When Guido Rossi invited me to attend this conference, he suggested that I address the role of the audit committee in U.S. public companies. This is an important topic, not only because of the responsibilities historically undertaken by the audit committee, but also because of its increased responsibilities resulting from reforms under the Sarbanes-Oxley Act of 2002. In order to provide a frame of reference for my remarks, I will start with a short overview of the Securities and Exchange Commission (SEC or Commission) and then turn to the general themes of Sarbanes-Oxley and more specifically to the role of the audit committee within the U.S. corporate governance structure. I must also include the standard disclaimer that the views I express today are my own, and do not necessarily reflect the views of the Commission or its staff.
As most of you may already know, the SEC, headquartered in Washington, D.C., is an independent federal agency. While the President appoints its five Commissioners, the SEC is not part of the executive branch. Furthermore, no more than three Commissioners can be from one political party, so we are bipartisan by design. With approximately 4000 employees, the SEC is one of the smaller U.S. federal agencies. While the agency may be small in size, no one can dispute that the SEC has a big impact on the financial markets, both domestic and international.
The Commission's primary mission is to protect investors and maintain the integrity of the securities markets. The SEC fulfills its mission in part through a disclosure regime with the simple concept that all investors, whether large institutions or individuals, are entitled to certain basic information about an investment before buying it. To this end, the SEC requires certain companies to register with us and to disclose, through their required filings, meaningful financial and other information to the public, thereby providing a common knowledge base for investors to use in making investment decisions. Likewise, the SEC oversees key participants in the securities industry, including stock exchanges, broker-dealers, investment advisers, and mutual funds. As with public companies and their filings, the laws and rules applicable to these participants largely focus on the disclosure of important information so that investors may make reasoned decisions about the agents on whom they rely.
The Commission and its staff carry out our responsibilities in a variety of ways. One is oversight. This includes selectively reviewing and commenting on required disclosures and providing guidance to registrants, prospective registrants, and industry participants to help them comply with the law.
In addition to oversight of the disclosure program, the Commission conducts compliance and enforcement activities. The Office of Compliance Inspections and Examinations examines industry participants, including securities exchanges and markets, broker-dealers, mutual funds, and investment advisers. The inspections are performed to foster compliance with the securities laws, to detect violations of the law, and to keep the Commission informed of developments in the regulated community. Inspections may result in referrals to the Division of Enforcement. The Enforcement Division investigates possible securities law violations that it learns about from a variety of sources, recommends that the Commission initiate an action where appropriate - either in federal court or before an administrative law judge - and negotiates settlements or litigates on behalf of the Commission. As I am sure you have noticed, both our inspection and enforcement activities have ratcheted up in the past few years.
The Commission also adopts rules to advance our mission. The federal securities laws are broadly drafted to establish the basic framework for the SEC's oversight of the securities markets. Recognizing that the securities markets are dynamic, these statutes authorize the Commission to engage in rulemaking to maintain fair and orderly markets and to protect investors by altering existing regulations or creating new ones. The rulemaking process typically involves a rule proposal drafted by the Commission staff and put forward by the Commission for a period of public review and comment. Thereafter, the staff may present a final rule for the full Commission's consideration, which, if adopted, becomes part of the official rules. Our rulemaking is motivated by many factors that broadly fit into four categories. First, an event or combination of events may occur that compel action. For example, the recent market timing and late trading cases involving mutual funds have resulted in a spate of rules designed to prevent or deter abusive activity. Second, market changes may necessitate new rules. Advances in technology and changes in market structure, for example, may warrant SEC rulemaking. A current example is proposed Rule NMS, which addresses issues in the securities markets. Third, congressional legislation may require the Commission to engage in rulemaking. The most obvious recent example is the Sarbanes-Oxley Act. Fourth, where there is sufficient indication that it is a good idea, the Commission may engage in rulemaking on a "forward-looking" basis, in order to anticipate and, hopefully, avoid problems. As an example, I note the Commission's pending proposal to address comprehensively the registration, disclosure, and reporting requirements for asset-backed securities.
During my almost three-year tenure at the Commission, a significant amount of my time has been devoted to the rulemaking process. Most recently, our rulemaking has focused on mutual fund issues. However, much of last year's rulemaking activity was due to the enactment of the Sarbanes-Oxley Act on July 30, 2002, which was passed in response to the corporate scandals at Enron, Worldcom, and others. Through this legislation, the U.S. Congress directed the Commission to adopt rules to, among other things, increase the accountability of chief executive and financial officers at public companies, raise professional, legal and ethical standards applicable in our financial system, and improve the quality of financial reporting. The Act also enhanced the SEC's enforcement authority, including providing the Commission with access to foreign audit work papers, authorizing the Commission in administrative proceedings to prohibit persons from serving as officers or directors, and allowing the SEC to temporarily freeze certain extraordinary payments made to alleged securities law violators. The Act also established the creation of "fair funds for investors" which allows for civil penalties to be distributed to the victims of securities law violations.
