Regulatory Responses Flashcards
What are the key regulatory changes post-scandals
US (SOX 2002):
Created PCAOB oversight
Mandated CEO/CFO financial certification
EU (2014 Reform):
Audit firm rotation (10-20 years)
70% cap on non-audit fees
UK (2021 Proposals):
ARGA replacing FRC with stronger powers
“Managed shared audits” for FTSE 350
Operational separation of Big 4
Example: EY’s 2022 plan to split audit/advisory businesses
What patterns emerged in major audit failures
Accounting Tricks:
Off-balance sheet entities (Enron)
Fake accounts (Parmalat’s €4B “bank account”)
Auditor Failures:
Over-reliance on management (Carillion)
Lack of skepticism (Patisserie Valerie)
Structural Issues:
Long auditor tenure (Avg. 17 years pre-SOX)
Cross-selling conflicts (Andersen consulting)
Data Point: 80% of frauds involved asset overstatements (ACFE)
What is the Sarbanes-Oxley Act?
Enacted: July 30, 2002 (post-Enron)
Scope: All SEC-registered companies (incl. foreign listings)
Core Purpose: Restore trust via:
Stronger internal controls
Auditor independence
Executive accountability
Impact: Audit fees increased 35% in first year post-SOX
What are SOX’s major requirements
✔ PCAOB: New audit regulator
✔ Section 302: CEO/CFO personal certification
✔ Section 404: Internal control audits
✔ Audit Committee: Fully independent
✔ Partner Rotation: Every 5 years
✔ NAS Ban: 9 prohibited services
Penalty: Willful violations → 20 years imprisonment
What is Section 302 of SOX
SOX Section 302 mandates that CEOs and CFOs have to sign off on SEC reports, confirming that they have reviewed the report, that it contains no untrue statements or omissions, and that the financial position is fairly represented.
They are also responsible for internal controls and must have evaluated and reported on them within 90 days of the report, disclosing any weaknesses to the audit committee and auditors, as well as reporting any significant changes in internal controls.
These requirements are enforced by personal penalties (imprisonment/fines)
What is Section 404 of SOX
SOX Section 404 requires an annual internal control report that is signed off by auditors on the adequacy and effectiveness of internal controls.
The requirements of the SOX Act encompass the points listed under the major provisions, emphasizing a sound system of internal control, documentation of financial processes and risk management, and evidence of evaluation of the control environment by management, auditors, and audit committees
How did SOX change auditing
Constraints:
NAS revenue dropped 40% initially
PCAOB inspections increase liability
Opportunities:
Control testing became 30-40% of audit work
SOX compliance services created new revenue
Paradox: Big 4 revenue grew 58% 2002-2005 despite restrictions
What reforms followed SOX’s limitations
EU (2014): Mandated audit rotation
UK (2020): Operational separation
Global: ISQM 1 quality management standards
Current Debate: Whether shared audits improve competition
What services are auditors banned from providing to audit clients under SOX
Bookkeeping: Maintaining client accounting records
Financial Systems Design: Implementing/changing accounting software
Actuarial/Valuation: Calculating reserves or asset valuations
Investment Services: Portfolio management advice
Internal Audit: Outsourced internal audit functions
Management Roles: Temporary staff in executive positions
Rationale: Prevents auditors from auditing their own work or becoming management.
How can auditors provide non-prohibited services (what’s allowed by NAS)
✔ Must obtain pre-approval from client’s audit committee
✔ Committee must be fully independent
✔ Services must be documented in SEC filings
✔ Fees must be reasonable and disclosed
Example: Tax compliance services require committee approval.
How does SOX mandate audit partner rotation
Lead Partner: Must rotate every 5 years
Cooling Period: 5 years before returning
Other Partners: 7-year rotation for concurring reviewers
Documentation: Rotation plans must be filed with PCAOB
Impact: Reduced average partner tenure from 12→5 years post-SOX.
What additional SOX independence rules exist
Employment Ban: Auditors can’t join client in key roles for 1 year
Conflict Disclosure: Must report all relationships to audit committee
Fee Caps: NAS fees can’t exceed 5% of total audit fees
Whistleblower Protections: Auditors can report issues without retaliation
Enforcement: PCAOB conducts independence inspections.
