It seems that fraud and conspiracy are all around us. Buzz words such as “misinformation” and “disinformation” haunt the daily news, and trust seems hard to establish. Not only are we plagued by the need to fact-check everything; there also appears to be no end to the fraudulent activity that permeates our society. Unfortunately, just a quick web search highlights several recent cases of fraud, including:
- United States vs. Epsilon Data Management, LLC (Docket number: 1:21-cr-00006-RM) is a judgement, approved on 27 January 2021, for a deferred prosecution agreement (DPA) regarding Epsilon Data Management LLC knowingly selling consumer data to clients engaged in fraud. The agreed penalty was US$150 million.[1]
- United States vs. Facebook, Inc. (Docket Number 1:19-cv-2184 (DDC)) was an approved settlement between Facebook and the US Federal Trade Commission (FTC) for violations of the US Federal Trade Commission Act regarding misrepresentation of how consumers could protect personal data and misrepresentation of how Facebook used consumer personal data. A US$5 billion civil penalty was levied by the US District Court for the District of Columbia. Additionally, the judgement required Facebook to establish an independent assessor and an independent privacy committee to oversee compliance with the judgement. The judgement was paid by Facebook in April 2020.[2]
So, 20 years after the US Sarbanes-Oxley Act of 2002 (SOX), are we any better off? The environment that the law’s authors, former US Senator Paul Sarbanes and former US Representative Michael Oxley, addressed with SOX does not look like the world we live in today, especially with regard to technology, which continues to impact our lives at a frenetic pace. It is the challenge all lawmakers and practitioners face: How does one adapt an “old” law to the new world?
History
The turn of the century saw a proliferation of bad corporate behavior. Free market capitalism had encouraged some to compete unfairly at best and illegally at worst. Technology was on an upward trend, heralded by the dot-com era, which attracted job seekers and investors alike, only to burst and fall apart by the early 2000s. Even more concerning was a flurry of activity coming from two companies in disparate industries, only a short four years after the major accounting scandal at Waste Management had occurred in 1998, a scandal that still ranks as the top accounting scandal worldwide.[3] Enron, a US energy company, and shortly after, WorldCom, the US telecommunications behemoth, became hallmark cases that prompted quick action by the US Congress.
As a publicly traded energy company, Enron was devoted to the principle of increasing shareholder value. In the early 1990s, Enron’s performance tracked in line with the Standard and Poor’s 500 Index (S&P 500), but it surged far ahead of other companies by 1999–2000, with a 56 percent increase in stock price in 1999 and an additional 87 percent increase in 2000. This was at a time when the S&P 500 increased 29 percent in 1999 and declined 10 percent in 2000.[4] Enron manipulated various accounting practices to hide illegal activity within the firm, most specifically “mark to market.” Mark-to-market accounting, a US Securities and Exchange Commission (SEC)-permissible means of assessing an organization’s value, is intended to measure accounts whose value fluctuates over time against the current market value in order to assess an organization’s worth.[5] For Enron, mark to market became a means of inflating company value well beyond actual company performance, hiding a shaky structure that led to bankruptcy in 2001. Unlike its successor-in-scandal WorldCom, Enron’s audit department, audit board and Arthur Andersen all continued to support mark-to-market accounting and the use of various accounting loopholes. It took Sherron Watkins, former vice president of corporate development at Enron, to bring the issues to light, at the point when Enron declared bankruptcy in November 2001, well beyond when the company could be salvaged and employee pensions and investor portfolios saved.
Rather than multiple complex and convoluted accounting practices, WorldCom’s illegal activity centered on a single questionable practice, identified by a member of the internal audit group. Swift investigations found that “prepaid SONET” costs had been booked as capital instead of as expenses, which resulted in a series of indictments and WorldCom’s subsequent bankruptcy in July 2002.[6] The whistleblower, internal audit Vice President Cynthia Cooper, persisted in getting attention directed at the questionable practice.
The repercussions of the WorldCom fraud did not impact only WorldCom employees and investors. In the late 1990s, the telecommunications industry was dominated by three major competitors, AT&T, MCI and Sprint, along with a large number of telecommunications resellers. As companies jockeyed for position, WorldCom’s merger with MCI created a head-on battle for the top contenders, one I experienced as chief of staff to the regional sales vice president at my company. In a very real sense, my company was a victim of fraud, something that not only changed what happened to our company and employees, but to the industry in general. MCI had been a tough competitor, aggressive in pricing, and that seemed to accelerate with the WorldCom merger. As sales results came in under the company’s expectations for retaining and growing market share, results had to be achieved from the expense side of the ledger, and layoffs became an unfortunate outcome in the late 1990s and early 2000s. As a sales force, we were introspective: Were we not assertive enough selling our services? Were we too engineering oriented and not strong enough with a customer-focused marketing perspective? What about our pricing strategies? Were we holding on to unrealistically high pricing in what seemed to be an overall pricing freefall? Only later, as the investigations unearthed the extent of the scandal, did the actions of WorldCom Chief Executive Officer Bernie Ebbers and his company illuminate a different view on what had happened and why we struggled to compete.
