The Folly of Sarbanes-Oxley

Saturday, April 30, 2005

Rumblings of despair about something known as Sarbox might lead one to believe a new disease threatens us from foreign shores. Instead, Sarbox—short for the Sarbanes-Oxley Act of 2002—is a set of regulations intended to prevent the next Enron or WorldCom by improving corporate governance. It is now entering its first year of enforcement, and by many accounts it is the worst affliction visited on public companies in the last 70 years.

Why? Because the act empowers the federal government in unprecedented ways, dictating areas of corporate governance previously left to states. Complying with Sarbox will levy $35 billion of additional costs on corporate America this year—20 times more than the SEC originally estimated. Washington bureaucrats can now impose a one-size-fits-all approach to the structure of corporate boards, determine their duties and those of their officers, and set the standards and processes for internal controls. In so doing, Sarbox defies common sense and the American tradition of competing to promote innovation and best business practices. The new regulatory regime is demeaning in its treatment of people, sapping the confidence of managers to take risks and undertake new business initiatives and demoralizing workers with time-consuming, meaningless tasks.

How did this happen? In the early summer of 2002 the Sarbanes-Oxley bill was seen as emergency legislation to correct accounting fraud and executive self-dealing and to stabilize the stock market, which was then in its third year of free fall—a $4 trillion loss—the depths of which had not been seen since the years of the Great Depression. Graphic media coverage of outlandish executive excess, the collapse of audit king Arthur Andersen, and the bankruptcies of Enron and WorldCom—two companies once ranked among the 10 largest companies in the S&P 500—were unprecedented and created an environment wherein Congress felt it had to “do something.”

With a media feeding frenzy and elections looming, no member of Congress could oppose a bill that promised to restore corporate accountability and Wall Street confidence. So, on July 25, 2002, the Senate passed the bill 99–0. Unfortunately, laws passed under duress with insufficient debate often have unintended consequences. As we are now learning, Sarbox reaffirms the old saw that “legislation that passes unanimously generally proves to be bad legislation.”

Sarbanes-Oxley does introduce some beneficial reforms, such as establishing an oversight board for public accounting, increasing penalties for fraud, providing more protections for whistle-blowers, requiring more transparency of insider stock sales and material events, and reducing potential conflicts of interest in corporate governance. But much of this good is outweighed by the unexpected negative consequences of Sarbox’s Section 404, which regulates internal company controls. In evaluating any new complex regulatory regime, it is appropriate to ask, “who wins and who loses?” It is no secret that Sarbox greatly benefits lawyers and auditors.

Wait a minute. Weren’t they the ones that got us into this mess, by failing in fundamental due diligence regarding Enron’s capital structure and WorldCom’s financial statements? It may be good that Sarbanes-Oxley requires corporate board audit committees to be entirely independent and also requires CEOs and CFOs to sign off on the company’s financials. What is troubling is that the external public auditing firms that previously let the public down now have more power than ever, effectively regulating the information technology operations of public companies. The time-consuming audit procedures of Sarbox’s 404 have become a windfall, with auditors’ fees being increased 100 percent or more in two years. And for what?

High-level fraud is still likely to go undetected because regulators are looking in the wrong places. The voluminous documentation, testing, and certification of Section 404 audits focus attention on the minutiae of micro-operational details of corporations. Sarbox’s 404 procedures will not catch the kind of financial deception orchestrated at the top, such as capitalizing instead of expensing the billions that took WorldCom down. The bottom line is that, since the act passed, public auditors’ revenues have doubled, but their role as a second line of defense against executive malfeasance and corporate crime is no better today than before.

Let’s make sure we’ve got this straight. Sarbox has rewarded auditors’ previous failures with a full employment act for fussy inspectors and a bonanza of new revenues and done little to stop the next megacorporate crime—all paid for by shareholders. Little wonder the stock market is in a funk. Sarbanes-Oxley has facilitated the largest transfer of corporate wealth from the producing class to the consuming class since the alleged Y2K computer glitch contributed to the tech bubble that burst while lining the pockets of computer and software consultants.

The impact of Sarbanes-Oxley extends beyond public companies. Mischief has now been spread to the bond market, where the newly empowered auditors and regulators have ignored two decades of commonsense practice and forced public companies to reclassify the accounting of auction-rate bond securities for no good purpose. The changes will have no material effect on the earnings of corporations or the liquidity of the auction-rate bonds in which they invest. But the forced reclassification precipitated unnecessary uncertainty and massive amounts of selling, causing temporary instability in the $250 billion auction-rate note market, previously considered by many to be one of the best and most convenient cash management venues on Wall Street. The result? Corporate treasurers are running scared for no good reason, and their companies’ investment income has been reduced.

