
Sarbanes-Oxley 404; Underestimated or undervalued?


Academic year: 2021


Sarbanes-Oxley 404;

Underestimated or undervalued?

A perspective on the advantages and disadvantages of SOx 404

Wietse de Heer

University of Groningen


Faculty of Economics and Business Master Thesis

Author: Pieter Gijsbert de Heer

Student number: 1383329

Master: Accountancy

Company: PricewaterhouseCoopers

Supervisor 1: prof. dr. J.A. van Manen

Supervisor 2: dr. R.B.H. Hooghiemstra


Preface

Several years ago, I could not imagine that in the summer of 2008, I would be sitting here in Amsterdam finalising my master thesis in Auditing (Dutch: Accountancy). After five years of studying at the University of Groningen, I can look back at a very useful and pleasant period. I have benefited from these years in educational manners, but probably even more in my personal development.

My bachelor thesis was focussed on financial reporting, one of the main areas in accountancy. Another important aspect of accountancy concerns corporate governance. I wanted to get some more understanding of this field as well. In the choice of a subject, I deliberately chose a subject that crosses country-borders. Articles in the media about companies that delisted and discussions about internal control statements pulled my attention towards probably one of the most controversial laws in corporate governance: the Sarbanes-Oxley Act. For me, it was a challenge to deal with such a complex topic. This connects the cover of this report, because I never expected that the effects of this American legislation would captivate me in the way it did. It is impressive to see that section 404, consisting of only 180 words, would have such an impact on companies all over the world. And despite the fact that I focussed this research on such an important section, I am well aware that this is still just a very small piece of a comprehensive field.

“We often take for granted the very things that most deserve our gratitude.” (Cynthia Ozick)

I want to use this preface to thank the persons who helped me and supported me during the past period. First of all, I would like to thank Prof. Dr. Jaap van Manen for guiding me during this master-thesis. Our discussions and the conversations in the ‘coffee corner’ have been valuable to the final result. Furthermore, I want to thank Boudewijn van der Veer (my coach) and Agnes Zeestraten from PricewaterhouseCoopers for their input in the process. They familiarized me with PwC and shed their light over the content of this report. Finally, I want to thank Paul Klaassen and Wendy Kroes for their feedback on the first draft of the final thesis.

Last but not least, I want to thank my family and friends. During the last period of my study, I got a lot of support and understanding from them in all my activities and the choices that I made. A special thanks to my parents. They contributed everything according to their abilities to create the right circumstances for a successful study period.

Wietse de Heer


Table of contents

EXECUTIVE SUMMARY
1 INTRODUCTION
1.1 INTRODUCTION ON THE SUBJECT
1.2 RESEARCH DESIGN
1.2.1 Objective setting
1.2.2 Research question
1.2.3 Sub-questions
1.2.4 Conceptual model
1.2.5 Scope
1.3 RELEVANCE
1.4 METHODOLOGY
1.5 CRITERIA
2 SARBANES-OXLEY 404
2.1 INTRODUCTION
2.2 CONCEPTS
2.3 THE IMPACT OF SOX 404 ON A U.S. LISTED COMPANY
2.3.1 The Sarbanes-Oxley Act
2.3.2 The purpose of Section 404
2.4 THE EFFECTS OF THE SOX 404 STATEMENT ON THE AUDITOR’S ROLE
2.4.1 The content of a SOx 404 statement
2.4.2 The role of the external auditor
2.5 CONCLUSION
3 THE ADVANTAGES AND DISADVANTAGES OF SOX 404
3.1 INTRODUCTION
3.2 ADVANTAGES OF SOX 404
3.3 DISADVANTAGES OF SOX 404
3.4 CONCLUSION
4 RESEARCH METHODOLOGY
4.1 INTRODUCTION
4.2 SAMPLE
4.3 DEVELOPING THE RESEARCH INSTRUMENT
4.3.1 Questionnaire
4.3.2 Scale of Likert
4.4 ANALYSIS
4.5 STATISTICAL ANALYSIS
5 ANALYSIS
5.1 INTRODUCTION
5.2 THE OPINION ABOUT ADVANTAGES AND DISADVANTAGES
5.2.1 Advantages – non financial
5.2.2 Advantages – financial
5.2.3 Disadvantages – non financial
5.2.4 Disadvantages – financial
5.3 THE OPINION ABOUT THE EXTERNAL AUDITOR’S ROLE
5.4 CONCLUSION
6 CONCLUSION
6.1 INTRODUCTION
6.2 LIMITATIONS
6.3 CONCLUSION
6.4 SUPPLEMENTAL RESEARCH
LITERATURE
APPENDIX


Executive Summary

This thesis comprises an analysis of the advantages and disadvantages of Sarbanes-Oxley 404 to cross-listed companies in the United States. The analysis is based on relevant literature and interviews with auditors. These auditors are members of audit teams for companies that are listed in The Netherlands as well as in the United States. The following research question functioned as a guideline to this research:

“What are advantages and disadvantages of Sarbanes-Oxley 404 for cross-listed companies, and what is the external auditor’s opinion on these effects?”

The Sarbanes-Oxley Act¹ was introduced in the United States to restore investor confidence as a result of major scandals in the financial world at the beginning of the 21st century. The way in which legislators wanted to achieve this objective has led to major changes for U.S. listed companies. This law is not just required for U.S. companies, but foreign companies listed in the U.S. are subject to this law as well. SOx became subject to a lot of discussion. Probably the most criticised section of SOx is section 404. Section 404 requires management to organize and assess the internal control systems. Management needs to determine whether the system of internal control provides reasonable assurance that material errors, in either interim or annual financial statements, will be prevented or detected. One of the most noticed criticisms concerns the costs involved in the implementation of SOx 404, while less light is shed on the benefits.

The external auditor has to analyse and report on management’s assessment of the internal control system of financial reporting as well as the effectiveness of the controls. The PCAOB² has clarified the external auditor’s role in SOx 404 in AS2, which was later replaced by AS5, to make an audit more efficient and less costly.

Due to the negative sentiment surrounding SOx 404, a literature search has been carried out on the advantages and disadvantages of this section to companies. Since the auditor’s role is much felt in the process, their opinion upon these SOx-effects is examined. 6 partners and 6 (senior) managers of Dutch FPIs have been interviewed using a questionnaire with several statements about SOx and in particular section 404.

