The Impact of the Sarbanes-Oxley Act
by Chairman Christopher Cox
U.S. Securities & Exchange Commission
Before the U.S. House Committee on Financial Services
September 19, 2006
Chairman Oxley, Ranking Member Frank, and Members of the Committee:
Thank you for inviting me to testify on behalf of the Securities and Exchange Commission concerning the impact of the Sarbanes-Oxley Act of 2002. I am especially pleased to be testifying today alongside Chairman Mark Olson of the Public Company Accounting Oversight Board, with whom I am working very closely to implement the Act.
On this fourth anniversary of the Sarbanes-Oxley Act, I'd like to begin by recognizing the leadership of this Committee under Chairman Oxley and Ranking Member Frank. When President Bush issued his Ten-Point Plan to Improve Corporate Responsibility and Protect America's Shareholders, on March 7, 2002, in the wake of the Enron collapse, this Committee put forward a plan that contained many of those elements. And most of those essential provisions of this Committee's legislation were included in the Conference Report on the final Sarbanes-Oxley Act.
As a member of this Committee at the time, I well remember the significant work that preceded the drafting of the legislation, including extensive hearings, and the considerable effort that you led to shepherd the bill through the legislative process. I particularly remember the House-Senate Conference, and the immediately evident significance of the eventual product: the most sweeping modernization of our system of securities regulation since the initial enactment of the federal securities laws more than 70 years ago.
We have come a long way since 2002. Investor confidence has recovered. There is greater corporate accountability. Financial reporting is more reliable and transparent. Auditor oversight is significantly improved. The legislation that this Committee produced four years ago under your leadership, Mr. Chairman, has helped make that happen.
The Act is not perfect in every respect. But the vast majority of its provisions are net contributors to the nation's economic health. And those parts of SOX that aren't working as well as they should notably Section 404 can be made to work better through better implementation. Chairman Olson and I are hard at work on that.
But before providing an update on the Commission's efforts to improve implementation of the Sarbanes-Oxley Act, I would like to highlight a little-noticed fact: While competitors in other countries are using Sarbanes-Oxley as a reason for foreign companies to list in their jurisdictions, many of those same countries are adopting provisions of the Act as part of their own regulatory regimes. As we consider the effect of Sarbanes-Oxley on U.S. competitiveness, it is important to keep in mind how broadly many of its tenets have been taken up overseas.
It would appear, four years later, that America's approach is not unique we just happened to be early adopters. Of course, each country has implemented reforms in slightly different ways, depending on their national legal system, market conditions, and other factors. But it is still remarkable how similar so many of their reforms are to those passed by Congress four years ago.
Let me give you just some of the examples.
Governments in the major markets around the world have established independent auditor oversight bodies like the PCAOB. For example, the European Union recently adopted a directive requiring all EU member states to create an auditor oversight body. There is now widespread agreement that, to improve audit quality, auditor oversight bodies should be independent of the industry they oversee.
Other major capital markets have also recognized the conflicts of interest that some non-audit services create, and the need to place restrictions on these services to improve audit quality. The European Union, the United Kingdom, France, Hong Kong, China, Japan, Australia, Canada, and Mexico have all passed reforms requiring mandatory audit partner rotation, although they vary regarding the details about how this rotation works.
Audit committee independence is another increasingly common theme around the world. The United Kingdom, Hong Kong, Australia, Canada, and Mexico have all introduced reforms since 2002 requiring that all members of the audit committee be independent of management.
A number of countries have even adopted requirements similar to the first half of the controversial Section 404 of the Sarbanes-Oxley Act, which requires management to do its own assessment of internal controls. Several countries, including the United Kingdom, Australia, and Hong Kong, have adopted a comply-or-explain approach to a management assessment. Japan, France, and Canada all now have legislation or regulations requiring a management assessment of internal controls. Still others, such as Mexico, have corporate governance codes that recommend having a management assessment of internal controls.
The problems we have experienced with Section 404 arise from the implementation of the second half of this provision: the part that requires an auditor evaluation of management's assessment. And just as in America, that aspect has proven more controversial abroad than the assessment itself. Despite the controversy, however, several other jurisdictions have adopted some variant of this requirement.
For example, the UK requires auditors to report on a comply-or-explain basis if they believe management's assessment is unsupported. China, France and Japan have adopted rules requiring an auditor's evaluation of management's report of internal control over financial reporting, but with some differences in the manner in which this evaluation is to be conducted that make it far less costly. Some countries, including Brazil and Australia, require an evaluation, but do not require that the evaluation be made public. Instead, they require the auditor to report this evaluation to the board. Another trend is for corporate governance codes to include a non-binding recommendation for an auditor evaluation, as is done in Germany and Mexico.
