04 March, 2006

Taming the compliance costs

Note: Latest update from Bloomberg News on 25 May 2007

The United States public company accounting board that regulates accountants has scaled back the Sarbanes-Oxley Act’s auditing requirements. The board approved, by 5-0, rules that will allow auditors to focus on the items most likely to trigger financial misstatements. The revised auditing standard also permits accounting firms to use more judgment, do fewer checks and eliminate unnecessary work. The new audit rules will be aligned with guidelines for company managers, approved by the SEC yesterday, aimed at simplifying compliance.

What Causes Costs?

Implementation of the Sarbanes-Oxley Act of 2002 has radically changed the American corporate landscape. The biggest complaints so far are the high compliance costs and the way the Act stifles innovation. What drives the high compliance costs is Section 404, the heart of the Sarbanes-Oxley Act, which relates to internal controls. It was reported that a listed company such as Dow Chemical spent 100,000 man-hours on internal controls, which cost the company 12m. “The Economist” quoted an econometric estimate that the net private cost amounts to $1.4 trillion. According to “The Accountant”, a CFO at a pharmaceutical company describes Sarbanes-Oxley as “a classic, legally driven American nightmare which is expensive and is not going to stop people stealing money from companies.” Apparently, no system is foolproof against perpetrators committing fraud, and neither is the Sarbanes-Oxley Act.

Compliance costs are regulatory and therefore unavoidable. The purpose of spending resources is to achieve objectives. When a company spends 100,000 man-hours, or 12m in monetary value, the fitting performance measurement is to measure that spending against the objectives. The apocalyptic catastrophe resulted from unfettered, nefarious corporate behavior and accounting hocus-pocus in America. The Sarbanes-Oxley Act was a nifty arsenal for imposing a good dose of comeuppance and keeping the risk of infractions from escalating. And the results speak for themselves if you compare the before with the after. Regulation was meant to avoid systemic failures after a myriad of colossal corporate scandals. Without drastic measures, it is difficult to stop rampant fraud from occurring. The costs of a financial system failure are prodigious and beyond measure. A loss of confidence would make investors leave the market and park their money in a safe harbor. The country also paid dearly, because ordinary men in the street came to mistrust corporate officers’ integrity after investing their life savings and pension funds in companies that have now gone bust; they watched helplessly as their personal wealth eroded overnight. In hindsight, reports showed investors voted with their feet. And these costs were not reflected in the corporate accounts.

Sarbanes-Oxley is not consummate if we place our unalloyed emphasis on objectives; there is scope to tame costs at the macro and micro levels. This article is chiefly a study of how to contain costs.

Costs at macro level

America is a litigious country. The value system of equity builds up rules and costs of defense. We can see that there is nothing particularly right or wrong about this value system, so long as the costs incurred achieve its objective: “I got back the fairness”. Of course, it is also unrealistic, as there is no such thing as “at all costs”, which leaves leeway for mitigation. It is indisputable that the corporate cost curve cannot trend upward indefinitely. That is one aspect of the characteristics of cost.

Another aspect is that some costs are nebulous. What actually is the meaning of costliness? You can’t quantify it without a reference; therefore, in a company, we compare our spending with a predetermined benchmark to calculate the variance, and we decide to take action when the variance is intolerable by statistical standards. In actual fact, the predetermined benchmark can be a moving target, depending on the nature of the cost object. For some cost objects it is inherently difficult to set a tolerable error margin; in other words, no one can foresee that exceeding a certain point is adverse, because no one knows for sure where the trigger point is. Compliance cost is one such example.

Third, there are behavioral aspects of cost. Spending resources is discretionary when the reference point is nebulous. Whether the bar is set high or low depends on the decision maker’s predilection or on the political process of decision making. You may have heard of owners who are willing to spend an amount on a cost object that we would think inconceivable. In other words, the bar for that particular cost object is high. By contrast, for an item like compliance costs, you can’t measure the direct impact of the spending, and it is difficult to quantify the benefits to be derived. The bar will be low by comparison, because it is a passive cost. A passive cost is one incurred for a non-operational objective. A passive cost is regarded as frittered away until something serious happens. A company that implements TQM incurs prevention costs to improve product quality, because customers can feel and respond to it immediately once the product is out of the door. The intractable part of compliance costs is that something untoward may or may not happen in the short term. People only nod ruefully and ask to spend more once something goes awry. This interesting phenomenon depicts the behavioral aspect of passive cost.

