The downfalls of Enron, followed by the Arthur Andersen conviction, bankruptcy of Worldcom have highlighted the need of questioning the activities of the audit committees (Laufer W 2006). However it has began a decade before the Enron scandal. Published in 1999 Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees (BRC) listed the activities that audit committee should take to improve its effectiveness. In 2002 the US Congress published the Sarbanes - Oxley Act (SOX). Both legislations were to make the audit committee more effective. In 2003 the SEC was issued which included regulations for audit committees of publicly traded companies. (Myers et al 2006)
According to Myers et al (2006) BRC not being as much famous as SOX could address many effectiveness steps before the 2002 scandals. The efforts had increased after the BRC publication.
The major aim of SOX was to "promote corporate responsibility, enhance public disclosure, and improve the quality and the transparency of financial reporting and auditing in order to protect shareholders ". Davies M. et al (2008) p.1 The impracticality of an international "one size fits all" corporate governance code of practice.
According to Romney et al (2006) "SOX applies to publically held companies and their auditors and was intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen the internal controls at public companies, and punish executives who perpetrate fraud." Romney et al (2006) p.193
According to Laufer (2006) the SOX was misconceived by the Congress and disregarded the body of corporate finance research that could have introduced the other initiatives to help improve the audit quality.
According to Moeller (2005) SOX introduced the most important new rules for the auditing and internal auditing.
Sox require the companies to consider audit rotation. Cosserat et al (2009)
Sox have changed the regulation of corporate governance and financial practice for US listed companies. One of the requirements of section 404 is publishing by the registered accounting firm in the annual reports information regarding the scope and adequacy of the internal control structure as well as the procedures for financial reporting. The companies are also required to include the information about the effectiveness of the internal control and the procedures. Cosserat et al (2009)
Needleman (2009) highlights the management responsibility required by SOX. Management can no longer just sign the reports but implement effective internal controls so that the errors are uncovered and repaired. This doesn't mean that auditors should not take responsibility for their work but their work supported by the management review should be much more accurate.
Needleman (2009) mentions t risk assessment directly related to management as one of the measures of internal controls effectiveness.
Romney et al (2006) highlights the importance of the information security as being the top management issue, not the information technology issue.
Compliance with SOX means more involvement of internal auditors. SOX also require chief executives and financial officers to certify the internal control and risk management systems. Cosserat et al (2009) CEO and CFO should certify that the financial statements represent true results of the company's activities. Romney et al (2006) SOX intend to protect investors and restore investors' confidence by requiring the financial reports to be accurate and complete. Maurizio et al (2007)
New York Times (2002) called the legislation to be (the biggest overhaul of securities law
However Shilts et al (2009) claims that SOX gives a false security to stakeholders as it concentrate on the past events not preventing from the future problems. As an example Shilts et al (2009) mentioned lending organization which concentrated on compliance with SOX rather than checking the risk of lending their money. Checking of currents risks is crucial especially now in the credit crunch era. SOX require management to take responsibility for accuracy of procedures, controls and reporting but don't make management responsible for the prosperity of the company. Needleman (2009) However Shilts et al (2009) the financial crisis should make management to put risk management at the highest priority.
According to SOX auditing firms appointed by the entities listed on US stock markets should register with the Professional Oversight Board. The auditing firm should report to the POB their compliance with the terms of the SOX. The requirement includes the auditors of US controlled subsidiary entities
It can be argued that this may lead to the interference of United States into domestic affairs of the countries where audit firms are based. Cosserat et al (2009)
According to Moeller (2005) internal auditors avoided financial auditing issues in the past (pre SOX). These were left for the external auditors who issued annual financial statement and the reports on the adequacy of these report. During 1990s until 2002 external auditors took the responsibility of the internal controls (outsourcing). Many internal auditors were employees of the big accounting firms. Arthur Andersen auditors responsible for Enron's audit were also acting as Enron's internal auditors. Moeller (2005) claims that in the the pre SOX time CEO and CFO were more interested in personal gain than providing shareholders with sufficient information on company's financial situation. Audit committees were not sufficiently involved in the transaction the company was involved. External auditors were in the centre of high criticism. Outsourced internal auditors were critized as being too dependent on their external audit firm owners. Moeller (2005) suggests that Arthur Andersen, Enron's audit firm was more interested in providing consulting services than auditing its financial statements. The Enron situation raised a question on the "independency of the external auditors". It also pointed out the conflicts of interested were many auditing firms were offering their consultancy services, installing a financial system at the client's corporation and then issuing the internal controls report for the system they installed themselves. Moeller (2005)
SOX prohibit external auditors perform and approve internal controls assessments. It also doesn't allow public audit firms to outsource the internal audit to the firms where they are performing external audit. Moeller (2005) SOX requires he audit committee to approve all external services.
