Saturday, November 3, 2007

Back To The Big Eight Again

When I was a full-time professor of accounting in the 1970s and 1980s, the industry was dominated by the "Big Eight" accounting firms. After a series of mergers and the 2002 Arthur Andersen collapse, we are now down to the "Big Four." And that's really a big danger.

Anyone who understands the implications of our legal system and who witnessed the end of Arthur Andersen knows that the "Big Four" could easily become the "Big Three" in a similar manner, but the truth is that such a shift would be much more damaging to our economy than most people might think. In fact, the dangers posed by this threat might just be serious enough to warrant a thoughtful attempt by policymakers to come up with a solution before a crisis hits.

Today, the Big Four accounting firms (namely Deloitte & Touche, Ernst & Young, KPMG and PricewaterhouseCoopers) do almost all of the public firm audits for the entire world. The reality is that the fifth largest global accounting firm is much, much smaller than the Big Four, so it is very unlikely that it could rapidly grow to their size.

Each of these four firms works with several hundred publicly traded companies, not just as auditors but in other functions as well. Current rules generally prohibit the same firm from serving multiple functions for a single client (so, for example, a company can't have a significant consulting job being done by its auditor) and the result is that many companies get a second firm for consulting, and perhaps even a third to handle tax issues.

If, for some reason, a company needs to find a new auditor, it may have only one other feasible choice at that point. This environment means that it is already difficult for our largest companies to retain an accounting firm that is not in some way connected to, or overlapping with, or auditing their biggest competitor. If the Big Four were to become the Big Three, finding independent auditors would, of course, be even more challenging.

In addition to the difficulties associated with maintaining independent accounting firms, there is a second serious risk of consolidation, which is the economic cost of the disruption. The problem is deeply connected to our whole reporting structure, which requires that publicly traded firms put out annual and quarterly reports audited by an independent firm.

If one of the Big Four were to go under, roughly one fourth of all publicly traded firms would be in a serious bind when it comes to meeting regulatory requirements. When Arthur Andersen collapsed, it took the market some time to deploy all of the professionals who were employed there to the other large firms, and, of course, that impact would only be bigger if one of the four remaining firms fell. Just the disruption alone would probably cost billions of dollars, in addition to the long-term structural problem.

The bottom line is that a Big Three scenario simply may not be viable in terms of our overall economy.

So, could it happen?

Given our legal system today, there is simply no way to make the Big Four accounting firms immune to collapse. Any firm can be sued for almost anything, and most firms simply don't have either the insurance or the capital to cover a billion-dollar judgment. The size of the lawsuit can be completely unrelated to the size of the original job, so an audit generating $10 million in fees could possibly produce a $2 billion lawsuit. Even in the case of Arthur Andersen, Enron was only a fraction of its total billing--certainly not big enough to lose the company over.

The Arthur Andersen case also demonstrated that a single felony indictment can start a devastating chain reaction. By law, if a firm is indicted, it can't audit governments or companies who have governmental clients. At the same time, many other clients will be scared off by the ensuing publicity. The result is a death spiral where the firm finds itself losing clients but not gaining any new ones. Arthur Andersen's conviction was ultimately overturned, but only after the firm had utterly collapsed.

This is a fundamentally risky business. That risk, combined with the potential economic cost of another Big Firm collapse, should give policymakers pause. If we're going to maintain the private system of audits the way it is now, then it seems the SEC needs to do something to create more viable firms. One approach would be to move toward a rational five-year plan designed to take us from four firms to eight firms. The largest firms could be motivated to divide into independent units, and new regulation could encourage this shift (for example, by limiting the overall percentage of any one industry that can be audited by a single firm). Other approaches could involve encouraging smaller firms to grow.

Ultimately, there is no one actor who benefits from this shift, except society as a whole. And that's why the SEC exists: to help protect our overall markets. Finding a way to spread risk across a larger number of big global accounting firms could avoid billions of dollars of economic disruption, and is at least worth a careful look.

Paul Danos is dean of the Tuck School of Business at Dartmouth.
http://www.forbes.com/opinions/2007/04/12/danos-accounting-bigeight-oped-cx_pd_0413danos.html

New Rules May Ease Sarbanes-Oxley Audits

New guidelines for auditors of Sarbanes-Oxley compliance could take effect later this week, lowering the cost of SOX initiatives and reducing companies' dependence on auditors to interpret SOX requirements.

The Public Company Accounting Oversight Board (PCAOB) -- a private, nonprofit entity that gives guidance to the many auditors who evaluate SOX compliance -- on Thursday is scheduled to vote on a range of new recommendations, many of which will make it easier and less expensive for companies to meet the legal regulations.

"These changes could have a very profound effect on the whole compliance effort," says Chris Davis, manager of compliance knowledge management at Cybertrust, which offers security and compliance tools and services. "It's going to take some of the pain away. It's not morphine, but it could at least be Tylenol with codeine."

"If it passes, it will allow companies and auditors to worry more about the things that matter when it comes to financial fraud," says Patrick Taylor, CEO of Oversight, which makes software for analyzing the accuracy and security of financial transactions. "Companies will be able to focus their attention on the more common paths to fraud, such as changes to the general ledger and revenue recognition, and not worry about unlikely paths, like backup."

Since its passage in 2002, SOX has been an incredible drain on corporate IT and security resources. The chief problem is that the law, which is designed to keep public companies from cooking their own books, is extremely vague in its requirements, particularly with regard to IT.

"The original provision is only one paragraph long, which left it open for a lot of interpretation," Davis says. "Most people chose to interpret it very broadly and deeply, which made it a pretty expensive proposition." The question of compliance has been left largely to SOX auditors, who have developed their own methods and rules for determining a company's conformity with the law.

And up to now, auditors have been very strict. "For example, the current guidelines require the auditor do a walk-through of every transaction path that might result in a change to financial data," says Davis. "In a large company, you can imagine how many transaction paths there are."

But the PCAOB's proposed changes to the audit standards would allow companies to perform a risk assessment of their systems and practices, and then focus their efforts on the most likely paths of financial fraud, instead of trying to close every possible loophole.

"They're saying, 'let's stop and think about this,'" says Taylor. "Most financial fraud is going to occur in a rush, right at the end of a reporting period, when the company finds out that it's going to have some problems with its numbers," he says. "Those are going to be changes that somebody makes to the general ledger, which are relatively easy to detect.

"Contrast that with, say, backup," Taylor explains. "To commit financial fraud through a backup system, you'd have to gain access to the backup data, and then you'd have to have the knowledge to alter it. Then you'd somehow have to crash the operational systems so that the backup data would be put in place. That's a lot more complex, and a lot less likely, than making simple changes in the general ledger. And the audit process should reflect that."

The PCAOB's proposed changes could do just that. The governing body is proposing to allow companies to conduct a risk assessment, which will help them identify the most likely avenues for financial fraud. Auditors might then require more stringent compliance in those areas -- such as sophisticated forensics that allow auditors to find out who made changes to the general ledger and when -- while allowing less likely fraud avenues, such as backup tampering, to come under less scrutiny.

The PCAOB also is considering some other new guidelines, such as allowing auditors to accept compliance data from trusted third parties, rather than collecting it all themselves. "That's the kind of thing that could make the difference between an audit lasting two weeks or lasting two months," Davis says.

And the PCAOB is considering adopting more detailed guidelines for how SOX audits are conducted, Davis observes. "There have been some concerns because there's no real accreditation for SOX auditors, as there are for [Payment Card Industry] standards," he says. "This would help set some common standards for what a SOX audit entails and what qualifications an auditor has to have."

The proposed guidelines also relax the requirements for smaller companies that are subject to SOX. While it doesn't lift those requirements, it acknowledges that smaller companies have simpler processes and technologies and therefore should not be put through the same rigorous audit procedures.

Experts concede that even if the proposed guidelines do pass, they will still leave a lot of interpretation to auditors, particularly with regard to the IT security requirements. "We'll get a lot more specificity on the business requirements, but not on the IT requirements," Davis predicts.

— Tim Wilson
http://www.forbes.com/technology/2007/05/22/sarbanes-oxley-audits-cx_0522darkreading.html