AdSlot 1 (Leaderboard)

Protection, not communication

Sarbanes-Oxley marks a depressing start to 2003, and FDs won’t be losing too much sleep over the fact that the act has ruined Christmas and New Year for the staff of the Securities & Exchange Commission (SEC).

It has an incredibly short time – until the end of this month – to sort out the detailed rules implementing the US primary legislation, and it’s pretty safe to say that their efforts are hardly likely to be welcomed by FDs or CFOs.

Despite the fact that not much has yet been finalised we do know the main thrust of the proposals in the area of financial reporting and auditing.

Companies quoted on recognised US stock exchanges, and their auditors, must now follow new rules and procedures. For example, the new regulatory board will issue or adopt standards requiring auditors to have a thorough second-partner review and approval of every public company audit report. Management will be obliged to assess and make representations about the effectiveness of the internal control structure and procedures of the issuer for financial reporting. The new regulatory board will also issue standards that will oblige every audit report to attest to the assessment made by management on the company’s internal control structures, including a specific note about any significant defects or material non-compliance found on the basis of such testing.

The first of these points, second-partner review, will not cause a stir. This has been commonplace in decently run firms for a number of years. It’s the second two proposals that really go to the heart of the profound change that’s set to occur to the financial reporting process. They are contested strongly in the UK and strenuous effort is taking place to exempt companies on the grounds of the UK’s good record on corporate governance and internal controls.

Even if UK FDs win exemption, US CFOs will have to deal with the issue. The legislation that calls for the requirement on internal controls is contained in section 404 of Sarbanes-Oxley. It extends the SEC’s remit to cover aspects of internal management in a way that has never been attempted in such great detail. Finding the pragmatic solution to implement the legal requirement to report on internal control is extremely difficult. Deciding what are satisfactory internal controls is not an easy task for either directors or auditors.

The problem grows worse when they have to comply with a requirement for measurement and effectiveness. So far no organisation, academic, CFO or auditor has come up with objective benchmarks for defining, creating and assessing ‘effective’ internal controls.

It will be interesting to see how far section 404 alters the behaviour of directors, though there are fears that it will alter directors’ attitude to the disclosure of information in the reports and accounts.

Section 404 is similar to a section in the Cadbury report written a decade earlier. The crucial difference is that it took seven years for the UK to build its present, non-legalistic framework for internal reporting which is fairly well accepted in the UK. In contrast, the US is opting to do in weeks what it has taken years to achieve in the UK. But will it have the opposite result?

Even if UK companies were not directly affected it would be naive to assume that financial reporting here could remain immune from what is happening in the world’s biggest economy.

Currently there’s an implicit assumption that the purpose of financial reporting is to try to communicate something to somebody. The trend over the past decade or so has been for more meaningful accounts with clearer primary statements, greater disclosure, and more meaningful narrative.

But Sarbanes-Oxley could mark a departure from that tradition.

The fear among financial reporting and corporate governance experts is that Sarbanes-Oxley ushers in an era where that mission to explain is replaced by a legal statement, the main purpose of which will be to minimise the risk that the directors say anything that shareholders, or others, could later sue them over. What do you do when you are trying to avoid self-incrimination? You say as little as possible. In other words, 2003 could turn out to be the year when reports and accounts started turning into defensive, legalistic statements whose primary purpose is to limit as far as possible directors’ liability.

Related reading