Overall, auditors are well informed about the usefulness of SOx 404 to their client. In the beginning, the compliance process got most attention and the costs were considerable. The phase in which companies are now is focussed more on creating a well functioning control environment and on executing the work more efficiently. Experience in the compliance work and professional judgement are important factors to achieve this, together with the change from AS2 to AS5. Auditors agree that SOx has a positive influence on managing companies, although benefits are harder to quantify compared to costs and it would take more time until they appear. SOx led to catching up a lot of deferred maintenance within companies, which led to more standardization and documentation. Managers as well as auditors feel more comfortable now in their decision making.

The auditor is functioning as a business partner in this and is helping to streamline the internal control framework. However, the SOx process is a joint project between the auditor and its client. The attitude of the client itself is most crucial for its success. Auditors have different experiences with different clients, but in general the opinion of auditors about SOx is more positive compared to the sentiment in the literature and the public opinion. This explains why auditors expect that the advantages will ultimately exceed the disadvantages. Whether SOx will cross the borders of the U.S. is still questionable due to its image and its rule based character.

1 ‘SOx’ will be used as a shortcut for The Sarbanes Oxley Act

2

1 Introduction

1.1 Introduction on the subject

16 January 2007 – Six large U.S. listed companies want to have a discussion with the six most important audit firms. The companies find their auditors too strict in the application of the American Sarbanes-Oxley Act (‘SOx’) for corporate governance. They hold the opinion that these different audit firms do have quite divergent interpretations about this law as well. (‘Het Financieele Dagblad’)

18 December 2007 – In the beginning of next year, KPN will delist from the Stock Exchanges in New York, Frankfurt and London. The telecom company expects to save around 10 million every year by doing this. The decision does not have any connection with Sarbanes-Oxley, according to CFO Marcel Smits. “The attention for quality improvement of our internal control procedures and risk management to comply with the American Sarbanes-Oxley Act has been good for the company, and this attention will not decrease.” (www.accountant.nl)

The Sarbanes-Oxley Act is known as the most important corporate governance and disclosure legislation since the Securities Act of 1933 and the Securities Exchange Act of 1934 (Bergen 2005). Since its introduction in 2002, SOx has been subject to a lot of discussion. Several empirical studies discuss the effects of the Act by looking at the financial impact for the company and at the impact on the U.S. economy as a whole. The findings from these studies differ and this is mainly caused by the perspective from where an interested party is experiencing these corporate governance rules. The interests of a user (demand perspective) can differ from the interest of a supplier (supply perspective) of the annual report. The auditor is situated between supply and demand, functioning as some kind of mediator between both parties.

Probably the most criticised section of SOx is section 404. Section 404 requires management to organize and assess the internal control systems. The independent auditor has to evaluate the effectiveness of the internal control instruments. One of the most noticed criticisms concerns the costs involved in the implementation of SOx 404, while less light is shed on the benefits.

In this report, specialists in the SOx compliance process will be asked for their opinion about the effects of SOx 404 on companies and the involved parties. These specialists are the auditors.

1.2 Research Design

1.2.1 Objective setting

Sarbanes-Oxley was introduced to restore investor confidence. The way in which legislators want to achieve this objective has led to major changes for companies listed in the United States and the stakeholders of these companies. SOx is not just mandatory for U.S. companies, but foreign companies listed in the U.S. are subject to this law as well. These cross-listed companies can be listed in the U.S. for several reasons, but the most important one is the access to the U.S. capital market. It may be expected that these companies are weighing the pros and the cons of a U.S. listing, taking the SOx-consequences into account as well. Especially the consequences of the most criticized section, section 404, play a major role in the considerations.

The purpose of this research is to give an insight in the advantages and disadvantages of SOx 404 for cross-listed firms. The advantages and disadvantages will be verified with experiences of Dutch auditors within the audit team of these firms which are listed on the Dutch Stock Exchange (Amsterdam) as well as on one of the U.S. Stock Exchanges. This will show the auditor’s perspective on the effects of SOx 404. A subsequent question that may arise is how auditors fulfil their own role in the SOx compliance process. They can just check if a company complies with SOx, but perhaps they are able to look beyond the rules as well to consider whether a SOx 404 statement is useful to their client. This is particularly interesting in terms of efficiency and effectiveness to a company in financial reporting as well as in operations. This report will give a contribution to the knowledge about SOx and especially to the actual discussion about the advantages and disadvantages of the internal control statement based on the requirements of section 404.

1.2.2 Research question

To meet the objectives of the report, a research question has been formulated. This question is functioning as a guideline to this research:

“What are advantages and disadvantages of Sarbanes-Oxley 404 for cross-listed companies, and what is the external auditor’s opinion on these effects?”

The advantages and disadvantages are the positive and negative effects on a company and its stakeholders as a result of the adoption of SOx 404. In the literature, advantages and disadvantages are also referred to as benefits and costs.

Sarbanes-Oxley 404 is the section of the Sarbanes-Oxley Act which is concerned with assuring effective management controls over reporting. Chapter 2 will give an extensive description of this section.

Cross-listed firms are firms from another country than the United States, which have a listing on the American Stock Exchange as well. A motive to cross-list could be to increase the visibility of the company, to tap into a more liquid market, to signal the company’s strength, or to follow tougher exchange requirements (Zhu and Small 2007). For U.S. investors, cross-listing is advantageous as well, because this allows them to take advantage of international diversification, without trading in a market outside the U.S.

The external auditor, as meant in this research question, is an external specialist who is responsible for the audit of financial statements, internal control over financial reporting etc., at a company that is (or was) obliged to comply with SOx 404.

1.2.3 Sub-questions

To give an answer to the research question, the following sub-questions have been formulated. Some questions are based on the literature in chapters 2 and 3, but will be described in this section as well. The sub-questions will be answered in the following chapters.

First of all, it is important to describe Sarbanes-Oxley in broad outline and to zoom in on section 404. This will give an important basis for understanding this research in its context and the report as a whole. A theoretical perspective will be given on the influence of Sarbanes-Oxley on companies with special attention to section 404:

1. What is Sarbanes-Oxley 404 and what is its impact on a U.S. listed company?

Now that the aim of SOx 404 is clear, it is important to get an understanding of an internal control statement. The management as well as the auditor have a key role in formulating this statement. A theoretical perspective will be given to the next question:


2. What does a Sarbanes-Oxley 404 statement consist of and what is the external auditor’s role in formulating this statement?

