Directors need to ask management tough questions these days. Here is one they may be asking themselves: Where was SOX?
Why did the Sarbanes-Oxley Act—passed in the aftermath of accounting scandals to restore credibility, accountability, and transparency—fail to curb the current abuses that led to this wretched financial crisis?
Certainly, the broadening of the crisis from the financial sector to the wider market can be blamed on a lack of investor confidence. But wasn’t SOX enacted to restore this confidence? Wasn’t it supposed to ensure that the proper controls were in place and the incentives to gild the lily were deflated? Then why, as Yogi Berra might say, does this feel like deja vu all over again?
Truth be told, I realized that Corporate America had reached an epic low point when an old friend, an astute investor and longtime bank director, declared shortly after the fall of the House of Lehman: “They’re all liars…I wouldn’t invest a thing.”
These harsh words go to the very heart of our responsibility as directors to shareholders and to the corporations on whose boards we choose to serve. They also underscore how completely the public statements made by company executives in the days leading up to the collapse of their once venerable companies have eroded investor confidence. Losses to shareholders and employees just from Lehman, once the fourth largest investment bank, are staggering. The list of those holding the bag includes the 158-year-old firm’s 25,000 employees (a group that as a whole owned 30 percent of the firm’s stock) and more than 400,000 shareholders. The plunge in Lehman’s shares this year wiped out $15 billion of their net worth.
No question what is needed now is a restoration of trust. But is new regulation the answer? SOX was well intended, but as we’ve just witnessed, it failed to prevent this horrific outcome.
More specifically, Section 404 of SOX was a form of risk analysis that provided, on paper at least, for an evaluation of a company’s internal controls. Section 404 also mandated that annual reports detail the scope and adequacy of internal-control structures and the procedures for financial reporting, while requiring accounting firms to assess and report on the effectiveness of those structures and procedures.
The idea was that, in addition to fraud, the internal controls mandated by 404 would expose unnecessary risk. A massive amount of money was spent to implement 404 with the good intention of creating a less risky corporation and alerting investors and boards of the potential for risk. Small businesses fought back against the high costs of SOX and 404 implementation. But big business—including companies in the most highly regulated industries such as financial services and insurance— duly went about developing bureaucratic apparatus to analyze risk.
The objective seemed, unfortunately, to design a process that passed legal muster. But an activity that is purposely designed to meet a regulatory requirement as its goal often produces problematic results, as we have now discovered. Assuring that the controls apparatus is in place and well-documented is not the same as assuring that it works well.
So, what do we do now?
The answer clearly lies in risk assessment. But how do we make it both effective and confidence-building to the investing public? It must be designed and carried out in an inspired way, not because the government requires it, but because it is the directors’ duty to shareholders. Such an approach ultimately will create a better process and, in the end, a better result.