For Greater Transparency, Is Section 404 an Effective Response?

Section 404 of the Sarbanes-Oxley Act requires that managers certify the integrity of their internal controls for financial reporting. In the end, are shareholders getting their money’s worth? Are more costly amendments to come?
by James Heskett

Summing Up

Responses to this month's column raise questions about whether Section 404 of the Sarbanes-Oxley Act, requiring that senior managers certify the integrity of the processes by which their companies' financial reports are prepared, will have much impact by itself on the issue of added transparency for shareholders and other stakeholders. The primary argument is that, without high standards of personal integrity posed from within, Section 404 will be of limited value. As John Louk put it, "I personally believe that you cannot force change from the outside... Fix what is really broken. It is really about people and ethics." B. V. Krishnamurthy concurred, saying "... the Act ... is unlikely to result in any radical transformation of the system. Such a transformation has to be an internal process with managers understanding their role as trustees of public wealth and guarding it accordingly."

Others agreed, but suggested that Section 404 could serve a useful purpose. Mike Flanagan commented that "Section 404 is a good first step ... (but) ... does fall short... If ethics and professionalism do not exist on the lower levels, then Section 404 will miss an entire group of lower level functions and staff." Rich Lanza pointed out that "(Section 404) is a necessary step ... (but) more continuous controls monitoring is needed that independently analyze company databases daily for ... rogue (journal) entries." Abhishek Gupta commented, "It is important to have faith in our leaders... But it is also important to acknowledge the wisdom of the age-old adage: Have faith in God, but tie your camel first." William Redington put it more succinctly when he said "Trust yes, but verify."

Other lines of thought suggested that Section 404 may actually have far less value than its cost. In Stephen Thomas's opinion, "... the new, exaggerated internal controls can make a company ... more risk-averse... And in aggregate it creates new risk to the U.S. economy, especially in an era of global competition, because innovation is less likely to occur." Brian Donahue warns that "an assessment of internal controls by management at a point in time is not effective because the organization—and thus internal controls—have already changed to meet the demands of the market ..."

Yet others question the premise of the article. Richard Eckel opined that "A basic misconception is that Section 404 increases transparency afforded to stakeholders... What 404 does is require that corporate leadership demonstrate that the processes used to produce the required transparency are founded upon good practice rather than creative manipulation." He suggests that this should be of special value to long-term shareholders.

These responses suggest a wide variety of views, with most coming down on the side of modest returns on investment, at best, from Section 404. It is probably far too early to tell whether the Section and the Law of which it is a part will have the desired effects. This suggests the importance of tracking both the costs and benefits of the Law. There is little or no provision to do either in the Law itself. What is the prospect that these kinds of things will be measured? If so, how should the measurements be made? And for what purpose? What do you think?

Original Article

Transparency currently is one of the most frequently used terms in the corporate lexicon. In general use, it's right up there on the scale with safety. Having emerged from several years of particularly intense exposure to news of business leaders' alleged (and in some cases proven) acts to deliberately mislead investors, employees, and others, we are naturally interested in greater transparency. And it applies equally importantly to governmental, non-governmental, not-for-profit, and other organizations as well.

Transparency is defined by Don Tapscott and David Ticoll in their book, The Naked Corporation, as "accessibility of information to stakeholders of institutions, regarding matters that affect their interests." The U.S. government's response to the need for greater transparency in the wake of the scandals of the past few years is the Sarbanes-Oxley Act of 2002. Of the seventy-one sections of the Act, one probably has caused more expenditure of time and money on the part of leaders of publicly traded firms than all the rest. It is Section 404, "Management Assessment of Internal Controls." It requires, among other things, that selected managers be responsible for "establishing and maintaining an adequate internal control structure and procedures for financial reporting ..."

Perhaps even more important, it requires that managers as well as accountants certify (upon penalty of legal action against them for failure to do so) the quality of internal control structures and procedures. You can imagine how this provision has captured the attention of CEOs across the country. In response to this one section, managers of publicly traded companies are spending up to 5 percent (and in some cases more) of this year's operating income (and perhaps next year's as well) to assure an internal control structure whose integrity they can endorse in writing.

But one has to ask whether this is an effective response. After all, haven't investors (and employees who own stock) placed their faith in leaders of their organizations in the past? And isn't this what they are asked to do under Section 404, which says little about the nature of information provided to the public as a result of establishing certifiable internal control structures and procedures? In the final analysis, doesn't our faith in organizations still depend on trust placed in the leadership of the businesses in which we invest and for which we work? And doesn't that in large part depend on the amount and kind of information our leaders choose to share with us, regardless of Section 404 and other provisions of the Sarbanes-Oxley Act? In short, are shareholders getting their money's worth from Section 404?