SOx 404 has been frequently discussed in recent years. The effects as a result of its introduction are appearing progressively. This report is focussing on the positive and negative effects of SOx 404. The advantages and disadvantages of SOx 404 have to be summarized from the literature, to formulate an overview of the existing knowledge about SOx 404:

3. What are the advantages and disadvantages of Sarbanes-Oxley 404 to a company and its shareholders in contemporary literature?

The third sub-question will result in an overview of the advantages and disadvantages of SOx 404. An auditor is closely involved in the process of SOx implementation and maintenance. External auditors are hired by the client because they are specialists in this area and have to be well aware of actual developments and legislation. This report will connect the literature with practical experiences. The independent and objective perspective is the reason why the auditor has to attest to the management-statement of the client in relation to the effectiveness of internal control over financial reporting. In view of their role, the external auditor’s perspective on the advantages and disadvantages of SOx 404 could give a useful insight about how these effects are experienced at the client:

4a. To what extent do external auditors agree with the advantages and disadvantages of Sarbanes-Oxley 404 and what is their opinion about it?

4b. To what extent do external auditors agree with the effects of Sarbanes-Oxley 404 and the accessory auditing standards on their own role and what is their opinion about it?

4c. To what extent are auditors divided in their opinion about the effects of Sarbanes-Oxley 404?

1.2.4 Conceptual model

Stakeholders which are concerned with Sarbanes-Oxley can be classified in a demand side and a supply side. The demand side is the group of stakeholders that use the statement to get information about the firm by reading the annual report. The supply side has to provide this statement through an annual report to the users of the report. In previous sections, the external auditor is mentioned several times as pivot between the demand and the supply side of an in control statement. The auditors provide assurance about the financial report of a firm, so that the demand side as well as the supply side can use the information for their decision making. Figure 2.1 visualises the auditor’s position in relation to Sarbanes-Oxley and the shareholders of a listed company.


Figure 1.1: Conceptual model

1.2.5 Scope

To safeguard the quality and depth of this report, the scope of the research is determined. Corporate Governance, and Sarbanes-Oxley in particular, is a very comprehensive topic. The scope is based on the available time and resources. The research is focussed on the following aspects:

• The research focuses exclusively on the advantages and disadvantages of section 404 of the Sarbanes-Oxley Act. Other sections are left out of consideration. Section 404 is one of the most criticised sections of SOx with a considerable impact on listed companies.

• The empirical research is focussed on external auditors connected to PricewaterhouseCoopers only. PricewaterhouseCoopers has a representative list of clients with SOx requirements.

• The selected cross-listed firms are clients of PricewaterhouseCoopers. Since I am interviewing auditors connected to PricewaterhouseCoopers, it is a logical consequence that the firms are (or recently were) clients of PricewaterhouseCoopers as well.

• The sample contains auditors of cross-listed firms (FPIs³) from The Netherlands. The firms are cross-listed or were cross-listed on the U.S. Stock Exchanges. By focussing on these FPIs, I was able to select sufficient auditors to draw useful conclusions.

1.3 Relevance

This report gives an insight in the advantages and disadvantages of SOx 404. In the media, negative publicity dominates the coverage about Sarbanes-Oxley. This report is looking at the broader perspective to analyse the positive aspects of the internal control statement as well. SOx 404 adoption has been mandatory for cross-listed firms as of July 15, 2006. Two years later, companies and auditors are able to look back at the introduction and they are focussing on improvements and maintenance. That is why this is a good time to analyse the consequences of the SOx 404 adoption.

In recent years, much research on SOx 404 has been done from the demand or supply perspective, as will be shown in chapter 2. Research among auditors is still quite exceptional. Prentice (2007) already composed a literature review about the impact of Section 404, which will be relevant for my own theoretical framework. Rittenberg and Miller (2005) researched the benefits of section 404. They asked questions to Chief Audit Executive members of The IIA⁴ and analyzed the results. This research will be quite similar but the statements will be more extensive and there will be more room for own comments from the respondents.

3 Foreign Private Issuers

[Figure 1.1 labels: Sarbanes-Oxley Act, Section 404; Demand; Supply; External Auditor; Audit Committee; Shareholders; Supervisory Board; Legislators; Internal Audit; The Board (two tier) / Supervisory board (one tier); Governments/Banks etc.]

It is very important for an auditor to be well informed about the advantages and disadvantages of SOx 404. This is necessary for executing a good audit of this section and for supporting their client in the introduction process. In addition to the audit, it could be important to give some advice to the company about their need for compliance. Possibly, it is useful to a company to delist from the U.S. exchanges to avoid SOx and to draw up an own internal control statement. The Committee on Capital Markets Regulation (2006) recommended the SEC⁵ and PCAOB to collect better and more complete information in relation to the costs and benefits of Section 404. This report is written within this perspective and could add some useful information for this demand. Determining the opinion of auditors about SOx 404 will provide valuable information to stakeholders about the existing sentiment concerning SOx to the corporate governance field.

1.4 Methodology

This report contains an exploratory study with characteristics of a (formal) descriptive study. An exploratory study tends toward loose structures with the objective of discovering future research tasks and a formal study begins where the exploration leaves off (Cooper and Schindler 2003). The research could create a foundation for a qualitative or quantitative supplemental research.

The literature in chapter 2 gives an overview of SOx 404 and the role of the auditor and its client within the implementation and maintenance process. Chapter 3 summarizes the advantages and disadvantages of SOx 404. Secondary data from books, articles and from the World Wide Web is used for this. This information will be used for the descriptive study.

The empirical factual material led to additional sub-questions as shown in section 2.2. These questions will be answered by executing an empirical research. The findings from the literature search will be compared with experiences from auditors on the job. In chapter 4, the methodology for this empirical research is explained in detail. Statements, derived from the theory, are formulated to create a questionnaire which will be used for the interviews. I will ask the opinion of auditors of cross-listed firms about these statements. Testing these statements with the auditors will result in the auditors’ opinion about the advantages and disadvantages of SOx 404 and about their own role within the process. The opinion of auditors is interesting, because of their role as shown in figure 1.1.

Chapter 5 shows the results of the executed research and analyses the outcomes. Chapter 6 is the last chapter and concerns the conclusion. An answer to the research question is formulated in this conclusion. The structure and methodology used in this paper are visualized in figure 1.2.

