The limitations of the Sarbanes-Oxley Act

POORLY DESIGNED corporate legislation can retard innovation and warp economic growth while good policy can create confidence in the capitalist system, encourage prudent risk-taking, and foster growth. Yet, even the most thoughtful and balanced legislation has its limitations. In the wake of unprecedented corporate failures due to managerial fraud, Congress passed the Sarbanes-Oxley Act of 2002 with the goal of rebuilding investor confidence and protecting capital markets. The recent recovery leaves little doubt that confidence has returned. However, whether the Act actually will protect financial markets by efficiently providing long-term deterrents to fraud at public companies is a valid topic of debate.

Executives who committed the numerous and exceptional frauds of 2001 and 2002 largely will be judged under laws existing prior to enactment of the Sarbanes-Oxley legislation. Regardless, Congress, in a nod to confidence-building, properly inserted additional governance and reporting safeguards into the Act. Certain requirements, such as executive certification of public company financial statements, are designed to ensure accountability for reported financial information. Congress also introduced mandates designed to improve the independence and financial competence of public boards of directors with a view towards better oversight of executive management. Still more legislative changes targeted the public accountants, attorneys, banking analysts, and other gatekeepers. The overriding goal was to provide better, more accurate information for investors by shining enough light on these companies to make massive financial reporting frauds harder to achieve without detection. Now the question becomes: Will this new legislation prevent a future crisis?

To understand the limitations of the Sarbanes-Oxley Act, it is helpful to be aware of what was in force prior to its adoption. After the stock market crash of 1929, Congress passed the Securities Act of 1933 and the Securities Exchange Act of 1934 to address perceived corporate abuse. A lack of transparency and fair dealing led Congress to pass these acts to regulate the securities markets. The markets previously were regulated by a patchwork of state laws that commonly were referred to as "blue sky" laws, many of which remain in place today. The 1933 Act was passed to meet two basic objectives: it requires that investors receive material information concerning securities being offered for public sale and it prohibits deceit, misrepresentations, and other fraud in the sale of securities. This legislation was designed to require issuers to disclose important information to investors so that they could make informed decisions. The theory is that greater public disclosure is bound to discourage bad behavior. As Supreme Court Justice Louis Brandeis stated, "Sunlight is the best disinfectant."

Congress also passed the Banking Act of 1933 to address harm caused by banks to the investing public. In short, the Act was designed to prevent banks from selling securities, thereby preventing them from peddling their soured investments to the public. There were certain sections of the Act, referred to as Glass-Steagall, which prohibited commercial banks from owning investment hanks and vice versa. For years, this was viewed as an overly broad approach to a specific problem, yet was not addressed until passage of the Gramm-Leach-Bliley Act of 1999.

The Securities Exchange Act of 1934 extended regulation to trading as well as securities already issued. The Act created the Securities and Exchange Commission (SEC) and empowered it with extensive regulatory authority over all aspects of the securities industry and markets. Additionally, the Act requires issuers to provide information to the marketplace by filing annual and quarterly reports. Finally, there are provisions that prohibit fraudulent activities that cheat investors.

In response to investment company abuses, Congress again acted to minimize conflicts of interest that arise in the operations of these companies. In 1940, the Investment Company Act and Investment Advisors Act were passed to regulate firms that exist primarily to invest in securities of other companies. Mutual funds are one type of investment firm covered. This legislation included vital anti-fraud provisions for all those who meet the definition of an investment advisor.

Despite previous legislation and Federal oversight, the savings and loan industry experienced a crisis in the late 1980s that led to even more regulation. The Financial Institutions Reform, Recovery and Enforcement Act of 1989 was passed to "restore the public's confidence in the savings and loan industry." Deposit insurance and the system of oversight were restructured to reinforce the safety of deposits, and the Resolution Trust Corporation was created to dispose of the assets of failed institutions. Congress later added the Comprehensive Thrift and Bank Fraud Prosecution Act of 1990 to expand the authority of Federal regulators to combat financial fraud.