Over the past two years, the Commission, public companies, and other affected entities have all been extremely busy implementing the reforms required by Sarbanes-Oxley. It would take too much time to discuss all of the Sarbanes-Oxley provisions in detail. Instead, as requested by the program organizers, I will highlight some of the recently adopted Commission rules that directly or indirectly impact the audit committee.
Given that the home-country audit requirements for foreign issuers vary, it may be helpful to begin with a definition for the term audit committee. The U.S. securities laws define an audit committee as a committee or equivalent body established by and among the board of directors of an issuer for the purpose of overseeing the accounting and financial reporting processes of the issuer and audits of the financial statements of the issuer. If no such committee exists, then the company's entire board of directors constitutes the audit committee.
The rule most directly impacting the structure and specific duties of audit committees is new Rule 10A-3.1 This rule directs the national securities exchanges and Nasdaq to prohibit the listing of any security of a company not in compliance with five mandated requirements. These requirements significantly expand the duties and responsibilities of the company's audit committee.
These requirements apply to companies that are, or seek to be, listed on a U.S. exchange or Nasdaq. While the rule does not actually require a board to establish an audit committee, if the board does not do so, then the entire board is deemed to constitute the audit committee and all the requirements of the new rule, including the independence requirement, apply to the full board.
In January 2003 we adopted a rule pursuant to Sarbanes-Oxley that requires a public company to disclose whether it has at least one "audit committee financial expert" serving on its audit committee, and if so, the name of the expert and whether the expert is independent of management.3 A company that does not have an audit committee financial expert must disclose this fact and explain why it has no such expert. As initially proposed, and as widely reported in the press at that time, the rule would have defined a financial expert so narrowly that neither Federal Reserve Chairman Alan Greenspan nor investment luminary Warren Buffett would have qualified. Clearly, the proposed rule was too narrow, so we included a more realistic definition in the final rule.
Another rule that has an impact on the audit committee is the enhanced requirement for auditor independence. In addition to creating a new entity to oversee the auditing profession, the Public Company Accounting Oversight Board (PCAOB), Sarbanes-Oxley required that the audit committee approve services provided by the company's outside auditor and specified the non-audit services that the outside auditor is prohibited from providing to the company. Our final rule on this subject was adopted in January 2003.4 In adopting the rule, the Commission recognized the critical role played by audit committees in assuring auditor independence. This was accomplished by requiring the audit committee to pre-approve all permissible non-audit services and all audit, review or attest engagements required under the federal securities laws. As with the audit committee financial expert rule, our auditor independence final rule was more refined than the proposed rule, and recognized the practical complications and costs that the proposed rule, if adopted, would have created.
Section 404 of Sarbanes-Oxley is perhaps the one section of the statute that companies know by number - the requirement for management to assess and auditors to attest to internal controls. Our final rule implementing section 404, adopted in June 2003, provides the audit committee with oversight responsibilities of management's design and operation of a strong internal control environment.5 In connection with the final 404 rule, in June 2004 the Commission approved the PCAOB's Auditing Standard Number 2, which lays out the role of the auditors in reviewing management's internal control assessment.6 The general compliance deadline for this new rule is November 15, 2004 for accelerated filers, with an extended compliance date for others issuers, including foreign filers, of July 15, 2005.7
I could likely have based my entire talk with you today on section 404; however, one area I do want to emphasize concerns the cost of compliance. I have heard a growing chorus of complaints among issuers to the effect that implementing section 404 is significantly increasing a company's costs, especially as we approach the compliance date. A review of the findings of several surveys conducted by various industry groups of their members suggests that the average compliance burden typically has been estimated to be between $1 million and $3 million per company. While estimated compliance costs in absolute terms are significant, when they are measured against revenue, they do not appear to have a major impact on larger companies but proportionally may be more burdensome for smaller companies.
On a more positive note, I also hear that this reform is beneficial and has resulted in improvements in internal controls at some companies. Quite frankly, in my opinion, routine examination of internal controls is just good business, and should have been ongoing prior to the rule.
I recognize that the requirement for management to assess its internal control structure, with oversight by the audit committee, and the increased auditor fees for the required attestation can be viewed as burdensome. However, the key question to be answered in the coming months is whether the benefits that result from this assessment outweigh the costs. I will be very interested in reviewing the reports and listening to the concerns of companies as we proceed through this first season of implementation. One of my other key concerns going forward will be to ensure that this assessment does not become a simple "check the box" exercise with boilerplate disclosure, but rather, is used by management, audit committees and boards as a valuable tool to monitor risks to and in the organization.
What does this all mean for audit committees in the United States? Historically, a public company's board of directors delegated to an audit committee oversight responsibility of the company's financial reporting. However, with the accounting scandals at Enron, Worldcom, and other companies that led to the enactment of the Sarbanes-Oxley Act, the role of the audit committee has been significantly expanded. The audit committee now also has a role to play in ensuring that the company has robust internal and reporting controls. As a result, prospective committee members must look at the job description and ask hard questions, including whether they have the minimum requisite credentials to serve competently on an audit committee of a public company and whether they are prepared to accept the responsibility of doing so.
Beyond the strict regulatory requirements for serving on an audit committee, the import of the rules is that audit committee members need to be inquisitive - not just independent - and must put their financial literacy to good use. This is not to say that the audit committee must re-audit the company's financial statements or re-design its internal controls, but it does mean that the members must possess a healthy dose of skepticism, should ask tough questions, and should pursue issues until they are satisfied that they have received adequate information to make informed judgments, especially with respect to instances that involve real or potential conflicts of interest for management or auditors.
Consistent with the requirement that the audit committee be independent, Sarbanes-Oxley gave the committee the right to hire at company expense its own counsel or other advisers, including forensic accountants, as it sees fit to fulfill its mission. This ability to look to advisers that are independent of the company and free from involvement in transactions that may have been approved by its management or auditors is essential to having a truly independent audit committee that can vigorously pursue its role.
I have heard from a number of executives and directors who say that it is now more difficult to find candidates willing to serve on the audit committee, especially for smaller companies. If this bears out, it would be an unintended negative consequence of Sarbanes-Oxley. Undoubtedly, the audit committee expertise requirement raises the bar - but this is precisely the intended effect of the legislation.
Similarly, I have heard anecdotally that the candidate pool has decreased because qualified individuals can no longer serve on as many boards due to the increased responsibilities. Again, I think this is exactly what Sarbanes-Oxley contemplated, and I question whether, prior to this legislation, it was ever possible for an executive with a full time job also to do an effective job as the member of numerous boards or audit committees. The legislative intent is clear - to focus a board member's attention on the job and the responsibilities he or she has agreed to undertake. I would also note that the New York Stock Exchange, as part of its listing standards, now requires that if an audit committee member serves on more than three public company audit committees, and the listed company does not limit the number of audit committees on which a member may serve, then the board must specifically determine that the member's simultaneous service is not an impairment of the member's ability to serve effectively on the listed company's audit committee. The board must annually disclose any such determination.
As you know, the Sarbanes-Oxley provisions and the Commission rules that we have adopted to implement them generally do not distinguish between domestic and foreign companies that issue securities in the U.S. Moreover, the Act does not provide any specific authority to exempt foreign issuers from its reach. Nevertheless, although the Commission has stated in multiple rule releases that the Sarbanes-Oxley provisions apply to foreign issuers, the Commission is mindful that the implementation of these provisions may conflict with home-county requirements of foreign issuers. For example, Rule 10A-3, regarding audit committee composition and duties, includes several significant accommodations for foreign issuer home-country practices.
It is clear that the problems that led to the enactment of Sarbanes-Oxley are not exclusive to the United States. Corporate governance issues are just as important internationally, as evidenced by some of the recent Italian and other European scandals. We in the United States are also not the only ones crafting solutions to these problems. It is therefore incumbent upon all of us to work diligently to ensure that our solutions are appropriate and have the intended effect. The Commission therefore has and will continue to seek a balance between its responsibility to protect U.S. investors and the need to provide reasonable accommodations to foreign issuers.
So, where do we go from here? Concerns are being raised by the business community suggesting that the implementation of Sarbanes-Oxley has caused the pendulum to swing too far in the direction of over-regulation. In my opinion, it is still too early to determine whether this is true. It has been only two years since the passage of Sarbanes-Oxley, and many of the rules adopted by the SEC are only now becoming operative. I believe that the Act has had a positive effect in terms of raising corporate awareness, and reminding market participants, including audit committees, of the important role they play as gatekeepers in ensuring proper corporate conduct.
However, I also believe that the Commission has a duty to monitor the implementation of our rules and analyze their impact to see if they are accomplishing their objectives. As an economist, in analyzing new rule proposals, I look to several factors: What are we really trying to accomplish with the rule? Will the rule be effective in achieving the intended result, or is it merely cosmetic? Is the rule practical? Does the rule go too far or not far enough? Do the benefits outweigh the costs? Will the rule raise unrealistic expectations or create unintended consequences?
I believe these questions remain equally important - if not more important - after rules have been implemented. There is no doubt we have imposed serious burdens - both time and money - on company management, boards, and audit committees. I have been, and remain, very open to hearing from companies and their agents - both domestic and foreign - that are affected by our rules and actions. I believe we owe it to them and their investors to make sure those burdens are providing real benefits. If not, we should make a serious effort to revisit, review, and revise our rules so that they achieve their intended effect in the most effective and least intrusive way.