Sir,
I want to highlight what appears to be a fundamental 'misfire' in the Sarbanes–Oxley Act of 2002 (SOX): requiring that the audit firm of an SEC-reporting company whose securities are listed on a US stock exchange report directly to the audit committee of the company's board of directors. Congress appears to have been of the view that the audit committee members' independence (from management), combined with this direct reporting requirement, would strengthen the legs of the corporate governance 'stool'. But has this been the result? Consider this: why hasn't any of the audit firms identified the manner in which an audit committee functions or the scope of its activities as a 'material weakness' in the SOX 404-mandated assessment of an audit client's internal accounting controls? Perhaps it is because SOX stipulates that the audit committee is to be directly responsible for the appointment, compensation and oversight of the work of the audit firm. How inclined are any of us to bite the hand that feeds us?
At this point, SEC-reporting companies with market capitalisations in excess of $75m have been subject to SOX 404 for three annual reporting periods. In that time, a significant number of companies have announced that their audit committees have initiated independent investigations into various accounting and financial reporting matters. Frequently, such investigations have resulted in companies determining that a restatement of their financial statements is in order. This makes inevitable the acknowledgment that the companies' internal controls were not effective after all. An after-the-fact identification and acknowledgment of the errors is not what Congress had in mind. Nor is it what investors should have a right to expect given the reported significant costs that are being incurred, both internally and in the form of audit fees, in connection with the SOX 404 compliance process.
The vast majority of SEC-reporting companies — with market capitalisations of less than $75m — became subject to SOX 404 with respect to their annual financial statements as of the end of 2007. As noted in the guidance put out by Public Company Accounting Oversight Board (PCAOB) in mid-October 2007, the control environments of these smaller companies tend to be characterised by fewer levels of management and greater involvement by senior management in day-to-day activities, both of which provide the opportunity for management override of controls. The PCAOB's guidance highlights that a smaller company can address the risk of management override through increased oversight by the audit committee. Based on the data over the past three years, is it likely that we can count on the audit firms to make an issue of the actual level of audit committee oversight?
An audit committee charter does not begin to provide a 'road map' of what an audit committee member should be doing to fulfil his or her responsibilities. This leaves me wondering why, to paraphrase that familiar expression of Thoreau, there isn't a much more significant marketing of, and interest in, tools to teach audit committee members 'how to fish'. I can speak to this with some first-hand knowledge, having developed a set of modules designed with this in mind. Let's just say that the level of interest has been tepid, at best. It will be interesting to observe whether the volume of financial restatements in the next year or two serves as a wake-up call.