Not all structural changes were initiated by government, however, as market pressures also can have a positive impact on corporate governance. By example, shareholder activists waged battles with corporations throughout the 1990s. They fought against poison pills (corporate actions that prevent an unsolicited takeover) and brought about greater transparency for boards and regulators by attacking secret executive compensation.

All of this previous legislation and private sector action had the desired effect of restoring confidence in companies and the financial system at a critical time, and still have some influence today. Nonetheless, these efforts did not prevent the crises that followed. Corporate legislation has a sort of biological clock where its impact is maximized shortly after it is enacted. Over time, the ability of new legislation to restore and maintain confidence in public markets will fade and deterrents will weaken as the disposed learn new ways to sidestep the installed safeguards. When the next massive fraud surfaces, legislation again will be considered to reassure the nation and instill confidence in markets. This can be a virtuous cycle as long as the imposed regulations do more good than harm. Just as good legislation can contribute to confidence-building, overly burdensome regulation can result in a loss of American initiative and competitiveness.

The Sarbanes-Oxley Act was designed to address specific abuses relevant to the latest generation of frauds. Its focus is on corporate financial reporting and the related responsibilities of the nation's gatekeepers. At WorldCom, the appearance of corporate health was accomplished by passing top-side entries that turned expenses into assets. This is relatively simple to execute. Even less complicated is to omit the disclosure of liabilities altogether, as was the case at Adelphia Communications. On the other hand, Enron constructed a false picture of financial health by transferring assets through a sophisticated network of entities that had the effect of masking tree performance and impairment of these assets. Regardless of the specific methodology, each company managed to present a bankrupt company as a healthy going concern through manipulation of its financial statements.

Prosecuting executives

The prosecution of the executives of these firms largely is occurring under a number of laws that existed prior to the passage of the Sarbanes-Oxley Act. Nevertheless, there seems to be no shortage of statutes on which to base indictments. In fact, one of the first major cases utilizing the deterrents built into the Sarbanes-Oxley Act is the much-anticipated prosecution of Richard Scrushy, the former chairman and CEO of HealthSouth Corporation, among the nation's largest health care providers. In the original 85-count indictment brought by the Department of Justice is the prosecution's allegation that Scrushy personally certified financial statements filed with the SEC that he knew to be false. This count, made available by the Sarbanes-Oxley Act, together with the other counts, means that, if convicted of all of the current charges, Scrushy could have been sentenced to up to 650 years in jail, been required to pay $36,000,000 in fines, and have had to forfeit over $275,000,000 of real estate, airplanes, yachts, and other property. Interestingly, false certification under the Sarbanes-Oxley Act only counts for about 20 of the 650 possible years of jail time. As this case goes to trial, prosecutors have refined their charges by focusing on 45 of the strongest counts, including false certification of financial statements under Sarbanes-Oxley.

So what did Scrushy do to run so afoul of the government? Prosecutors contend that he devised a scheme to ensure that HealthSouth would make sufficient net income to meet the expectations of Wall Street analysts without regard to true operating performance. Their indictment charges that management created $2,700,000,000 of fictitious income between 1996 and 2003 specifically to "fill the gap" between reality and Wall Street targets. As a part of the fraud, the prosecutors allege that Scrushy obtained large compensation packages for those helping him manipulate the financial statements. Additionally, he personally accumulated in excess of $250,000,000 over the fraud period.

The situation at HealthSouth began to unravel in August of 2002 when accounting staff advised management that they no longer would make false entries. According to the indictment, a senior officer also refused to sign a financial report until Scrushy agreed to a plan to correct accounting problems and promote the senior officer to CFO of a HealthSouth spinoff. Finally, on or about November 13, 2002, Scrushy and other co-conspirators certified and filed a doctored quarterly financial statement with the SEC. This is the event that allowed prosecutors to indict Scrushy under provisions of the Sarbanes-Oxley Act.

