It’s amazing to think that the Sarbanes-Oxley Act (SOX) has been in place for nearly 20 years. That means there’s a whole generation of audit professionals who were studying to be future CPAs when SOX became law in 2002 and have benefited from working under the framework throughout their entire careers.
I can remember when SOX was enacted and what a watershed moment it was for the profession. I vividly recall the enormous amount of work and resources devoted to businesses’ compliance efforts and the level of our commitment, both as a firm and as a profession, to comply with these new standards.
Known formerly as the “Public Company Accounting Reform and Investor Protection Act,” SOX reshaped corporate oversight, governance and audit oversight in the United States. Following what one scholar called a “tsunami of corruption” that “threatened to sweep up the good with the bad in its destructive path,” ¹ this landmark legislation established independent oversight of public company audits through the creation of the Public Company Accounting Oversight Board (PCAOB), strengthened corporate governance and enhanced transparency and accountability with the ultimate goal of protecting investors.
Conceived in the aftermath of several significant corporate accounting failures and fraud scandals, SOX aimed to strengthen investor confidence and build trust in the capital markets. Nearly two decades after its passage, SOX is recognized around the globe for its effectiveness in promoting trusted financial reporting and high levels of audit quality.
Following the enactment of SOX, the public company auditing profession transitioned to a new independent regulator and stepped up its engagement with investors, boards of directors, educators, academics, policymakers and others who had an interest in high-quality auditing. In the ensuing two decades, these efforts have yielded demonstrable gains in audit quality, investor confidence and the reliability of financial reporting, made possible by the constant commitment and significant organizational investment by all members of the financial reporting ecosystem.
The results are clearly shown in the Center for Audit Quality’s most recent “Main Street Investor Survey,” which measures retail investor confidence in US capital markets, global capital markets, public companies and audited financial information.² The survey found that from 2011 to 2019:
- Confidence in independent auditors who audit public companies rose from 67% to 83%.
- Confidence in independent audit committees of publicly traded companies rose from 63% to 81%.
- Confidence in government regulators and oversight rose from 39% to 63%.
- Investors named independent auditors as the most effective entity in their investor protection roles, with 83% of investors expressing confidence.
The work can never be considered “done”
And while it’s important to note the progress we’ve made, there’s always more work to do, particularly as organizations and markets become increasingly complex and technology continuously evolves how we conduct audits. There’s no room to rely on past success as we seek new and innovative ways to enhance and advance audit quality and deter and detect fraud.
Today, trust in financial reporting has never been more important, given the heightened risks of fraud arising from the disruptive and uncertain COVID-19 environment, and it will continue to be critical as the world works to stabilize and recover from the economic fallout of the pandemic.
Keith Higgins, former head of the Securities and Exchange Commission (SEC) Division of Corporation Finance, recently noted that the strongest approach to deterring and detecting fraud involves collective action from multiple financial stakeholders, which underscores the important roles played by company management, audit committees, external audit firms and regulators.³
- Company management teams are responsible for establishing and assessing systems of internal controls over financial reporting, instilling the appropriate culture throughout the company and creating incentives and mechanisms to identify fraud and deterrents to committing fraud. They must also create and sustain a culture where whistle-blowers can report concerns about potentially fraudulent behavior without fear of exposure or punishment.
- Audit committees provide oversight of the audit process and are responsible for understanding the relevant accounting issues, communicating regularly with the external auditors and assessing their performance. Audit committees should know the company’s tolerance for identified fraud risks, help align antifraud procedures with the business strategy and understand the latest fraud trends and leading practices around compliance oversight. It’s the role of the audit committee to confirm that management has the necessary antifraud controls and that the external auditor has fully executed its responsibilities.
- Independent auditors have the responsibility of planning for and performing the audit to obtain reasonable assurance that financial statements are free of material misstatement, whether caused by error or fraud. Increasingly, auditors are using technology to identify unusual transactions and patterns of transactions that might indicate a material fraud.
- Regulators are responsible for standard setting, monitoring and enforcement. In the US, the PCAOB sets public company auditing standards, the Financial Accounting Standards Board sets accounting standards and the SEC sets reporting rules for public companies.
Teamwork strengthens the focus on fraud
The evolving external environment, with its global connectivity, rapidly changing technology, increasingly complex business models and the sophistication of organized criminal networks, requires a reexamination of how traditional audit procedures approach the risk of fraud.
