February 08, 2009
Audits II: Two more scary words: Sarbanes-Oxley
In the last post on audit, I raised the possibility that we need some fixes to the audit process, rather than just following some journo's best practices list ("use a big-4 auditor"). Is it then a possibility to rewrite the regime, to create a tougher approach? If we look a little deeper in history, we find the answer:
No, we already tried it. Say hello to two more scary words: Sarbanes-Oxley. Recall that this was a huge project by the Congress of the USA to rewrite the entire auditing requirement for public companies. It was deliberately and carefully done in the aftermath of the collapse of audited-but-unauditable Enron.
In Sarbanes-Oxley, no stone was left un-turned, no leaf un-renewed. The noble profession of Financial Auditors had, post-Enron, plenty of incentive to improve their game. Sarbanes-Oxley was written at the behest of the auditing industry. They asked for it, and they got it, cost regardless. It more or less doubled the size of the public audit.
Indeed, Sarbanes-Oxley was so fierce that, by some lights, it killed the international market for Wall Street IPOs! Given all this substantial work, and substantial cost, the paying public might therefore expect that Sarbanes-Oxley must have done some good. Fair enough?
Certainly, there have been many reports of "stronger, better", but this is one of those questions that is hard to measure objectively because we cannot run proper tests. However, we do now have what could be considered a highly indicative test: the financial crisis.
Let's check the record: did any audit since Sarbanes-Oxley pick up any of the problems seen in the last 18 months to do with the financial crisis?
No. Not one, not even a single one!
Yet, the basic failures in the financial crisis are so blatant that surely, even by accident, at least one audit should have picked up at least one pending failure, and fixed it? No, not one known to date. At least, as far as I know, and we should probably wait a few years before writing the final judgment. Post any examples in comments! (And yes, for the record, we are ignoring all of the regulators, central banks, finance committees, rating agencies and other checks and balances that also apparently came to nought.)
Can we pronounce the financial audit as bankrupt by its own measures? In theory, the audit should have picked up these failures, all of them. Consider this case-in-point, to prove that the theory works: the enhanced audit required on public listing did in fact pick up the Refco fraud that led quickly to its failure, and the near-failure of Bawag, a big bank in Austria that participated in the fraud. (The sorry fool who found the fraud was fired for his troubles, and only later did his reports filter out and cause questions that ultimately forced the fatal result.)
The audit theory works, then, in some sense or other. Manifestly, audits didn't work for the financial crisis. And they so didn't work, even after that huge rewrite called Sarbanes-Oxley, that we can conclude that mere improvement is completely off the agenda.
Questions arise. And, this time they are serious, more serious than post-Enron. This time the questions cannot be answered from within, but only from without. By us, the paying public. The questions before us could be considered like this:
Why did the audit not work in practice? For the financial crisis?
Are audits delivering a benefit?
Is the benefit of audits in excess of their cost?
Are audits part of the problem rather than the solution?
What do we do about it?
In order to answer that, we need more information. What is it that we really know about that audit? That's the subject of the next post.
Posted by iang at February 8, 2009 07:29 PM
at a european executive financial conference a few yrs ago, I commented that it would be relatively straight-forward to manipulate computer books to get by (SOX would catch mistakes but didn't seem like it would catch explicit fraud) ... and the only thing I saw in SOX was the section about whistle-blowers. a couple old posts with references:
Enron & Worldcom were supposedly laid at the door of deregulation and Sarbanes-Oxley was the result ... pbs website with discussion of Enron, Worldcom, deregulation, repeal of Glass-Steagall:
then comes congressional hearings last week into Madoff ponzi scheme ... with the person that has been trying for a decade to get SEC to do something about it .. A few recent posts ... discussing in more detail:
In his testimony, there was a repeated theme that crooks & fraud thrive where there is lack of visibility and transparency ... and the major recommendation is to change the culture to provide transparency in all aspects of the operations. There is need for new legislation and regulations, but they will always lag behind the crooks. Much more important is creating institutional and infrastructure transparency.
A couple other tidbits:
could only think of one person at SEC (in some field office, gave their name) that had any understanding of financial transactions ... all the others at the SEC had no understanding (and were mostly lawyers).
only 4% of fraud is turned up by audits ... over 50% from tips; tips are 13 times more effective than audits. SEC has a 1-800 hotline for companies to complain about too vigorous investigation. there is no corresponding "tip" line.
The Madoff ponzi scheme isn't the only one, in the process of turning over detailed documentation to the authorities about a (different) "small" $1b ponzi scheme.
if it wasn't for the current financial crisis, the Madoff ponzi scheme easily could have continued to $100B
None of the clients he advised, had gotten involved with Madoff
... snip ...
Possibly, in part because SEC didn't seem to be doing anything, GAO started database:
The database consists of two files: (1) a file that lists 1,390 restatement announcements that we identified as having been made because of financial reporting fraud and/or accounting errors between July 1, 2002, and September 30, 2005, and (2) a file that lists 396 restatement announcements that we identified as having been made because of financial reporting fraud and/or accounting errors between October 1, 2005, and June 30, 2006.