Transparency is the result of a multi-stage process. Will the most costly section of the Sarbanes-Oxley Act address more than an early (but admittedly necessary) stage of the process? If so, will there be even more costly amendments to the Act to come? What do you think?

    • Abhishek Gupta
    • Systems Architect/Engineer, American Financial Group

    Failure to be transparent on the part of managers is a symptom and not the disease itself. Measures such as Sarbanes-Oxley Act, Section 404 are geared towards making the symptoms disappear using the threat of great punitive measures while failing to address the root cause.

    To gain an insight into the actual disease, the right question to ask is not how to keep managers from being "opaque" but instead to contemplate what benefits/incentives managers realize in choosing not to be transparent. What elicits such a behavioral response?

    The decision to be non-transparent is an acknowledgement of a conflict of interests between those who run the show and those whose interests are being represented (misrepresented?) the famous agency problem issue.

    Addressing agency issues by defining suitable decision, evaluation, and reward systems may be an answer to eliminating the managers' need to refrain from being transparent. It does not eliminate the need to address or be watchful for symptoms, but it is important to acknowledge that symptoms are an indication of a deeper illness and like any good treatment, while it is important to be watchful for symptoms and treat them as well, it is equally or even more important to know and address the fundamental cause of illness.

    It is important to have faith in our leaders. It is even more important for our leaders to make sure that the faith does not go unrequited. But it is also important to acknowledge the wisdom of the age-old adage: Have faith in God, but tie your camel first.

    • Dr. B. V. Krishnamurthy
    • Director and Executive Vice President, Alliance Business Academy, Bangalore, India

    The modern corporation provides an opportunity for ordinary people to participate in the process of creating wealth. Since thousands, perhaps millions, of shareholders cannot manage a corporation, they entrust this task to a board of directors, a CEO, and managers at different levels. The relationship between the owners (shareholders) and the agents (managers) is essentially based on trust. So long as managers are conscious of their role, and thereby create value and wealth, a virtuous cycle would result in which investments and wealth creation would occur in tandem. Whenever the trust is abused, the system collapses.

    Section 404, or any other law for that matter, is meant to be a deterrent. Let us consider a situation in which managers do not disclose enough, or disclose with [bad] intentions. Assuming the law does succeed in identifying the law-breakers and brings them to justice, what would be the time involved? In any event, how would the helpless shareholders get any relief? Beyond providing sensational copy to the media, how does the entire process benefit society at large? What if investor confidence ebbs and the concept of the corporation itself becomes a question mark?

    In other words, the Act, like many others before it and many more to follow, is a classic example of a reaction to an event or set of events. It is unlikely to result in any radical transformation of the system. Such a transformation has to be an internal process with managers understanding their role as trustees of public wealth and guarding it accordingly.

    • Ali Hassan, PMP
    • COO, ITT Consulting, Inc.

    Reading this article and the comments from different people I tend to believe that we are addressing only pieces of this but not the complete picture.

    The reason behind SOX Section 404 is to restore investor confidence, not corporation's confidence. Under SOX Section 404, companies are responsible for announcing their current state of internal controls and share information where they lack controls with the public so that anybody considering an investment in that company has the same level of information about the organization's internal controls as the senior management.

    A cost benefit justification model does not apply here because if the company has already built enough internal controls it becomes an easy exercise of going through the checklist.

    I definitely agree with John Louk that the companies will find ways around this and we need to address the root cause, which is our corporate culture.

    In absence of such corporate culture should we leave things the way they are and let more Enrons play with investor's money or should we implement both top down (SOX Act) and bottom up (cultural shift) approaches at the same time? I say that we should focus on both without discounting the value of one or the other.

    FYI, I have worked on SOX projects for a leading bank.

    • John Louk

    I do not see Sarbanes-Oxley Act, Section 404 or SOX on the whole providing any improvements in either transparency or control. If we look at history, we have seen time and again laws passed that are supposed to address these same or similar kinds of control ideas. And time and again people have found ways to circumvent these acts by finding new and creative methods for doing things. I see this as more of the same business ethics that we have proven ourselves capable of. It is like the comment that many of us hear from time to time: It is not breaking the law if you are not caught.

    I submit that there are a number of issues here. One issue is that many acts and laws that we pass are not thought through enough to be comprehensive enough nor simple enough to enforce. The second issue is simply human nature (selfishness, greed, and ethics). Another item that we will find making it hard for 404 to work is that most companies have built some level of secrecy into their corporate culture. Finally, there is the global situation. Not every country has the same regulations nor do they have the same outlook on business.

    The Sarbanes-Oxley Act is a step. However, this step will cause companies to spend a good deal of money, time, and resources to comply with it. And I am not sure that the gains will justify the resources spent nor provide any benefit.