Legislative Response Through SOX
Both the US House bill, called the Corporate and Auditing Accountability, Responsibility and Transparency Act and sponsored by Michael Oxley, and the Senate bill, introduced as the Public Company Accounting Reform and Investor Protection Act of 2002 and proposed by Paul Sarbanes, aimed at stemming the tide of scandals. Within a few months, the two bills were reconciled, passed and enacted as P. L. 107‒204, which became known as the Sarbanes-Oxley Act of 2002.[7] Section III of SOX identified its intent as “the Commission [SEC] shall promulgate such rules and regulations, as may be necessary or appropriate in the public interest or for the protection of investors, and in furtherance of this Act” (Public Law 107-204, July 30, 2002, 116 STAT 745), and key elements included:
- Establishment of a public company accounting oversight board under Title I
- Enhanced Financial Disclosures under Title IV, including the frequently cited Section 404 for Management Assessment of Internal Controls
- Corporate and Criminal Fraud Accountability under Title VIII
- White Collar Crime and Penalty Enhancements under Title IX
Conflicting Opinions on SOX
White papers written shortly after SOX became law highlighted the incredible cost to business in terms of documentation and evidence gathering to support the law’s requirements, yet the same white papers have noted the benefits in terms of governance, structure and improved accountability. An article in the Harvard Business Review noted that some executives welcomed the requirements because:
They were thinking not only of protecting stakeholders and shielding their companies from lawsuits, but of developing better information about company operations in order to avoid making bad decisions.[8]
Ten years later, in 2012, the debate on how effective SOX had been continued to rage on, with some opinions citing the exorbitant costs of data collection and maintenance, while other opinions and white papers heralded the framework of controls as a critical structure for corporations to include in their governance model. Yet most of the entries on the list of top-10 accounting scandals show that there was not a watershed of good behavior after SOX went into effect:
- Waste Management, 1998
- ENRON, 2001
- WorldCom, 2002
- TYCO, 2002
- HealthSouth, 2003
- Freddie Mac, 2003
- AIG, 2005
- Lehman Brothers, 2008
- Bernie Madoff, 2008
- Satyam, 2009[9]
To Regulate or Not to Regulate: Where We Go From Here
While the debate rages on about the expense involved in SOX compliance and the degree of empowerment SOX provided to the SEC, it remains clear that there is no widely accepted view of the benefit SOX has provided. One can argue that the magnitude of fraudulent acts has diminished in US dollar value since enterprises began to adopt the requirements, and without a doubt, the flurry of pervasive fraudulent activity by large organizations between 1998 and 2003 was breathtaking. Yet not every organization is committing fraud, and, furthermore, the one-size-fits-all SOX requirements can be overly demanding, especially for smaller enterprises. Also, we no longer live in the early 21st century, and technology continues to enable sound audit practices and support the SOX data collection and retention requirements.
SOX benefits derive from the belief that regulation is necessary to promote and enforce good behavior. As one considers the pluses and minuses, the core principle that regulation is required must be accepted in order to consider SOX worthwhile. For auditors and risk management professionals, the balance of appropriate requirements is key. One might even suggest that appropriate guidelines, whether regulatory or basic in-house business governance, are the rallying cry for the audit profession. The following key factors are worth consideration:
- Impact of technology on record retention—When SOX was enacted, the challenges of big data were overwhelming, but that burden has eased with cost-justifiable data warehousing capabilities both in-house and hosted that provide economically reasonable ways to handle the information requirements.
- “In-line” auditing tools that verify system integrity—Auditing has become less mundane and more consultative, with enabling analytics programs available. While cost-effectiveness needs to be carefully evaluated against vendor application features, the trend toward analytics auditing continues to show promise and shape the future of the audit industry.
- The concept of monitoring controls, instead of only preventive or detective controls—With the advent of monitoring controls as a key component of an audit program, it is possible to identify and isolate potentially fraudulent behavior in an almost predictive fashion. Furthermore, monitoring controls, with retention of the data metrics they produce, can readily substantiate troubling activity when appropriately applied to key control points in the process.
If one concurs that record retention, in-line auditing tools, and monitoring controls, especially automated monitoring, relieve much of the administrative burden of SOX, the next consideration is whether those practices help reduce the abusive practices to an extent that benefits the public. For people like me who have worked almost entirely in regulated industries, it may be hard to imagine a world without oversight and even harder to judge whether the oversight is necessary. Organizations falling under SOX or other similar legislative requirements frequently cite the dramatic cases regarding the accounting transgressions in their employee training courses, whether the examples provided are from their own organization’s history or those of other enterprises. Memorable stories of real-life consequences are viewed as important preventive measures in setting the tone for expected behavior.
Actions Are Still Louder Than Words (Facta Non Verba)
Onboarding and recurring training set an important foundation for employees, but day-to-day expectations cement the ethical actions of the business for employees, clients and suppliers. If one considers a controlled environment to be a fraud deterrent, then clear expectations backed by controls and metrics keep stakeholders on their toes. Regardless of enterprise size or even specific SOX applicability, all organizations implementing and monitoring a controlled environment with supporting evidence can take advantage of the structure of common goals and guidelines that document appropriate execution of those goals. In the end, organization size does not matter when it comes to fraud. A fraudulent event, unfortunately more common than one would suspect, can be a final blow to a small organization, potentially more so than to a large enterprise.
Risk assessment and audit discipline are keys to deriving benefit from legislative efforts such as SOX. As risk assessment professionals know, it is impossible to cover all vulnerabilities in a timely manner. Choosing what is most impactful to the business and establishing controls against the most critical areas allow focus and promote effectiveness. Does that require a full-blown risk analysis with three separate lines of defense? The point can be debated based on the complexity of the operations at the enterprise and the degree of regulation under which it operates. Even with three lines of defense, the tension between collaborating to cover all areas of critical and high risk and duplicating sampling, monitoring and evidence collection is commonplace. With growing trends in integrated audits, given the highly technical nature of financial transactions in the 2020s, time and money can be more efficiently managed with audit and first-line teams working together.
Do we still need SOX? As my recommended reading list suggests, the debate continues regarding how to manage SOX requirements and what changes might make the law more effective. With the 20th anniversary of the law, new consideration is underway regarding how it can provide insights into protecting the public in the spirit in which the law was created.
Reading List
- Fanning, T.; S. Ravich; S. Spaulding; “Why a Sarbanes-Oxley Update Is Needed to Protect Our Financial Sector From Hackers,” The Hill, 28 December 2020, http://thehill.com/blogs/congress-blog/technology/531781-why-a-sarbanes-oxley-update-is-needed-to-protect-our-financial
- Blokhin, A.; “The Impact of the Sarbanes-Oxley Act of 2002,” Investopedia, 23 February 2021, http://www.investopedia.com/ask/answers/052815/what-impact-did-sarbanesoxley-act-have-corporate-governance-united-states.asp
- Wagner, S.; L. Dittmar; “The Unexpected Benefits of Sarbanes Oxley,” Harvard Business Review, April 2006, http://hbr.org/2006/04/the-unexpected-benefits-of-sarbanes-oxley
- Mahoney, J.; “Don’t Forget the Good That SOX Has Done,” The Wall Street Journal, 28 February 2018, http://www.wsj.com/articles/dont-forget-the-good-that-sox-has-done-1519423423
- Drawbaugh, K.; D. Aubin; “Analysis: A Decade on, Is Sarbanes-Oxley Working?” Reuters, 30 July 2012, http://www.reuters.com/article/us-financial-sarbox/analysis-a-decade-on-is-sarbanes-oxley-working-idUSBRE86Q1BY20120729
- Clark, C.; “Could SOX Be Better?: Exploring the Benefits and Shortfalls of Sarbanes-Oxley,” University of Tennessee at Chattanooga, Tennessee, USA, May 2021, http://scholar.utc.edu/honors-theses/294
- Curwen, L.; “The Collapse of Enron and the Dark Side of Business,” BBC News, 3 August 2021, http://www.bbc.com/news/business-58026162
- 107th US Congress, H. R. 3763 Sarbanes-Oxley Act of 2002, USA, 30 July 2002, http://www.congress.gov/bill/107th-congress/house-bill/3763/text
Endnotes
1 US Department of Justice, Current and Recent Cases, CIVIL, Department of Justice, http://www.justice.gov/civil/current-and-recent-cases
2 Ibid.
3 Corporate Finance Institute (CFI), “Top Ten Accounting Scandals,” http://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
4 Healy, P. M.; K. G. Palepu; “The Fall of Enron,” Journal of Economic Perspectives, vol. 17, no. 2, Spring 2003, p. 3–26, http://www.aeaweb.org/articles?id=10.1257/089533003765888403
5 The Economic Times, “Definition of Mark to Market,” http://economictimes.indiatimes.com/definition/mark-to-market
6 Center for Ethical Organizational Cultures, WorldCom’s Bankruptcy Crisis, Harbert College of Business, Auburn University, Alabama, USA, 19 June 2019, http://harbert.auburn.edu/binaries/documents/center-for-ethical-organizational-cultures/cases/worldcom.pdf
7 107th US Congress, P. L. 107–204, 30 July 2002, 116 STAT 745, US Sarbanes-Oxley Act of 2002, http://www.congress.gov/bill/107th-congress/house-bill/3763/text
8 Wagner, S.; L. Dittmar; “The Unexpected Benefits of Sarbanes-Oxley,” Harvard Business Review, April 2006, http://hbr.org/2006/04/the-unexpected-benefits-of-sarbanes-oxley
9 Op cit Corporate Finance Institute
Cindy Baxter, CISA, ITIL Foundation, is director at What’s the Risk, LLC. Her practice focuses on integrated risk control and process assessments for cybersecurity, privacy and business continuity/disaster recovery. She views risk management and control assessment as a chance to learn the nuts and bolts of a client’s business and help them worry less because gaps have been uncovered and a stronger operating model can be built. Baxter draws upon her experience in banking, insurance, healthcare and technology after holding compliance and management roles at State Street Corporation, American International Group (AIG), Johnson & Johnson and AT&T. When she is not doing risk and audit work, she enjoys volunteering on climate and environmental issues that impact her community.