I’m surprised with the blood bath in the financial markets and demise of WaMu, Lehman Brothers et al – that there has not been a cry to investigate the auditors of these companies.
Did any of the SOX-compliant firms like AIG and Lehman Brothers really comply?
I don’t think so.
What should have happened if Lehman Brothers was really SOX-compliant?
Section 409 of SOX requires real-time disclosure of problems in “financial condition or operations… in terms that are easy to understand supported by trend and qualitative information of graphic presentations as appropriate”
A year ago there were numerous publicly-available indicators of problems. The current crisis may have started following the 9/11 attack on the US – when the Fed reduced interest rates and the the home-equity bubble started building up. In other words – the current firestorm was not born overnight.
What actually happened?
SOX empowers an audit committee of the board of directors to monitor and control all company financial reporting. SOX requires that the CEO personally sign off on the financial statements. In order to be on safe ground – CEOs demanded a compliance-certificate from the external auditors and that’s how Sarbanes-Oxley became a multi-billion dollar/year franchise for the audit industry. I suppose, it’s a corporate form of a “get out of jail free” card.
Compliance created a budget line-item mentality – if there was a Sarbanes-Oxley line item – it got filled by the accounting firm. This created an effect of starving out bona-fide business threat analysis projects that are tasked with hunting down and mitigating the root cause fraud, data loss and … risky business practice.
Sarbanes-Oxley was supposed to help prevent the financial and accounting fraud that happened at Enron, Worldcom and other companies by ensuring that internal controls were sufficiently strong.
Instead – compliance made executive management at companies like Lehman Brothers, complacent, less competitive and distracted them from their primary mission – making money for the shareholders and protecting their customers from threats.