4 The Institute of International Auditors

Derived from the Empirical Cycle* (A.D. de Groot in Korzilius, 2000): Phase 1: Observation; Phase 2: Induction; Phase 3: Deduction; Phase 4: Testing; Phase 5: Evaluation

Figure 1.2: Report structure

1.5 Criteria

This master thesis has several criteria which are formulated by the University of Groningen, faculty of Economics and Business, and by PricewaterhouseCoopers. These constraints are:

• The thesis has to deal with a scientific problem.

• The thesis has to fill a knowledge gap, which cannot be done with the existing literature.

• The weight of the thesis involves 20 European Credits.

• The total research has to be completed within 5 months (February till July 2008).

• The thesis has to meet the requirements for a master thesis, set by the faculty of Economics and Business.

• Both the University of Groningen and PricewaterhouseCoopers have to clear this thesis.

• Information obtained from auditors or clients will be treated confidentially.

[Figure 1.2 box labels: Research Question (Chapter 1); Sub-questions (Chapter 1); Study of literature (Chapter 2 & 3); Empirical research (Chapter 4 & 5); Questionnaire; Interviews; Analysis; Conclusion (Chapter 6); Supplemental Research. Phase labels marked with *: Observation, Formulating questions, Analysis, Evaluation.]

2 Sarbanes-Oxley 404

2.1 Introduction

In July 2002, the Sarbanes-Oxley Act was passed in an attempt to restore investor confidence in the United States. The aim of this act was to make executives responsible for company accounting statements, to redefine the relationships between companies and their auditors, and to restructure the internal control systems of public companies. Because of its considerable impact, section 404 has become nearly synonymous with Sarbanes-Oxley itself.

In this chapter, Sarbanes-Oxley 404 is introduced by answering the first sub-question: What is Sarbanes-Oxley 404 and what is its impact on a U.S. listed company? A short overview of Sarbanes-Oxley will be given and thereafter section 404 will be highlighted. It is important to understand the content of SOx 404 for the continuation of this report. The second sub-question that will be answered in this report is: What does a Sarbanes-Oxley 404 statement consist of and what is the role of the external auditor in formulating this statement? The auditor’s role and management’s role have changed due to SOx 404. The auditor’s role is important to understand, since the empirical research in chapter 6 will be focussed on the auditor’s opinion about SOx 404. However, before dealing with these sub-questions, some key concepts have to be explained for understanding the literature review. These concepts will appear several times in this report.

2.2 Concepts

The following concepts will be explained to give the reader a better understanding of the literature that will be summarized and discussed in this report:

SEC: The Securities and Exchange Commission is the primary federal regulatory agency for the securities in the United States. The responsibility of the SEC encompasses safeguarding the transparency of listed companies and protecting investors against fraudulent and manipulative practices in the securities markets.

PCAOB: The Public Company Accounting Oversight Board is a quasi-public organization which is charged with overseeing, regulating, inspecting, and disciplining audit firms in their roles as auditors of public companies. The PCAOB sets standards for the activities of an external auditor and ensures that the auditor is following this strict set of guidelines in preparing the internal control report for a client. These standards are based on the Sarbanes-Oxley Act.

COSO framework: COSO stands for the “Committee Of Sponsoring Organisations of the Treadway Commission”. COSO is a non-profit commission that, in 1992, established a common definition of internal control and created a framework for evaluating the effectiveness of internal controls. The COSO framework views internal controls as consisting of the following five interrelated components: control environment, risk assessment, control activities, information and communication, and monitoring. In 2004, the ERM-Integrated framework (Appendix 4) was introduced and the following components were added to the former five: objective setting, event identification and risk response (www.coso.org).


Internal Control: To explain “internal control”, I will use the definition formulated by The Committee of Sponsoring Organisations of the Treadway commission (COSO): “Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations

• Reliability of financial reporting

• Compliance with applicable laws and regulations” (www.coso.org)

The marked words are the key concepts of this definition. SOx is mainly focussed on the second category: reliability of financial reporting (McConnell and Banks 2003).

AS2: Accounting Standard No. 2 was approved by the SEC in June 2004. These standards are effective for audits of internal control over financial reporting required by Section 404(b) of the Sarbanes-Oxley Act of 2002. AS2 was formulated after a process of public comment, based on prior experiences with auditing the Sarbanes Oxley requirements (www.pcaobus.org).

AS5: In May 2007, the PCAOB adopted Auditing Standard No. 5. This Auditing Standard is formulated in succession to AS2 and also deals with the audit of internal control over financial reporting. The SEC approved AS5 in July 2007. AS5 is designed to be more principles-based and streamlined compared to AS2. The main difference is that AS5 focuses on the greatest risks to a company and eliminates redundant procedures. This makes an audit more efficient and easier to fulfil. AS5 superseded AS2 only one year ago. That is the reason why the literature in this report particularly deals with AS2 (www.pcaobus.org).

ADR: An American Depositary Receipt is a negotiable certificate, issued by a U.S. bank, representing a specific number of shares of a foreign stock traded on a U.S. stock exchange. The rights and benefits to the holders are the same as for the underlying shares. ADRs are specifically designed to facilitate U.S. investors’ purchase, holding, and sale of securities of non-U.S. companies. ADRs are divided in 4 different levels. Both Level II ADRs (no capital raising) and level III ADRs (new capital raising) trade on a U.S. Stock exchange (Zhu and Small 2007). The non-U.S. companies offering level II and III ADRs are subject to the Sarbanes-Oxley Act.

2.3 The impact of SOx 404 on a U.S. listed company

2.3.1 The Sarbanes-Oxley Act

Before discussing SOx 404 in particular, it is necessary to understand the context of this section. Section 404 is part of the Sarbanes-Oxley Act, which was passed by the American government and signed by President George W. Bush on July 30, 2002. The congressional sponsors of this law were Senator Paul Sarbanes and Representative Michael G. Oxley, which explains the name given to the law. This law is introduced in response to major occurrences in the U.S. financial world. Koehn and Del Vecchio (2004, p.1) state that, “the Sarbanes-Oxley Act is seen as the most significant change in the U.S. securities law since 1934”. President George W. Bush characterized Sarbanes Oxley as "the most far reaching reforms of American business practices since the time of Franklin Delano Roosevelt." This indicates that the impact of Sarbanes-Oxley on companies and their stakeholders is considerable.


