Testimony Concerning
The Impact of the Sarbanes-Oxley Act
by Chairman Christopher Cox
U.S. Securities & Exchange
Commission
Before the U.S. House Committee on Financial Services
September 19, 2006
Chairman Oxley, Ranking Member Frank, and Members of the Committee:
Thank you for inviting me to testify on behalf of the Securities and
Exchange Commission concerning the impact of the Sarbanes-Oxley Act of
2002. I am especially pleased to be testifying today alongside Chairman
Mark Olson of the Public Company Accounting Oversight Board, with whom I
am working very closely to implement the Act.
On this fourth anniversary of the Sarbanes-Oxley Act, I'd like to begin
by recognizing the leadership of this Committee under Chairman Oxley and
Ranking Member Frank. When President Bush issued his Ten-Point Plan to
Improve Corporate Responsibility and Protect America's Shareholders, on
March 7, 2002, in the wake of the Enron collapse, this Committee put
forward a plan that contained many of those elements. And most of those
essential provisions of this Committee's legislation were included in the
Conference Report on the final Sarbanes-Oxley Act.
As a member of this Committee at the time, I well remember the
significant work that preceded the drafting of the legislation, including
extensive hearings, and the considerable effort that you led to shepherd
the bill through the legislative process. I particularly remember the
House-Senate Conference, and the immediately evident significance of the
eventual product: the most sweeping modernization of our system of
securities regulation since the initial enactment of the federal
securities laws more than 70 years ago.
We have come a long way since 2002. Investor confidence has recovered.
There is greater corporate accountability. Financial reporting is more
reliable and transparent. Auditor oversight is significantly improved. The
legislation that this Committee produced four years ago under your
leadership, Mr. Chairman, has helped make that happen.
The Act is not perfect in every respect. But the vast majority of its
provisions are net contributors to the nation's economic health. And those
parts of SOX that aren't working as well as they should — notably Section
404 — can be made to work better through better implementation. Chairman
Olson and I are hard at work on that.
But before providing an update on the Commission's efforts to improve
implementation of the Sarbanes-Oxley Act, I would like to highlight a
little-noticed fact: While competitors in other countries are using
Sarbanes-Oxley as a reason for foreign companies to list in their
jurisdictions, many of those same countries are adopting provisions of the
Act as part of their own regulatory regimes. As we consider the effect of
Sarbanes-Oxley on U.S. competitiveness, it is important to keep in mind
how broadly many of its tenets have been taken up overseas.
It would appear, four years later, that America's approach is not
unique — we just happened to be early adopters. Of course, each country
has implemented reforms in slightly different ways, depending on their
national legal system, market conditions, and other factors. But it is
still remarkable how similar so many of their reforms are to those passed
by Congress four years ago.
Let me give you just some of the examples.
Governments in the major markets around the world have established
independent auditor oversight bodies like the PCAOB. For example, the
European Union recently adopted a directive requiring all EU member states
to create an auditor oversight body. There is now widespread agreement
that, to improve audit quality, auditor oversight bodies should be
independent of the industry they oversee.
Other major capital markets have also recognized the conflicts of
interest that some non-audit services create, and the need to place
restrictions on these services to improve audit quality. The European
Union, the United Kingdom, France, Hong Kong, China, Japan, Australia,
Canada, and Mexico have all passed reforms requiring mandatory audit
partner rotation, although they vary regarding the details about how this
rotation works.
Audit committee independence is another increasingly common theme
around the world. The United Kingdom, Hong Kong, Australia, Canada, and
Mexico have all introduced reforms since 2002 requiring that all members
of the audit committee be independent of management.
A number of countries have even adopted requirements similar to the
first half of the controversial Section 404 of the Sarbanes-Oxley Act,
which requires management to do its own assessment of internal controls.
Several countries, including the United Kingdom, Australia, and Hong Kong,
have adopted a comply-or-explain approach to a management assessment.
Japan, France, and Canada all now have legislation or regulations
requiring a management assessment of internal controls. Still others, such
as Mexico, have corporate governance codes that recommend having a
management assessment of internal controls.
The problems we have experienced with Section 404 arise from the
implementation of the second half of this provision: the part that
requires an auditor evaluation of management's assessment. And just as in
America, that aspect has proven more controversial abroad than the
assessment itself. Despite the controversy, however, several other
jurisdictions have adopted some variant of this requirement.
For example, the UK requires auditors to report on a comply-or-explain
basis if they believe management's assessment is unsupported. China,
France and Japan have adopted rules requiring an auditor's evaluation of
management's report of internal control over financial reporting, but with
some differences in the manner in which this evaluation is to be conducted
that make it far less costly. Some countries, including Brazil and
Australia, require an evaluation, but do not require that the evaluation
be made public. Instead, they require the auditor to report this
evaluation to the board. Another trend is for corporate governance codes
to include a non-binding recommendation for an auditor evaluation, as is
done in Germany and Mexico.
