It seems nobody wants to be public anymore since the reporting requirements are just a disaster.
Today I open up the web to find that Outback Steakhouse and the Four Seasons Hotels both want to go private.
SOX passed under a Republican Congress and President. If the Republicans lose tomorrow, add this to the reasons. With Republicans like this, who needs Democrats?
Dang, I thought this was going to be about Chicago or Boston baseball.
Anyway, is it fixable?
Also, what do you think should have been done, or should be done, to restore public confidence in corporate reporting after Enron, WorldCom and others?
**SOX passed under a Republican Congress and President. If the Republicans lose tomorrow, add this to the reasons. With Republicans like this, who needs Democrats?**
Art, in my profession (C.P.A.) there is a strong movement to bring private companies (particularly large ones) under the same reporting requirements as the public ones, so they may just be delaying the inevitable.
SOX is an attempt to give the public a sense of security (it is a false sense). You can’t legislate morality, and the main cause of company failure is greed.
“Also, what do you think should have been done, or should be done, to restore public confidence in corporate reporting after Enron, WorldCom and others?”
Good question, that is way beyond my pay grade to address intelligently.
I will however dispute that public confidence was bad, even in the wake of those messes. There are always going to be thieves. SOX won’t fix that.
**Also, what do you think should have been done, or should be done, to restore public confidence in corporate reporting after Enron, WorldCom and others?**
I think a few things would help: limit the practice of tying corporate bonuses to stock performance. Limit the influence (not sure how) of Wall Street. They predict a stock price, and if the company does not meet the expectations, the price tumbles, which of course gives management an incentive to ensure the stocks meet the earnings targets. Prevent companies from paying employees in their own stock for IRA purposes.
The current reporting requirements and internal control testing help, but you cannot prevent (or detect) fraud if there is collusion amongst top executives. You have to remove the incentive, and there is too much influence from Wall Street setting expectations based on earnings (and specifically revenue).
Sure, remove the requirement for external auditors to give their opinion on the company’s internal controls.
Also, what do you think should have been done, or should be done, to restore public confidence in corporate reporting after Enron, WorldCom and others?
Lock up those directly involved in the fraudulent books. Take a closer look at how the “analysts” report their “opinions/rankings”.
If SOX is so important to the safety of the individual investor then why is it not required for the smallest (under 700 mil market cap) public companies? Aren’t these the riskiest companies?
Although, I hope that SOX never goes away. It’s good for my job security!
SOX is short for Sarbanes-Oxley, the financial “reform” measure for public companies passed in a panic in the wake of WorldCom, Enron and a few other financial scandals.
Predictable disaster. Foreign companies have stopped listing here. Public companies are going private. It seems lots of small companies are not going private. All of this is to avoid the pain and cost of SOX.
Sure, remove the requirement for external auditors to give their opinion on the company’s internal controls.
Do you feel that without that requirement there is a minimum level of review? Greed is a powerful thing, and since the first days of accounting there have been people trying to game the system. But in an economy such as ours, driven by the motors of corporate finances, how do we provide levels of accountability?
Do you feel that without that requirement there is a minimum level of review? Greed is a powerful thing, and since the first days of accounting there have been people trying to game the system. But in an economy such as ours, driven by the motors of corporate finances, how do we provide levels of accountability?
It doesn’t really matter what controls one puts into the system. If top management as a whole is corrupt, they will circumvent those controls and no one will be the wiser. Also, I would say that currently the external auditors are only doing a minimum level of review.
If you read any audit opinion there is a clear statement that the auditors are not asserting that fraud is not present. If you have collusion within your company the only way for the external auditors to find it is auditor luck.
I think that having the executives (CEO, CFO) sign a statement attesting to the effectiveness of their internal controls puts them on the hook if anything happens. Your honest executives are going to push for a strong internal control structure because of this. Your greedy ones will find ways around their internal controls and then hope they don’t get caught. Signing the attestation provides another hook for prosecutors to indict/try/convict the crooked executives.
As an auditor too, I think there is an expectation gap between what the public thinks auditors do and what we really do. We are not hired to find fraud but are really there to assess where the potential for fraud is, and if we happen to “stumble” across it, we have to investigate further.
In reality, external auditors are not really independent, we are paid by the client and if you are paid, you cannot be completely independent. With audit fees reaching into the multi-millions of dollars, it’s easy to see how “independent” audit firms can look the other way, if there is a questionable transaction. Most instances of fraud are found out internally and that will never change.
There was talk of having the entire function controlled by a government body to ensure the audit fees do not impair independence but that seems to be dying.
I think the best form of internal control is a strong Board of Directors and a strong Internal audit function but all the best plans are going to go to waste if those at the top are committed to fraud. Sometimes you just have to hire honest people.
One other stupid requirement is the IT general controls. Whoever decided to add the entire COBIT as part of the IT general control requirement for SOX was a moron of the worst level.
Really, are the financial statements going to be impaired if a daily backup fails?
Let me reiterate though that SOX is GOOD. Job security and a high wage and all that. I’m not going to complain too much.
I’m a retired veteran of the public company game. I am an advocate of fewer and simpler regulations to protect the public. SOX is just another hurdle to clear and the next wave of wrongdoing will inspire another wave of well meaning and clueless legislation.
It’s a bad idea to lull the public into a sense of false safety with a thick reg book. As “insiders” our duty was to navigate the regs in order to get the company from point A to B in the way that best benefits the company. More regulations only mean more creativity from our side of the street and less transparency for the public. We didn’t like it either, it’s the creativity that gets you, it’s almost always a gray area.
The entire COBIT set of standards is not required for SOx purposes (thank goodness). The latest version of the ITGI - IT Control Objectives for Sarbanes-Oxley is actually fairly reasonable as to what it recommends, but it is still up to individual companies to determine what is reasonable or not.
Are the financials going to be inaccurate if a daily backup fails? Maybe, depending on what it was and whether the system went down. If your SAP system fails on the day before you report your financials, and cannot be restored, do you think that might make a difference?
The latest version of the ITGI - IT Control Objectives for Sarbanes-Oxley is actually fairly reasonable as to what it recommends, but it is still up to individual companies to determine what is reasonable or not.
It seems to be more up to the individual auditing companies to determine what is reasonable or not. I was being a little sarcastic about the entire COBIT. That thing is HUGE!!!
**If your SAP system fails on the day before you report your financials, and cannot be restored, do you think that might make a difference?**
What if a meteor crashes through your corporate offices and annihilates your entire finance group? How would you report then? Guess we better get on those meteor proof offices!
Anyways, if you can’t get yesterday’s backup go to the day before, if not get the last weekly. You’ll be in the right ballpark and if worst comes to worst you delay filing.
What if a meteor crashes through your corporate offices and annihilates your entire finance group? How would you report then? Guess we better get on those meteor proof offices!
I know you were only making a joke, but we faced a similar situation. Our entire settlements department (bar the Manager) was in 1 WTC on 9/11 and we had to face the task of rebuilding our settlements systems in 2 days with only 1 person to guide us.
Maybe we should have made a rule that only 50% of the team was allowed in the office at any one time.
BTW, I agree with you - SOX is a pain and you can’t have every contingency covered in any reasonable sized plan.
The latest version of the ITGI - IT Control Objectives for Sarbanes-Oxley is actually fairly reasonable as to what it recommends
You do realize that it is still 128 freaking pages long! What the current implementation of SOX fails to take into account is likelihood. Instead, they toss out a “recommendation” which the audit firms have basically mandated and no critical thinking is allowed to determine the likelihood of a problem. This goes back to your SAP failure example. The likelihood of SAP crashing and losing all of the data is extremely small. The likelihood of the backup tape failing is even smaller. The likelihood that the previous day’s backup tape also fails is just as small. Add all of these together and you get a risk likelihood of such a small amount that it isn’t really worth considering.
I actually agree with you that many auditors don’t actually think when they are taking the “industry standard” guidance and applying it to the individual company being audited. The biggest PITA for SOX is this whole notion of “if it isn’t documented, it doesn’t exist”. Do we really need someone to print out the syslog as evidence that they are reviewing it? And who the hell cares if the system administrator is investigating (and documenting the investigation of) failed login attempts? All that does is tell you that someone couldn’t get access. The system did its job…fantastic!!
(BTW, the ITGI doc is 128 pages, but the recommended control procedures section is a lot less than that).
Backups are a bit of a silly example. It is very easy to test those control procedures, it is stuff that every company does anyway, and it is important. There are plenty of other targets that are much more difficult to implement, of marginal value (if you don’t do it, what is the impact?), and difficult to test the effectiveness of.
Remember that SOx needs to start from the inherent risk, and is basically assessing the control risk. If you don’t do backups at all, and SAP were to fail, what would the impact be?? That is the question that the compliance program needs to answer.
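The failed-login review that the previous two posts argue about is a case where the "document it or it didn't happen" requirement can be met without anyone printing a syslog. Below is an added example, not code from anyone in this thread or from the ITGI guidance: it parses sshd failures out of syslog, aggregates them per source address, separates the everyday typo case (a failure followed by a success for the same account) from attempts against accounts that do not exist or from repeated failures, and emits the review as a JSON record with reviewer and timestamp. The log lines, host name, addresses, reviewer name and the threshold of three failures are all constructed for the example.

```python
"""Automated, documented review of failed-login events from syslog.

Added example (not from the forum thread or the ITGI document): instead of
printing the syslog, the review becomes a reproducible evidence record.
Log lines, host names, addresses and the threshold are constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample syslog lines. 198.51.100.7 is an RFC 5737 documentation
# address standing in for an external source; 10.0.4.23 stands in for an
# internal finance workstation whose user mistyped a password once.
SAMPLE_SYSLOG = """\
Nov  6 08:12:01 fin-app01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51522 ssh2
Nov  6 08:12:04 fin-app01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51530 ssh2
Nov  6 08:12:09 fin-app01 sshd[2214]: Failed password for root from 198.51.100.7 port 51540 ssh2
Nov  6 08:15:42 fin-app01 sshd[2301]: Failed password for jsmith from 10.0.4.23 port 40110 ssh2
Nov  6 08:15:50 fin-app01 sshd[2301]: Accepted password for jsmith from 10.0.4.23 port 40110 ssh2
Nov  6 09:02:13 fin-app01 sshd[2399]: Failed password for invalid user oracle from 198.51.100.7 port 52001 ssh2
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
FAILED_RE = re.compile(
    TS + r" (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_events(text):
    """Return the failed-login events and the (user, src) pairs that later succeeded."""
    failures, successes = [], set()
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures.append({
                "ts": m.group("ts"), "host": m.group("host"),
                "user": m.group("user"), "src": m.group("src"),
                "invalid_user": m.group("invalid") is not None,
            })
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            successes.add((m.group("user"), m.group("src")))
    return failures, successes


def summarize_by_source(failures, successes, threshold=3):
    """Aggregate failures per source address and decide which ones need a closer look."""
    per_src = defaultdict(lambda: {"failures": 0, "users": set(),
                                   "invalid_users": 0, "later_success": False})
    for ev in failures:
        entry = per_src[ev["src"]]
        entry["failures"] += 1
        entry["users"].add(ev["user"])
        if ev["invalid_user"]:
            entry["invalid_users"] += 1
        if (ev["user"], ev["src"]) in successes:
            entry["later_success"] = True
    summary = {}
    for src, entry in per_src.items():
        # One or two failures followed by a success for the same account is the
        # "someone couldn't get in, the system did its job" case. Repeated
        # failures, or attempts against accounts that do not exist, are the
        # ones a reviewer should actually spend time on.
        needs_review = entry["failures"] >= threshold or entry["invalid_users"] > 0
        summary[src] = {
            "failures": entry["failures"],
            "users": sorted(entry["users"]),
            "invalid_users": entry["invalid_users"],
            "later_success": entry["later_success"],
            "needs_review": needs_review,
        }
    return summary


def build_review_record(summary, reviewer, reviewed_at=None):
    """Produce the evidence artifact: who reviewed what, when, and what was flagged."""
    reviewed_at = reviewed_at or datetime.now(timezone.utc)
    return {
        "control": "ITGC review of failed login attempts (placeholder label)",
        "reviewer": reviewer,
        "reviewed_at": reviewed_at.isoformat(),
        "sources_reviewed": len(summary),
        "flagged_sources": sorted(s for s, v in summary.items() if v["needs_review"]),
        "detail": summary,
    }


if __name__ == "__main__":
    fails, succ = parse_auth_events(SAMPLE_SYSLOG)
    record = build_review_record(summarize_by_source(fails, succ), "it-ops-reviewer (placeholder)")
    print(json.dumps(record, indent=2))
```

Run against the sample, the external source is flagged (four failures, three of them against non-existent accounts) while the internal workstation is not (one failure, then a successful login by the same user). The JSON record is what gets retained as evidence; the threshold and the "invalid user" rule are where the likelihood judgement the thread asks for is written down once, instead of being re-argued with the auditor every quarter.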