
The Sarbanes-Oxley Act of 2002 (SOX): A redundant regulation for the banking industry

Original Article, Journal of Banking Regulation

Abstract

The aim of the paper is to show that, for banking institutions, Sarbanes-Oxley (SOX) regulation is redundant, and imposes additional unnecessary compliance costs. The banking industry in the United States is heavily regulated. Each of the regulations that banks must follow was developed in isolation by various governing bodies, causing many regulatory provisions to be redundant, overlapping or contradictory. In the wake of the Enron and WorldCom scandals, the Sarbanes-Oxley Act of 2002 was the Securities and Exchange Commission's answer to restoring investor confidence. However, the enactment of SOX was done hastily, and its effects on industries like the banking sector were largely ignored. SOX overlaps with previously enacted banking regulations such as the Federal Deposit Insurance Corporation Improvement Act, Bank Secrecy Act (BSA)/Anti-Money Laundering Directive (AML) and Basel II, among others. The redundant nature of SOX is costing banking institutions large sums of time and money. It is essential that banks strive to achieve a single compliance framework that can manage all of the regulations to which the bank is subject in order to mitigate the costs of redundancy.



Acknowledgements

We gratefully acknowledge the help of bank officials who responded to the survey questions asked via the Internet.


Corresponding author

Correspondence to Abdus Shahid.

Appendix

Survey results

The distinction between large, mid-size and small banking organisations is based on market capitalisation. For our purposes, banks with a market capitalisation greater than or equal to $700 million are deemed large, those with market capitalisations between $75 million and $700 million are considered mid-size, and those with market capitalisations less than or equal to $75 million are defined as small organisations. In addition, any banks that are non-public companies are labelled small. The characterisation of each bank will be noted next to its assigned number.

Bank 1 – Large:

A few comments to start. I think that the approach to SOX evaluation and testing started to change in 2007, with the guidance issued by the Securities and Exchange Commission (SEC) to assist management in their assessment and the PCAOB issuance of AS5 to refine guidance for independent auditors. Both of these pronouncements made it clear that management did not have to test all controls – only those that could impact significant financial statement disclosures (account balances). Before 2007, I think a lot of companies and accounting firms were auditing everything even if it was not significant, significant being defined as an amount or type of transaction that might influence an investor's decision to buy or sell (some per cent of income or complexity of transactions, for example).

In our organisation, we modified the internal audit programme to expand the amount of testing throughout the year related to controls over financial reporting. Before SOX, we had more of a focus on testing for compliance with operational policies and regulations. Our process includes a quarterly business manager review of their procedures and controls to determine that there have been no changes. Internal audit performs tests covering the entire year (we usually test twice a year – with the second test a roll forward to 31 December). The combination of management reviews and audit tests is sufficient to allow us to conclude that our controls are appropriately designed and functioning as intended.

The initial cost of SOX included the use of external consultants and more than doubling the external auditor's fee. In addition, we committed a significant number of internal resources to develop and update control narratives and design tests. I cannot put a specific dollar amount on it but it was more than we anticipated by a factor of 2 to 3 times. Before 2007 but after SOX came into effect, the continuing compliance costs were a factor in delaying business changes. The post-2007 costs will still be higher than pre-SOX costs but should become more manageable.

The way in which SOX was implemented was a major burden on industry. There was no real thought given to materiality and significance. Management and independent auditors were (or felt they were) placed in the roles of adversaries, with limited discussion. If SOX brought some sense of ‘validity’ to investors (and to some extent it did) there has been a benefit. The transparency of information is much better than it was pre-SOX – investors know more about a company.

In reality, I don’t see the rules in SOX stopping the corporate frauds it was a reaction to — an Enron could happen again.

Bank 2 – Small:

Although we are a rather small bank, we are public, and have had to comply with the Sarbanes Oxley Act for the past three years. The first year, we hired an outside company to perform the work. This was very expensive. However, they set up the narratives and test plans for all the processes, as well as performing all the testing. The second year, the bank tried to cut costs, and engaged the help of the Audit Department to perform some of the testing. While this was somewhat helpful, it was still costly. For 2007, the Bank decided to take the entire Sarbanes Oxley project in-house. (Note: There are only two of us in the Audit Department.)

In May, we sent the narratives to the process owners to review and make changes if the procedures for performing the functions had changed since the previous year. In June and July, we revised the test plans accordingly. In September, we started the testing while still performing our internal audits to complete the schedule we had set for the year. From November until February, we worked almost exclusively on Sarbanes Oxley testing. While this testing is not difficult, it is tedious. Some of the internal audit work we had performed during the year could be used to support the SOX testing; however, the testing needs to include samples from the whole year, and audit testing generally includes a much smaller sample. This necessitated going back and performing additional testing. When the testing was completed, we recapped all the exceptions noted into a deficiency spreadsheet, which was sent to management for their comments, much like we do for the Internal Audit Reports. However, we then discussed the deficiencies and responses with management, and management was responsible for rating them according to Accounting Statement 5 (AS5 – Deficiency, Significant Deficiency, and Material Weakness). I believe this is a positive step because it forces management to understand the reason for the internal control, and not just to see it as ‘red tape’. Management also seems to take it more seriously because they have to consider how the outside auditors will look at the deficiency. Management does not want to rate something as being just a deficiency when the outside auditors consider it to be more serious.