The ability of HealthSouth to "make its numbers" and the resulting impression of profitability drove the company's stock price up to $30 a share; the ensuing disclosure of fraud saw it collapse to pennies. The stock has since recovered to about six dollars a share. This is of little solace to those who bought at $30.

Sarbanes-Oxley was passed to deter this type of abuse, yet it was powerless to prevent the certification of HealthSouth's fraudulent financial statements. While an extra 20 years of potential prison time might have reassured the markets, it provided little, if any, additional deterrent to the criminal element. By definition, criminals do not obey the laws of the land. The penalties may be more stringent and the chances of getting caught greater, but it is safe to say that neither Congress nor the SEC can legislate individuals into doing the right thing. If you are a criminal, what is another 20 years if you already face over 600 years in prison? Additional time behind bars in excess of a life sentence may be a good, inexpensive policy to communicate the government's intention to get tough on white collar criminals, but we should not pretend that it will prevent fraud.

There is no arguing that Sarbanes-Oxley has raised the stakes for board members, executives, and employees. The consequences of illegal and unethical business practices now are front and center in the nation's conscience. The number of enforcement actions have increased 40% since 2001 as the SEC and the Department of Justice aggressively pursue wayward managers.

Additionally, the record of the Act since its inception does contain some real accomplishments. It seems to have provided a balm that has contributed to some confidence-healing. Companies are getting their financial houses in order. Restatement of financial statements is at a record high, as companies correct past accounting and disclosure errors or adjust to refined accounting guidance. Financial analysts are reporting improvements in the quality of earnings and financial disclosures.

Independence on public boards of directors also is increasing. According to the American Society of Corporate Secretaries, 62% of the corporate boards of its membership now have an independent chairperson, lead director, or presiding outside director. This is up from 26% prior to passage of Sarbanes-Oxley. Directors are more active, and independent audit committees have been strengthened with real oversight authority, including the ability to retain their own independent counsel. Furthermore, PricewaterhouseCoopers reports that 72% of U.S. multinational companies have established a whistleblower complaint process, making identification of managerial fraud more likely.

Most of the early initiatives of Sarbanes-Oxley produced significant structural benefits to shareholders at reasonable costs, which is the hallmark of excellent legislation. The most expensive and far-reaching component appears to be Section 404 requiring public companies to certify their system of internal control over financial reporting. It is not enough that the CEO and CFO must certify their financials; they also must document, test, and certify their system of internal control for processes that produce the company's financial statements. Yet, even a robust control structure will wilt in the presence of widespread executive collusion. There simply are too many vulnerable positions to protect economically when the organization is rotten at the top. Nevertheless, it would seem that Congress did not want to take any chances, so it took a belts and suspenders approach to financial reporting.

I expect that most CEOs and CFOs are honest people. So, when Congress passed legislation requiring the certification of financial statements, no conscientious CEO wanted his or her name associated with statements that did not properly reflect the financial position of the company. Procedures were implemented efficiently and rapidly to ensure that what was filed with the SEC was accurate. These officers certified the statements knowing that there were criminal and financial penalties associated with falsification. Was it really necessary for them to go back and document and test their control structure on top of this? While this may lend even more confidence to the financial reports emanating from public companies, the cost is high. Risks can migrate from deep in an organization to the financial statements. For a multinational company to document the control structure for all of these potential sources at a detailed level is a tremendous undertaking. In many cases, internal SWAT teams are added to outsourced consulting resources to scope, document, and test controls across the company. Since a material deficiency would be reported to the public, smart companies err on the side of caution and include any system or process that could contribute, however remotely, to financial presentation misstatements. In effect, Congress has mandated an environment of corporate risk aversion rather than enabling prudent risk-taking.

According to AMR Research Inc., companies spent approximately $5,500,000,000 on compliance in 2004. Financial and system consultants, tracking software, and increased audit tees quickly can add up to millions of dollars. Yet, it is unlikely that these efforts will stop a management team determined to circumvent existing controls. Clearly, Congress believed the benefits of ensuring a strong control structure outweighed the cost borne by our public companies. Or it could be that they did not foresee how expensive Section 404 would be or the full impact its implementation could have on firms. Regardless, it is now law.