To be effective, we should target the cause of the largest, most lethal frauds. For example, if you want to show your appreciation to someone for a good deed, go directly to the person and be substantive; he will certainly feel it strongly. Similarly, the objective of the resources consumed was to prevent scandals like Enron, WorldCom and the like from happening. A 1999 study by the Committee of Sponsoring Organizations of the Treadway Commission found that the CEO and CFO directed the fraud in at least 82% of the cases examined. What they committed were largely financial statement frauds. If we had concentrated our resources on senior management fraud and built up the mechanism to counter it, the costs would probably have been slashed by more than half of what has been incurred. Section 404, by contrast, goes hither and thither: it requires a full-scale internal control examination, and the time spent documenting and testing control points and processes is arduous. It drives resource use on two sides, first at the company and subsequently in the auditor’s own examination, and the cost escalates even more when the company needs to develop software that complies with SOA. Clearly, all these efforts are not wasted; they are just what was mentioned earlier: passive costs, prevention costs that maintain the quality of the system. When the tasks suddenly increased substantially and the resources lagged behind, the grudge began.

Taming senior management fraud was imperative when an array of scandals broke out. To contain a plethora of debacles, the response has to be forceful and drastic to be effective. SOA has achieved its objective in this respect. Countermeasures such as Sections 302, 304, 806, 906 and 1105 impose punitive measures, making the offences criminal. All can achieve an immediate effect in stemming the perpetration of fraud, because the legislators have drawn a line defining appropriate corporate behavior. In the same vein, strengthening the board’s role, the audit committee’s function and the external auditor’s independence achieves similar effects in countering senior management fraud. It boils down to how to implement these measures to achieve results.

As to the Section 806 whistleblower protection that targets senior finance officers, I have reservations. Whistleblowers not only need protection; there must also be an incentive for them to come forward. External factors like country culture and corporate culture play an influential role. Inner incentive is even more significant for a whistleblower to pluck up enough courage to expose sordid affairs. The reality is that few have very high ethics; the whistleblower group is probably at the tail end of a distribution. The majority adopt a neutral attitude; small wonder there is a saying, “You can’t beat them, join them”. Put yourself in their shoes: who wants to be nosy enough to expose the boss’s wrongdoing? These people are passive accomplices. Their aim is not to rock the boat, to act as if nothing happened. It goes without saying that whistleblowing requires adroit management. The cost of a cover-up to the company depends on the nature of the fraud and the timing: the longer it takes to discover, the costlier it will be.

Costs at micro level

An interesting article in “Financial Executive” grumbles about duplication of work by the external auditor. A senior director of internal audit said, “If a certain number of quarterly reconciliations need to be done, we’d test a number to make sure they hit the key attributes. The redundancy is that the external auditor may come back and do the same level of work on the same reconciliation in order to make their assessment. Is that duplicative? Do they have to do the same amount of testing all over again?” The auditing guideline spells out the circumstances in which an external auditor can rely on the work of internal audit. To decode the phenomenon, there are two conjectural situations, equally inimical.

Situation one: Auditing is an evidence-gathering and examination process. Evidence originated by the auditor, by such means as its own analysis and physical inspection, is more reliable than evidence obtained from others. My first guess is that in the past the external auditor took client schedules or internal audit work at face value to save time, carrying out only an iota of its own analysis, and is now under pressure from the PCAOB to do a proper auditing job to avoid embarrassment.

Situation two: My second guess is equally negative. Auditing the auditor results in the external auditor adopting a defensive routine. A defensive routine is a reaction to a threat. The psychological threat to the external auditor is being nitpicked by the PCAOB. A defensive routine is negative thinking; it makes the auditor less flexible and unwilling to use professional judgment and take risks. Auditors resort to a full-scale audit to make sure their impeccable working papers pass the PCAOB’s audit. And their clients see audit fees ballooning.

