The Sarbanes-Oxley legislation was signed into law by President Bush on July 30, 2002. Section 404 of the bill, on “internal controls,” is perhaps the most controversial part of the law, and after four years of living with it, we now have enough experience to make three observations with confidence. First, it has been extremely expensive to implement. Second, it has been minimally effective in identifying the type of abuse that was targeted. Finally, as with a great deal of well-intentioned legislation, it has produced numerous unintended consequences that could have changed the votes of many legislators, had these effects been identified at the time of the vote.

The concept of “internal controls” can encompass any policy, procedure or practice that helps investors sleep well at night. While a company obviously wants to hire honest, reliable employees, internal controls are supposed to ensure that not even Bonnie Parker and Clyde Barrow, if employed by the company, would be able to abscond with corporate assets. To have that effect, the internal controls need to encompass not only general principles (like separating the preparation and approval of invoices, or requiring two signatures on checks over a certain limit), but also the specific circumstances of each individual business. A dairy operation may need to assess pasteurization, refrigeration and distribution controls on its primary asset, while a car dealer may want to deploy a few slightly-underfed German Shepherds on its lot at night. Section 404 of the Sarbanes-Oxley Act requires the accounting firms that audit public companies to opine on the soundness of the audited company’s internal controls. The act specifically provides that the internal controls should be judged on how well they improve financial reporting and concurrently discourage the executive frauds that led to so many high profile bankruptcies.

The rapid demise of Arthur Andersen, and the general climate of skepticism toward accounting, has made the accounting industry extremely risk averse when signing off on internal controls.

Evaluating internal controls has always been an important part of the auditing work accounting firms do. In the pre-Sarbox era, an evaluation of the client’s internal controls was the critical component in determining the scope of the audit: the more robust those controls were, the smaller a sample the accountants could use to evaluate the integrity of the financial statements. Conversely, weak internal controls meant more work for the auditors, since with a higher risk of faulty accounting a more thorough search for it was warranted. Sarbox section 404 has, in practice, been interpreted as a sort of meta-audit requirement, forcing the accounting firms to formally evaluate the efficacy of the client firm’s own procedures for formally evaluating itself.

The rapid demise of Arthur Andersen, and the general climate of skepticism toward accounting, has made the accounting industry extremely risk averse when signing off on internal controls. An auditor who refuses to sign off on a client firm’s controls can’t simply tell the client firm what to change, since the auditor would then end up assessing the quality of its own advice to clients. The guidelines surrounding the implementation of 404 make it crystal clear that the responsibility for designing the system of internal controls rests with management.

This whole process is every bit as costly as it sounds. A recent estimate of the cost of Sarbanes-Oxley compliance, developed by AMR Research, predicted that North American companies will spend $6 billion on it this year. More worrisome than the dollar cost, however, is the way these new rules force management and directors to shift their focus toward compliance matters and away from strategies for growing the basic business. Even Senator Charles Schumer recently acknowledged that “there appears to be a worrisome trend of corporate leaders focusing inordinate time on compliance minutiae rather than innovative strategies for growth.” Business leaders must worry so much about not doing the wrong thing that they focus less attention on doing the right one. Some would characterize this change as spending corporate resources on fat rather than muscle. A study by the Milwaukee-based law firm, Foley & Lardner, reported that 34% of respondents stated that Sarbanes-Oxley compliance had resulted in budget and/or staffing cuts in other critical areas of the business.

The data on effectiveness of the stronger internal controls suggests that they are not a smart investment. The Association of Certified Fraud Examiners published its 2006 Report to the Nation on Occupational Fraud and Abuse, in which it reviewed data compiled from 1,134 cases of occupational fraud that were investigated between January 2004 and January 2006. The study results show how executive fraud was detected with the top five methods and corresponding success rates listed as follows:

*Because some frauds were identified by multiple methods, the total percent of cases totals more than 100%.

The fact that internal controls are only the fifth most effective means of identifying executive fraud is only part of the surprise. The real indictment of such reviews is that they are only half as effective as accidental discoveries of such improprieties. Obviously, from a benefit/cost point of view, the argument for committing financial resources to incremental internal control efforts is extremely weak. The other result that jumps out of the above table is the profound benefit that results from having some form of confidential tip line. While employees are the source of most tips to such lines, these calls can also come from ex-employees, disgruntled spouses, mistresses, vendors, customers or other outside parties. Again, from a benefit/cost perspective, the availability of a confidential tip line is an extremely cost effective way for boards of directors to identify management chicanery. A review of stories detailing the declines of Enron, WorldCom, Adelphia, Global Crossing, etc. typically shows that there was widespread awareness of the deceptive activities within the company, but that the informed parties were reluctant to blow the whistle for any one of a number of reasons. One must wonder if one of those reasons was that the particular company’s perceived status dwarfed the city in which it was headquartered. Why did Coudersport, Pennsylvania (Adelphia), Jackson, Mississippi (WorldCom) and Birmingham, Alabama (Health South) have more corporate scandals than New York, Chicago and Los Angeles?

In most cases, there was widespread awareness of the deceptive activities within the company, but the informed parties were reluctant to blow the whistle.

When Congress passed the Sarbanes-Oxley legislation, the clear intent was to clamp down on the executive abuses that had lead to the disappearance of so many sizable corporations with the attendant loss of investment and retirement assets for innumerable voters. What was not foreseen was the pushback by companies that confronted the burdensome realities of dealing with the Section 404 requirements. The reaction has taken at least three forms: 1) taking public firms private, 2) delisting shares from exchanges in the United States and listing them on exchanges in other countries, and 3) locating initial public offerings (IPOs) in overseas locations rather than on Wall Street. Had any of these unintended consequences been anticipated in July, 2002, it is difficult to believe that the legislation would have been approved. The net effect of these moves could be to outsource the financial center activities that Wall Street has spearheaded over the past several decades to the rest of the world.

In testimony before the House Government Reform Subcommittee on April 5, 2006, Grace L. Hinchman, Senior Vice President of the Financial Executives International, provided commentary that summarizes the views of many who feel that there are some positive benefits to the Sarbanes-Oxley Bill outside of the heavily-publicized Section 404. She praised the Sarbanes-Oxley Bill, focusing particular attention on the benefits of CEO and CFO certificates (Section 302), increased penalties for criminal misconduct (Section 906), and strengthening requirements for audit committees. However, she diplomatically suggested that “…it is evident that more work needs to be done in implementing Section 404 of the Act”. If her words can be heeded, then we can get away from the myopic focus of Section 404 and its bottom up approach, and gravitate to a top-down attack on improving financial reporting. A simple application of benefit/cost analysis principles should lead to a significant mitigation of the overkill contained in the implementation of Section 404.

James C. (Tad) Howard is President of Nassau Financial, a firm that advises corporate boards and management on corporate governance, as well as providing financial expert assistance to law firms.