Choking small business

While the largest companies have the resources to comply, smaller businesses may have to make some hard choices between the costs of compliance and the need to access public markets. According to a survey by Foley & Lardner LLP, "the average cost of being a public company with revenue under $1 billion in the wake of corporate governance reform has increased 130%." Survey participants overwhelmingly cited Section 404 as having the most significant financial impact--and this is before the full costs of Section 404 have been tabulated. Companies are still preparing--and still spending.

The impact Section 404 will have on small firms and private entities wishing to go public should be monitored closely. If the regulatory environment has become too burdensome, then policymakers need to exempt small companies from Section 404. There already may be evidence that this is the case. The accounting firm Grant Thornton reports that the number of public companies going private is up 30% since passage of the Act. However, reversing such legislation will not be easy. It took more than 70 years to address the overly onerous sections of the Glass-Steagall Act despite widespread recognition that it was too broad a solution for the particular problem it was designed to address. That put the banking system at a disadvantage with foreign competitors. The reason for lack of action may have been the absence of competition in the wake of World War II, but the emergence of European banking powerhouses by the late 1990s had made the case for reform more acute.

One of the U.S.'s greatest competitive advantages lies in its small public companies. While heavily regulated European firms tend to be quite large before they can afford the costs associated with going public, the U.S. has been able to provide relatively low cost access to liquid markets for thousands of small and mid-cap public firms. Money to a business is like water to a plant. In good soil and climate, the plant may brow from rainwater alone, but add irrigation and fertilizer, and crop yields improve dramatically. Choke off access to capital, and you strangle the growth of small companies. Provide access to public markets for enterprises of this size and you not only get the opportunity for faster growth, but job creation, additional tax revenues, and better, less-expensive goods and services to consumers.

The key is legislative restraint. Let the markets self-correct whenever possible, and legislate where business is incapable of self-policing or cannot meet society's safety objectives. It is likely that the work accomplished by CEOs and CFOs to certify their financial statements--with oversight from a newly invigorated and regulated accounting profession--met the stated objective of sound financial reporting before the implementation of Section 404, and did so efficiently. Other objectives, such as board independence, benefited from Congressional guidance. It is unlikely that the board of directors of public companies voluntarily would have increased their independence to the point they have without the passage of Sarbanes-Oxley.

Looking forward, it also is unlikely that many "Imperial CEOs," those who hold the positions of chairman of the board and CEO, will give one up despite the clear conflict of interest. Shareholder activists continue to put pressure on boards to increase their independence from management, but they tend to focus on larger companies and seem to be fighting on too many fronts to be effective. This is an example of where legislation, in the absence of all effective self-correcting mechanism, potentially could create needed structural change at reasonable cost. Competent, independent oversight of management will do more to deter fraud at small companies than a mandated system of internal control.

The response to the market timing frauds experienced in the mutual fund industry provides a lesson in restraint. Rather than rushing new legislation through Congress, cooler minds are waiting to gauge the impact of the SEC's response to the crisis. When the next scandal presents itself, we should continue to exercise legislative restraint. Confidence building, yes. Aggressive prosecution, yes. More independent supervision, yes. Layering extensive and costly requirements of marginal benefit on public companies, no. If we ignore the competitive threat in an irrational attempt to eliminate all corporate fraud, the ticking we hear may not be legislation's biological clock, but rather the sound of a well-meaning but dangerous weapon delivered to an important pillar of the American economy. Sarbanes-Oxley is good legislation. It could be better by being less. As long as there are fallible people at the helm, no amount of legislation can eliminate fraud from the nation's corporations. Let's not destroy our competitiveness trying.

Scott Green is director of compliance for the law firm of Weil, Gotshal and Manges, New York, and author of Manager's Guide to the Sarbanes-Oxley Act: Improving Internal Controls to Prevent Fraud.

COPYRIGHT 2005 Society for the Advancement of Education
COPYRIGHT 2005 Gale Group