Other countries have taken a softer approach to auditor evaluations of management's internal control assessment. Still other jurisdictions, such as Canada, are taking a wait-and-see approach to determine the impact of the auditor attestation requirement in the United States.
Not only with respect to Section 404, but with the entirety of Sarbanes-Oxley, the SEC will continue to work with other regulators around the world to encourage effective regulatory standards that encourage capital formation, job creation, and economic growth, while at the same time offering a high degree of investor protection. As the Congress full well appreciated when it passed Sarbanes-Oxley, these are not inconsistent goals, but rather, highly complementary ones.
Since President Bush signed the Sarbanes-Oxley Act, the Commission has completed nearly 20 rulemakings and studies that were mandated by the Act. Since 2004, the largest public companies, representing more than 95% of the total U.S. market capitalization, have been subject to all of the new rules created by Sarbanes-Oxley. The Section 404 requirements, as I have said, have gotten by far the most attention. But before I continue with a more detailed description of our plans to provide 404 relief, I would like to mention some of the specific improvements that have profoundly and positively affected corporate America, our public investors, and the important work done every day by the Commission.
One of the principal objectives of the Act was to improve executive responsibility and the "tone at the top" at public companies. We can credit two sections of the Act in particular for helping to achieve that objective: Sections 302 and 906. Pursuant to the rules implementing these sections, whenever a public company files a quarterly or annual report with the Commission, both the principal executive officer and the principal financial officer must personally certify that they have reviewed it. Furthermore, they must affirmatively state that to their knowledge the report does not contain any untrue statement of a material fact and that it does not omit any material information.
A fraudulent Section 302 certification is subject to civil enforcement by the Commission, and a fraudulent Section 906 certification carries criminal penalties enforceable by the Department of Justice. These dual certification requirements are designed to ensure that the company's top leaders are personally involved in the disclosure process. Before investors rely on a company's financial statements, these officers are required to take all reasonable steps to be sure they paint an accurate picture. The Section 302 certification also assigns responsibility to the certifying officers for establishing and maintaining effective disclosure controls and procedures, as well as internal control over financial reporting.
One of the hallmark accomplishments of Sarbanes-Oxley is that it has implemented the corporate equivalent of President Truman's oft-cited aphorism: "The buck stops here." Thanks to SOX, the responsibility for the truthfulness of public corporate reports and disclosures stops on the desks of our corporate leaders.
Another very significant improvement was made by Section 301 of the Sarbanes-Oxley Act. This section embodies the Congress's view that audit committees play a vital oversight role in the financial reporting process. The SEC's rules under Section 301 require that the audit committees of all listed companies be independent. They alone are responsible for the appointment, compensation, retention, and oversight of a company's outside auditor. And the auditor must report directly to the audit committee. The audit committee also must establish the level of funding necessary to fulfill its duties, including, if necessary, the retention of independent counsel and other advisors.
We have long had independent auditors, but their independence rested in large part on their ability to deal with the sometimes conflicting demands from the same executives who selected them and paid their fees. Today's independent audit committees, thanks to Sarbanes-Oxley, can retain their own counsel and other advisers. They now have the resources and protection they need to carry out truly independent evaluations.
In addition, the audit committee must establish procedures for handling whistleblower tips and complaints. That includes a process for accepting such complaints, keeping records of them, and most importantly dealing with them. If a whistleblower seeks to report an accounting or auditing problem confidentially, the audit committee has to have a way to protect his or her anonymity. This is an important new means for companies to discover and correct internal control problems.
Beyond the independence of audit committees, Sarbanes-Oxley has strengthened auditor independence. The entirety of Title II of the Act is devoted to the topic of auditor independence. The intense focus on this topic reflects Congress's appreciation that the audit process is most effective when investors are assured that audits are performed by objective and unbiased professionals. The Act bans auditors from providing the kinds of non-audit services to audit clients that could give rise to financial conflicts of interest. It emphasizes the role of audit committees in approving other services provided by auditors. And it requires audit partner rotation. All of this is more protection for investors, and less incentive for the auditors to do anything that detracts from their core mission.
In January 2003, the Commission amended its auditor independence rules to conform to the Act. As with all of our rules, we are continually monitoring their implementation as we respond to requests from companies and accounting firms for interpretative guidance. The PCAOB also has taken a strong interest in auditor independence and has proceeded with its own rulemaking in this area.
Yet another significant improvement brought about by Sarbanes-Oxley is the change to real-time disclosure of material information by companies and insiders. Today, thanks to changes mandated by the Act, investors are entitled to review reports of insiders' transactions in their companies' securities, including receipt of option grants from their companies, within two business days after the transaction occurs, and all of these reports are now required to be filed on EDGAR, the Commission's electronic filing system.
Recent developments in the areas of executive and director compensation, including our adoption of new disclosure requirements in August and our current enforcement efforts relative to the back-dating of options, demonstrate the importance of these changes.
Furthermore, consistent with Section 409 of Sarbanes-Oxley, in March 2004 the Commission accelerated the deadline for the filing of "current" reports on Form 8-K, and significantly expanded the range of presumptively material events that a company must disclose in those reports. The changes have led to increased scrutiny of the information contained in current reports, including announcements that a company must restate previously issued financial information because of accounting errors or, in some cases, financial fraud.
One of the most significant changes made by the Sarbanes-Oxley Act was the creation of the Public Company Accounting Oversight Board.
Investors were indeed fortunate when, in June 2003, William McDonough, former President of the Federal Reserve Bank of New York, became Chairman of the PCAOB. Under his direction, the PCAOB undertook a number of actions to meet its responsibilities under the Act, including adopting the Board's first professional standards, registering public accounting firms, and initiating its inspection and disciplinary programs. And under his leadership and that of Acting Chairman Bill Gradison, who succeeded him last year, the SEC and the PCAOB have established a formal process for the determination of the Board's annual budget and accounting support fees.
On July 3, 2006, Mark Olson became the Chairman of the PCAOB. Chairman Olson is familiar to most of you on this Committee, having served with distinction as a Governor of the Federal Reserve Board of Governors, among other notable positions. Chairman Olson is now working closely with the Commission's new Chief Accountant, Conrad Hewitt, who is a distinguished leader of the accounting profession and the former chief financial regulator for the State of California, as we continue our joint efforts to improve investor confidence in the reliability of audit reports. I must stress how fortunate we are to have people of this caliber charting the course of the PCAOB.
Let me turn now to the one notable exception to the largely positive record of change wrought by the Sarbanes-Oxley Act. The Section 404 internal control reporting requirements, as they have been implemented to date, have met with a variety of criticisms, particularly from smaller companies. What we have learned from our Section 404 compliance efforts to date is that the problems issuers have experienced thus far are not inherent in the language of the statute, but stem rather from the method of its implementation. We have also become convinced that there are no irreparable problems with Section 404 implementation, although fixing the problems that have been identified will be challenging. We are working with the PCAOB to help insure that this provision of the law is implemented efficiently and effectively.
Larger domestic companies with a public float of $75 million or more have now been fully subject to the Section 404 requirements for two reporting seasons. We have been carefully monitoring compliance efforts each step of the way. On the basis of this experience, we can report that while initial implementation efforts resulted in significantly greater-than-anticipated costs, compliance with Section 404 produces significant benefits. Chief among these benefits is a heightened focus on internal controls at the top levels of public companies.
While a portion of the first-year compliance expense undoubtedly reflected start-up costs and, in many cases, long-neglected maintenance by companies of their internal control systems and procedures it is undeniable that some of the costs were attributable to excessive, duplicative, or misdirected efforts on the part of companies and their registered public accounting firms.
In response to concerns about these unnecessary costs, the Commission directed the staff to issue additional guidance. An overarching principle of this guidance is that it is management's responsibility to determine the form and level of internal controls appropriate for each company, and to determine the scope of its assessment and testing. The guidance emphasized that the registered public accounting firms must recognize a range of reasonable choices by companies as acceptable in the implementation of the Section 404 requirements. The PCAOB issued complementary guidance in May and November 2005 regarding the application of its Auditing Standard No. 2.
In May of this year, after carefully evaluating all of the public commentary on the Section 404 requirements, and considering larger companies' experience complying with the requirements, the SEC announced a plan to re-balance Section 404 compliance by all of the companies that fall under our jurisdiction large and small, foreign and domestic. On May 17, 2006, the Commission issued a roadmap laying out the specific steps we plan to take to make Section 404 compliance more efficient and cost-effective.
One of the significant steps on that roadmap was the publication on July 11, 2006, of a Concept Release as a prelude to the issuance of SEC guidance for management on how to assess the effectiveness of a company's internal controls over financial reporting. This planned new guidance will focus on the objectives of the evaluation process, on the risk-based approaches available to management in conducting an evaluation, and on the documentation of the evaluation. The Concept Release solicits public comment on each of these topics and on whether guidance should be provided on other topics as well. The public comment period on the Concept Release just closed yesterday.
In addition, last month, the Commission proposed to grant some relief from the Section 404 reporting requirements to smaller public companies by extending the date by which non-accelerated filers must start providing a report by management assessing the effectiveness of the company's internal control over financial reporting. The initial compliance date for these companies would be extended by five months, with the result that they would begin complying with the Section 404 requirements in their annual reports for fiscal years ending on or after December 15, 2007. The Commission also proposed to extend the date by which non-accelerated filers must begin to comply with the Section 404(b) requirement to provide an auditor's attestation report on internal control over financial reporting in their annual reports. This deadline would be moved to the first annual report filed for a fiscal year ending on or after December 15, 2008.
At the same time, the Commission proposed a transition period for newly public companies. Under the proposal, a public company that has become public through an initial public offering or a registered exchange offer, or that otherwise has triggered the Exchange Act reporting requirements for the first time, would not be required to provide either a management assessment or an auditor attestation report in the first annual report that it files with the Commission. By not requiring the Section 404 reports until a newly public company files its second annual report, we hope to enhance the attractiveness and cost-effectiveness of participating in our markets both for domestic and foreign companies contemplating IPOs and for foreign companies considering listing in the U.S. for the first time, without sacrificing important investor protections.
As a separate action taken in August, the Commission granted relief from Section 404(b) compliance for certain foreign private issuers that are accelerated filers. The Commission's data indicate that about 23% of the approximately 1,200 foreign private issuers will receive the one-year extension of the compliance dates.
We anticipate that the SEC staff's next inspection of the PCAOB will focus on the PCAOB's own inspection program for registered audit firms. In particular, the staff will likely focus on the PCAOB's inspections of audits under PCAOB Auditing Standard No. 2.
This authority to inspect the PCAOB is an important aspect of the Commission's general oversight under Section 107(a) of the Sarbanes-Oxley Act. By focusing our next inspection of the PCAOB on its largest program area inspections of registered public accounting firms under Sarbanes-Oxley 404 and Auditing Standard 2 we hope to achieve greater compliance with the Commission's and the PCAOB's own guidance that these audits be risk-based and cost-effective.
Another important oversight responsibility of the Commission is the approval of the PCAOB's rules and professional standards. During the past year, the Commission approved the PCAOB's proposed Auditing Standard No. 4 and its proposed rules on ethics and independence.
Auditing Standard No. 4, "Reporting on Whether a Previously Reported Material Weakness Continues to Exist," provides guidance to auditors when a company voluntarily engages the auditor to report on previously identified material weaknesses in the company's internal control over financial reporting. Auditing Standard No. 4 provides a mechanism for auditors to report on the correction of material weaknesses without having to wait until the next annual audit of the company's internal controls.
In its order approving the PCAOB's proposed Auditing Standard No. 4, the Commission published guidance stating that both management's report on the correction of the previously reported material weakness and the auditor's related report can be included in any Exchange Act form. Together with Auditing Standard No. 4, this guidance should enable companies to address their investors' concerns about the reliability of the companies' financial statements, thereby achieving an important goal of the Act.
As this brief summary makes clear, Mr. Chairman, much has been accomplished to strengthen and restore integrity to the U.S. capital markets since the enactment of Sarbanes-Oxley four years ago. In a time of crisis, you, then-Chairman Sarbanes, this Committee, and your colleagues in the Senate stepped forward to champion these significant reforms to our regulatory framework. Your vision and responsible judgment, Mr. Chairman, along with Ranking Member Frank and the other leaders of this Committee, has been absolutely essential in maintaining the standards in our securities markets as the best in the world, in giving America's investors the strongest protection in the world, and in providing them with a higher level of confidence than they can have anywhere else on earth.
In the months and years ahead, we will continue to work to implement the critical reforms effected by the Sarbanes-Oxley Act in the best way possible to meet our objectives of investor protection, well-functioning markets, and healthy capital formation. We will not forget the failures that plagued our markets at the dawn of this millennium, and the crisis in investor confidence that ensued. We will do our best to honor your legacy by ensuring that Sarbanes-Oxley works for every stakeholder for investors, for issuers, for our economy, and for our country.
I appreciate the opportunity to speak on behalf of the Commission. I would be happy to answer any questions that you may have.