Skip to main content
Apr 30, 2008

Banking on a change?

Move to make worst parts of SOX voluntary for banks

When, in early March, North Carolina Senator Elizabeth Dole came out in favor of restricting Sarbanes-Oxley’s power over banks, she must have thought it a smart move – and it probably didn’t hurt that Bank of America and Wachovia are both based in her state. In particular, she is supporting a bill that would make Sections 302 and 404 voluntary for banks.

‘We must ensure that businesses and shareholders receive benefits from these regulations that are commensurate with the burdens they create,’ said a March 4 statement from her office. ‘This balance does not currently exist, and the costs of these requirements of Sarbanes-Oxley, while well intended, outweigh the benefits.’ She even went so far as to suggest that the focus on 404 had, in part, contributed to the negative impact of the sub-prime inspired credit crunch. And then came the Bear Stearns failure. Oops. Talk about bad timing.

The bigger question is whether this suggestion is evidence of the growing strength of a movement against Sarbanes-Oxley (SOX). Some say the regulation is breaking the back of American corporations, while others suggest that it serves some purpose. Still others believe it is increasing competitiveness of US financial markets by attracting investment from overseas. A handful of politicians are speaking out against burdensome regulation but at the same time, others are pressing for even greater government-led oversight of public companies. But even if the current political climate should prove unfriendly to new legislation, pressure from international markets may force reforms – and open entirely new areas of concern and liability.

Whether SOX places an undue burden specifically on banks is questionable. ‘Banks are exempt from registering under the [1934 Securities Exchange Act] because the theory is they’re adequately regulated by the banking authorities,’ says Neil Kaufman, a partner with Davidoff Malito & Hutcher as well as a former public company director. That said, many banks, particularly large ones, do register with the SEC because they are publicly traded. ‘If she’s proposing to exempt the big banks that are registered, that doesn’t make any sense to me. If she’s proposing to exempt the small banks, that doesn’t make any sense to me either because they’re already exempt. As usual, politicians aren’t making any sense.’

‘What [banks are] really getting killed on is not Sarbanes-Oxley,’ says Nick Tootle, a principal with accounting firm Kaufman Rossin & Co and leader of its Sarbanes-Oxley team. ‘It’s the anti-money laundering procedures and the know-your-customer procedures. That is where the resources are going these days.’

Even a regulation skeptic like Betsy Atkins, who sits on the boards of NASDAQ OMX Group, Chico’s FAS, Reynolds American, Polycom, and SunPower, and who has sat on bank boards, doesn’t see SOX as a major issue for large banks. ‘[The credit problem was the result of] a business decision by individual banks and lenders to build their revenue stream and decisions by the Federal Reserve and banking regulators to allow for looser credit standards,’ she says.

Nothing new

What seems strange in the claim is that the level of controls documentation mandated by SOX is old hat for many banks. ‘Before there was Sarbanes-Oxley, there was FDICIA, the Federal Deposit Insurance Corporation Improvement Act of 1991,’ says Chip MacDonald, a partner in Jones Day’s capital markets group. Banks submit annual reports certified by management and including information on adequate financial controls. Creating a second set of reports might be inconvenient, but the duplication shouldn’t have been an overbearing burden on bank management.

‘This reporting came into place in the early 1990s,’ says Randy Elder, a professor of accounting and director of the Lubin School of Accounting at Syracuse University. ‘During that time frame, I certainly had never heard any complaints about the onerous nature of those regulations. But when you think about who is being harmed by 404 and who would you want to grant relief to, financial institutions are the ones the public needs to have the greatest confidence in and where you want the greatest controls.’

Although there are still those who completely dismiss SOX as the cause of undue expense that brings nothing of value, many have the view that the true picture is more complex. ‘I think it has some value for investors because it forces the medium-sized and larger multinationals [with over $400 million in revenue] to have better internal controls in their international locations where they might not have had as rigid a set of [financial] controls,’ Atkins says. Still, she thinks that CEOs are driven to send more business overseas to increase profitability by reducing as much regulatory expense as possible.

