SOX too burdensome for small companies?

Back when COSO (Committee of Sponsoring Organizations of the Treadway Commission) was developing their recommendations to decrease fraud in financial reporting, everyone knew that fraud was a problem, but it had yet to be quantified. COSO goes so far in their 1987 report as to call financial fraud an infrequent occurrence.

In order to better understand the magnitude of the issue, COSO sponsored an 11-year study to support their beliefs with some raw data. To keep the data relevant, the team focused on only the strongest, most-clear cut cases of fraud in financial reporting. Some surprising findings came from this study. Of particular interest is the size of a company which commits financial fraud.

Relative to public registrants, companies committing financial statement fraud were relatively small. The typical size of most of the sample companies ranged well below $100 million in total assets in the year preceding the fraud period. Most companies (78 percent of the sample) were not listed on the New York or American Stock Exchanges.

It has been smaller to medium size companies who have been making the most noise about the burdens imposed by Sarbanes-Oxley compliance. However, those are the companies which are most likely to be committing fraud, and using the lack of controls as a good way to hide unethical activities.

The national stock exchanges and regulators should evaluate the tradeoffs of designing policies that might exempt small companies, given the relatively small size of the companies involved in financial statement fraud. A regulatory focus on companies with market capitalization in excess of $200 million may fail to target companies with greater risk for financial statement fraud activities.

It's concerning when you see a company that doth protest too much. It's startling to hear the CFO of Outback state that SOX compliance is so burdensome that he can't perform day-to-day operations.

If SOX compliance is taking up too much of a chief executive's time, the company cannot be running an effective SOX compliance program.

Another potential implication of that much time being required at that senior a level is not that there is a lack of controls -- those can be fixed without his involvement. The suspicion that anyone would have is that there are activities that independent professional judgment would find questionable. In this particular case, accounting guidelines underwent a recent modification, but that shouldn't be a call for crisis and departure.

If he is leaving with the idea to go to another public company, he's not going to escape SOX compliance.

Somewhat less surprising in the COSO report was the data that in 83% of the cases, the CEO and/or the CFO were directly implicated in the fraud. As would follow such direction, the companies also had weak or no audit committees, and few outside directors. Frauds were generally not limited to one reporting period, as they continued on average for two years.

One last finding in the report offers a warning to those firms who believe that they only need to do what's needed to "pass the audit." In 56 of the 195 companies in the fraud study, the auditing firm was implicated, either for participating in the fraud, or for negligence in not uncovering the fraud. The goal for SOX should be increased transparency and controls -- doing just enough to get past the auditors is no longer a high enough bar. This is explicit evidence that performing the minimum needed to satisfy the auditors is not enough to significantly reduce opportunity for fraud in our organizations.