SEC Chair Gary Gensler may just have some paternal affection for SOX, especially on the week of its 20th birthday. In these remarks to the Center for Audit Quality, he recalls having “a front-row seat” for the negotiations and signing of the bill, working as Senior Advisor to the late Senator Paul Sarbanes on this legislation. The bill passed the House almost unanimously and the Senate by a vote of 99 to 0—hard to imagine that ever happened, let alone only 20 years ago. In giving SOX its 20-year review, he discusses the significant role SOX played in restoring public trust in the financial system after the Enron and WorldCom scandals, but also offers some, let’s say, opportunities for improvement. (He also drops the hint that the SEC may be taking a “fresh look at the SEC’s auditor independence rules.”)
Gensler identifies a number of problems that led to some of the scandals at the time—many of them related to broad failures in auditor independence—which SOX was designed to address: the auditing profession writing its own auditing standards, audit firms inspecting each other, the absence of barriers between the auditing and consulting sides of their businesses in relation to audit clients, and the lack of independent funding for the FASB as the accounting standard setter. And then, of course, SOX imposed a variety of corporate governance measures intended to enhance the accountability of managements and boards, such as management certification requirements, clawback provisions in the event of a restatement as a result of misconduct, and disclosure of audit committee expertise. And, of course, there’s SOX 404, which requires management to provide an assessment of the effectiveness of the company’s internal control over financial reporting and the auditors to attest to, and report on, management’s assessment.
For example, Gensler points out, prior to SOX, the AICPA set the auditing standards: “The profession was writing its own rules. That’s an inherent conflict. Additionally, auditing firms were tasked with ‘inspecting’ each other. Naturally, such inspections had conflicts, failing to identify serious shortcomings in auditor independence and audit quality.” SOX established the PCAOB, which is independently funded and subject to SEC oversight, to set and enforce auditing standards. To start, the PCAOB was permitted to carry over existing AICPA standards on an interim basis, with the intention that it would later revise them as appropriate. But—presenting an opportunity for improvement—most of those interim standards are still in place. This year, the PCAOB announced a plan to update them, which Gensler hopes will happen “before Sarbanes-Oxley can legally drink.”
SOX also directed the SEC to take steps to create a stronger barrier between auditors and their often highly profitable consulting engagements with their audit clients—a problem that Gensler says had afflicted Enron’s auditors. Although, in the immediate wake of SOX, many audit firms spun out their consulting businesses, since then, “many of these firms went on to rebuild them again. PCAOB inspections continue to identify independence—and lack of professional skepticism—as perennial problem areas. Those advisory practices not only have grown; they also have gotten more complex. Given the growth in the size and complexity of non-audit services, it is important that audit firms maintain a culture of ethics and integrity—placing the highest priority on auditor independence throughout the firm, not just in the audit practice.” He also adverts to concerns about “decreased vigilance” expressed by Acting Chief Accountant Paul Munter. Gensler here notes that he has asked the PCAOB “to consider adding updates for auditor independence standards to their agenda. We may need to take a fresh look at the SEC’s auditor independence rules as well. In the meantime, I encourage firms to review and enhance their independence protocols with respect to their auditing and consulting practices.”
SOX also provided for “secure, independent funding” for the FASB. Prior to SOX, the FASB conducted its own fundraising, which often meant raising funds “from the very issuers for which it was setting standards.” No surprise that this state of affairs might have created “conflicts of interest that witnesses agreed had made FASB slow to adopt new standards and reluctant to tackle controversial topics.”
Finally, recalling the Senate negotiations, Gensler observes that Congress also made SOX applicable to foreign issuers, with Senator Sarbanes contending that investors “should be protected—and should have trust in the numbers—regardless of whether an issuer is foreign or domestic. He understood that it’s a privilege to access the U.S. capital markets: the deepest, largest, and most liquid in the world. If foreign issuers want that access, they need to comply with our requirements.” Sound familiar? The issue has come up again recently in the context of the HFCAA, which amended SOX to prohibit trading on U.S. exchanges of public reporting companies audited by audit firms located in foreign jurisdictions that the PCAOB has been unable to inspect for three sequential years. (See this PubCo post.) According to Gensler, China and Hong Kong have not yet complied with the requirements of the PCAOB: “Going forward,” he asks,
“will our markets include Chinese issuers? That still is up to our counterparts in China. It depends on whether they are willing to comply with the requirements of U.S. law to be able to remain in the U.S. markets. Consistent with the HFCAA, the SEC and the PCAOB have been negotiating with Chinese authorities on a Statement of Protocol to govern inspections and investigations of registered public accounting firms on the ground in China and Hong Kong. We are not willing to have PCAOB inspectors sent to China and Hong Kong unless there is an agreement on a framework allowing the PCAOB to inspect and investigate audit firms completely. Any framework would need to bring specificity and accountability to fulfilling the goals of the HFCAA. Make no mistake, though: The proof will be in the pudding. While important, any framework is merely a step in the process. In light of the time required to conduct these inspections—as well as to fulfill quarantine requirements—a Statement of Protocol would need to be signed very soon if the inspections have any chance to be completed by the end of this year. This could be particularly important as Congress is considering accelerating the HFCAA’s timeline from three years to two years.”