The SEC Threatens to Go Soft on Internal Controls
A proposal to exempt certain companies from a full audit would encourage fraud and hurt investors.
By Arthur Levitt Aug. 18, 2019 4:04 pm ET
Sometimes the best argument for an idea is also the most damning.
In May, as the Securities and Exchange Commission weighed a proposal to exempt more small companies from certain audit requirements, Republican SEC Commissioner Hester Peirce, who favors the exemption, tweeted: “If an investor in a small biotech company had the option of having her money go to an audit of internal controls or the hiring of another scientist, what would she choose?”
Ms. Peirce presents the exemption as a simplistic choice between productive and burdensome costs. But her example unintentionally shines light on the actual problem the SEC faces: Left alone, many companies will shift resources away from the thorough accounting practices that protect investors.
The real choice at stake with the exemption policy is whether investors would prefer management to have total leeway over company dollars, or whether they’d feel better knowing a small portion of the company’s revenue (about 50 cents per $1,000) was dedicated to a thorough audit of internal controls. Unlike audits of financial statements, internal-controls audits involve a close review of a company’s processes to assure it produces reliable financial information, achieves efficient operations, and complies with internal policies.
There’s no doubt that hiring an auditor exacts a cost on a company and its investors. Proponents of the SEC proposal say each affected company would save about $210,000. It’s true that some companies don’t have enough revenue to sustain that cost easily, but in any case they are attracting large sums of investor dollars. If they want to raise money in public markets, they need to observe the same laws as everyone else. After all, the costs of undetected fraud and malfeasance are often far greater.
This is not a theoretical point. An analysis last month by professors at Stanford, Wharton and other major business schools found that more than 100 companies eligible for relief from audit requirements had already had to restate their earnings by a total of nearly $300 million. These companies wiped out almost the same amount from their investors’ market value.
When managers reported recently acquired assets under the SEC’s loosened requirements, their companies produced a lower return on assets and had a higher likelihood of a goodwill impairment, in addition to a greater chance of a financial restatement. The subpar return of investments in such companies suggest investors view exemptions negatively. Another study, led by Temple University business professor Lawrence D. Brown, indicates that a majority of investors see weak material internal controls as a red flag that indicates a higher potential for financial misreporting.
Predictably, Congress’s decision to waive the audit requirement for some companies going public resulted in significant investor losses. From 2014-16, exempted companies had a restatement rate of 11.2%, while similarly sized companies still subject to the audit requirements had a rate of 6.2%, according to SEC figures.
A fair-minded investor might look at these figures and see an audit of internal controls as a form of insurance to reduce the risk of wealth-killing financial restatements.
More than four decades after the SEC first required audits of internal controls, and a decade and a half after the Sarbanes-Oxley Act strengthened the requirements, more than 1,000 companies have reported they do not have adequate internal controls.
Good internal controls are essential bulwarks against sloppiness, errors and irregularities. An audit might make sure that inventories are reported accurately, or that vendors are legitimate, or that cybersecurity policies and antihacking protocols are implemented effectively. Auditors may review internal emails to detect potential fraud. They can see into the regular operations of a company and, if empowered, call out the kinds of mistakes or malfeasance that leads to major financial restatements and other market-moving events.
Why should investors care if a company follows internal controls carefully as long as its revenue and profit are rising? Because what happens inside a company inevitably affects everything else—its revenue, its earnings and its valuation.
Consider what happens to seemingly successful companies with sloppy internal controls that allow potentially criminal and fraudulent activity. In time, that activity is discovered, and the company’s past results are called into question—and potentially wiped out by regulatory and legal action. The names of Enron and WorldCom are receding into the mists of memory, but anyone who remembers those incidents will tell you this: Had there been adequate audits of internal controls at those companies, the damage would have been far less—and investors wouldn’t have lost billions.
Mr. Levitt was chairman of the Securities and Exchange Commission, 1993-2001.