I am not fond of Sarbanes Oxley. I think it causes me to perform double work. However, SOX is not going away and so we must learn how to make it work for us. As 2007 was really my first year, I have learned a few things that should make it easier for this year. I have rearranged my internal audit schedule to perform some of the audits later in the year in order to take advantage of internal audit's 2008 testing for SOX, such as commercial and consumer loans. I have also realised that we should perform SOX testing simultaneously with the Internal Audits wherever possible. It is, and will continue to be, a work in process.

The short answer to your question is that Sarbanes Oxley is costly and time-consuming.

Bank 3 – Small:

For us, the impact has been minimal. As I am sure you are aware, Sarbanes-Oxley was instituted for publicly traded companies. Bank 3 is a privately held institution and not regulated by the SEC as a result. However, despite the minimal impact to date, the Management of the Bank does expect some regulatory creep over the next several years. What I mean by ‘regulatory creep’ is that the practices outlined in Sarbanes-Oxley will slowly start to become best practices at other agencies that do regulate us. We are a national bank and therefore regulated by the Office of the Comptroller of the Currency. We expect them at some point to start asking questions during our regular examinations as to whether we perform to some of the standards set forth in the act. Some of the standards, for example contingency planning for who will lead if current management is unable, have been part of the examination process for us for more than 20 years. In addition to that, our external auditors are starting to focus on the control processes of our bank, as opposed to the general financial statements and whether they add up.

Bank 4 – Mid-size:

The banking industry was ahead of other industries with regard to internal control compliance, as there was a similar enactment in 1991, FDICIA, that required banks to define and document their control environment. The industry is also highly regulated, and each institution is examined by its applicable regulatory agency. The charter of the bank defines the agency that oversees it: nationally chartered banks are under the governance of the OCC, while state chartered banks are under the governance of the Federal Deposit Insurance Corporation and the State Examiners. Thrifts are governed by the Office of Thrift Supervision. For Bank 4, and I believe for most banks, Sarbanes Oxley required us to take a look at the control environment in a different way. We certainly had to make changes in process and in governance procedures.

Bank 5 – Large:

General comment – As a regulated banking institution, SOX has not provided any tangible benefit to our company. While intangibles have some general benefit – better communication, standardised documentation process, better appreciation of internal controls, and so on – there has not been any significant increase in operational efficiency that would offset the cost of complying with this legislation.

Implementation cost and continuing compliance cost are significant, and are being passed on to customers who receive no benefit of this extra overhead cost.

SOX was a knee-jerk reaction to the inappropriate actions of a few companies and the incompetence of a few audit firms in policing their own independence policies and in ensuring that their audits met the most basic auditing standards.

As a result, hundreds of millions of dollars have been paid by companies to add overhead and provide a generous subsidy to public accounting firm partners without receiving any benefit in return.

Bank 6 – Large:

In recent years, Bank 6 (our international firm) has been documenting the internal control model of its most relevant business units (considering also non-bank entities), following the corporate methodology defined by the Corporate Internal Control Area in our bank. Bank 6 has been responding to the demands arising from Section 404 of the Sarbanes Oxley Act. These requirements were as follows:

  1. The determination of the management's responsibility to establish and maintain adequate internal control over financial reporting.

  2. The certification and assessment by the ‘CEO’ and ‘CFO’ on the effectiveness of the internal control structure over financial reporting.

  3. Certification by the external auditor of the evaluation carried out by the business units.

  4. The creation of a new area called Corporate Internal Control, which is responsible for all the internal control issues in our bank.

The Internal Audit in our bank conducts an evaluation of the internal control model and its findings serve as the basis for the official certification that Bank 6 provides to the SEC. Recent changes in the requirements for the certification of Bank 6's internal control model with regard to Financial Reporting have resulted in the reduction of scope, in both the number of companies to be considered and the controls to be evaluated. However, Bank 6 has opted to maintain the necessary assessment of the internal control model of all its companies worldwide, regardless of the fact that not all are formally included in the scope of SOX or fall in the category of non-bank business units. The final conclusions of the assessment are issued by the Internal Audit team, which serves as the basis for the official certification to be made by Bank 6 before the SEC. Like many other banks, Bank 6 is moving forward to maintain and guarantee an adequate internal control system that contributes to the efficiency of the operations and services we provide to our customers.