    I personally believe that you cannot force change from the outside. People (and businesses) resist change. Until we shift this attitude and change human behavior and evolve to true corporate transparency, we cannot bring any abuse or corruption to a close. Fix what is really broken. It is really about people and ethics.

    • Mike Flanagan, C.P.M.
    • Corporate Equipment Purchasing Manager, Retail Grocery Chain

    Section 404 is a good first step. The reporting of events or transactions that can materially effect the bottom line should be exposed to upper management first, and then to stockholders or stakeholders so as to enhance the decision-making process (investment or strategic).

    Section 404 does fall short. In large corporate structures, the lower levels of staffing can commit companies to financial commitments, which could have an adverse effect on the bottom line. Given their location in the hierarchy, their activities are under the radar screen and go unnoticed and unrecorded.

    If ethics and professionalism do not exist on the lower levels, then Section 404 will miss an entire group of lower level functions and staff. This level is where daily decisions and commitments are made to fulfill upper management's goals and objectives, but are done on the premise of saving their jobs and cementing their security with the company.

    • Richard A. Eckel
    • President, Systems Synergy, Inc.

    A basic misconception is that Section 404 increases transparency afforded to stakeholders. Using The Naked Corporation definition, no direct disclosure or information is required over previous SEC regulations. While the title of the piece may suggest that 404 is such a response, little could be further from the truth. What 404 does is require that corporate leadership demonstrate that the processes used to produce the required transparency are founded upon good practice rather than creative manipulation.

    One way that smaller or growing corporations reduce their expenses is by undercapitalizing the governance infrastructure that defines how the business is operated internally. Rather than developing processes that implement governance and reporting systems, smaller corporations tend to concentrate control in individuals, and growing corporations distain formal definition as too constraining in a rapidly changing competitive environment. Costs of implementing corporate control are reduced by dependence on people over formal process, and that cost reduction adds to the profit side of the ledger; a primary motivation. These corporate behaviors generate a reliance on faith in leadership; a reliance that stakeholders had good cause to question.

    While it has been possible for corporations to become efficient through individual recognizance, there is a loss of corporate value in that the reliability and repeatability of governance becomes dependent on people instead of process. In terms of corporate governance, people are an expense and processes are investments. Therein lies the benefit and cost justification for many corporations: Governance infrastructure is an asset.

    What Section 404 does is force companies to invest in their infrastructure where there has been little tactical economic benefit to be gained and only risk to be reduced. Many companies have to invest heavily to meet the deadlines for appropriate controls because those controls have been starved in the pursuit of profits. Good leadership heritage will be demonstrated by minimal additional expense to fulfill Section 404.

    Poor leadership heritage will be demonstrated by excessive expenditure for compliance. The real value of a CEO and management team, in place for the twelve to forty-eight months prior to SOX compliance, can be gauged well by the amount of money spent on remediation. Less is more in this case.

    SOX audit assertions provide an important indicator to shareholders that the internal governance chain is in good health. For a short term shareholder, speculating on market perceptions, SOX reduces the volatility and profit opportunity. For a long-term shareholder holding for growth and income, SOX enhances or validates the underlying strength of the company governance processes. For many investors, the opportunity for speculative returns has been a very bloody two-edged sword. Smart money will be on companies to whom Section 404 was nothing more than a bump in the road rather than a chasm to be bridged.

    • Stephen Thomas
    • Vice President, Pricing, Federal Home Loan Bank of Chicago

    I believe that internal controls, especially the new, exaggerated internal controls, can make a company more aware of its internal risks but also more risk averse. These two effects are not always offsetting. The creation of more risk averse-corporations creates new risks for the company versus its competitors. And in aggregate it creates new risk to the U.S. economy, especially in an era of global competition, because innovation is less likely to occur.

    • Brian Donahue, MBA, CIA, CFE
    • Senior Associate, PricewaterhouseCoopers

    I have been working with 404 for the last year with high tech clients in Silicon Valley. I believe Section 404 will be ineffective in meeting its objective of bringing greater transparency to corporate stakeholders. Business is not static and people/positions change constantly. Therefore, an assessment of internal controls by management at a point in time is not effective because the organization—and thus internal controls—have already changed to meet the demands of the market rather than remain static for the purposes of regulatory compliance.

    • Rich Lanza, CPA, CFE
    • Internal Audit Manager, Fortune 200 retailer

    As someone who is helping his company complete the documentation, what I find most intriguing about Section 404 is that for all the money spent and all the tests performed, it may be more form over function. Let's keep in mind the act was established to ensure the eradication of fraudulent financial reporting.

