The Sarbanes-Oxley Act has created several unintended consequences including, in my opinion, eliminating many basic company controls it was intended to enhance in the first place.
Sarbanes-Oxley (SOX) became law in 2002 and was shortly followed by more regulation and the creation of the Public Accounting Oversight Board (PCAOB). SOX has created many interesting dynamics and consequences, which I will elaborate on in this post. Initially, public companies struggled with how to define a “control” to document that could be used to monitor compliance with Sarbanes-Oxley. I related it to one of my past roles where I was required to read two magazine articles a quarter to maintain my technical knowledge. The way the control was written, it seemed I could read any magazine article to maintain compliance and I was uncertain how an article in People or Cosmopolitan was going to help fulfill this control. SOX regulators and my supervisor both needed to tighten up the definition of “control.”
Since 2002 there has been significant, well-documented analysis of the requirements related to SOX, leading to very specific rules and oversight. The result in the public sector is that the audit team who is auditing for compliance now must to try to keep the regulators from sending them letters and questions about controls that may not be the most strategic as it relates to the health of the company. The auditors then, in turn, have their hands full during the audit process reviewing these types of controls, making it harder for them to add value and help with overall strategy. They have less time to step back and analyze the numbers in a way that results in a critical eye on the company’s financials, as they are auditing to the specific regulation to prevent the SEC from having a reason to come after them.
The increased regulation has flowed into the AICPA audit guidance, enhancing the rules of all audits; consequently, the cost of audits has increased for public and private sector companies. One of the most impactful changes has been the enhancement of the rules around auditor independence, including:
- The auditor can no longer prepare the accounting records of the company they are auditing at all. Twenty years ago, if an auditor identified a small issue or difference, that auditor could determine what adjustment was required and make the entry to the financial statements. Now the auditor must communicate the finding to the client and request they analyze to determine what the entry should be and submit the entry to the auditor. Especially in smaller companies, the staff may not have the specific expertise to carry this through. These types of delays in the audit process drives the cost up.
- The public company can not hire partners and managers on the audit team while they are working on the audit. Twenty years ago, public companies would frequently hire professionals from their audit firm who were already familiar with their company and the culture. The SEC was concerned this impacted independence because if the auditor is expecting to be hired and receive a large salary, they may not work with complete independence.
- The peer review regulation has been enhanced, requiring even the smallest audit firms participate in peer reviews. However, a small CPA firm has a difficult time allocating the time to either host a peer review of their work or go to another firm to perform a peer review on their work.
Those were some of the enhancements. Now for the unintended consequences of regulation:
- Partners in big CPA firms are leaving the practice as they are tired of dealing with the PCAOB inquires while still having to complete their audit responsibilities.
- The number of companies entering the public market with IPOs has declined over time as they are unwilling to incur the cost to comply with public reporting. This trend reversed in 2018; there has been an increase in IPOs as noted in the EY Global IPO trends Q4. Most of the increase is in the healthcare and technology sectors as you can see in this report from EY.
- The typical entrepreneurial growth company does not have the disruptive technology and the ability to attract multi-billion-dollar valuations. Take Farfetch (FTCH), for example, who commanded the initial $6.2 billion valuation after the first day of trade in September 2018, with a $112 million loss in 2017. Farfetch’s valuation will make it worth the increased regulation of a public company. This example is the exception rather than the norm.
- The cost of an audit for both public and private companies has increased significantly. As a result, many companies subject themselves to an audit when it is necessary. Recently, I learned of a company that was required to get an audit to comply with the buy-side due diligence of their potential acquirer. The cost of the audit was double the original estimate, significantly delaying the sale closing.
- Private Equity firms struggle getting through buy-side due diligence without having audit reports or typical systems infrastructure and controls upon which they have historically relied. The standard of requesting an audit has been lowered and the Quality of Earnings (“QOE”) report is being used more often.
- Public company accounting and finance executives are expending valuable energy managing to the specific concerns of the PCAOB, leaving inadequate time and mental space to think strategically and apply judgment to controls in their environment.
- The companies electing not to have an audit due to the cost may not have proper data and information to run the business day-to-day, which an audit would reveal.
- By choosing not to pay for an audit and the value a third party brings by reviewing their controls, the company may not have adequate controls, leaving companies more vulnerable for fraud and embezzlement.
- High growth companies have grown without the benefit of audits and may be using a combination of QuickBooks and an Excel spreadsheet explosion to maintain their records. The accounting team may not be reconciling balance sheet accounts and applying proper month end closing process. When the company seeks outside investment or desires to implement an exit strategy, they may find themselves in a situation where they must get an audit completed. The cost of an audit will likely be enormous at that point, as the books are probably not ready for an audit and chances are the existing staff may have never gone through a process of preparing a company for an audit.
SOX and PCAOB are certainly necessary in the United States regulatory environment. Public reporting and transparency are necessary for investors to be properly informed. The regulation should be reviewed and “right-sized” for the current environment. It is a shame that a few companies with less-than-stellar ethics, like Enron, led to a set of rules that has grown into such a powerful force. The PCAOB is not strategically focused on keeping businesses in business, and C-level executives should be pushing back for regulations that help businesses and against those controls that waste time.
Private companies that feel they are unable to afford an audit should keep their books and records so they are auditable. Basics such as monthly bank and balance sheet reconciliations and proper month end cut off should be a normal business practice.
Other articles of interest: