Globalization efforts to improve internal controls

While corporate scandals in the U.S. have received a great deal of attention, Europe has its own versions of Enron and WorldCom. Parmalat, the Italian agribusiness giant, and Ahold, the Dutch retailer, are two recent examples. The scandals and the resulting loss of investor confidence have increased global efforts to create a regulatory framework that improves transparency in financial reporting for both publicly traded companies and government agencies.

The Sarbanes-Oxley Act has received the most attention, but is widely viewed in much of the world as an overreaction that has imposed too harsh a burden, especially on smaller and entrepreneurial enterprises, which create the majority of economic growth.

The European Union has taken a principle-based and voluntary approach, with less reliance on government regulations than the U.S. The EU is touting this as an emerging global standard. The more flamboyant critics in Europe call SOX an extension of American imperialism, but have little evidence that voluntary measures will work. SOX is too new for its benefits to be evaluated, but cost estimates continue to rise, ranging from $1 million to $5 million for most enterprises.

The answer to the debate between voluntary guidelines and mandatory regulations may lie in which approach offers the most economic benefit. Even the harshest critics of the U.S. concede that American economic growth continues to outpace that of the EU and the members of the Organization for Economic Cooperation and Development. The OECD's Economic Outlook, No. 76, Nov. 30, 2004, published projections that call for the U.S. to continue to outstrip the others in terms of growth in gross national product. (See chart, page 39.)

Forward-thinking public and private companies in the U.S. have taken a proactive approach to regulatory requirements to improve internal controls. They view them as a best practice that will increase their profitability and provide a strategic competitive advantage. If this is true, it may widen the growth gap between the U.S. and the EU even further.

The U.S. government's Office of Management and Budget Circular A-123 will impose SOX-like regulations on all federal agencies starting next year. It is likely that the U.S. states and possibly local agencies will follow suit. This could have a major economic impact, given that federal and state spending combined equal about 25 percent of gross domestic product in the U.S., according to the Congressional Budget Office and the Center on Budget and Policy Priorities. Total government spending is as high as 40 percent to 50 percent of GDP in some European countries, so activities to improve government internal controls and, by extension, efficiencies, can improve the effectiveness of social welfare programs.

What follows is an overview of the global efforts to improve internal controls.

The U.K. and Canada

The United Kingdom's efforts to improve internal controls are described in the Combined Code on Corporate Governance, first published in 1999. The goal of this "Turnbull Guidance" is to assist non-U.S. companies that are registered with the Securities and Exchange Commission, referred to as "SEC registrants," that have elected to adopt the Turnbull Guidance as a framework for Sarbanes-Oxley Section 404 purposes. The SEC has referenced the Turnbull Guidance as a suitable framework for judging the effectiveness of internal controls. It goes into effect on July 15, 2005.

Canada is enacting its own measures to improve internal controls. Known as the Ontario Securities Commission Multi-Lateral Instrument 52-109 (similar to SOX 302) and Multi-Lateral Instrument 52-111 (similar to SOX 404), they require the filing of an internal control report with a company's annual report.

Banking and insurance

There are also efforts underway to improve internal controls within the banking community. In June 2004, the Group of Ten countries published a new framework for capital adequacy known as Basel II, which goes into effect by the end of 2006. Sections 744 and 745 of Basel II call for an independent review of the internal control structures, including risk management; establishing a method for monitoring compliance with internal policies; and verifying whether a system of internal controls is adequate to ensure well-ordered and prudent conduct of business.

Sections 751 and 752 of Basel II call for the assessment of the control environment, including the quality of information reporting and systems, the manner in which business risks and activities are aggregated, and management's record in responding to emerging or changing risks. The capital level of individual banks should be determined according to their risk profile and the adequacy of their risk management process and internal controls.

The European Commission's Financial Services Action Plan creates major challenges with Solvency II for insurance carriers with a new solvency regime. Capital markets are demanding greater steadiness and clarity in the measurement of solvency. While improving solvency requirements, the commission believes that the rules for banks and insurers should be harmonized, because many of their product offerings are overlapping and consolidating.

Basel II and Solvency II would require banks and insurers to rethink their existing risk management strategies due to the fact that many of them do not have systems to quantify and mitigate risks. Both Basel II and Solvency II take a three-pillar approach, in which one pillar calls for enhanced internal controls, including risk management, as a means to promote transparency in financial reporting. As banks and insurers are required to manage risks, they will reward their customers who can demonstrate robust internal controls with, respectively, lower capital costs and lower rates.

The EU and the OECD

The EU's interest in improving internal controls has been driven by the introduction of the euro as a common currency, the freer flow of capital, the growth and diffusion of shareholding, increased merger and acquisition activities, and global market pressures to improve efficiencies and competitiveness. Other factors include the loss of investor confidence sparked by scandals, economic downturns and the flight of capital from various unstable areas.