In the beginning of the 21st century, the IT-bubble burst and multinationals like Enron and WorldCom collapsed. Arthur Andersen, one of the then five largest audit firms in the world, suffered from these scandals and went bankrupt. Investor confidence in the capital markets became very low. The Dow Jones Index dropped 25%, the S&P6 dropped over 40% and the NASDAQ7 dropped by more than 70% (Leon 2006). The purpose of the Sarbanes-Oxley Act, as stated in the law is “to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes”. To achieve this purpose, the Act obliged reforms on corporate governance, accounting and disclosure rules and enforced punishment and liability with criminal penalties (Wagner and Dittmar 2006). These aspects of SOx are collected in 11 sections, summed-up in appendix 1. The SEC is responsible for implementing rules on requirements to comply with SOx.

The existence of SOx can be explained with the agency theory (see: Eisenhardt 1989). In a listed company, there is separation between management and ownership. The management has considerable power compared to the shareholders (owners). This can lead to a situation in which the shareholders (i.e. principals) do not agree with the decisions of the board (i.e. agents) of the company. The aims of the agent and principal could conflict, because it can be difficult for the principal to verify the activities of the agent, due to information asymmetry. The same situation can appear when the risk attitude of agents differs from the risk attitude of principals. These problems are called ‘agency problems’ (Eisenhardt 1989, p.58). To protect shareholders from agency problems, several ‘governance mechanisms’ have been developed. SOx is one of these mechanisms.

The SOx legislation established new or enhanced standards for the board and the management of public companies listed on the U.S. stock exchanges and for public accounting firms as well. SOx compliance is compulsory for all companies listed on the U.S. Stock Exchanges. SOx applies to “issuers”, as defined in section 3 of the Securities Exchange Act of 1934, that:

1) Have securities registered under section 12 of the Exchange Act;

2) Are required to file reports under section 15(d) of the Exchange Act, or;

3) File or have filed a registration statement that has not yet become effective under the Securities Act of 1933 and that they have not withdrawn

(Zhu and Small 2007).

Initially, Congress made no provisions in the SOx legislation for foreign companies listed on domestic exchanges. The SEC received much commentary from foreign issuers and interested parties, who were stressing the potential risks in SOx of not applying SOx to home corporate law (Leon 2006). In response to this, the SEC made some distinction between U.S. issuers and non-U.S. issuers. Ghoshray (2004) wrote an article about the conflicts in comparative corporate laws. The SEC determines which SOx provisions have to be applied by non-U.S. issuers, which differs across the different levels of ADRs. For some foreign issuers, it is impossible to comply with both SOx and with the laws of their home country. Zhu and Small (2007) gave an example from Australia: Australian corporate law requires shareholders to select the auditor, whereas SOx requires the Audit Committee to select one. In this situation, an exception has to be made by the SEC to enable an Australian company to comply with SOx. Another difference between U.S. issuers and non-U.S. issuers is the deadline for implementing SOx. For some sections, the deadline for non-U.S. issuers is extended. Section 404 is one of these sections.

[6] Standard & Poor’s 500


Private companies, or other companies that are not listed on the U.S. Exchanges, are not obliged to comply with SOx. Some companies, however, are choosing voluntary compliance by selectively implementing some SOx items (Stephens and Schwartz 2006). By doing so, companies are better able to make a good trade-off between the costs and the benefits. In practice, they are selecting ‘best practices’ from formal SOx experiences and avoiding the most costly or non-value-adding aspects. Some legislators are already considering the extension of SOx provisions to private companies. These legislators are convinced of the positive effects that SOx can have for private companies.

The full text of the total Sarbanes-Oxley Act is fairly brief. Section 404, for example, contains just 173 words in total. The full text of this section is shown in appendix 3. Significantly more extensive are the various rules, standards, and elaborations issued by the PCAOB. Examples are AS2 (2004) and its successor AS5 (2007), which supersedes AS2. For most companies, Sections 302 and 404 represent the bulk of compliance work (Wagner and Dittmar 2006). The next section will elaborate on SOx 404, one of the sections most discussed in recent years.

2.3.2 The purpose of Section 404

The purpose of Section 404 is to rebuild public trust by bolstering the internal controls that underpin the accuracy and reliability of published financial information (Goelzer 2004). This section prescribes an annual evaluation of internal controls and procedures for financial reporting, and requires CEOs[8] and CFOs[9] to periodically assess and prove their effectiveness. Management’s assessment for Section 404 is as of year-end, which means that the statement is dated on December 31st considering a financial year equal to the calendar year. Furthermore, section 404 obliges companies to include an internal control report in their annual report. The SEC has indicated that the document should contain the following aspects:

• A statement acknowledging responsibility for establishing and maintaining adequate internal control over financial reporting.

• A statement identifying the internal-control framework used to evaluate the effectiveness of internal control over financial reporting.

• An assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the most recent fiscal year.

• Disclosure of any material weaknesses in the company’s internal control over financial reporting.

• A statement that the independent auditor has issued a report on the company’s assessment of internal control over financial reporting.

(Wagner and Dittmar 2006, p. 138)

The scope of Section 404 addresses everything in the US GAAP-based[10] interim and annual financial statements and related notes that are filed with the SEC (The Institute of Internal Auditors 2008). It is important to note that SOx 404 is only concerned with the internal control over financial reporting, which means that its scope is limited compared to, for example, the Dutch Code (de Groot and Koolstra 2006). Another limitation of SOx 404 is the fact that management’s assessment is as of year end. The Dutch Code obliges a management statement for effectiveness of the internal control system over the whole financial year (De Groot and Koolstra 2006).

[8] Chief Executive Officer

[9] Chief Financial Officer

[10] United States Generally Accepted Accounting Principles

The SEC extended the compliance dates for non-accelerated filers and foreign private issuers regarding section 404 to the fiscal year ending on or after July 15, 2006 (U.S. SEC 2005). This was not the first postponement of SOx 404, which shows that it is a considerable operation for (cross-listed) companies to become SOx compliant.

The responsibility of the management of listed firms for effective internal control over financial reporting is described in section 404 as well as in section 302. Both sections are often mentioned in relation to each other. Section 302 is concerned with the responsibility of executives for reliable external disclosures. This section requires quarterly reporting on the design and operating effectiveness of controls. CEOs and CFOs have to state personally that they are responsible for the disclosure of controls and procedures and that they have performed an evaluation of the controls. They have to notify their Audit Committee and independent auditors of any significant deficiencies. Section 404, as mentioned before, is restricted to internal control over financial reporting. Extensive requirements are dictated for documentation and operations of the management, to come to a well-founded statement (Nieuw Amerongen and De Jager 2004). Management itself is required to identify, document and evaluate significant internal controls. The management has to draw its own conclusions on the effectiveness of the controls and is not allowed to base its conclusion on results of the external auditor’s tests (McConnell 2003). To meet the requirements, McConnell (2003, p. 4) describes the following management’s responsibilities:

• Accept responsibilities for effectiveness of internal control over financial reporting.