Controlling compliance costs at the micro level encompasses the audit fee and the control maintenance cost at company level. System documentation, whether performed at company level or by the auditor, is usually a one-off project unless there are system or process changes, such as implementing ERP software. A company that treats process improvement as routine can probably reuse its system charts to save costs. The external auditor can make use of the client’s documentation of the company system to perform control tests. Of course, the auditor has to perform a walk-through test to ensure the authenticity and reliability of the processes described in the charts. An auditor declining to make use of the client’s system documentation is another example of a defensive routine. I believe the PCAOB would not nitpick if the auditor documented the results of the walk-through test and the conclusion reached. But what is done cannot be undone. Defensive routine costs will probably be an incessant feature of a litigious society going forward. Doing a maximum audit is certainly not of value to the shareholders.

There are several measures by which auditing firms can pare costs, improve productivity, and pass the cost savings on to their clients.

First: The auditor has to be proactive in managing shareholder expectations to reduce audit costs and other compliance costs. Communication helps both parties agree on what a reasonable audit is and will reduce shareholder lawsuits, which in turn cuts insurance costs for both sides.
One aspect of shareholder expectations is the auditor’s role in discovering fraud. This issue has been debated for decades. In other parts of the world, the courts have even ruled in favor of the auditor as a watchdog rather than a bloodhound. The reason is that the auditor’s duty is to express a true and fair opinion on the financial statements. The evidence-gathering process is therefore not designed specifically to detect fraud but to satisfy the auditor about the state of affairs presented. The auditor uses sampling to carry out depth tests. The tests do not necessarily result in fraud discovery; more often than not, their purpose is to reach a conclusion on whether sound internal control is in place. This does not conflict with the auditor’s need to be vigilant during the audit.

Certainly there is no such thing as a fixed role; the auditor needs to acclimate to inexorable change as the expectation that the audit include fraud checking grows. However, detecting fraud is a different process that requires detailed checking and forensic experience, which means more hours are to be expected. The outcome may not justify the cost incurred. I think the common-sense approach is to go back to basics and use two modes. The auditor proceeds with the low-cost approach and, only on smelling something fishy, switches to the high-cost mode by engaging a forensic expert for a detailed audit. The risk is that the auditor is so deluded by a perfect scam that the switch to mode two never happens. One article in the AICPA’s Journal of Accountancy says “The challenge is that those individuals committing wrongful acts and fraud can- and do- lie to the auditor or manager.” Reaching mutual understanding and realistic expectations can avoid value-destroying litigation among shareholders, auditor, board and management.

On the other hand, auditors need to sharpen their fraud-checking skills, such as watching for signs of possible fraud. In the US, SAS No. 99, Consideration of Fraud in a Financial Statement, specifies questions auditors should ask management and others when checking for fraud risk. You get only one answer by asking the management. It is fraud-detecting skill that makes fraud discovery possible. To live up to expectations, the profession should include fraud detection in CPA firms’ in-house training, the CPA Continuing Professional Development Program, or the CPA examination. Another important area is developing fraud-detection auditing software. According to reports, the latest development is the Continuous Assurance Audit System (CAA). The system monitors another critical application program and produces audit results instantly after the actual event occurs. It was said that KPMG in the UK developed a CAA called KPMG On-Line Auditing (KOLA). I have reservations about whether external auditors have the resources to monitor their clients’ activities all year round, because not all exceptions discovered are irregular activities, and they distract focus and demand continuing attention. The software’s monitoring capability will probably benefit internal auditors. There should be funded research to support the development of fraud-detection software to sharpen auditors’ fraud-detection capability. The PCAOB can play an instrumental role in combining the experience of auditors and software developers on this project to lift audit quality for the profession as a whole, rather than leaving it to individual in-house development.

