In response to a spate of financial reporting and other corporate governance scandals, the Sarbanes-Oxley Act of 2002 (“SoX”) was adopted by the United States Congress and signed by then-president George Bush. Once implemented, it had pervasive effects on how publicly-held companies in the U.S. are governed, including impacts on the membership and duties of board audit committees. SoX has not been universally appreciated, however, in particular the usurping of private-sector rule-making for auditors, which was lodged with a new, nominally private but actually government-controlled entity, the Public Company Accounting Oversight Board (“PCAOB”), which is overseen by the U.S. Securities and Exchange Commission, which governs public securities offerings and markets. One challenge to SoX (on constitutional grounds) has now swound its way through the federal courts to the U.S. Supreme Court, where it was recently decided.
On June 28th, the U.S. Supreme Court ruled in the matter of Free Enterprise Fund v. PCAOB, finding that Congress went beyond its powers in establishing the PCAOB as part of SoX. The narrow 5-4 decision did not invalidate all of SoX, nor even the entire PCAOB, but rather dealt only with the president’s power to dismiss Board members. As a practical matter, SoX remains intact, and the PCAOB will continue to set rules for audits of publicly-held companies. Those hoping to be liberated from SoX were disappointed, and doubtless will continue to complain that its various provisions, particularly the required auditor certification of registrants’ internal controls, are costly to comply with, oppressive, and unnecessary.
But, what would have happened had the Supreme Court decided to strike down, or severely gut, SoX in the final week of its 2009-10 term? In fact, such a ruling would likely have had little to no actual impact on auditor behavior. The added mandates imposed on auditors, which were first seen as cost-prohibitive and valueless, have now been mastered and fully integrated into standard audit procedures; and the benefits have been grudgingly recognized by most auditors and reporting entities.
In the authors’ view, the auditing profession has progressed immensely since 2002, and the clock can’t be turned back. SoX forced the auditing profession to address weaknesses in its standards as well as failures of performance and enforcement. After eight years, even a suspension of the requirements would not have portended a return to the less rigorous audit procedures of yesteryear.
Audit Failures, More Than Sarbanes-Oxley, Led to Changes in Practice
Audit failures have undoubtedly occurred throughout history, but the late 1990s and early 2000s witnessed a near-epidemic of these unfortunate occurrences, which had increasingly costly consequences for investors, creditors, and the auditing firms themselves. The ultimate price was paid after the Enron and WorldCom frauds, which precipitated the collapse of Arthur Andersen, once one of the nation’s premier accounting firms. Arthur Andersen was never able to recover from the actions of its rogue employees and the reputational harm done to it, even before its ultimate criminal conviction (later vacated) following the Enron fiasco.
Accounting firms were put on notice that fundamental change was necessary when Congress passed SoX. To the firms’ general credit, they did embrace SoX’s provisions, most notably by finally paying substantive attention to registrants’ internal controls over their respective financial reporting processes – something given only lip service in the past, notwithstanding the central role the concept of internal controls has played in the auditing standards for half a century or longer. While it took some time to get the requirements and auditing procedures right (internal controls audits were much too expensive in the first several years, and the original PCAOB standard, AS 2, caused ‘overkill’ and had to be superseded by AS 5), a stable platform of rules and processes is now in place.
Although SoX may have been the proximate cause of the vast changes made to auditing practice, the ultimate cause was the multiplicity of audit fiascos begat by inadequate or incompletely implemented auditing procedures, failure to maintain the appropriate attitude of professional skepticism, and inattention to audit risks, including risk of fraud. New standards, greater awareness of the risks facing auditors and of the heavy penalties imposed by the market on those who do not perform, and more than eight years of experience under SoX have affected auditors’ behavior, for the better. Removing the rules and sanctions imposed by SoX, at this point in time, would have been akin to removing the training wheels from a bicycle: auditors, like young riders, have learned the necessary lessons and can proceed on their own, if need be, with reduced risk of tipping over into audit failure.
SoX Has Helped Restore Investor Confidence in Auditors’ Work and Opinions
Until the audit failures of Arthur Andersen were revealed, only sporadic thought had been given to the relationship dynamics between companies and their external auditors – typically getting attention only after revelations of specific, earlier audit failures. Accounting firms had been able to generate significant fees by providing both audit and non-audit work to clients, and had been able to deflect periodic regulatory efforts to limit their ability to perform consulting for attest clients. Indeed, the profession had successfully made the argument that knowledge gained from engaging in peripheral services actually would make the auditors more effective in their primary role, and thus performing a range of services was a benefit, not a risk to objectivity. (This argument contradicted another popular argument made by the profession: that firms would erect a “Chinese wall” to separate auditors from staff performing ancillary services, which would preclude a loss of objectivity but also, of course, would prevent information sharing.)
For the most part, the ability to offer consulting services was preserved until the advent of SoX. Investors and the pubic had been shocked and dismayed to learn, for instance, that Andersen’s roughly $50 million in annual Enron fees were half-derived from more lucrative consulting services for its audit client, suggesting to many that its independence and objectivity had been compromised as a consequence. SoX thus barred auditors from providing eight defined categories of services, on the grounds that those services would impair independence, or would result in the auditors auditing their own work, or would place the auditors in the role of management of their clients.
Other varieties of non-audit services may still be provided, subject to pre-approval by the registrants’ respective board audit committees. The practical effect has been that, apart from tax consulting (which always has been a natural adjunct to audit work), auditors no longer provide the former range of non-audit services common in the past, thus averting the appearance of, and risk of actual, loss of independence.
It would be imprudent for either companies or their outside accounting firms, even if SoX was eliminated, to behave in a manner which could once again raise concerns about independence. Today, as a result of SoX and of other SEC rules, there is greater transparency surrounding the relationship between external auditors and their clients, and the potential for auditor objectivity to be compromised is more limited. Since many or most clients have now established strong relationships with other providers of these non-audit services (commonly, other CPA firms not engaged in the audit), even if the prohibition were lifted, the old arrangements would not likely be revived.
SoX Has Led to the Development of Improved Auditing Procedures
Prior to SoX, auditors worked in an environment where perfunctorily performing audit steps was often accepted. The use of checklist and checkbox audit templates was the norm, and these were often over-relied upon, obviating the apparent need to apply expert audit judgment. Consequently, auditors had more latitude to roll-forward the testing from prior years and to conduct minimal investigations into certain management assertions, unless specific ‘red flags’ were observed that triggered a need for expanded testing.
Revisions to the auditing standards, mostly made as part of the “risk auditing” rules that became effective in 2007, would continue in force regardless of whether SoX was retained or not. Auditors now conduct audits that place heavy emphasis upon their consideration of those aspects of the reporting entity’s operations that are susceptible to fraud, mismanagement, and loss. This has led to the creation of more robust audit programs that require more creative auditing and investigation through the use of modeling and analytical procedures. Greater attention must also be given to the existence and effectiveness of key controls that the client has in place to ensure the accuracy of its financial reports. Certain matters, such as revenue recognition, are automatically deemed to be “high risk” and thus subject to expanded audit attention, even if controls are found to be in place and working.
The changes in auditing requirements and various “best practices,” which largely were imposed or adopted in response to audit failures, financial frauds, and the imposition of SoX, are now fully integrated into professional procedures, and would not be relaxed even had SoX been overturned by the Supreme Court.
Auditor Vigilance Regarding Departures from GAAP and IFRS Has Increased
Audits result in an expression of opinion about whether the entity’s financial statements have been presented in accordance with U.S. generally accepted accounting principles (GAAP), or, where appropriate, with another comprehensive basis of accounting. Numerous audit failures served as evidence that auditors had not always gained the requisite level of expertise about the particular accounting issues affecting their client’s industry and the GAAP requirements applicable thereto. This failure to receive adequate training or to achieve adequate proficiency likely contributed to at least some of the audit lapses made public over the years.
Recent events suggest that the U.S. will begin to require financial reporting under International Financial Reporting Standards (“IFRS”) in the not too-distant future (perhaps in 2015). In the meanwhile, the U.S. and international standard-setters are engaged in an effort to converge U.S. GAAP and IFRS. Either convergence with or outright adoption of IFRS will make financial reporting rules more “principles-based,” and thus more reliant on preparers’ and auditors’ judgments. To the extent that this eventually makes auditors more engaged in applying reasoning about the substance of reporting entity transactions and the appropriate accounting therefor, this will serve to further improve the quality of audits. This will occur without regard to the status of SoX.
The auditing profession has undergone a great transformation since the passage of SoX. Costly lessons have been learned by many or most auditors, and changes already made to auditing standards, and those to come to financial reporting standards, have served to force improvements in behaviors, attitudes, and intellectual involvement in the conduct of audits. These changes are fundamental and are not temporary in nature. Consequently, even if the Supreme Court had struck down SoX, the positive impact it has already had on the auditing profession would have continued into the future.