Well, it’s started. Congress and the Securities and Exchange Commission have begun plotting ways to roll back corporate compliance and governance practices. The Sarbanes-Oxley Act is a top priority.
New SEC chairman Jay Clayton fired the starting gun on July 12, when he gave his first public address as chairman. He laid out eight concerns that will guide his leadership, and troubles with the costs of compliance (“the costs of a rule now often include the cost of demonstrating compliance”) ranked as No. 7.
He gave the example of CEO certifications to comply with a law, and the subsequent sub-certifications that have now emerged as standard compliance practice. Clayton didn’t name SOX, but clearly it is the prime example.
We have more, however. The following week, the House Financial Services Committee held a hearing on the costs of compliance with SOX. Republican lawmakers bemoaned the relatively low number of IPOs in the United States (relative to the inflated number of IPOs in the 1990s just before the dot-com collapse), and complained that laws like SOX prevent retail investors from hitting “the lottery tickets” of a lucrative IPO that pops on its opening day. (Never mind that retail investors in the dot-com bubble never had access to IPO shares at the opening price; investment bankers parceled out those guaranteed lottery tickets to preferred clients.)
Compliance officers can see where this is heading. Clayton and congressional Republicans are going to mount an offensive on the costs of SOX compliance, as an excuse to weaken internal control rules so more companies can be taken public.
At some point, then, you might need to defend the benefits that come with SOX compliance, which are numerous, and which help a company stay public. So let’s take a look.
Remember: SOX Works
Since we’re celebrating the 15th anniversary of the Sarbanes-Oxley Act anyway, let’s take a moment to remember why Congress enacted this law in the first place. The goal of SOX was to reduce the occurrence of financial restatements, by placing more responsibility for accurate financial reporting upon senior executives, the board of directors, and external auditors.
That’s all that SOX is about. That’s the purpose of all these whistleblower programs, audit committee meetings, internal control audits, and so much more. It’s to improve the reliability of financial reporting, so investors don’t get burned as they did first in the dot-com stock market collapse, followed by the massive corporate frauds of the early 2000s.
And here’s the part nobody likes to admit: SOX works.
The best collection of evidence for that point comes from Audit Analytics, which tracks pretty much every corporate financial disclosure in the universe. Every spring it publishes an analysis of financial restatements. Its 2017 report, capturing 16 years of data, indicates that by every metric we could imagine, financial restatements keep receding as a risk to investors.
First, financial restatements are down in absolute numbers. Severe restatements, which require a Form 8-K disclosure, have fallen for nine consecutive years, to only 130 in 2016. Less severe “revision restatements” (where a company adjusts numbers in a filing, without prior 8-K disclosure) fell from 686 in 2006 to 470 in 2016. Revision restatements now account for 78 percent of all restatements, up from 32 percent in 2005—which is a good thing, because it means the number of severe restatements is falling so rapidly.
The number of issues identified in a restatement has fallen from 2.42 in 2005 to 1.55 in 2016. The average number of days restated has fallen; the average length of time necessary to do the restating has fallen. The percentage of restatements that result in no material change to the income statement went from 37 percent in 2007 to 59 percent in 2016.
Again, you get the picture. SOX compliance went into effect in 2004, leading to a spike in restatements in the mid-2000s. As companies then mastered compliance and their internal control over financial reporting improved, the risk of restatement has receded. SOX has accomplished what lawmakers wanted it to do.
Talking About Costs and Benefits
When we have conversations about the costs and benefits of compliance, we need to keep the discussion in that frame: whether the costs of strong internal control over financial reporting do or don’t exceed the benefits of more reliable financial reporting.
That won’t be easy. The costs of SOX compliance are clearer: audit fees, software maintenance costs, staff hours devoted to internal control documentation and testing, and so forth. The benefits are diffuse: less likelihood of restatement, simpler restatements when one does happen, better access to capital (because your earnings are more reliable), more appreciation from equity analysts following your company, lower meeting fees for audit committees that don’t meet as often.
SOX critics will, inevitably, say that those benefits would exist anyway without compliance burdens like Section 404(b) of SOX, the audit of internal control over financial reporting. Therefore the benefits of SOX compliance are fewer, which means the costs are relatively higher—so why not do away with those pesky requirements such as 404(b)?
Answering that question won’t be easy, either. The best ways to total up compliance costs and benefits across the whole realm of publicly traded companies are enormously complex; we’d need to examine fees spent on audit committee meetings; the gaps between quarter end, filing of earnings release, and filing of 10-Q; fees paid to external auditors, per dollar of revenue; outside legal costs in the event of restatement; and so forth. Then we’d need to compare all of that between non-accelerated filers, which are exempt from Section 404(b), and accelerated filers, which aren’t. (I’ll take stabs at those analyses in future posts.)
Within your own company, however, compliance officers who want to quantify the costs and benefits of SOX compliance should emphasize a few points:
- How do your own financial reporting risks track to the most common causes of financial restatements among your peer group? (Examples: debt, quasi-debt, and warrants have been the top cause of restatements for more than 10 years. Revenue recognition is always among the top five causes, and a huge rewrite of the revenue recognition standard goes into effect in less than five months.)
- What is the average cost of restatement per dollar of revenue for companies in your peer group? Consider the restatement’s adjustment to revenue and income, as well as audit committee fees, legal fees, auditor fees, and the like.
- What are the ancillary benefits to your company’s strong ICFR? For example, the times between end of period, earnings release, and 10-Q filing—how have they changed over time? How have your D&O insurance premiums changed?
- How has the balance between your “capital budget” for SOX compliance (such as IT spending) fluctuated with your “operating budget” of man-hours spent on compliance? (For example, here’s a post I wrote for Workiva exploring how to simplify certification processes using software more smartly.)
You may wonder right now: didn’t we start this post talking about the SEC and Congress, and the dwindling number of IPOs? Isn’t that what SOX compliance reform will be about?
Well, yes and no. Good SOX compliance has little to do with your ability to go public, and almost everything to do with your ability to stay public and provide better, more reliable financial reporting to investors who depend on that reliability to fund their 401(k) plans.
SOX compliance reform, however, has almost nothing to do with that noble goal, and everything to do with letting bankers, lawyers, and stock exchanges reap more fees as they shove more companies through the IPO pipeline. We’ll get to that later this week.