There are clear actions that we as auditors are already taking to evolve the audit to detect fraud. However, if we are to truly tackle the issue of corporate fraud, actors throughout the abovementioned lines of defense must work together. Collaboration is key to improving the prevention and detection of fraud and, ultimately, protecting potential victims of fraudsters.
Whether as directors, management teams or independent auditors, we have a responsibility to drive ongoing improvements in financial reporting.
The power of audit technology
Now more than ever, vigilance, skepticism and attention to the risk of fraud are essential to executing quality audits and maintaining trust in the capital markets. Fortunately, advancements in technology enable audit professionals to sharpen their focus on risk and enhance their ability to detect and deter fraud. Almost 100% of the US public company audits that we perform now employ data analytics, including procedures to respond to identified fraud risks. The data-driven audit – one that relies more heavily on the analysis of full populations of clients’ data than statistical sampling – allows audit teams to:
- Deepen their understanding of the companies they audit and their financial reporting processes
- Enhance risk assessments
- Identify anomalies more effectively than using a traditional sampling approach
- Understand the nature and source of journal entries in the context of financial statement accounts
- Devote more time focused on the risks that matter most throughout the year
One of the benefits of a data-driven audit is that it enhances the identification of and response to fraud risks. For example, by using the EY Helix suite of data analytics, our auditors are better able to challenge assumptions, present new perspectives and provide management teams with unique insights to help them make vital business decisions. Teams can ask better questions and corroborate the results of management inquiries. They can deliver a more dynamic audit approach. With a data-first audit, companies not only have greater confidence in the audit, they are better able to respond to findings and make a course correction, rather than waiting until year-end.
Audit technology is continually evolving with a focus on improving audit quality. The EY global organization is investing in the next wave of digital audit technology, including predictive analytics, blockchain, robotic process automation and artificial intelligence. Emerging technologies allow auditors to analyze transactions in even more powerful ways.
For example, artificial intelligence can be used to extract key information from large numbers of text heavy, unstructured contracts to facilitate analysis. And there is also the additional benefit of freeing auditors from certain more repetitive tasks related to auditing and giving them more time for critical thinking.
Bringing stakeholders together
Since its founding a decade ago, the Anti-Fraud Collaboration (AFC), which includes the Center for Audit Quality, Financial Executives International, the Institute of Internal Auditors and the National Association of Corporate Directors, has brought together stakeholders from across the financial reporting ecosystem to enhance the effectiveness of financial fraud risk management.
The AFC report “Mitigating the Risk of Common Fraud Schemes: Insights from SEC Enforcement Actions,” published in January 2021, analyzed financial statement frauds over a period of five and a half years and found that the most common types included improper revenue recognition, manipulation of reserves, inventory misstatement and impairment issues. The report also identified the most common issues that can make a business environment or culture more conducive to fraud, such as a poor tone at the top, a high-pressure working environment, business challenges, and a lack of sufficiently experienced or trained personnel.
In fact, the AFC report suggests that the most common fraud schemes and high-risk areas are not particularly novel. But it warns that the types of business challenges that the SEC has identified –increased supplier costs, slowing demand for products and pressure to meet analysts’ expectations – have been exacerbated since the onset of the COVID-19 pandemic.
Globally, the International Audit and Assurance Standards Board (IAASB) is looking at ways to combat fraud. In September 2020, it launched a consultation on fraud and going concern in the audit, asking stakeholders for their perspectives on whether the auditing standards related to fraud and going concern need to be updated to reflect the rapidly evolving external reporting landscape and, if so, in what areas.
In response to the IAASB consultation, some organizations, including the Institute of Chartered Accountants in England and Wales (ICAEW), have acknowledged the role of SOX in detecting and preventing fraud and the need for better cooperation and collaboration among companies, investors, auditors, audit regulators and standard setters. In particular, the ICAEW has noted that meaningful change will happen only when SOX-style reporting by companies and auditors on internal controls over financial reporting becomes more widespread.⁴
Many other jurisdictions also are considering the benefits and lessons learned from SOX to inform their policy discussion and decision-making.
Nearly 20 years after SOX became law, it stands as a bold example of how to deter corporate fraud, increase transparency and ensure the completeness and accuracy of financial reporting.
And, while SOX provides the framework, as audit professionals, it’s the work we do every day that provides trust in financial reporting and helps prevent another crisis of confidence like the one that led to this game-changing legislation nearly two decades ago.