... snip ...
audit started falling apart after y2k when the "big four" crawled all over the investment banks. Then there was the departure of any talent the banks had to the dot com boom meaning a tranche of consultancy flotsam was sucked up the management tree in the investment banks. It was the beginning of the end. First thing they did was get rid of any engineers and people with expertise - last thing they wanted was people who could make them look bad. Then it was the usual model - bums on seats - bring in your erstwhile chums, build huge projects staffed by muppets. Nothing of any consequence was delivered - great example of this was XXX.
Meanwhile in security land, the web meant that the green zone now had holes punched into it. Network guys with their firewalls were no longer of any use. Risk assessment was the order of the day. This once was the province of the business as they had to evaluate and accept their own risks. In IT - "domain experts" [in security] paddled tacit advice post implementation. They were in reality glorified form fillers, adding little value. Enter IT Audit - under the auspices of the big four of course: sas70, PCI, GLB, BSI7799, ISO27001 etc etc. Just what they love - a checklist based audit standard which has led to the demise of real security. All we do now is ensure the ticks are met - no one cares about security - as long as we pass audit. Budgets are cut, tools go unused, personnel are trimmed to the bone. Processes are threadbare and poorly designed. Still - we pass audit - and that's all that matters.
no - don't attribute this to me :-)
If all the parties in an investment scheme have recourse and real time information then no one is a threat, and that threat is what is killing Western finance not executives making over $500,000 per year. Obama has basically told Wall Street he doesn't understand the mechanics and Bush told Wall Street he didn't want to know how the sausage was made, just go about making the stuff. In essence a chart of accounts that allows members of a trading community to know each others' risk is key and if the primary participants can trust each other then that trust can be passed on to others. We lack a core essence of primary participants that trust each other. Even if all the finance institutions are nationalized, without real time roll up of critical data no one will trust anyone.
The rating agencies' role has yet to be filled properly and a trading regime that has a real time reporting system for verification of risk exposure and real time mark-to-market reporting does not exist, but your system could leverage that and the actual instruments being traded are secondary. The real value of a clearing house and exchange is trust being passed from primary parties into the rest of the market.
It is the time factor. The old scenarios are not working because more can happen in a half day than before and within that half day everyone can be broke due to some clod in Paris exceeding his limits.
We can only trust what we can see, and a contract that replicates an accounting transaction is required in real time. It is the same scenario I suggested be used for shipping containers, via use of contracts at each end to verify assurance. We are now using something akin to the Roman wax tablet and expecting the Fourth Legion to take on a tank squad. The only problem with that is the tank squad has only one purpose and it is not policing folks into an orderly fashion; it is as designed a death machine. In this case the Panzer commander believes he can breathe life back into the corpses to keep the game going. The game is over until someone finds the solution I suggest.
One can only have a game if the investor is armed with the same level of information that the insiders have; that way they can assess the bet. As it stands now a great many insiders are not armed with anything more than anecdotal experience and a sense that Mr. Madoff is an honorable man.
That sense is stupidity without real numbers that can be seen daily even hourly.
If there is a real-time transparent accounting system, audits become titular and nothing of substance. Which they are now anyway.
Think about the ramifications. Just-in-time debt that matches actual revenue. The debt could be based on stated assumptions rather than vague notional statements. Banks in the past lent money in this manner, actually sitting there on a daily basis watching the sales being deposited. The cover being ripped off the exchange system and the banking system left everyone in the blind. Securitizations left the bond holder in the dark regarding collections and the delinquency rates. So if the damn thing were designed from the beginning with that reporting, then the event of default could have been strictly with well-informed investors who would have chosen to lend money at a higher rate.
Sarbanes-Oxley supposedly also required SEC to do something about the rating agencies .. but there doesn't seem to be anything other than:
Report on the Role and Function of Credit Rating Agencies in the Operation of the Securities Markets; As Required by Section 702(b) of the Sarbanes-Oxley Act of 2002
In the congressional hearings last fall on the rating agencies, there was repeated testimony that both the rating agencies and the toxic CDO issuers/sellers knew that the toxic CDOs weren't worth triple-A ratings, but the issuers/sellers were paying for the triple-A ratings. Further testimony was that in the early 70s, the rating agencies' business process became misaligned when they switched from the buyers paying for the ratings to the sellers paying for the ratings (significantly opening things up for conflict of interest).
Last month there was news item that IDC had been brought in to help price toxic assets the gov. was looking at buying. IDC had bought the "pricing services" division from one of the rating agencies in 1972 (in the period that testimony said the rating agencies' business process became misaligned) ... as an aside I interviewed with IDC in '69 ... some recent posts
Long-winded decade old post mentioning some of the current issues
We had been called in to consult with a small client/server startup that wanted to do payment transactions on their server ... and they had invented this technology they wanted to use called SSL. there had to be a whole lot of work to turn technology into actual business processes to do financial transactions (frequently now called "electronic commerce"). then in the mid-90s, we were invited to participate in the x9a10 financial standards working group which had been given the requirement to preserve the integrity of the financial institution for all retail payments ... which resulted in the x9.59 financial standard ... some references
Somewhat as the result of "electronic commerce" & x9.59 work, we were asked to come in to NSCC (since combined with DTC and renamed DTCC) to see if we could do something similar for all the operations in the securities industry. After some amount of effort, it was eventually suspended because a side-effect of the increased integrity would have created significantly more transparency in all aspects of the industry. This ran into conflict with the pervasive culture of lots of obfuscation and lack of transparency ... recent post: