New SEC chairman Jay Clayton gave his first speech last week, to the Economic Club of New York—a wide-ranging address that touched on a litany of topics, from cybersecurity to enforcement to Clayton’s favorite subject, “capital formation,” which is code for relaxing rules for IPOs.
We could spend days dissecting all 3,865 words of his speech. This day, however, we’re going to focus on the subject most dear to compliance officers: Clayton’s thoughts on the costs of compliance, and whether previously enacted rules are still worth their benefit.
To my reading of Clayton’s speech, the single paragraph that captures his views about SEC rulemaking and the costs of compliance is this:
“As the SEC evolves alongside the markets, however, we must remember that implementing regulatory change has costs. Companies spend significant resources building systems of compliance, hiring personnel to operate those systems, seeking legal advice concerning the design and effectiveness of those systems, and adapting the systems as regulations change. Shareholders and customers bear these costs, which is something that should not be taken lightly, lest we lose our credibility as regulators.”
It’s a clever piece of positioning, because it’s both correct and misleading at the same time. Implementing regulatory change does have costs, including all the personnel, technology, and effort that Clayton mentions above. Shareholders and customers do bear those costs. And in the past the SEC has indeed whiffed on its estimates of compliance costs, most notably with its famous prediction in 2003 that Sarbanes-Oxley compliance wouldn’t cost more than about $92,000 per filer. We all know how that turned out.
At the same time, however, shareholders and customers also reap the benefits of good compliance programs—and that’s where it gets tricky, because while Company A might bear the costs of compliance, Companies B, C, and D might reap the benefits.
For example, if Company A implements a rigorous FCPA compliance program, that’s going to cost Company A hard money. But if Company A disregards FCPA compliance and starts bribing its way to more business, that’s business that Companies B, C, and D might not get, even if they have a superior product. That’s money the shareholders at those companies don’t see, and better products at better cost that customers of those companies don’t get. (I won’t even get into the moral imperative that lax enforcement of anti-bribery law hurts the poor.)
Let’s put some actual numbers to that abstract concept. The costs of SOX compliance are well above that $92,000 estimate the SEC made years ago. According to Protiviti’s annual SOX compliance survey for 2017, large accelerated filers spent an average of $1.14 million; non-accelerated filers spent $700,000. Compliance costs are trending down for larger filers, but still rising for smaller ones. Calculated as compliance cost per dollar of revenue, the burden is painful for small filers, and far higher than the SEC’s original estimate for everyone.
Where Compliance Costs Come From
Unwelcome numbers, and we can certainly do more to cut compliance costs. But remember that the corporate frauds of Enron, WorldCom, and Tyco in the early 2000s (the frauds that led to passage of SOX in the first place) cost investors an estimated $500 billion in market cap. The goal of SOX was to reduce the proliferation of financial restatements, which can catch investors by surprise and whack your 401(k) balances before you even hear about the meltdown on Twitter.
That reduction in financial restatements has happened: from 459 in 2005, when filers were first coming to terms with the poor state of their corporate accounting and restating all over the place, to only 51 in 2016, because internal control has improved so much. That, in turn, leads to better pricing of shares in the stock market, lower costs of capital, and more reliable earnings for “Mr. and Mrs. 401(k)”—the quaint personae Clayton invoked last week as the people he wants to defend.
Clayton is right to want to defend them. But just about every 401(k) investor I know (especially anyone who endured the pre-SOX dot-com bubble and its subsequent implosion) would be content with slower growth and less volatility over time, rather than huge pops from a lucrative IPO that then goes belly up four or six quarters later. That is what strong compliance, with SOX or FCPA or many other laws, brings about.
Now, could we still work to cut compliance costs? You bet. Let’s use another example Clayton mentioned last week: CEO certifications.
Clayton is right to say that the CEO certification required under SOX sounds like a straightforward idea (who isn’t in favor of the CEO saying he or she has confidence in the company’s numbers?) but turns out to cost a good deal more in practice. The CEO requires divisional chiefs to sub-certify the accuracy of their numbers and controls; they in turn require sub-sub-certifications from department heads, and so forth on down the line.
Suddenly everyone has to certify everything, and we have emails zipping back and forth with Word documents or Excel spreadsheets that get lost, misunderstood, or forgotten. My personal favorite is when a superior certifies the effectiveness of an operating-level control before subordinates certify the underlying transactional controls. Or when Bob documents an ineffective control without consulting Sue and her compensating control, because Sue is on vacation. And pity the internal control executive tasked with collating all these certifications into something holistic that the audit firm or the CFO can review.
Two Compliance Roads Diverged...
That’s a mess. One solution could be an SEC study to revisit the costs of all that compliance, followed presumably by some relaxation of the compliance burden. (Clayton is a Republican chairman in a Republican administration, after all.) Go this route, and my bet would be some directive to the PCAOB to slow-roll enforcement of audit standards around internal control over financial reporting.
Or companies could embrace financial software that didn’t exist 10 years ago but that you can rent today, via the cloud, from any number of vendors. You could use person-specific URLs that take each control owner to a pre-designed form with pre-defined logic, so that Bob can’t document his control as ineffective until Sue returns from vacation and weighs in on her compensating control, and the VP can’t certify until all the department heads have finished their work. Then the back-end software rolls up all those certifications into a faster, more accurate report for the CEO, CFO, audit firm, and audit committee. (And don’t forget: if more companies do this, integrating M&A acquisitions will get easier, too.)
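To make the “pre-defined logic” concrete, here is a small model of a dependency-gated sub-certification workflow. It is an added illustration, not code from this post or from any vendor’s product: the control names, the owners (Bob, Sue, Ann, Dana, the CEO) and the hierarchy are constructed, and an unguessable per-owner token stands in for the person-specific URL. The model refuses the two failure modes described earlier (a superior certifying before subordinates, and Bob marking a control ineffective while Sue and her compensating control are unavailable) and it decides who is acting from the token the owner followed, not from a name typed into a spreadsheet, so Bob cannot sign Sue’s control either.

```python
"""Dependency-gated SOX sub-certification workflow (added illustration).

Hypothetical model, not any vendor's product. Each control has an owner, a set
of prerequisite controls that must be certified first, and optionally a
compensating control. Control names, owners and the hierarchy are constructed.
"""
from dataclasses import dataclass
from typing import Optional
import secrets


class CertificationError(Exception):
    """A certification attempted out of order or by the wrong person."""


@dataclass
class Control:
    name: str
    owner: str
    requires: frozenset = frozenset()        # controls that must be certified first
    compensated_by: Optional[str] = None     # compensating control, if one exists
    status: Optional[str] = None             # None (pending), "effective" or "ineffective"


class CertificationBook:
    def __init__(self, controls):
        self.controls = {c.name: c for c in controls}
        self._check_graph()
        # One unguessable token per owner stands in for the person-specific URL.
        # Identity comes from the token that was followed, never from a typed name.
        self._token_of = {o: secrets.token_urlsafe(16) for o in {c.owner for c in controls}}
        self._owner_of = {tok: o for o, tok in self._token_of.items()}

    def _check_graph(self):
        """Reject dangling or circular prerequisites before anyone certifies anything."""
        for c in self.controls.values():
            for dep in c.requires | ({c.compensated_by} - {None}):
                if dep not in self.controls:
                    raise ValueError(f"{c.name} depends on unknown control {dep}")
        done, path = set(), set()

        def visit(name):
            if name in path:
                raise ValueError(f"circular prerequisite through {name}")
            if name in done:
                return
            path.add(name)
            for dep in self.controls[name].requires:
                visit(dep)
            path.discard(name)
            done.add(name)

        for name in self.controls:
            visit(name)

    def link_for(self, owner):
        """The token the workflow tool would embed in this owner's personal URL."""
        return self._token_of[owner]

    def certify(self, token, control_name, status):
        owner = self._owner_of.get(token)
        if owner is None:
            raise CertificationError("unknown token")
        ctl = self.controls[control_name]
        if ctl.owner != owner:                      # Bob cannot sign Sue's control
            raise CertificationError(f"{owner} is not the owner of {control_name}")
        if status not in ("effective", "ineffective"):
            raise CertificationError("status must be 'effective' or 'ineffective'")
        pending = sorted(d for d in ctl.requires if self.controls[d].status is None)
        if pending:                                 # VP waits for the department heads
            raise CertificationError(f"{control_name} blocked until {', '.join(pending)} are certified")
        comp = self.controls.get(ctl.compensated_by) if ctl.compensated_by else None
        if status == "ineffective" and comp is not None and comp.status is None:
            raise CertificationError(                # Bob waits for Sue's compensating control
                f"{control_name} cannot be marked ineffective until {comp.owner} certifies {comp.name}")
        ctl.status = status
        return ctl

    def rollup(self):
        """Summary for the CEO, CFO and audit committee instead of a pile of spreadsheets."""
        pending = sorted(n for n, c in self.controls.items() if c.status is None)
        uncompensated = sorted(
            n for n, c in self.controls.items()
            if c.status == "ineffective"
            and not (c.compensated_by and self.controls[c.compensated_by].status == "effective"))
        return {"pending": pending, "ineffective_uncompensated": uncompensated,
                "complete": not pending and not uncompensated}


def attempt(book, owner, control_name, status):
    """Try a certification as `owner`; return None on success or the refusal message."""
    try:
        book.certify(book.link_for(owner), control_name, status)
        return None
    except CertificationError as exc:
        return str(exc)


def build_sample_book():
    """Constructed hierarchy: two department controls, a VP roll-up, a CEO roll-up."""
    return CertificationBook([
        Control("ap_three_way_match", "Bob", compensated_by="ap_manager_review"),
        Control("ap_manager_review", "Sue"),
        Control("revenue_cutoff", "Ann"),
        Control("finance_division", "Dana",
                requires=frozenset({"ap_three_way_match", "ap_manager_review", "revenue_cutoff"})),
        Control("company_level", "CEO", requires=frozenset({"finance_division"})),
    ])


if __name__ == "__main__":
    book = build_sample_book()
    print("VP first:  ", attempt(book, "Dana", "finance_division", "effective"))
    print("Bob first: ", attempt(book, "Bob", "ap_three_way_match", "ineffective"))
    print("Bob as Sue:", attempt(book, "Bob", "ap_manager_review", "effective"))
    for who, ctl, st in [("Sue", "ap_manager_review", "effective"), ("Bob", "ap_three_way_match", "ineffective"),
                         ("Ann", "revenue_cutoff", "effective"), ("Dana", "finance_division", "effective"),
                         ("CEO", "company_level", "effective")]:
        attempt(book, who, ctl, st)
    print(book.rollup())
```

The ordering rules live in the data (the `requires` and `compensated_by` edges), so the hierarchy can be changed without touching the gate itself, and `_check_graph` rejects a circular or dangling dependency up front rather than discovering it when the audit committee is waiting. In a real tool the token would be bound to an authenticated session and every accepted certification would be timestamped and logged for the audit firm; both are omitted here to keep the gating logic visible.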
The best solution, of course, is somewhere between these two paths. The software is only going to get smarter in the future, to let these admittedly over-simplified examples work in the real world. And the real world is only going to get more interconnected in the future, too, so those investors in Companies B, C, and D will have even more at stake in the good conduct and compliance of Company A. Neither of those things is going to change. The best way forward will respect and acknowledge those realities.
Will Clayton’s SEC respect and acknowledge them too? Let’s look forward to his next speech and see.