Critics of SOX who have complained about the increased effect of the burden on smaller companies have had their victories, with the 404 compliance phase-in for companies with under $75 million market caps being pushed off again. ‘There’s actually a bill pending in Congress to move that $75 million threshold [for large accelerated filers] to $700 million,’ says Foley & Lardner partner Thomas Hartman. ‘It doesn’t have enough traction to pass.’

Ironically, as of last December, there were new auditing standards for private companies requiring auditors to gain a better understanding of a client’s financial controls, according to Tootle. ‘Non-accelerated filers [that have yet to fully implement section 404 reporting] have less requirements to understand and document their internal controls than the private companies.’

Foley & Lardner’s transaction and securities practice has performed some interesting analysis since the inception of the legislation, Hartman says. There was an internal learning curve that has largely taken place, and by now ‘the costs [from that part] have come down,’ he adds. Another component was that everyone had to feel their way through the new regulations in the first few years.

However, the big difference in the audit part of costs was likely from the prohibition against the audit firms also providing consulting services. The split was necessary, says George Aldhizer, an associate professor of accounting at Wake Forest University’s Calloway School of Business and Accountancy. ‘Consultants would come in and implement a new payroll system. The same firm comes in and does the audit. What if the payroll system is a piece of junk and providing completely unreliable information?’ he says. ‘How likely is it that the same firm will disclose that to management or to the public?’

When the audit firms saw that they would not have consulting revenues, they ‘increased audit fees by almost 38 percent in that year,’ Hartman says. ‘Many think that the audit firms were selling their audits at a loss to get the consulting work.’ (See the audit fees table from Foley’s 2007 SOX study, below.)

Aldhizer raises an additional reason for the initial cost of SOX: long-term neglect. ‘Management and the audit community had spent virtually no time looking at internal controls for at least 10 years,’ he says, even after ‘trillions of dollars’ in mergers and acquisitions during the 1990s. ‘A lot of the acquired entities had poor controls, which compounded the risk of inaccurate reporting and the amount of work that was needed.’ Plus, SOX does not allow auditors to use their judgment in what controls to audit.

Recently Aldhizer finished a study of SOX and what it has resulted in. ‘If you look at 2004 and 2005 – the first years that internal control opinions went out – there was a record number of earnings restatements during a period of tremendous economic expansion, global calm and stability,’ he says. ‘We had three times the number of restatements as during the dot-com, Enron and WorldCom debacles.’

There were 3,200 public companies that changed their auditors – about a quarter of all US public companies. Among SOX accelerated filers, the number was closer to one third. ‘What we found is that Section 404 was largely responsible for cleaning up a lot of the improper public reporting that was occurring during the economic expansion,’ Aldhizer says. ‘You name it: fictitious revenue recognition and or premature revenue recognition. Companies fell into the mindset of I’ve got to meet Wall Street expectations at all costs.’

A false sense of security?

But there is a limit on what anyone can expect the regulations to do. ‘Sarbanes-Oxley has done more harm than good, because investors do believe that Sarbanes-Oxley is protecting them, and it is not,’ says Tracy Coenen, a forensic accountant with Sequence Inc. ‘Audits are equivalent to checking the math, and trying to determine if accounting rules have been applied correctly. An auditor can’t pass every single transaction for the company in the year. It would be cost-prohibitive and impossible to do. If you’ve got a reasonably competent fraudster, what they’re doing is never going to surface in the audit.’

And, often, the person signing such statements may think that he or she is just pushing the envelope of allowable practices, not really taking something from another. ‘That’s why someone like Ken Lay could go to sleep at night; he didn’t think he was stealing,’ Hartman says

Even if Sarbanes-Oxley disappeared tomorrow, it would be no guarantee of a sudden return of international companies to US capital markets. ‘More than one blue ribbon committee in the last six months has made it clear that it’s litigation exposure and not Sarbanes that is having a greater effect on non-US companies launching their IPOs in the US,’ Aldhizer says. Concern over the current economic conditions in the country are likely also a major factor, as is the need to adopt GAAP accounting rules, as the US is the only major industrialized country that has not fully accepted new international accounting standards, thus requiring double sets of books. This may be changing soon as US regulators are relaxing laws and allowing greater use of IFRS by some companies.