Other countries have taken a softer approach to auditor evaluations of
management's internal control assessment. Still other jurisdictions, such
as Canada, are taking a wait-and-see approach to determine the impact of
the auditor attestation requirement in the United States.
Not only with respect to Section 404, but with the entirety of
Sarbanes-Oxley, the SEC will continue to work with other regulators around
the world to encourage effective regulatory standards that encourage
capital formation, job creation, and economic growth, while at the same
time offering a high degree of investor protection. As the Congress full
well appreciated when it passed Sarbanes-Oxley, these are not inconsistent
goals, but rather, highly complementary ones.
Since President Bush signed the Sarbanes-Oxley Act, the Commission has
completed nearly 20 rulemakings and studies that were mandated by the Act.
Since 2004, the largest public companies, representing more than 95% of
the total U.S. market capitalization, have been subject to all of the new
rules created by Sarbanes-Oxley. The Section 404 requirements, as I have
said, have gotten by far the most attention. But before I continue with a
more detailed description of our plans to provide 404 relief, I would like
to mention some of the specific improvements that have profoundly and
positively affected corporate America, our public investors, and the
important work done every day by the Commission.
One of the principal objectives of the Act was to improve executive
responsibility and the "tone at the top" at public companies. We can
credit two sections of the Act in particular for helping to achieve that
objective: Sections 302 and 906. Pursuant to the rules implementing these
sections, whenever a public company files a quarterly or annual report
with the Commission, both the principal executive officer and the
principal financial officer must personally certify that they have
reviewed it. Furthermore, they must affirmatively state that to their
knowledge the report does not contain any untrue statement of a material
fact and that it does not omit any material information.
A fraudulent Section 302 certification is subject to civil enforcement
by the Commission, and a fraudulent Section 906 certification carries
criminal penalties enforceable by the Department of Justice. These dual
certification requirements are designed to ensure that the company's top
leaders are personally involved in the disclosure process. Before
investors rely on a company's financial statements, these officers are
required to take all reasonable steps to be sure they paint an accurate
picture. The Section 302 certification also assigns responsibility to the
certifying officers for establishing and maintaining effective disclosure
controls and procedures, as well as internal control over financial
reporting.
One of the hallmark accomplishments of Sarbanes-Oxley is that it has
implemented the corporate equivalent of President Truman's oft-cited
aphorism: "The buck stops here." Thanks to SOX, the responsibility for the
truthfulness of public corporate reports and disclosures stops on the
desks of our corporate leaders.
Another very significant improvement was made by Section 301 of the
Sarbanes-Oxley Act. This section embodies the Congress's view that audit
committees play a vital oversight role in the financial reporting process.
The SEC's rules under Section 301 require that the audit committees of all
listed companies be independent. They alone are responsible for the
appointment, compensation, retention, and oversight of a company's outside
auditor. And the auditor must report directly to the audit committee. The
audit committee also must establish the level of funding necessary to
fulfill its duties, including, if necessary, the retention of independent
counsel and other advisors.
We have long had independent auditors, but their independence rested in
large part on their ability to deal with the sometimes conflicting demands
from the same executives who selected them and paid their fees. Today's
independent audit committees, thanks to Sarbanes-Oxley, can retain their
own counsel and other advisers. They now have the resources and protection
they need to carry out truly independent evaluations.
In addition, the audit committee must establish procedures for handling
whistleblower tips and complaints. That includes a process for accepting
such complaints, keeping records of them, and most importantly dealing
with them. If a whistleblower seeks to report an accounting or auditing
problem confidentially, the audit committee has to have a way to protect
his or her anonymity. This is an important new means for companies to
discover and correct internal control problems.
Beyond the independence of audit committees, Sarbanes-Oxley has
strengthened auditor independence. The entirety of Title II of the Act is
devoted to the topic of auditor independence. The intense focus on this
topic reflects Congress's appreciation that the audit process is most
effective when investors are assured that audits are performed by
objective and unbiased professionals. The Act bans auditors from providing
the kinds of non-audit services to audit clients that could give rise to
financial conflicts of interest. It emphasizes the role of audit
committees in approving other services provided by auditors. And it
requires audit partner rotation. All of this is more protection for
investors, and less incentive for the auditors to do anything that
detracts from their core mission.
In January 2003, the Commission amended its auditor independence rules
to conform to the Act. As with all of our rules, we are continually
monitoring their implementation as we respond to requests from companies
and accounting firms for interpretative guidance. The PCAOB also has taken
a strong interest in auditor independence and has proceeded with its own
rulemaking in this area.
Yet another significant improvement brought about by Sarbanes-Oxley is
the change to real-time disclosure of material information by companies
and insiders. Today, thanks to changes mandated by the Act, investors are
entitled to review reports of insiders' transactions in their companies'
securities, including receipt of option grants from their companies,
within two business days after the transaction occurs, and all of these
reports are now required to be filed on EDGAR, the Commission's electronic
filing system.
Recent developments in the areas of executive and director
compensation, including our adoption of new disclosure requirements in
August and our current enforcement efforts relative to the back-dating of
options, demonstrate the importance of these changes.
Furthermore, consistent with Section 409 of Sarbanes-Oxley, in March
2004 the Commission accelerated the deadline for the filing of "current"
reports on Form 8-K, and significantly expanded the range of presumptively
material events that a company must disclose in those reports. The changes
have led to increased scrutiny of the information contained in current
reports, including announcements that a company must restate previously
issued financial information because of accounting errors or, in some
cases, financial fraud.
One of the most significant changes made by the Sarbanes-Oxley Act was
the creation of the Public Company Accounting Oversight Board.
Investors were indeed fortunate when, in June 2003, William McDonough,
former President of the Federal Reserve Bank of New York, became Chairman
of the PCAOB. Under his direction, the PCAOB undertook a number of actions
to meet its responsibilities under the Act, including adopting the Board's
first professional standards, registering public accounting firms, and
initiating its inspection and disciplinary programs. And under his
leadership and that of Acting Chairman Bill Gradison, who succeeded him
last year, the SEC and the PCAOB have established a formal process for the
determination of the Board's annual budget and accounting support
fees.
On July 3, 2006, Mark Olson became the Chairman of the PCAOB. Chairman
Olson is familiar to most of you on this Committee, having served with
distinction as a Governor of the Federal Reserve Board of Governors, among
other notable positions. Chairman Olson is now working closely with the
Commission's new Chief Accountant, Conrad Hewitt, who is a distinguished
leader of the accounting profession and the former chief financial
regulator for the State of California, as we continue our joint efforts to
improve investor confidence in the reliability of audit reports. I must
stress how fortunate we are to have people of this caliber charting the
course of the PCAOB.
Let me turn now to the one notable exception to the largely positive
record of change wrought by the Sarbanes-Oxley Act. The Section 404
internal control reporting requirements, as they have been implemented to
date, have met with a variety of criticisms, particularly from smaller
companies. What we have learned from our Section 404 compliance efforts to
date is that the problems issuers have experienced thus far are not
inherent in the language of the statute, but stem rather from the method
of its implementation. We have also become convinced that there are no
irreparable problems with Section 404 implementation, although fixing the
problems that have been identified will be challenging. We are working
with the PCAOB to help insure that this provision of the law is
implemented efficiently and effectively.
Larger domestic companies with a public float of $75 million or more
have now been fully subject to the Section 404 requirements for two
reporting seasons. We have been carefully monitoring compliance efforts
each step of the way. On the basis of this experience, we can report that
while initial implementation efforts resulted in significantly
greater-than-anticipated costs, compliance with Section 404 produces
significant benefits. Chief among these benefits is a heightened focus on
internal controls at the top levels of public companies.
While a portion of the first-year compliance expense undoubtedly
reflected start-up costs — and, in many cases, long-neglected maintenance
by companies of their internal control systems and procedures — it is
undeniable that some of the costs were attributable to excessive,
duplicative, or misdirected efforts on the part of companies and their
registered public accounting firms.
In response to concerns about these unnecessary costs, the Commission
directed the staff to issue additional guidance. An overarching principle
of this guidance is that it is management's responsibility to determine
the form and level of internal controls appropriate for each company, and
to determine the scope of its assessment and testing. The guidance
emphasized that the registered public accounting firms must recognize a
range of reasonable choices by companies as acceptable in the
implementation of the Section 404 requirements. The PCAOB issued
complementary guidance in May and November 2005 regarding the application
of its Auditing Standard No. 2.
In May of this year, after carefully evaluating all of the public
commentary on the Section 404 requirements, and considering larger
companies' experience complying with the requirements, the SEC announced a
plan to re-balance Section 404 compliance by all of the companies that
fall under our jurisdiction — large and small, foreign and domestic. On
May 17, 2006, the Commission issued a roadmap laying out the specific
steps we plan to take to make Section 404 compliance more efficient and
cost-effective.
One of the significant steps on that roadmap was the publication on
July 11, 2006, of a Concept Release as a prelude to the issuance of SEC
guidance for management on how to assess the effectiveness of a company's
internal controls over financial reporting. This planned new guidance will
focus on the objectives of the evaluation process, on the risk-based
approaches available to management in conducting an evaluation, and on the
documentation of the evaluation. The Concept Release solicits public
comment on each of these topics and on whether guidance should be provided
on other topics as well. The public comment period on the Concept Release
just closed yesterday.
In addition, last month, the Commission proposed to grant some relief
from the Section 404 reporting requirements to smaller public companies by
extending the date by which non-accelerated filers must start providing a
report by management assessing the effectiveness of the company's internal
control over financial reporting. The initial compliance date for these
companies would be extended by five months, with the result that they
would begin complying with the Section 404 requirements in their annual
reports for fiscal years ending on or after December 15, 2007. The
Commission also proposed to extend the date by which non-accelerated
filers must begin to comply with the Section 404(b) requirement to provide
an auditor's attestation report on internal control over financial
reporting in their annual reports. This deadline would be moved to the
first annual report filed for a fiscal year ending on or after December
15, 2008.
At the same time, the Commission proposed a transition period for newly
public companies. Under the proposal, a public company that has become
public through an initial public offering or a registered exchange offer,
or that otherwise has triggered the Exchange Act reporting requirements
for the first time, would not be required to provide either a management
assessment or an auditor attestation report in the first annual report
that it files with the Commission. By not requiring the Section 404
reports until a newly public company files its second annual report, we
hope to enhance the attractiveness and cost-effectiveness of participating
in our markets both for domestic and foreign companies contemplating IPOs
and for foreign companies considering listing in the U.S. for the first
time, without sacrificing important investor protections.
As a separate action taken in August, the Commission granted relief
from Section 404(b) compliance for certain foreign private issuers that
are accelerated filers. The Commission's data indicate that about 23% of
the approximately 1,200 foreign private issuers will receive the one-year
extension of the compliance dates.
We anticipate that the SEC staff's next inspection of the PCAOB will
focus on the PCAOB's own inspection program for registered audit firms. In
particular, the staff will likely focus on the PCAOB's inspections of
audits under PCAOB Auditing Standard No. 2.
This authority to inspect the PCAOB is an important aspect of the
Commission's general oversight under Section 107(a) of the Sarbanes-Oxley
Act. By focusing our next inspection of the PCAOB on its largest program
area — inspections of registered public accounting firms under
Sarbanes-Oxley 404 and Auditing Standard 2 — we hope to achieve greater
compliance with the Commission's and the PCAOB's own guidance that these
audits be risk-based and cost-effective.
Another important oversight responsibility of the Commission is the
approval of the PCAOB's rules and professional standards. During the past
year, the Commission approved the PCAOB's proposed Auditing Standard No. 4
and its proposed rules on ethics and independence.
Auditing Standard No. 4, "Reporting on Whether a Previously Reported
Material Weakness Continues to Exist," provides guidance to auditors when
a company voluntarily engages the auditor to report on previously
identified material weaknesses in the company's internal control over
financial reporting. Auditing Standard No. 4 provides a mechanism for
auditors to report on the correction of material weaknesses without having
to wait until the next annual audit of the company's internal controls.
In its order approving the PCAOB's proposed Auditing Standard No. 4,
the Commission published guidance stating that both management's report on
the correction of the previously reported material weakness and the
auditor's related report can be included in any Exchange Act form.
Together with Auditing Standard No. 4, this guidance should enable
companies to address their investors' concerns about the reliability of
the companies' financial statements, thereby achieving an important goal
of the Act.
As this brief summary makes clear, Mr. Chairman, much has been
accomplished to strengthen and restore integrity to the U.S. capital
markets since the enactment of Sarbanes-Oxley four years ago. In a time of
crisis, you, then-Chairman Sarbanes, this Committee, and your colleagues
in the Senate stepped forward to champion these significant reforms to our
regulatory framework. Your vision and responsible judgment, Mr. Chairman,
along with Ranking Member Frank and the other leaders of this Committee,
has been absolutely essential in maintaining the standards in our
securities markets as the best in the world, in giving America's investors
the strongest protection in the world, and in providing them with a higher
level of confidence than they can have anywhere else on earth.
In the months and years ahead, we will continue to work to implement
the critical reforms effected by the Sarbanes-Oxley Act in the best way
possible to meet our objectives of investor protection, well-functioning
markets, and healthy capital formation. We will not forget the failures
that plagued our markets at the dawn of this millennium, and the crisis in
investor confidence that ensued. We will do our best to honor your legacy
by ensuring that Sarbanes-Oxley works for every stakeholder — for
investors, for issuers, for our economy, and for our country.
I appreciate the opportunity to speak on behalf of the Commission. I
would be happy to answer any questions that you may have.
http://www.sec.gov/news/testimony/ts091906cc.htm
Modified: 09/19/2006 |