    However, one rogue journal entry could lead to a company exposure. And as most people know, with a little collusion in the posting of that entry (and subsequent entries to cover the tracks), there is nothing Section 404 will do to stop this occurrence.

    I do believe it is a necessary step, but also feel that more continuous controls monitoring is needed that independently analyze company databases daily for those rogue entries. I also believe company employees should be proactively surveyed weekly, based on a sample of the company. Such continuous analysis provides an easy forum for someone to post their concerns, and deters others from committing the fraudulent act, knowing such a forum exists.

    • William C. Redington
    • Chief Underwriting Officer, American Reinsurance

    Yes, I believe that we must have faith in the directors and officers of public companies. However, the value of Section 404 of SOX is that it adds an additional level of internal control and monitoring on the financial and operational activities of businesses subject to the act. The cost of Section 404 is admittedly high, but the potential benefits will far outweigh those expenses. In the wake of the damages to investors, employee pension plans, and the general economy, it is a small expense to pay. Trust yes, but verify.

    • Michael Rich
    • Senior Manager, Business Reporting & Communications, KPMG

    404 documentation, testing, and certification of the ICFR is as you say a "necessary stage of the process" to restore trust, but key shareholders are unlikely to receive (as a return on that investment) any significant improvements in reporting clarity.

    Such clarity impacts their understanding of an organization's business strategy, performance (financial and non-financial), and insights into the performance outlook. It's these things that help them make precise and timely decisions about the organization in terms of access to capital at an equitable cost, licenses to operate in particular markets, and corporate reputations.

    Often transparency and clarity are terms used synonymously, which is misleading. The 404 process will help transparency but will only aid clarity if used as a catalyst for a wider examination of the effectiveness of financial reporting to underpin efficient capital markets.

    There is much current debate on reporting reform by the likes of the AICPA and others. While you would like to think that the search for market efficiency should happen without a regulatory driver, it would seem that this is not the case. As such, businesses should be positioning their investment in 404 as an early stage of a broader strategy that will dramatically improve the clarity and effectiveness of all business reporting and communications. In this context, shareholders will understand the part played by (and the money spent on) 404. But in an increasingly competitive environment, and with rapidly evolving economies and capital markets, organizations cannot afford to wait for further regulation to drive change.

    • Hariharan
    • Controller, Perstorp Aegis Chemicals

    Transparency is an age-old element that needs to be put into practice in all associations, whether they are family relationships, friendships, or business organizations. This is the moral fiber on which trust builds, and to sustain mutual confidence it should be continuous.

    More than imposing transparency through statutes, the need of the hour is to infuse it in corporate culture to unseat the deep-rooted practice of artificial behavior.

    • Homiyar Wykes

    I don't believe Section 404 will improve transparency. It is legalizing what auditors should always be doing: detailed testing of internal control. In the pursuit of the last dollar, audits in the 1990s reduced examination of internal controls and relied more on other "low-cost" procedures.

    404 will compel management and auditors to focus on internal controls, which can only be a good thing. In the end, though, there is no system to prevent greed from getting the better of corporate leaders. And ethics cannot be taught: You have to have them!

    • Bong Batingana
    • Manager

    The act just formalizes and establishes structures directed towards determination of responsibility. To my mind, the best response to this lack of financial transparency would be leadership reorientation and emphasis on the basic values of integrity, humility, and sense of responsibility. No matter how strong the internal controls and reputable members of the board are, if business leaders and management teams are not grounded on those basic values, overriding will always happen.

    • Freddie McMahon
    • CEO & Co-Founder, Decisionality Ltd.

    Transparency is a far bigger argument than is being advocated. The issue has more to do with the gap between governance and interactions. Interactions involve lots of small decisions deep within the organization, involving customers, employees, and the widest definition of "partners." Often when a public or private organization is faced with a governance exposure, the remedial action is to improve procedures. Though procedures and the usage of these procedures have been around for a long time there is a surprising lack of understanding in terms of their relationship to transparency.

    Today complexity, velocity, and volatility are collectively driving more and more transparency fissures. Yet to cope with this fractal state means knowing how to handle situations at the cellular level within an organization: This means having real-time transparency of interactions and procedural decisioning. While the hierarchical constraints of "command and control" remain, transparency fractures will continue at an increasing regularity.

    The move towards a network-centric organization based on empowerment and control will provide the means to handle transparency. The issue rests with academia, executives, and consultancies that developed their capabilities in a steady state and not a fractal state. Now the focus needs to be at the microeconomic level for productivity and performance.

    We have created several generations of senior decision-makers and influencers in many of the service sectors who do not have hands-on experience of working practices. It will take further, spectacular transparency exposures before many will see the need to focus on deep change so that organizations become highly responsive to uncertainty.