SEC Chair Gary Gensler may just have some paternal affection for SOX, especially on the week of its 20th birthday. In these remarks to the Center for Audit Quality, he recalls having “a front-row seat” for the negotiations and signing of the bill, working as Senior Advisor to the late Senator Paul Sarbanes on this legislation. The bill passed the House almost unanimously and the Senate by a vote of 99 to 0—hard to imagine that ever happened, let alone only 20 years ago. In giving SOX its 20-year review, he discusses the significant role SOX played in restoring public trust in the financial system after the Enron and WorldCom scandals, but also offers some, let’s say, opportunities for improvement. (He also drops the hint that the SEC may be taking a “fresh look at the SEC’s auditor independence rules.”)

Gensler identifies a number of problems that led to some of the scandals at the time—many of them related to broad failures in auditor independence—which SOX was designed to address: the auditing profession writing its own auditing standards, audit firms inspecting each other, the absence of barriers between the auditing and consulting sides of their businesses in relation to audit clients, lack of independent funding for the FASB as the accounting standard setter. And then, of course, SOX imposed a variety of corporate governance measures intended to enhance the accountability of managements and boards, such as management certification requirements, clawback provisions in the event of a restatement as a result of misconduct and disclosure of audit committee expertise. And, of course, there’s SOX 404, which requires management to provide an assessment of the effectiveness of the company’s internal control over financial reporting and the auditors to attest to, and report on, management’s assessment.

SideBar

Just in time for SOX’s 20th birthday, Audit Analytics has published its 18-year review of SOX 404 disclosures. Audit Analytics reports that, after a decline in 2020, the number of adverse ICFR auditor attestations jumped to 197 in 2021 (5.8% of all auditor attestations) from 153 in 2020 (4.8%). In addition, the number of adverse ICFR management reports increased from 1,401 in 2020 (23.7% of all management reports) to 1,595 in 2021 (21.7%). According to Audit Analytics, the percentage reported for 2021 is the “highest percentage of adverse management reports since the inception of SOX 404.” Some smaller companies (emerging growth companies, non-accelerated filers and companies that qualify as smaller reporting companies and reported less than $100 million in annual revenue) are not required to provide auditor attestations. With regard to companies that filed only management reports on ICFR, the number of adverse ICFR reports increased to 1,398 in 2021 from 1,248 in 2020. While the numbers reflected an increase, as a percentage of all management reports, the numbers declined in 2021 to 38.4% of all management reports from 41.0% in 2020. Audit Analytics attributes the change in part “to an increase in the overall number of companies eligible to file a management-only report under SOX 404(a), corresponding with amendments to the SEC’s accelerated filer definition that became effective in April 2020,” carving out low-revenue SRCs).

The report also observes that, in “almost every year since 2004, except for 2009 and 2012, at least 10% of the companies filing their first auditor attestation disclosed a need to improve their ICFR. The percentage reached a new high point of 28.4% in 2021.” In addition, the percentage of first time management-only reports citing ineffective controls also reached a new high of 55.2% in 2021. Audit Analytics reports that the top two issues cited in adverse ICFR auditor attestations for 2021 were, first, a need for more highly trained accounting personnel, and second, issues surrounding information technology. These two issues were also the top two issues cited in 2020. The two most common accounting issues cited by auditors in adverse ICFR assessments were revenue recognition (21%) and taxes (13.2%). Audit Analytics also reports an increase in accounting issues related to M&A, which were identified by auditors in 10.2% of adverse ICFR attestations. For adverse ICFR management-only reports in 2021, the two most common issues cited were a need for more highly trained accounting personnel and issues related to segregation of duties. For adverse ICFR management-only reports, the most common accounting issue cited in 2021 and 2020 related to debt and warrants. Audit Analytics attributes this ranking to the significant number of SPACs that had to restate their financials related accounting for warrants. (See this PubCo post.)

For example, Gensler points out, prior to SOX, the AICPA set the auditing standards: “The profession was writing its own rules. That’s an inherent conflict. Additionally, auditing firms were tasked with ‘inspecting’ each other. Naturally, such inspections had conflicts, failing to identify serious shortcomings in auditor independence and audit quality.” SOX established the PCAOB, which is independently funded and subject to SEC oversight, to set and enforce auditing standards. To start, the PCAOB was permitted to carry over existing AICPA standards on an interim basis, with the intention that it would later revise them as appropriate. But—presenting an opportunity for improvement—most of those interim standards are still in place. This year, the PCAOB announced a plan to update them, which Gensler hopes will happen “before Sarbanes-Oxley can legally drink.”

SOX also directed the SEC to take steps to create a stronger barrier between auditors and their often highly profitable consulting engagements with their audit clients—a problem that Gensler says had afflicted Enron’s auditors. Although, in the immediate wake of SOX, many audit firms spun out their consulting businesses, since then, “many of these firms went on to rebuild them again. PCAOB inspections continue to identify independence—and lack of professional skepticism—as perennial problem areas. Those advisory practices not only have grown; they also have gotten more complex. Given the growth in the size and complexity of non-audit services, it is important that audit firms maintain a culture of ethics and integrity—placing the highest priority on auditor independence throughout the firm, not just in the audit practice.” He also adverts to concerns about “decreased vigilance” expressed by Acting Chief Accountant Paul Munter. Gensler here notes that he has asked the PCAOB “to consider adding updates for auditor independence standards to their agenda. We may need to take a fresh look at the SEC’s auditor independence rules as well. In the meantime, I encourage firms to review and enhance their independence protocols with respect to their auditing and consulting practices.”

SideBar

In this June statement, Munter addresses auditor independence, echoing a concern he raised in October last year. The SEC, he observed, “has long-recognized that audits by professional, objective, and skilled accountants that are independent of their audit clients contribute to both investor protection and investor confidence in the financial statements.” Munter appeared to be especially concerned about the “decreased vigilance” and “ethical deterioration” that may arise out of “checklist compliance mentality.” One area of increasing concern involved non-audit services, particularly “non-audit services and business relationships between the accountant and affiliates and non-affiliates of the company being audited” the extent and magnitude of which “would make it difficult for a reasonable investor to conclude that the accountant could exercise objective and impartial judgment in its audit.” Munter also highlighted the risks inherent in recent moves toward alternative practice structures, which, he contended, could undermine auditor independence. Some of these structures may involve complex business arrangements and restructurings. Recent examples included investment by private equity in accounting firms, necessitating that the firm be split into two entities—an attest firm that will perform audit services and a separate firm that will provide consulting or other non-audit services. (The split is usually necessary because of rules about who can own an audit firm.) Munter here admonished firms to “carefully consider the implications for auditor independence when considering alternative practice structures, as will the OCA.” (See this PubCo post.)

SOX also provided for “secure, independent funding” for the FASB. Prior to SOX, the FASB conducted its own fundraising, which often meant raising funds “from the very issuers for which it was setting standards.” No surprise that this state of affairs might have created “conflicts of interest that witnesses agreed had made FASB slow to adopt new standards and reluctant to tackle controversial topics.”

Finally, recalling the Senate negotiations, Gensler observes that Congress also made SOX applicable to foreign issuers, with Senator Sarbanes contending that investors “should be protected—and should have trust in the numbers—regardless of whether an issuer is foreign or domestic. He understood that it’s a privilege to access the U.S. capital markets: the deepest, largest, and most liquid in the world. If foreign issuers want that access, they need to comply with our requirements.” Sound familiar? The issue has come up again recently in the context of the HFCAA, which amended SOX to prohibit trading on U.S. exchanges of public reporting companies audited by audit firms located in foreign jurisdictions that the PCAOB has been unable to inspect for three sequential years. (See this PubCo post.) According to Gensler, China and Hong Kong have not yet complied with the requirements of the PCAOB: “Going forward,” he asks,

“will our markets include Chinese issuers? That still is up to our counterparts in China. It depends on whether they are willing to comply with the requirements of U.S. law to be able to remain in the U.S. markets. Consistent with the HFCAA, the SEC and the PCAOB have been negotiating with Chinese authorities on a Statement of Protocol to govern inspections and investigations of registered public accounting firms on the ground in China and Hong Kong. We are not willing to have PCAOB inspectors sent to China and Hong Kong unless there is an agreement on a framework allowing the PCAOB to inspect and investigate audit firms completely. Any framework would need to bring specificity and accountability to fulfilling the goals of the HFCAA. Make no mistake, though: The proof will be in the pudding. While important, any framework is merely a step in the process. In light of the time required to conduct these inspections—as well as to fulfill quarantine requirements—a Statement of Protocol would need to be signed very soon if the inspections have any chance to be completed by the end of this year. This could be particularly important as Congress is considering accelerating the HFCAA’s timeline from three years to two years.”

SideBar

The U.S.-China Economic and Security Review Commission reports that, as of March 31, 2022, Chinese companies listed on the three largest U.S. exchanges had a total market capitalization of $1.4 trillion. As a result, the trading prohibitions of the HFCAA, which could kick in in just a couple of years—or perhaps even sooner, if Congress speeds up the timeline—could have a substantial impact. According to YJ Fischer, Director of the SEC’s Office of International Affairs, the inability of the PCAOB to conduct inspections in these countries “poses serious risks to US investors,” given the significant exposure of U.S. investors to China-based companies. The PCAOB reports that, “[i]n the thirteen month period ended December 31, 2021, 15 PCAOB-registered firms in mainland China and Hong Kong signed audit reports for 192 public companies with a combined global market capitalization (U.S. and non-U.S. exchanges) of approximately $1.7 trillion.” But, Fischer indicates, “the PCAOB has never been able to conduct audit inspections of firms in Mainland China, despite efforts dating back to 2007. In Hong Kong, the PCAOB has never been able to inspect any larger, network affiliates, and only inspected a few small firms before being blocked from inspecting all firms after 2010.” To conduct its inspection, the PCAOB must review the audit work papers and interview the firm’s engagement personnel. And in the event of possible violations of PCAOB standards or federal securities laws, the PCAOB “must be able to obtain the necessary work papers, documents, and information from firms and take testimony from audit firm personnel.” Moreover, she observes, the PCAOB must “obtain sufficient cooperation and agreement from Chinese authorities so that the PCAOB Board can make a determination that it can inspect and investigate completely in China and Hong Kong”—meaning it “must be able to access audit work papers from all, not some, China-based issuers and their registered public accounting firms, as well as conduct complete inspections and investigations in China and Hong Kong.”