Although Sarbanes-Oxley has prompted some companies to adopt new internal control systems, many more have delayed system upgrades, fearing that the inevitable disruptions would precipitate a Sarbox compliance nightmare. The fact is that, with or without systems upgrades, corporations now face huge costs every year to document and certify internal controls to satisfy Sarbox’s 404. Privately, many CEOs and CFOs acknowledge the massive waste and misdirection of resources; some remain silent, however, because 404 provides them a measure of protection against liability should a system or human error require a material restatement. One S&P 500 corporate executive taking early retirement acknowledged that 404 has less to do with controls such as ERP (enterprise resource planning), ORM (operational risk management), or BPM (business performance management) and everything to do with CYA (cover your ass).

Sarbox illustrates the madness of overregulation and the folly of Congress trying to legislate risk- and error-free business operations. Were these one-time costs, and did they not interfere with management’s flexibility and ability to run the business, they might be tolerable. “But with Sarbox nobody has any bandwidth to think about innovative ideas or new models,” says a manager at Cingular, the nation’s largest cellular service provider.

In practice, new initiatives have gone right out the door at many companies. Project after project has been postponed or canceled in order to focus on ensuring Sarbox compliance. William Zollars, CEO of Yellow Roadway, the largest trucker in the United States, says that “it requires an army of people to do the paperwork.” In addition to diverting some 200 employees to work on Sarbox in the fourth quarter of 2004, Zollars spent $9 million—more than 3 percent of his firm’s annual profit—on outside accountants and auditors. But Yellow Roadway may be getting off cheaply, as Business Week puts the average large-company compliance price tag at upward of $35 million. Scott McNealy, CEO of Sun Microsystems, says that the billions spent nationally on Sarbanes-Oxley compliance weighs on the stock market and is like “throwing buckets of sand in the gears of a market economy.”

It gets worse. The greatest impact of Sarbox is on small public companies and venture capital start-ups, which generate more than 70 percent of new jobs in the United States. As is the case with most regulation, compliance is more regressive with smaller companies because costs are spread over fewer heads and less revenue. As a result, not only are many start-ups hesitant to go ahead with IPOs, but approximately one-fifth of existing small public companies in the United States have considered going private because of the costs of Sarbox. Thomson Venture Economics and the National Venture Capital Association point to Sarbanes-Oxley as the chief source of blame, reporting that it “has appreciably dampened the IPO market beyond the weakness engendered by the dot-com bust.”

Apprehension following 9/11 and the dot-com collapse have no doubt contributed to the slow pace of economic recovery and the subpar growth in new jobs in the past few years. But the cause more frequently mentioned in the halls of many public companies is Sarbox and its layers of costly regulations and the defensive, inward-looking mind-set it has engendered. Jupitermedia CEO Alan Meckler describes the plight of the small company: “The SOX rules and regulations are strangling public companies in a web of arcane, obtuse and absolutely ridiculous regulations . . . the chief beneficiaries of which are auditing firms and out of work accountants.” The fact that business initiatives take much longer to get approved and implemented is due to Sarbox process and documentation requirements. Many companies are not able to get new products to market as quickly and cheaply as they did several years ago. And if a public company is competing with a private or foreign company, the latter may now have a significant advantage.

The most obvious sign that Sarbanes-Oxley goes too far is capital flight. For the first time in the history of the U.S. capital markets, many companies are voting with their feet and taking active steps to de-list to the pink sheets or to go private. The exodus also involves foreign-domiciled companies who must comply with Sarbanes-Oxley because of being listed on one of the U.S. stock exchanges.

So what can be done? The SEC may be able to exercise its prerogative and use its exemptive power to render optional the excessive provisions of Section 404. But a better solution is for Congress to act, for which there is precedent. The Securities Act of 1933, which passed in an environment much like that of Sarbanes-Oxley (after a market crash to correct excesses that had led to conflicts of interest, accounting irregularities, misrepresentation, and fraud), was found wanting. When the deficiencies became apparent, Congress went back and passed the Securities and Exchange Act of 1934, which has provided the main bulwark of securities regulation ever since. Now, with capital flight and the harm to innovation and productivity that are the direct result of Sarbanes-Oxley becoming so apparent, a midcourse correction is urgently needed.

Congress can correct its overreach by simply making Section 404 mandates on internal controls voluntary and still claim victory in being tough on corporate crime, improving corporate governance, and boosting investor confidence. Firms can determine the appropriate level of controls by management discretion or by shareholder vote, with full disclosure to the SEC and in annual reports. Such a scaled-back Sarbanes-Oxley II would let shareholders and managers have more say than the government in deciding how corporate resources are best spent. A solution along these lines would help keep the United States competitive in world markets, restore balance at home, and reaffirm the primacy of free market initiatives and innovation.

Heck, it might even be fun to go to work again.