Moreover, the notion that Congress could overturn Sarbanes-Oxley seems far-fetched, at least while there is news about a financial crisis largely caused by the imprudent action of executives. ‘I think what the SEC and policy-makers are going to pay attention to is what investors say,’ particularly when the institutional investors effectively represent millions of voters, says James DeLoach, managing director of risk consulting firm Protiviti.

‘Since 2002 when it was first introduced, [Sarbanes-Oxley has] taken a lot of shots, and it’s still standing,’ says Todd Markus, vice president of accounting and finance and enterprise governance at consulting firm Accretive Solutions. ‘I don’t think there’s anything left to overturn SOX that hasn’t been tried already.’

Nonetheless, an indirect approach might have an effect. After the Bear Stearns bailout, Secretary of the Treasury Henry Paulson has suggested overhauling the regulation of financial institutions. Part of his proposal is merging SEC with the Commodity Futures Trading Commission (CFTC) and moving the SEC’s set of rule-based regulations to the principles-based one that the CFTC has used since the Commodity Futures Modernization Act of 2000.

Principles-based regulation has become a mantra among many looking for regulatory reform. Instead of compiling page after book after library shelf of specific rules, as happens with the SEC, corporate regulation would move more toward the model used in the European Union. The heart of regulatory action becomes underlying principles that companies are required to follow. However, they have wide latitude in how they carry out compliance. The hope of proponents is that corporations could dump many of the activities they consider useless, freeing resources for actual profit-making activities.

It sounds good, and there are those arguing that the principles approach has proven itself as more robust than the rules approach. ‘There is no amount of regulation that can get by malfeasance or lackadaisical business practices,’ says Peter Teuten, president of Keane Business Risk Management Solutions. ‘However, the consensus is that attaining objectives is by far and away the most effective methodology of obtaining compliance,’ assuming that regulatory authorities have sufficient resources and auditors learn to audit based on principles. In fact, the new international financial reporting standards are principles-based.


Skirting the law

But how well would principles-based regulation work in the US? A look at business history in this country might make one think twice. ‘Tell me, exactly how many internal controls does the Sarbanes-Oxley Act impose?’ asks Gary Brown, chair of the corporate department of Baker, Donelson, Bearman, Caldwell & Berkowitz, as well as the former special counsel to the US Senate Committee on Governmental Affairs in the 2002 Enron investigation. ‘Zero. All Sarbanes-Oxley did was say you now have to prove you have them.’ It was actually the Foreign Corrupt Practices Act of 1977 that required internal controls. Any company that had to create its controls had essentially ignored the earlier requirements. ‘Maybe principles-based [regulations’ good] outweighs the bad, but if [companies are] not going to follow the rules, why are they going to follow the principles?’ he asks.

There is also a potential concern for any corporation in such a shift. Under rules-based regulation, a business can establish a good-faith effort to follow any given set of rules, many of which offer safe harbor provisions for compliant organizations. However, under principles, there is no fixed set of rules that can serve as an affirmative defense. A class action attorney might be able to challenge whether the organization actually had done its best in understanding and interpreting the principles and then in operating under them.

‘Our system today is built around safe harbors,’ Markus says. ‘Everyone wants a piece of safe ground they know they can stand on when things go bad.’

Changing from rules to principles would also upend virtually all the regulatory compliance work that corporations have undertaken. They’d essentially have to restart and, of course, document everything they had done to provide the defense in case of lawsuit.

Even with the pressures for principles-based regulation, don’t expect it any time soon. Such change would require action by Congress, and unless the political mood – and perceived behavior of companies – changes soon, any action would likely be far off. Despite moves such as that by Senator Dole and her fellow North Carolina representative Walter Jones, chances are that Sarbanes-Oxley, at least for major corporations, will continue to be a part of business for years to come.

Erik Sherman

Erik Sherman regularly covers business and technology for national and international magazines and is also a book author and playwright