Internal control has gone through profound changes. Segregation of duties, for example, increases costs by requiring more people for checks and balances. Automation, on the other hand, such as ERP software, helps to cut head count. This radical development also changes the way auditors examine controls. Some parts of segregation have disappeared entirely. Though the principles of control for EDP auditing, such as access control and data security, remain the same, research into new examination techniques for complementary controls still lags behind changes in the business landscape. Increasingly, companies store their supplier invoices on microfilm or other digital storage. Companies also receive digital invoices. All this changes the way traditional auditing checks the authenticity of source documents. How do you ensure these digital documents are not cooked up in the black box? Where do you seek complementary control measures when the latest software changes work processes so that part of the original control is diminished? How do these interlace with changes in organization structure made to cater for business needs? The PCAOB could probably collaborate with the big four to pool resources for this new research direction and tailor their search more intelligently.

It was reported that the judgment that toppled Arthur Andersen was a mistake. It reduced competition, left companies with fewer choices when changing auditor, and let the big four form an oligopoly, making companies pay higher audit fees. The contrarian view of Arthur Andersen’s demise is itself a value judgment. Arthur Andersen was once an excellent firm, especially in its consulting services. However, too many audit failures were then associated with it. That could not be a coincidence; there must have been something fundamentally wrong in the way it operated that resulted in its demise. There are few books published that give a full analysis of the fall of Arthur Andersen. Notwithstanding, there were a few other alternatives as a means of egress, such as a court order to reform, a change of leading partners, and fines. Most of the big four involved in audit failures since then were fined heavily. It would be meaningful if these fines could be channeled into a nest egg to fund research into better audit quality.

Another interesting topic is the relationship among trust, control and cost. In modern management, we advocate a high-trust modus operandi. “Trusting relationships are valuable, satisfying and productive. Trust raises the level of expectation on both sides. Without trust we expend considerable energy managing how we are perceived. Trust can reduce costs over long period of time by ensuring that people more readily understand and accept current realities and priorities.” Certainly, no one denies the effectiveness and efficiency of trust. With trust, we can share information faster, collaborate with others, implement change, foster innovation and creativity, and recognize and learn from mistakes. These savings are intangible and hence difficult to quantify.

It is said that trust is culturally related and that America is a high-trust society. Trust can co-exist with control if you want to avoid the cost of lost trust. Misplaced trust can be lethal. The Enron and WorldCom debacles prove that control is an integral part of trust. There is no absolute trust; we have to accept that some elements of control are part and parcel of corporate life, which does not mean that trust does not exist. A case in point is a very recent fraud case in Singapore involving a woman Finance & Admin executive of a US company, Tyco International, who forged 131 cheques to siphon off $10m in three and a half years. She used the money to buy a Mercedes-Benz, a BMW, a Honda Odyssey, two condominium units, six watches, 10 handbags and 61 pieces of furniture. Her excuse for committing the fraud was that she had to pay her husband’s $1m gambling debts (note 1). The judge rebuffed this, saying she was driven by pure greed and was using the gambling debts as a pretext, and asked her about the balance of $9m. The woman probably passed the reference check at the time of recruitment. She might have appeared innocent, hardworking and reliable. Her boss probably trusted her and never checked the supplier statement reconciliations for three and a half years. Who knows at what point things changed, her greed started breeding and she quietly stole $10m of company funds. Similar cases abound. Control measures must exist at all times to guard against someone perverting trust at any time. We need to balance the level of control and trust as the situation warrants.

Second: underpinning internal procedures to reduce audit failures.
Audit planning: Many audit firms are oblivious to, or rather perfunctory about, audit planning. Audit planning is the most crucial part of achieving cost efficiency. During audit planning, on top of applying analytical review to assess the reasonableness and internal consistency of the client’s financial statements, a risk-based approach is the most cost-effective way to help the auditor focus on material risks and design an audit approach tailored to its own evaluation. This helps more than beating about the bush or mechanically filling out an audit program. It makes the auditing process challenging, and auditors become more proactive in it.

Knowledge management: Effective audit planning cannot go without a client information database. The database consists of a permanent file including the client’s history, characteristics of the industry, the business model, competition, significant events, management team, accounting systems, past auditors’ remarks (compulsorily updated in each audit), risk assessment, names of the audit team and the responsible audit partner, etc. This process internalizes the firm’s knowledge of the client company and becomes the firm’s intangible asset.

Knowledge transfer:
Audit firms must emphasize the importance of knowledge transfer. They must look into how certain parts of the knowledge can be reused to achieve efficiency, such as reusing the same audit team for the same industry. Even the five-year partner rotation rule will not affect the reuse of knowledge if it is well documented.
Much in-house training concentrates only on topics like changes in accounting standards, using the in-house audit manual to brush up classroom auditing techniques. Little attention is paid to the transfer of tacit field-audit knowledge, although it is a very important part of auditing, because the field evidence-gathering and examination process is the cornerstone of the audit. Tacit field-audit knowledge transfer teaches fledgling auditors real-life experience of fraud detection, how to spot irregularities and how to interact at different levels in the client’s office. Many audit managers neglect to impart this knowledge to their staff.

Debriefing: Debriefing is like a post-mortem and is an important learning process. New findings can be included in the audit program to improve future audit quality and to update the permanent file. Many audit firms do not conduct debriefings and belittle them as time wasting. Debriefing is also a knowledge transfer and accumulation process that avoids repeating errors and sharpens focus.
Making the auditing firm a learning organization will make it an exciting place for learning and growing; fresh blood will not be treated as vouching machines, which in turn will help to retain quality staff, improve audit quality overall and achieve long-term cost savings.

Third: Auditors should stick their necks out and be emboldened to use professional judgment. Applying professional judgment adds value and is innocuous. It is why others value and respect professionals. A hidebound defensive routine benefits nobody, because the auditor’s work volume increases and the client’s costs balloon. The auditor should strive to achieve a reasonable audit. A reasonable audit conforms to regulatory requirements, meets shareholder expectations and achieves cost-effectiveness targets.

Fourth: The auditor should be transparent about its cost structure. Implement target costing to achieve the required margin, and reverse-engineer audit processes to calculate the different grades of man-hours for the job, the key processes needed to complete the audit, and the time spent on each step of each process, then select the most effective and efficient approach to achieve the audit objectives.

At company level, Section 404 stipulates that the annual report filing must contain an internal control report that states management’s responsibility for establishing and maintaining an adequate system, as well as management’s assessment, as of the fiscal year-end date, of the effectiveness of internal control procedures. The onus is now on management to attest that the company’s internal control is in order. The real conundrum is that management has to challenge itself to avow this affirmatively every year. Covering every possibility is truly a hard nut to crack. The downside risk is organizational limbo. This can also result in a defensive routine that is not in the interest of the shareholders. Management will put the agency interest above the shareholder interest, complying with Section 404 by incurring substantial costs to comb every corner for remote risks in order to protect itself from any untoward fallout.

A reasonable approach would be for the law enforcer to adopt flexible administrative measures. The law will be toughened when things run amok. To relieve management of responsibility, the enforcer looks for documentary evidence that reasonable efforts were spent, professional judgments were made, the audit committee is satisfied, and the external auditor has no adverse opinion. By doing so, management becomes more willing to make judgments and take risks.

Companies will reap benefits from Section 404 implementation by treating it as a round of process improvement. Section 404 is then no longer seen as a compliance cost but rather as an investment to eliminate non-value-added activities.

In a nutshell, the Sarbanes-Oxley Act’s success in containing systemic risk outweighed the costs of Section 404 implementation. Nevertheless, resources are consumed to achieve objectives. The scope for taming compliance costs at the macro and micro levels can help organizations divert more resources to R&D, which is most needed in corporate America.

Note 1: Her husband was brought to court in April 2006 over his gambling debts.

References:
1. The Accountant
2. Journal of Accountancy
3. Strategic Finance
4. Financial Executive
5. Asian Wall Street Journal
6. The Economist
7. Trust matters- For organization and personal success
8. Sarbanes Oxley and the internal auditing rules