up with something that would placate investors and the public at large, the legislation may lack the impact for which everyone was hoping. Instead of requiring companies to proactively prevent and detect fraud, the legislation largely requires just detailed documentation of procedures.
Along the way, Sarbanes-Oxley has cost companies hundreds of millions of dollars annually to implement. One estimate cited a total cost of more than $1 trillion to date. While this has been a coup for consultants, who helped with compliance, what value did it really add for the shareholders and other corporate stakeholders?
Although there may have been some value derived from the exercise, was it worth that total cost? The cost to maintain the Sarbanes-Oxley documentation from year-to-year should be significantly lower than the initial cost to comply, yet overall there has been a very significant cost to corporations.
While the legislation required little substantive changes to the way companies do business, proactive companies can find benefit from the work done to comply with Sarbanes-Oxley. Some companies have used this opportunity to improve their basic internal controls including enhancements to reconciliations and greater segregation of duties. Information security enhancements may also be made as executives are made aware of vulnerabilities.
Some companies have taken advantage of the opportunity to voluntarily improve period-end closing procedures and formalize the related accounting processes. The documentation required by Sarbanes-Oxley caused companies to evaluate some of these procedures and determine that more standardized procedures should exist.
Greater importance has been placed on the internal audit function of some corporations. The internal auditors are becoming a stronger presence in terms of auditing a company’s risks and controls, and their work is seen as adding more value to the organizations.
The board of directors, and the audit committee in particular, has begun to play a much more active role in many companies. The board is becoming more engaged in company activities, especially in the area of controls and governance.
While proactive fraud prevention efforts were not required, some companies elected to work on this area. As mentioned previously, the number of companies who significantly engaged in this type of work was small. However, those companies that did take advantage of the opportunity to improve anti-fraud processes are surely better off.
The Future of Regulation
While Sarbanes-Oxley compliance is required for only publicly-traded companies, private corporations and non-profits will not completely escape the burden of the legislation. Accounting and auditing regulations that mimic parts of Sarbanes-Oxley are being created for private companies, and compliance with them will soon be required.
Fraud is a problem that likely cannot be legislated away. Additional regulations may just cost companies more to implement, without any additional benefits related to fraud prevention and detection. In spite of this, additional regulations may still be enacted, as doing so can be seen as a positive response to the demands of the public.
Fraud prevention is probably something that is more properly corrected by a shift toward a more ethical corporate culture, in conjunction with policies and procedures that truly prevent fraud. Substantive internal control procedures that are specifically designed to reduce and eliminate fraud are the key, rather than just the creation of more paperwork.
Investors and users of financial statements should seek to align with companies that are aggressively working to improve their anti-fraud efforts even in the absence of laws and regulations. Fraud prevention is good for the business as a whole, and in the long run, companies that proactively prevent fraud will produce financial statements that are inherently more reliable.