Bank 7 – Small:

Bank 7 is a non-accelerated filer, and therefore we have not felt the full effects of SOX. However, in preparing for SOX in 2007 we spent $40 000 in consulting fees, and have assigned one person full-time to the SOX project. Additionally, we have three other individuals including myself working part-time on SOX. So far, we have identified certain weaknesses, none material, that could lead to a loss or a misstatement on our published financials (we have verified that no losses or misstatements have occurred). The majority of these weaknesses have been corrected, and we are in the process of correcting the rest.

From a bottom-line viewpoint, the findings so far have not been sufficient to warrant our investment in SOX. From a management viewpoint, SOX is redundant in most areas, as we are a regulated institution and are examined by the banking regulators on a yearly basis. The regulators look at the capital, asset quality, management, earnings, liquidity, sensitivity to market risk and risk management of each institution. They review our SEC filings and our annual strategic plan. They do not miss much.

Personally, I believe that regulated industries such as community banks should be exempt from SOX. From talking to other community banks’ CFOs located in (the bank's state of business), not one is in favour of SOX.

Bank 8 – Large:

The effect of SOX on our bank has been profound. In addition to the large cost associated with compliance (over $200k in just our first year of compliance – an amount equal to 20 per cent of our net income), the staff time commitment has been tremendous. Every department of the bank has had to dedicate time to review the related documentation. This takes valuable time away from actually doing what our shareholders want us to do: make money. As you probably know, banking is one of the most heavily regulated industries in the United States. This regulation is for good reason. Without banks operating in a safe and sound manner, the liquid capital system would cease to exist. However, SOX was formed as a result of what occurred at Enron and, more specifically, WorldCom. Ironically, but not surprisingly, none of the SOX regulations would ultimately have prevented what occurred at those two tragic companies.

The costs we have incurred were a result of additional staff, third-party service providers, current staff time, IT system enhancements and reporting costs.

We are always looking for ways to use these new regulations as an opportunity to improve how we do business. While the regulations of SOX have some redundancies with the regulations that we are already required to comply with, there have been some benefits in terms of improved documentation that we have enjoyed due to our compliance. I have no doubt that the value of the improved documentation is not worth the massive investment, but nevertheless, it was not a complete loss.

Bank 9 – Small:

The Sarbanes-Oxley Act of 2002 has created needed reform. The scandals of Enron et al. were terrible, and certainly an ‘overhaul’ was needed. The creation of the PCAOB appears to have changed the age-old practice of using ‘clients’ generally accepted accounting principles’. In the old days of public accounting, if a client was significant to the firm's revenue stream, then there was a propensity to interpret the rules in their favour. Certainly, under any circumstances, an auditor is not assuring the client that it is able to detect fraud. In cases where you have a rogue CFO, they are able to manipulate information and have it go undetected.

The change has led to revisions in audit programmes and approaches that more appropriately examine the audit support to determine whether information is presented fairly and is not materially misstated.

Financial institutions tend to have a stringent approach to internal management that results in accurate information in general. This is due to extensive regulatory review and the need for external audits. I have started two de novo banks and they are reviewed by the FDIC at 6 months and 1 year. There is also a separate information technology review. Thus, the likelihood of there being a problem of misstatement is remote. Certainly possible, but remote. This is even more significant when the bank is fully registered and a ‘34 Act entity. As a ‘33 Act entity, we prepare audited financial statements, annual proxy and hold a shareholders’ meeting, but do not file any SEC reports. When the entity files SEC reports, you tend to see more qualified CFOs and more serious board oversight.

With regard to board oversight, SOX has changed the mindset of the members, especially the Audit Committees. Many boards tend to be led by management, but with the realisation that a board could be sued and held accountable there is much more interest in complying with the rules. Boards now want quality audits and regular internal audits. The current company that I am at is a non-SEC filer but has all the oversight that a filer or a large entity would. The Audit Committee is very serious about its responsibilities and is on top of every issue. It holds regular executive sessions with the external auditors and is always testing the CFO and management for their use of best practices and accuracy of information. Prevention is also high on the list.

Also, costs have increased with SOX. As a small entity, our audits cost more than they used to, as our board seeks a quality audit and is willing to pay the price that a larger and more reputable firm charges. There are some smaller firms that charge less but have suspect reputations.

Lastly, our entity is not subject to 404, but has essentially adopted it. This is positive from my point of view. Sure it creates more work, but it makes for a better internal control environment, greater accuracy and timeliness of information.


About this article

Cite this article

Garneau, V., Shahid, A. The Sarbanes-Oxley Act of 2002 (SOX): A redundant regulation for the banking industry. J Bank Regul 10, 285–299 (2009). https://doi.org/10.1057/jbr.2009.8