• Evaluate their effectiveness using suitable control criteria.

• Support this evaluation with sufficient evidence.

• Present a written assertion about their effectiveness in either a separate report accompanying the auditor’s report or a representation letter to the auditor.

These responsibilities cannot be delegated to the external auditor. Next to management’s statement, SOx 404 prescribes a statement of the external auditor as well. This statement will be discussed in the next section.

2.4 The effects of the SOx 404 statement on the auditor’s role

2.4.1 The content of a SOx 404 statement

In general, an internal control statement is connected to the effectiveness of the design and the functioning of a risk management system. The range of the internal control statement can be characterized along three dimensions (de Groot 2006):

• The type of risks (strategic, operational, financial (-reporting) and compliance)

• The effectiveness of the design

• The period of time where the conclusion relates to.

SOx is concerned with the internal control statement over financial reporting. Positioning SOx 404 within the dimensions above shows that section 404 is mainly concerned with financial risks. The effectiveness of the design is covered in section 302 and section 404 as well. The period of time to which the internal control statement relates is as of year end. The Dutch Code, as already mentioned in the previous section, covers all of these dimensions.


Section 404 obliges a company’s external auditor to analyse and report on management’s assessment of internal control over financial reporting, as well as on the effectiveness of the controls themselves. The full text of SOx section 404 is reproduced in Appendix 3.

Management needs to determine whether the system of internal control provides reasonable assurance[12] that material errors, in either interim or annual financial statements, will be prevented or detected. Management is able to make this assessment by (The Institute of Internal Auditors 2008):

• Identifying, assessing, and testing the design and operating effectiveness of the key controls that will either prevent, or detect material errors in the transactions that constitute the balances in significant accounts in the financial statements, or in the way the financial statements are prepared and presented.

• Assessing whether any control deficiencies identified in the above process represent, either individually or in aggregate, a reasonable possibility of a material error.

The assessment has to be done as of the end of the most recent fiscal year of the issuer.

The management has to use a framework that is suitable for internal control. AS2 and AS5 declare that the COSO-framework is suitable for this. Management is allowed to use another framework, but their auditor has to give his approval for this framework. The framework has to cover the same aspects as covered by COSO. When approved, the client has to translate the framework into measurable criteria (Nieuw Amerongen and De Jager 2005).

2.4.2 The role of the external auditor

The requirement of Section 404 for an auditor’s opinion on internal control over financial reporting has changed the nature, timing and extent of testing controls. Before the Sarbanes-Oxley Act, external auditors were hired by a public firm to audit the financial report and they could elect to forgo the testing of controls and perform the audit using only substantive testing (Koehn and Del Vecchio 2004). Due to SOx 404, the auditor of a listed firm is obliged to determine the reliability of the management statement as well. The auditor determines the management statement (in all material respects) of the client in relation to the effectiveness of internal control instruments over financial reporting. Section 404 requires external auditors to attest to the company’s evaluation of its controls every year. The auditor is expected to assess the documentation of controls and procedures as well as how employees perform the control activities for which they are responsible (Wagner and Dittmar 2006).

Auditors reported that the initial implementation of SOx led to a dramatic increase in their workload (Hill et al. 2007). There was a lot of uncertainty about the precise requirements on the activities of the auditor, especially in the first stage after the implementation. The external auditor operated very cautiously in the post-SOx environment of PCAOB inspections. “The more effort the auditors demand of the 404 process, the less risk they absorb within their audit opinions, while at the same time maximizing the audit fees” (Kral 2006). In reaction to this, the PCAOB has clarified the external auditor’s role in SOx 404 in its Auditing Standard No.2 (AS2; PCAOB 2004). AS2 aims at giving the auditor more flexibility to use the test activities of their client, without harming the quality of the audit (Nieuw Amerongen and De Jager 2005).

[12] Reasonable Assurance: Exchange Act Section 13(b)(7) defines reasonable assurance and reasonable detail as such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.


A way to decrease the workload is to focus on the controls that are most susceptible to error. This is called ‘controls rationalization’ (Wagner and Dittmar 2006). Hill et al. (2007) mentioned that auditors needed much more guidance from the PCAOB in the implementation and maintenance of the standards. Apparently, AS2 was not clear enough. Recently, the PCAOB introduced an improved version of AS2. This new standard is called AS5 and was approved by the SEC in July 2007. The aim of AS5 is to make an audit more efficient and less costly. The PCAOB said the following about the guidance: “AS5 is more principle based and focuses on the most important risks to a company while eliminating redundant procedures.” This can be connected to the opinion of Wagner and Dittmar (2006) about controls rationalization. Practice will reveal if these measures result in a decrease in workload for the auditor and lower costs for the client.

Under section 404, auditors are performing a so-called integrated audit. McConnell (2003) describes the integrated audit as an “integrated activity consisting of an audit of the financial statements and of internal controls”. The auditor has to collect enough evidence to give its opinion on both aspects. The Internal Control-Integrated Framework issued by COSO (section 2.2) provides the generally accepted control criteria on which the auditor’s opinion is based. The auditor’s primary focus is on reliability of financial reporting. The opinion relates to the effectiveness of the controls as a whole, and not to each individual component of COSO (McConnell 2003).

Auditors needed to obtain greater evidence about operating effectiveness of controls in performing integrated audits. The nature, timing and extent of substantive testing could be reduced. However, due to the inherent limitations of internal controls and the risk of management override, auditors will still have to perform substantive testing, including tests of details and analytical procedures for each material account balance or class of transactions (McConnell 2003, p. 4). Management is not allowed to base its statement on the results of the auditor’s tests, since the auditor’s role is to report on the entity’s internal controls and to determine if the management’s written assertion is fairly stated in all material aspects.

An important remark is that, within this process, auditors have to be careful not to do anything that would harm their independence and objectivity. For example, auditors are allowed to help management in gathering information, as long as management directs the process and is responsible for documenting the controls (McConnell 2003).

Hill et al. (2007) state that auditors remain divided on the benefits and costs of SOx. It is exceptional for a profession like this to be as deeply divided on a subject like SOx. These different opinions may indicate how complex and far-reaching the implementation of SOx is. According to Leon (2006), auditors are, in addition to the legislators that supported SOx, vocal proponents of SOx.

2.5 Conclusion

The purpose of the Sarbanes-Oxley Act, as stated in the law, is “to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes”. SOx is compulsory for all firms listed on the U.S. Stock Exchanges. This legislation established new or enhanced standards for the board and the management of public companies and for public accounting firms as well.

Section 404 of the Act supports the internal controls that emphasize the accuracy and reliability of financial information published by a company. This section prescribes an annual evaluation of internal controls and procedures for financial reporting, and requires CEOs and CFOs to periodically assess and prove their effectiveness. Management has to provide a management statement dated as of the end of their fiscal year as well as an internal control report in their annual report. Management needs to determine whether the system of internal control provides reasonable assurance that material errors, in either interim or annual financial statements, will be prevented or detected. COSO is a suitable framework that can be used.

The external auditor has to analyse and report on management’s assessment of the internal control over financial reporting as well as the effectiveness of the controls. The auditor determines the management statement of the client in relation to the effectiveness of internal control instruments with respect to financial reporting. The PCAOB has clarified the external auditor’s role in SOx 404 in AS2, which was recently superseded by AS5, to make an audit more efficient and less costly. An integrated audit is used by auditors to combine the audit of the financial statements with the audit of internal controls.


3 The advantages and disadvantages of SOx 404

3.1 Introduction

One of the main components of this report is the identification of the advantages and disadvantages of Sarbanes-Oxley 404. This is addressed by the third sub-question: What are the advantages and disadvantages of Sarbanes-Oxley 404 to a company and its shareholders? In the literature, these effects are mainly referred to as benefits and costs. Identifying these effects is not as straightforward as it seems to be. Before evaluating the advantages and disadvantages, it is important to consider from which point of view the research or the remark has been made. It will be obvious that experiences with SOx 404 on the demand side of the statement will differ from experiences on the supply side.

Goelzer (2005) stated in one of his articles: “The costs tend to be more obvious and easier to track. The trick is in capturing and quantifying all of the benefits.” This is one of the most important characteristics to keep in mind while giving an overview of the costs and the benefits. SOx was implemented in the period between 2002 and 2006. Cross-listed firms were the last group to comply with SOx. In recent years, experiences have been shared and the costs of the SOx 404 implementation have been calculated. The benefits are harder to measure. Some benefits are difficult to distinguish from economic influences and other benefits have not occurred yet in this relatively early stage.

The SEC is apparently positive about SOx 404, but adds some remarks of its own. An example is the difference in consequences for bigger and smaller companies. Donald T. Nicolaisen (U.S. SEC 2005), the SEC’s Chief Accountant, said, “The Section 404 requirements are among the most important parts of the Sarbanes-Oxley Act, and I encourage public companies to devote the necessary resources to make sure those requirements are implemented effectively. I don’t underestimate the effort this will require for smaller companies and foreign private issuers, but this extension will provide additional time for those issuers to take a good hard look at their internal controls, as the Act contemplates.” This again underlines the difficulties that occur when giving an overview of the advantages and disadvantages. In the next section, an overview of the present experiences and opinions will be given.

3.2 Advantages of SOx 404

As already mentioned in the introduction, most of the research papers are focussed on the costs of implementing an internal control structure that meets the requirements of section 404. Very few of the research papers address potential benefits of the statement to the company, its investors and other stakeholders. Bergen (2005) describes that this may be due to the intangibility of investor benefits and the lack of conclusiveness in behavioural finance analyses. Nicolaisen (in: Rittenberg and Miller 2005) shares this opinion: “I suspect that the costs are not easy to estimate, but I know that it is even tougher to quantify the benefits”. The advantages of SOx are mainly based on opinions instead of on hard empirical evidence. Since SOx is an ongoing process instead of a standalone project, most of the benefits of SOx will appear over time.


First of all, the benefits for the internal organization will be discussed. Goelzer (2005) asserts that when a company succeeds in a proper implementation of SOx 404, this could be turned into a value enhancing initiative. The only way for a company to accomplish this proper implementation is to create an appropriate corporate culture. Section 404 is just a piece of a broader change in this corporate culture (Goelzer 2005). The improvements in the control environment made it possible to improve the basic internal controls as well (Rittenberg and Miller 2005).

Kral (2006) summed up some benefits of the SOx 404 process in his column. He mentioned that SOx causes a greater awareness of well-functioning internal controls within an organization. Instead of just executing the actions tied up in procedures, management and staff are more aware of the importance of the internal control system and the impact of malfunctioning internal controls on the organization. Besides the awareness, the accountability of people involved in the functioning of internal controls within the organization is enhanced as well (Kral, 2006). This can be stimulated by creating an environment in which the SOx requirements are embedded. This is the control environment (COSO), which is strengthened by SOx 404. The management has a key role in propagating the values in the company. Wagner and Dittmar (2007) state that the control environment creates the degree to which employees recognize the importance of method, transparency, and care in the creation and execution of their company’s policies and procedures. This does not necessarily mean an increase in workload, because Kral (2006) also says that SOx 404 causes the elimination of non-value added redundant controls so people can pay more attention to the most important controls. These controls are often called ‘key controls’. Deficiencies in those significant controls could be identified and repaired.

Other advantages appeared as well. SOx forced management to support their staff to update operations manuals, to revise personnel policies and to record control processes (Wagner and Dittmar 2006). So the quality of documentation improved, but the quantity as well. Some tasks were complex by nature, but others were needlessly complex. SOx stimulated simplification of these tasks and accelerated the simplification process (Wagner and Dittmar 2006). Processes have been standardized as well. This was quite a difficult task since all inconsistencies were identified and addressed across all operating units and entities.

Manual processes are the weakest aspects of the internal control system, because they are more prone to human error and less reliable compared to automated controls (Wagner and Dittmar 2006). The resources of the company were especially devoted to the IT controls, which turned out to be vulnerable. When the IT controls are working correctly, companies will have more confidence in their control structure, and are able to evaluate accounting risks by structured identification, documentation and testing. This enables an investor to get more confidence in the reliability of unaudited data provided to the market (Rittenberg and Miller 2005). Human processes were more extensively tested.

Management’s responsibility increases and the internal control statement is stressed due to reporting about being ‘in control’. The internal control system has to protect companies against fraud in financial reporting. By using this instrument in the right manner, legislators are able to get a better grip on an organization (De Groot 2006). Due to the growing importance of the internal control system, companies can obtain a competitive advantage by setting up a well-functioning internal control system. Companies can distinguish themselves from competitors, because the internal control system could result in lower risk for investors (De Groot 2006). This competitive advantage is not specifically of importance for U.S. listed firms, because all these firms have to implement a well-functioning internal control system. In particular, companies that delisted but maintained their internal control framework based on SOx could distinguish themselves from other firms without a listing on the U.S. exchanges.


Oversight Systems (2005) conducted research to find out whether SOx has an influence on the prevalence of institutional fraud. In 2005, most of the fraud examiners saw SOx as an effective tool for fraud identification. “Nearly two-thirds of respondents (65 percent) indicate that SOX has been somewhat or very effective in identifying incidences of financial-statement fraud” (Oversight Systems 2005). The respondents did not expect that a cultural change among U.S. business leaders toward institutional integrity and fraud prevention in the wake of accounting scandals would remain in the future. This turned out to be true in the research conducted by Oversight Systems in 2007; “three-quarters of respondents feel institutional fraud is more prevalent today than it was in 2002.” This finding was remarkable, because the respondents were asked to reply to the same query as in the research of 2005. This would indicate that SOx is not effective in reducing fraud in the long term, which could be a disadvantage of SOx as well.

Not only the parent company has to comply with SOx, but its subsidiaries as well. Even partner companies have to comply with SOx, when they materially affect the financials of the primary company (Wagner and Dittmar 2006). The primary company must obtain assurance about the effectiveness of the internal control system of the partner company. A way to do this is to ask the partner company to provide a SAS 70[16] type II report. If the partner company is unwilling to do so, the primary company has to audit the partner by itself. Weak links will be strengthened since this joint SOx process will stimulate communication among stakeholders and subsidiaries.

SOx has to lead to an increase in the quality and credibility of the Audit Committee as well (Wagner and Dittmar 2006). This can be achieved by more focus on the independence of the members of the Audit Committee. Members of the committee must be free of most financial and personal ties to the company. Another measure could be that at least one of the members should be a ‘financial expert’ (Wagner and Dittmar 2006).

As already mentioned in the beginning of this section, it is difficult to measure the benefits of SOx 404. Researchers are currently trying to estimate the positive effects of these rules. “Recent studies show a correlation between strong controls and positive performance in shareholder returns, profitability, risk mitigation, dividend yields, and costs of capital” (Kral 2006). This implies that shareholders are satisfied with SOx 404, which results in an increased confidence in the companies. The cost of capital will decrease, as well as the dividend that was meant to compensate the risk. These lower costs will have a positive influence on the profitability of the company and will result in higher shareholder returns. The lower cost of capital as a result of stronger internal controls is supported by research by Ashbaugh-Skaife et al. (2006). This research proves that firms with control deficiencies have significantly higher idiosyncratic risk[17], systematic risk, and cost of equity capital. The remediation of an internal control deficiency is followed by a significant reduction in the cost of capital.

Benoit (2006) concluded after his research into the benefits and the costs of SOx 404 that average stock prices increased more for companies that already had good internal controls over financial reporting compared to companies that either corrected their internal controls or remained unimproved. This shows again the advantage of a reliable internal control system to the company and its investors.

[16] Statement on Auditing Standards number 70

[17] The risk that a share fluctuates more or less compared to the market.


Due to the benefits for investors, it is possible that investors are going to desire SOx 404 compliance for companies outside the U.S. as well (De Groot 2006). The reason is that a strong internal control framework could be beneficial to all companies, regardless of their home country or their size.

The SOx requirements are clearly stated by its legislators. Shareholders, bankers and other stakeholders may start to view these SOx requirements as “best practices,” and they prefer a relation with entities that voluntarily comply with procedures and standards that are close to the SOx requirements (Stephens and Schwartz 2006). This indicates that a market-wide demand exists for stronger internal controls. Companies are starting to realize this, even though these companies are not listed on a U.S. stock exchange. Some companies even started developing their own instruments to provide a trustworthy internal control statement to shareholders and other stakeholders.

The most important criticism of SOx 404 is the compliance costs involved with this section. I will go into further detail on this disadvantage in the next section. The high costs are apparently the price that had to be paid for future advantages. Compliance costs are a result of documenting more fully and elaborately, defining and enforcing restrictions on access to information technology systems, separating accounting and financial functions, and improving procedures. But these packages of measures are necessary to yield benefits in terms of better information systems and reduced risk of lower-level fraud (Clark 2005). The costs that come along with fraud are considerable. The chance that fraud appears not only reduces investor confidence and increases their monitoring costs, it also leads to misallocation of resources (Johnson et al. 2004). So reducing fraud will reduce costs for companies in the long term as well. The problem in the short term is that these benefits are expected to occur in the longer term. In addition to that, CRA International (2005 and 2006) proves that the costs of compliance with SOx 404 are declining over time. This is a result of a well-functioning internal control system, and the fact that higher historical costs stimulated a company to use their resources more efficiently. Companies will see significant efficiencies over time (Rittenberg and Miller 2005). McConnell (2003) wrote: ‘better control processes could result in operating efficiencies and reduced litigation and fraud’.

The efficiencies do not only count for the companies themselves, but also for the auditors responsible for judging the management statement over the internal control framework. The PCAOB prescribes a new top-down, risk-based approach. This method will contain some extra work in the early stage, but is expected to lead to a decrease in workload and lower compliance costs in the future (Nieuw Amerongen 2007). One of the most important arguments for the opinion that the initial compliance costs are an investment in the future is that stronger controls and better auditor understanding of those controls will pay off in the long term in terms of audit efficiency (Goelzer 2005). An auditor has to fulfil fewer activities when he or she can build on a strong internal control system. “In addition to the legislators that supported SOx, accountants have been vocal proponents of the Act” (Leon 2006). Wagner and Dittmar, both auditors, even said: “smart companies have stopped complaining about Sarbanes-Oxley . . . and turned it to their advantage.” When reading this statement, the fact that audit companies benefited from this new legislation themselves as well cannot be neglected.

3.3 Disadvantages of SOx 404

The main disadvantage of SOx is related to the costs that occur when a company has to comply with the Act. Section 404 is probably one of the most costly provisions (Koehn and Del Vecchio 2004). Legislators, as well as companies and executives, expected that the introduction of the new law would contain a significant increase in governance costs, but the costs have been much higher than expected (Kral 2006). In the literature, many
