Going Beyond Sarbanes-Oxley Compliance: Five Keys to Creating Value

By Mark S. Beasley and Dana R. Hermanson

E-mail Story Print Story

Under the requirements of the Sarbanes-Oxley Act, executives must personally certify a public company’s financial results (section 302) and soon will have to issue a report on the effectiveness of the company’s internal controls over financial reporting (section 404). Auditors will issue an additional report attesting to management’s internal controls report. In addition, the Sarbanes-Oxley Act contains a number of provisions related to auditor independence (section 201), audit committee composition (section 301), and criminal penalties for accounting fraud and related offenses (Title VIII and Title IX).

Sarbanes-Oxley compliance is costing companies significant amounts of time, professional fees, and other resources. In the authors’ experience, executives seem to be grudging in their support of Sarbanes-Oxley. Many appear to view the law as an overreaction that will do nothing more than increase the compliance burden on public companies. In fact, only 30% of the respondents to a survey in CFO Magazine thought that the benefits of Sarbanes-Oxley would exceed the costs. Many other executives appear to be looking only for ways to “stay out of trouble” with Sarbanes-Oxley compliance, and view the situation as involving only downside risk. While the legislation was passed quickly and may be imperfect, if companies view implementing and complying with the Sarbanes-Oxley Act as more than a “check-the-box” type of exercise, it can provide important, long-term benefits.

The Context of Sarbanes-Oxley

The clear motivation for the Sarbanes-Oxley Act was to combat the financial statement fraud problem that continues to plague the United States, as embodied by Enron, WorldCom, Global Crossing, and too many others. In addition to the impact of stock-based compensation, many have viewed the causes of these frauds as overly powerful CEOs, weak boards and audit committees, ineffective or compliant auditors, weak internal controls and weak management of risks, and soft penalties for accounting fraud perpetrators.

Simply stated, Sarbanes-Oxley takes direct aim at the perceived drivers of fraud by attempting to strengthen board and audit committee oversight, increase auditor vigilance and independence, strengthen internal controls and risk management, and create accounting fraud penalties with a significant deterrent effect. Accounting fraud disasters, if not discovered in time, can cause damages into the tens of billions of dollars.

Five Keys to Value-Added Sarbanes-Oxley Implementation

The authors believe that five keys are involved in implementing Sarbanes-Oxley in a manner that goes beyond simply trying to “get in compliance with the rules” (see the Exhibit):

• Appreciate the goal behind Sarbanes-Oxley.
• Understand the fraud disease.
• Aggressively address ethical attitudes and the potential for rationalizing fraud.
• Consciously decide to go beyond simple compliance to improve governance and controls.
• Investigate and implement enterprise risk management (ERM).

Appreciate the goal behind Sarbanes-Oxley. While the mechanisms that the Sarbanes-Oxley Act put in place may not be perfect, appreciating the overall goal of preventing fraud can help build the right organizational mind-set regarding implementation. In other words, executives should “buy into fraud prevention, enhanced governance, control orientation, and risk management” even if they think certain elements of Sarbanes-Oxley are onerous or unnecessary.

This buy-in is so critical because the consequences of financial reporting problems are severe. For example, the 1999 study sponsored by the Committee of Sponsoring Organizations (COSO), Fraudulent Financial Reporting: 1987–1997 (Beasley, Carcello, and Hermanson), found that more than half of companies committing accounting fraud failed (e.g., bankrupt; defunct; ownership change) within two or three years after the fraud was disclosed. Failure to implement effective governance and internal controls, or to effectively manage risks, can also be disastrous. For example, weak governance can lead to executive compensation debacles such as the recent NYSE situation, and weak controls can increase the risk of asset misappropriation and fraud. As a result, minimizing fraud risk, enhancing governance, strengthening controls, and effectively managing organizational risks are worthy, value-adding goals, even in the absence of the Sarbanes-Oxley Act.

Understand the fraud disease. As described by J.K Loebbecke, M.M. Eining, and J.J. Willingham, Jr., in “Auditors’ experience with material irregularities: Frequency, nature, and detectability” (Auditing: A Journal of Practice & Theory, Fall 1989), the fraud recipe contains three ingredients: incentive, opportunity, and attitude/rationalization.

The first ingredient, incentive, addresses whether executives have a reason to commit accounting fraud. Common reasons include compensation factors (stock options, bonus targets), strong pressure to perform, and expectations analysts place on the company. Putting pressure on executives certainly is a good motivator, but it is important to recognize when the pressure becomes so intense that people resort to fraud to make the numbers.

The second ingredient is the opportunity to commit accounting fraud. The main deterrent to opportunity is strong internal controls, the focus of section 404 of the Sarbanes-Oxley Act. Controls should address routine transaction processing and asset safeguarding, as well as estimates and assumptions used in preparing the financial statements. If section 404 work improves internal controls, the side benefit should be a reduced risk of accounting fraud.

The third ingredient in the fraud recipe is attitude/rationalization. In other words, can someone with a reason to commit fraud and the opportunity to do so explain away such behavior? Is the fraud okay because it saved jobs? Is it okay because it happened only once and will be corrected in the future? Is it okay because the CEO said “make the numbers or else”?

Executives should view the organization through this lens of incentive, opportunity, and attitude/rationalization. In addition, the appendix to SAS 99, “Management Antifraud Programs and Controls,” may be a helpful resource to those seeking to understand and prevent fraud (seewww.aicpa.org/download/antifraud/SAS-99-Exhibit.pdf). Conducting regular, honest assessments of the organization’s fraud risks can go a long way toward preventing fraud.

