Sarbanes-Oxley and Section 404: Old Dog, New Teeth

The failures we have seen in the quality and integrity of financial reporting in corporate America are clear evidence that something was awry. It is the responsibility of corporate boards, managements, public accounting firms and regulatory agencies to put confidence back into the financial statements issued by our society's most significant entities. Although some would argue that Sarbanes Oxley went too far, it is also now evident that government action and the use of enforcement muscle was required, if for no other reason than to move toward rebuilding public trust. There is no doubt that Sarbanes Oxley, and in particular, Section 404, has increased the expense of doing business for public corporations; however, this is neither a new mandate, nor a superfluous one. All parties engaged in this process have previously ignored the mandate, and must now accept reality, and get past the complaining.

A little history?back in 1977, the Congress of the United States passed a piece of legislation commonly known as the Foreign Corrupt Practices Act (FCPA). That law is well know for mandating the American corporations regulated by Securities Exchange Commission (SEC) be prohibited from making any type of corrupt payments to agents of governments or corporations in foreign countries. The civil and criminal penalties were quite onerous, and most corporations changed their practices in order to avoid those penalties.

The action taken by the FCPA in 1977 was often characterized as the most extensive application of federal law to the regulation of business since the passage of the 1933 and 1934 securities acts. In light of reports that American corporations were "greasing" government officials in a number of countries, Congress had acted decisively in order to restore the reputation of American business and eliminate improper payments to foreign governments, politicians and political parties. A seldom-remembered aspect of that legislation was that the same corporations were mandated to "devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that?transactions are recorded as necessary to?permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and?to maintain accountability for assets."

This requirement got a great deal of press when the law was first passed, and many articles were written on how the new law would transform the way corporations managed and the way the public accounting firms audited. This was true for a short time, but the business world slipped back into its previous lack of concern for controls, and the public accounting firms conveniently allowed that slippage. Pressure for firms to maintain cost-effective (generally meaning lean) operations and pressure from firms to keep down auditing fees, caused the corporations and the audit firms to be at best, permissive in regards to compliance with the FCPA mandate.

In effect, the act had no teeth. All of the sanctions imposed were focused on punishing illegal payments, not for a failure to comply with the internal controls mandate. For 25 years, Congress, the SEC, public companies and public accounting firms essentially ignored a mandate in large measure because there was little or no enforcement action for a failure to comply. The academic leaders in the accounting profession have know for some time that there was a need to strengthen the systems of internal controls. In 1985, the Treadway Commission was asked to identify what caused fraudulent financial reporting and to make recommendations to reduce its incidence. The Commission's report included specific recommendations for management and boards of directors of public companies, the public accounting profession, the SEC and other regulatory and law enforcement bodies, and academics. The Commission made a number of recommendations that directly addressed internal control.

Importantly, the commission focused on the control environment, codes of conduct, competent and involved audit committees and an active and objective internal audit function. It also called for the sponsoring organizations to work together to create a framework for establishing and evaluating systems of internal controls. The result was the creation of the Committee of Sponsoring Organanizations of the Treadway Commission (COSO), which issued a report that outlined the principles for an effective system of internal controls.

Fast forward to the current rash of business scandals and the latest crises. This time the fear in Congress was so great that the mandate was restated; and this time, sanctions for non-compliance were included in the legislation. Now 25 years of neglect and sloppiness have caught up with the public and private sectors. The threat that corporate officers might actually be held accountable for failure and accordingly charged with civil and criminal penalties, in combination with a comprehensive regulatory system (Public Company Accounting Oversight Board) imposed on the accounting firms and a strengthened accountability by the SEC have now brought internal controls to the forefront.

The plain fact is, there is nothing new with SOX 404. Quality policy, practice and procedure documentation systems have always been the basis of sound internal controls and systems audits. The corollary fact is that corporations have generally given superficial attention to these programs, calling them unduly bureaucratic and unreasonably expensive. Over the last 25 years, we have not only ignored the law, we have also ignored sound management practice. All of this in the guise of being "cost-effective."

Sarbanes Oxley has obviously cost corporations huge amounts of money during this first year, but that is to be expected after 25 years of disregard for a well documented system of controls. In subsequent years the costs will be less, but there will still be a permanent increase in systems costs. Controls cost money and it is our own neglect that has created the need for corporate boards and managements to execute a major catch-up program.

The irony is that the COSO standard may not have been the best standard to impose on the audit process, but it was there and well documented when the Audit community needed to move quickly. With all the "push back" coming from the corporate community, there may well be some modifications that will make the audit process less onerous, but COSO does provide a basis for very much the same kinds of documentation that are imbedded in the standards of documentation found in best practices systems throughout the world. Corporate America simply needs to make the best of this mandate and use it as a launch point for continuous improvement of these controls so that they become both compliant and useful to effective management processes.

Just as with individual behavior, the way to get results in business is to either reward the results you seek, or to punish the results you want to eliminate. In government, more often than not, the sanction is more effective than the reward, or at least it is easier to deploy. We now have sanctions that threaten all participants in the process of establishing and evaluating the 25-year-old mandate for a system of internal controls. Those sanctions have commanded the attention of managements and boards alike; and SOX has been granted serious focus in every public company board room in America. Indeed, these standards are also spreading to non-public corporations, and even becoming a de facto standard for nonprofits as well.

There is little doubt that as time passes, effectiveness and efficiency will improve and thus limit costs, but they will never go away?that is, not as long as the enforcement teeth are still sharp. The sad commentary is that in the face of softer enforcement we disregarded a mandate for 25 years, and for this we are now paying the price.

Gerald Czarnecki, Chairman & CEO of the Deltennium Group, is a consultant, author and public speaker. A leading authority on corporate governance, Mr. Czarnecki conducts seminars and private boardroom sessions on Sarbanes-Oxley and the issues of governance that face boards of directors today. He also serves on the boards of directors of several large American corporations. For more information visit http://www.deltennium.com