The number of EU nations issuing corporate governance codes to improve internal controls increased dramatically during the 1990s. These national code adoptions were facilitated by the OECD with its 30 member countries, which represent 60 percent of global gross national income and 76 percent of global trade. The OECD also has relationships with 70 other countries, so it has a global reach. It plays a prominent role in fostering good governance in the public service and in corporate activity.

The relevant provision in the OECD Convention's Section 8 imposes obligations that are similar to SOX. Measures to increase transparency include:

* Adequate accounting requirements;

* Independent external audits; and,

* Internal company controls.

The European Economic Reform White Paper of 2002 defines internal controls as creating standards for five key control components:

* The control environment;

* Performance and risk management;

* Information and communication;

* Control activities; and,

* Audit and evaluation.

As does SOX, the EU stresses that internal controls are the responsibility of all managers and must be integrated with all operating activities, so that timely reactions to changes can be made with valid information.

The OECD's principles-based approach to internal controls is based on good standards, rather than the mandatory compliance required by Sarbanes-Oxley. The OECD argues that its Principles of Corporate Governance have the following advantages over SOX:

* Unlike SOX, they play an important role in the development of national codes and principles and can become a world standard.

* Unlike SOX, they create an effective framework for stimulating and organizing the debate about corporate governance in a wide range of countries, including in many emerging market economies.

* Unlike SOX, they introduced the notion of using Standard & Poor's Corporate Governance Services to benchmark and provide voluntary compliance scores.

* And unlike SOX, they have been successful because they are just principles - allowing countries to adapt them to suit local circumstances and issues.

A global GAAP

Effective Jan. 1, 2005, all EU companies that have shares traded on any EU-regulated market will be required to prepare consolidated financial statements in accordance with International Financial Reporting Standards. Member nations may elect to extend IFRS to private companies as well. Seven thousand EU companies are now using IFRS. The U.K. is a strong supporter of IFRS as a replacement for its generally accepted accounting principles. Australia, Russia and Japan are moving towards IFRS as well.

The U.S. Financial Accounting Standards Board and the International Accounting Standards Board are committed to working with each other and converging U.S. accounting standards and IFRS, with the ultimate goal being a single set of high-quality global accounting standards, herein referred to as global generally accepted accounting principles.

There is also a movement toward an XML standard to promote a global GAAP. The Extensible Business Reporting Language is an attempt to create an Internet-based global reporting language. The spotty history of efforts to create industry-specific and process-specific XML standards would suggest that this will not be an easy task or a short-term effort.

The difficulty of converting from national GAAPs to IFRS will vary greatly from country to country, and from industry to industry. Many national GAAPs are based on completely different principles. Adding to the problem is the fact that many national GAAPs are not going to disappear, so enterprises will have to maintain two sets of books. While few U.S. companies will be directly affected in 2005, they will have to consider what their balance sheets would look like after convergence, and those with international subsidiaries will need to comply now. That means that chief financial officers in the U.S. will have to disclose information in Europe that they don't disclose here.

The impact on Asia will be even more dramatic. Many Asian enterprises are closely held, family-controlled and naturally hesitant to change. Western notions of good governance with independent directors are not normally accepted. Many American joint ventures in Asia are not publicly held. As they decide to go public, a major change in corporate governance will be required.

The move toward a global GAAP will impact internal controls. Most local GAAPs are not as robust as the new IFRS. While there are many differences between U.S. GAAP and IFRS, their core framework and guidance are basically the same. They will promote robust internal controls. The convergence of the U.S. GAAP and IFRS will create a more level playing field for investors as they seek to compare the financial performance of companies no matter where they are located throughout the globe. It will also help companies compare their financial performance, including internal controls, against competitors throughout the world.

COSO and COBIT

So there is a global trend to improve internal controls, but is there a recognized framework for defining internal controls and risk management, which is core to internal controls, on a business and technology level? The Committee of Sponsoring Organizations, or COSO, and the Control Objectives for Information and Related Technology, or COBIT, are growing in their acceptance among regulators, public accounting auditors, financial professionals and information technology professionals.

COSO established a framework for internal controls as part of the Treadway Commission in 1985. COSO standardizes the definition of internal controls by providing a framework for risk management and regulatory compliance. At its core, it requires:

* A control environment;

* Risk assessments;

* Control activities;

* A definition of materiality; and,

* Corrections of material weaknesses.

COBIT is an open standard for information technology governance that is growing in its acceptance. It was developed as a standard for good IT security and control practices that provides a reference framework for management, users, and information systems audit, control and security practitioners. COBIT was issued by the IT Governance Institute, and is increasingly accepted internationally as good practice for control over information, IT and related risks. Its guidance enables an enterprise to implement effective governance over IT that is pervasive and intrinsic throughout the enterprise.

In particular, COBIT's Management Guidelines component contains a framework responding to management's need for control and measurability of IT by providing tools to assess and measure the enterprise's IT capability for the 34 COBIT IT processes.

Conclusion

The global movement to improve internal controls is undeniable, and there is a growing acceptance of a business and IT framework upon which to define internal controls and to manage risks. The common elements in Basel II, Solvency II, the OECD's Principles, the U.K.'s Turnbull Guidance, Canada's Multi-Lateral Instruments 52-109 and 111, and Sarbanes-Oxley include requirements or recommendations to:

* Identify risks to financial reporting and develop risk mitigation strategies on both the business and the IT side.

* Ensure that all significant risks are matched to manual and automated controls.

* Design and pilot an operational effectiveness testing methodology.

* Test all key manual and automatic controls and revise control ratings based on their operational effectiveness. This includes monitoring, detecting and enforcing controls.

* Automate the process for the quarterly review of significant financial accounts to determine whether any new accounts fall within the defined materiality threshold.

* Identify any new business and IT control gaps arising from the quality assessment review and operational effectiveness testing, and ensure that remediation action plans are in place.

* Complete a detailed quality assessment of all business and IT controls documentation in order to verify that no key controls are missing.

* Document all embedded system application controls.

The major debate is over whether it is best to base control efforts on mandatory regulations with severe criminal and civil penalties, or on largely voluntary guidelines. The EU and OECD side would argue that it is unrealistic to impose one mandatory standard on all the economies of the world. They advocate a system of largely voluntary guidelines and principles to improve internal controls without the high financial costs and threats of criminal penalties that SOX imposes.

The American side would argue that the large number of scandals in the high-flying 1990s proves that voluntary guidelines based on U.S. GAAP and other widely accepted standards, and audited by prestigious accounting firms, were catastrophic failures that mandate dramatic changes in regulations. A growing number of leading U.S. firms would add to the argument that new regulations will improve decision-making with more timely and accurate financial reporting, facilitate the handling of material events and weaknesses, and reduce intentional fraud and unintentional errors.

The reduction of fraud and errors may be the single largest benefit from improvements in internal controls. Joseph Wells, in his 2004 book The Corporate Fraud Handbook: Prevention and Detection, cites a survey of 30,000 members of the Association of Certified Fraud Examiners. Based upon their experience and general knowledge, his members estimate that losses to fraud represent 6 percent of gross revenues. Applied to the U.S. gross domestic product of $10 trillion, this would result in $600 billion in losses.

The question is how much fraud and how many errors can be reduced through improved internal controls. Even a small reduction could have a dramatic impact on financial performance for both public companies and government agencies.

Even more intriguing is the impact of improved controls on government agencies. Americans typically argue that government spending is inherently inefficient and a drag on economic growth, and, consequently, that improvement in internal controls can only help in reducing the economic drag. Since government spending is as high as 40 percent to 50 percent of GDP in Europe, the failure to improve internal controls via the requirements found in the U.S. OMB Circular A-123 will put the EU even further behind the U.S. in economic growth.

When given a choice between enterprises and markets that have clearly demonstrated robust controls and those that have not, investors will take the path of least risk and reward the leaders in controls - especially if improved controls translate into greater transparency in reporting, greater financial stability, and higher productivity and growth rates. Banks and insurers will also reward public and private enterprises with robust compliance.

The disdain that much of the world feels towards the U.S. and the Sarbanes-Oxley legislation must be balanced against the undeniable fact that the American economy has historically grown and is projected to continue to grow faster than the EU and the OECD, and that the U.S. has the opportunity to widen the gap with improvements in internal controls.

While the OECD is correct in noting that local differences exist, the fundamentals of internal controls and good GAAP in corporations and governments should transcend national and regional boundaries. The scandals of corporate America in the 1990s may be the best evidence that the OECD's voluntary guidelines approach will have only limited success.

America cannot afford to be arrogant or jingoistic in this process. After all, it was under U.S. GAAP that America suffered through the recent huge wave of corporate scandals, with financial reports signed by the most prestigious accounting firms in the world.

The IFRS efforts to create a global GAAP will compel major changes on the American side as well. The SEC is supportive of convergence with a global GAAP to attract emerging markets to the U.S. exchanges. The international acceptance of COSO's internal controls framework, IFRS's GAAP, and the prospering of U.S. firms with robust U.S. SOX compliance will have a combined effect to greatly improve and standardize financial reporting. This will lead to global capital markets in which companies will present financial reports that can be understood and compared by investors around the world.