Aggressively address attitude/rationalization. Perhaps the most difficult fraud ingredient to address is attitude/rationalization, because it is an unobservable mind-set. As a result, it deserves special attention.

Possibly the greatest danger companies face in financial reporting is that top managers and other employees can rationalize certain questionable behaviors that subsequently escalate into outright fraud. Research indicates that many accounting fraud cases begin with activities that might be characterized as in the gray zone: not completely acceptable, but not clearly inappropriate. For example, the company may try to boost revenues through special payment terms and pressuring customers to accept orders just before year-end. In later periods, the company resorts to bill-and-hold schemes, secret side agreements, and ultimately recording fictitious revenues.

How did the company get there? By rationalizing its behavior along the way, and incrementally moving toward outright fraud. Something that started out as a one-time trick to get the company through a tough period ultimately brings the company down when the fraud is uncovered.

One way to prevent such disasters is to build the right ethical attitude in the organization and not allow people to rationalize gray-zone behavior, so the descent down the slippery slope toward fraud, the “black zone,” never begins. The challenge for corporate America is to define its core values (ethical attitude) and to communicate these to employees, in both word and deed. The Sarbanes-Oxley Act pushes companies in this direction by requiring disclosure of whether the company has adopted a code of ethics for senior financial officers and whether the code has been waived. In addition, the whistle-blower provisions of Sarbanes-Oxley should help to uncover ethical lapses in the organization.

When considering the ethical attitude, the following are helpful questions for companies to address:

• Does the company have clearly defined ethical boundaries that are communicated to employees?
• How would others describe the company’s ethical boundaries relative to the gray zone and the black zone?
• What types of accountabilities are present for those who suffer an ethical lapse?
• Does top management’s day-to-day behavior support or undermine the stated ethical attitude and boundaries?

Beyond compliance: Improving governance and controls.Companies that do the bare minimum necessary for compliance with law will realize little in the way of benefits from Sarbanes-Oxley implementation. They are wasting an important opportunity, and one may question whether such companies are establishing a culture of ethics, transparency, and a commitment to reliable financial reporting.

Similarly, in a recent Directorship article (“Avalanche of Corporate Governance Reforms Challenges Audit Committee,” June 2003), Mark Terrell and Scott Reed of KPMG’s Audit Committee Institute caution audit committees about focusing only on compliance: “As they deal with the many implications of the reforms, audit committees should beware [of] one distinct danger: that they will become swamped by—and inordinately focused on—compliance for compliance’s sake, rather than focusing on activities to enhance the effectiveness of their oversight function.”

Companies seeking to go beyond simple compliance can take two important steps as they address Sarbanes-Oxley-related issues. First, in addition to making required structural changes to the board and key committees, companies can explore governance best practices to enhance their governance processes. Several sources, such as the Conference Board (Commission on Public Trust and Private Enterprise), the Business Roundtable (Principles of Corporate Governance), the Corporate Governance Center at Kennesaw State University (21st Century Governance Principles), and CalPERS (U.S. Corporate Governance Principles), document useful best practices for boards and executives to consider. In this vein, executives should view stronger governance not as a foe, but as an organizational protector.

Second, companies can leverage their section 404 internal controls work to actually improve controls. Beyond simply documenting controls, justifying their current controls, and issuing reports on control effectiveness, companies should ask themselves what could go wrong, what controls are in place to prevent or detect such problems, and what residual risk remains unmitigated by controls. In other words, turn section 404 work into a substantive, honest evaluation of the company’s exposure to risks. In particular, these lessons should inform evaluations of accounting fraud risks, because weak controls create a greater opportunity for fraud.

Investigate and Implement Enterprise Risk Management (ERM)

The preceding steps—addressing fraud risk, attacking attitude/rationalization, and improving governance and controls—can prepare a company for a final, significant step that the authors expect many organizations will soon take: investigating and then implementing ERM. ERM investigation is a natural extension of a value-added Sarbanes-Oxley implementation.

According to the recently released COSO exposure draft,Enterprise Risk Management Framework (www.erm.coso.org), “Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

In other words, ERM is about considering what events could prevent accomplishment of organizational objectives and then determining how to address these events. ERM goes beyond internal controls to provide a system to address organizational risks in a comprehensive fashion, as opposed to dealing with individual types of risks, and such as IT risks, financial reporting risks, and legal risks. The overall goal is to provide reasonable assurance of achieving organizational objectives in four areas—strategy, operations, reporting, and compliance—in the spirit of preventing disasters and maximizing entity value.

The work public companies are currently doing to comply with section 404 reporting provides an excellent framework that can be leveraged to think about broader risks facing the enterprise, beyond just financial reporting risks. Going beyond simple Sarbanes-Oxley compliance requires top management and the board of directors to understand the value of reduced fraud risk, enhanced governance, strengthened controls, and effective enterprise risk management. Sometimes this will be a tough sell. In such cases, often it will be up to CPAs and other financial professionals to lead the charge on pushing beyond a “check-the-box” Sarbanes-Oxley implementation approach.

Mark S. Beasley, PhD, CPA, is a professor and the director of the Enterprise Risk Management Program at the North Carolina State University department of accounting, Raleigh, N.C. 
Dana R. Hermanson, PhD, is a professor at the Kennesaw State University department of accounting, Kennesaw, Ga. He is also a research fellow of the Corporate Governance Center at the University of Tennessee.