SOX INTERNATIONAL IMPACT
SOX is aimed at all companies with SEC registration, United States and international. There was the assumption that foreign registered companies would be exempt from SOX rules. According to Moeller (2005) in early 2004 there were 474 non-US companies from 51 countries listed at the New York Stock exchange. As they were following different rule the SEC has offered them limited exceptions and allowed more time to compliance with SOX. However SOX applies to all foreign companies whose securities are registered on a U.S. exchange. Moeller (2005)
SOX COST, documenting
According to Loeb (2005) firms are struggling with the cost of compliance with SOX, experiencing an average increase of 90% in accounting costs. According to Webb (2008) the size and firm performance may be crucial in the SOX compliance. Webb (2008) p.6 goes on to suggest "Larger firm have an easier time complying with the Act than smaller firms, all else being equal, and the governance structure has less of an impact." The high cost of compliance with SOX results in delays, especially of small companies.
The cost of SOX compliance is huge; however it changed the way of documenting. Many companies use software packages to compile with SOX documentation tasks. Bagranoff (2008)
SOX will not prevent companies from collapsing but will help to give a true picture of the company financial situation.
- Myers P. M., Ziegenfuss D.E.,(2006) Audit committee pre-Enron efforts to increase the effectiveness of corporate governance, Corporate Governance, pp 49-63, Vol 6 No. 1 2006
- Hoitash R., Hoitash U., (2009) The role of audit committees in managing relationships with external auditors after SOX, Managerial Auditing Journal, Vol. 24 No.4, 2009
- Laufer W., (2006) Illusions of compliance and governance, Corporate Governance, Vol. 6 No 3 2006
- Davies M., Schlitzer B., (2008) The impracticality of an international "one size fits all" corporate governance code of best practice, Managerial Auditing Journal, Vol. 23 No. 6, 2008
- Grimshaw J., Baron G., Edwards B., (2006) How to combat a culture of excuses and promote accountability, Strategy and Leadership, Vol. 34 No. 5 2006
- Chan K., Lee P., (2008) Why did management and auditors fail to identify ineffective internal controls in their initial SOX 404 reviews?, Review of Accounting and Finance, Vol.7 No.4 2008
- Holt G., (2006) SOX "best practices" or too much accountability, The bottom line: Managing Library finances, Vol. 19 No.3 2006
- Petra S., Loukatos G., (2009) The Sarbanes-Oxley Act of 2002: a five-year retrospective, Corporate Governance, Vol. 9 No.2 2009
- Dujuan Y., (2009) Inefficient American corporate governance under the financial crisis and China's reflections, International Journal of Law and Management, Vol. 51 No.3 2009
- Huang H., (2009) Sarbanes Oxley section 404 compliance, Recent changes in US-traded foreign firms' internal control reporting, Managerial Auditing Journal, Vol. 24 No.6 2009
- Michelson S., Stryker J., Thorne B., (2009) The Sarbanes-Oxley Act of 2002: what impact has it had on small business firms? Managerial Auditing Journal, Vol.24 No.8 2009
- Burnaby P., Abdolmohammadi, Hass S., Sarens G., Allegrini M., (2009) Usage of Internal Auditing Standards by companies in the United States and select European countries, Managerial Auditing Journal, Vol. 24 No. 9 2009
- Woods M., Humphrey C., Dowd K., Liu Y., (2009) Managerial Auditing Journal, Vol.24 No.2 2009
- Brown W., Nasuti F., (2005) What ERP system can tell us about Sarbanes-Oxley, Information Management & Computer Security, Vol. 13 No.4 2005
- Webb E., Sarbanes -Oxley compliance and violation: an empirical study, Review of Accounting and Finance, Vol.7 No.1 2008
- Kalbers L., (2009) Fraudulent financial reporting, corporate governance and ethic: 1987-2007, Review of Accounting and Finance, Vol.8 No.2 2009
- Hoi C., Robin A., Tessoni D., (2007) Sarbanes-Oxley: are audit committees up to the task? Managerial Auditing Journal, Vol.22 No.3 2007
- Loeb, L. (2005) "Sarbanes Oxley : worse that no solution at all?, www.e-week.com
- Needleman T., 19 Oct 2009, Grappling with SOX, http://www.webcpa.com/ato_issues/2009_16/-51941-1.html
- Shilts J., Holtz L., 27 Aug 2009, Risk Assessment is a necessity, Marcumrachlin http://www.webcpa.com/news/Risk-Assessment-Necessity-51511-1.html
- Accounting today , 11 Feb 2009, Small COS. Get final SOX 404 reprieve http://www.webcpa.com/ato_issues/23_17/small-cos.-get-final-sox-404-reprieve-52168-1.html
- Romney M., Steinbart P., (2006) Accounting Information Systems, Pearson Education Inc
- Bagranoff N., Simkin M., Norman C., (2008) Core concepts of accounting systems, Third Edition, John Wiley & Sons, Ltd.
- Cosserat G., Rodda N., (2009) Modern auditing, Third Edition, John Wiley & Sons, Ltd.
- Moeller R., (2005) Brink's Modern Internal Auditing, Sixth Edition, John Wiley & Sons, Inc
- Baltzan, P., Phillips A. (2008) Business Driven Information Systems, The McGraw-Hill Companies, Inc.
- Jessup, L. and Valacich J. (2006) Information systems today (Second edition), New Jersey, Pearson Education, Inc.