What is the US-based method of enforcing corporate governance after Enron
Sarbanes-Oxley Act (SOX)
Enacted: July 30, 2002
Key Components:
* PCAOB oversight
* CEO/CFO financial certifications
* Internal control requirements
* Auditor independence rules
Applies to: All SEC-registered companies (including foreign listings)
Context: Implemented <1 year after Enron’s collapse to restore investor confidence.
How did SOX fundamentally change auditing
New Regulator: PCAOB monitors audit quality
Service Restrictions:
Banned bookkeeping, system design, valuation, internal audit, management services
Other NAS require audit committee approval
Partner Rotation: Lead partner every 5 years
Control Testing: Mandatory internal control audits (Section 404)
Legal Protections: Whistleblower safeguards
Example: Audit fees increased 35% in first year post-SOX.
What are the costs of SOX for firms
A FEI survey of 217 companies with average revenue above $5 billion found that the cost of compliance with SOX s.404 averaged $4.36 million, with much of this in the first year due to increased audit hours.
Interestingly, despite restricting NAS, audit firms have been among the largest beneficiaries of SOX due to their expertise in dealing with the legislation.
This suggests that while SOX might have closed off some revenue streams from NAS, it increased the demand and complexity of audit work itself, potentially increasing audit fees.
How did SOX affect non-US markets
Direct Effects:
Applies to all SEC-registered foreign firms
Created tensions with EU regulators
Indirect Effects:
Inspired EU’s 2014 Audit Reform:
* Mandatory rotation (10-20 years)
* 70% cap on non-audit fees
UK’s Operational Separation rules
Corporate Response:
Some firms delisted from US exchanges
Others adopted SOX-like controls globally
Example: Deutsche Bank spent €100M+ on SOX compliance.
What were the key events in the AIG accounting scandal
2005: Investigation reveals accounting fraud
May 2006: $58B market capitalization loss
Sept 2008: $85B Fed rescue package announced
Final Toll: >$200B in government loans
Critical Detail: Occurred 3-6 years after SOX implementation
Auditor: PwC issued clean opinions throughout
How did AIG expose SOX’s limitations
Expected SOX Protections:
✓ Internal control documentation
✓ PCAOB oversight
✓ Auditor independence rules
✓ Executive certifications
AIG’s Circumvention:
* Used complex credit default swaps
* Misclassified financial instruments
* Masked risks through offshore entities
* Auditors lacked derivatives expertise
Verdict: SOX couldn’t prevent sophisticated financial engineering
Why did these controls fail at AIG
Technical Gap:
SOX focused on traditional accounting
Didn’t address derivative valuation
Behavioural Gap:
“Checkbox compliance” mentality
Lack of professional scepticism
Structural Gap:
Audit partner rotation didn’t prevent oversight
Non-audit service bans irrelevant to core issue
What were the key objectives of the EU’s audit reforms
Primary Goal: Restore confidence in financial markets post-crisis
Key Focus Areas:
✓ Auditor independence
✓ Audit quality
✓ Market competition
✓ Transparency
Scope: Applies to all Public Interest Entities (PIEs)
Implemented: 2014 EU Audit Regulation and Directive
What is Mandatory Audit Rotation
Requirement: PIEs must rotate audit firms every 10 years (or tender after 20 years with joint audit)
Cooling Period: 4 years before re-engagement
Rationale:
✓ Prevents over-familiarity/“cosy” relationships
✓ Encourages fresh perspective
✓ Increases professional skepticism
Impact on Firms:
✓ More frequent competitive tendering
✓ Loss of long-term client relationships
✓ Increased costs of client acquisition
Which entities class as a Public Interest Entity (PIE)
Included Entities:
✓ Banks/credit institutions
✓ Insurance companies
✓ Listed companies
✓ Other designated entities
Special Requirements:
✓ Stricter auditor independence rules
✓ Enhanced transparency reporting
✓ Mandatory rotation applies
Rationale: These entities’ failures could significantly impact public confidence and financial stability
How did EU reforms strengthen Auditor Independence Rules
NAS Restrictions:
✓ Absolute bans on tax compliance, bookkeeping, HR services
✓ 70% cap on other NAS fees (vs audit fees)
✓ Audit committee must pre-approve NAS
Comparison to SOX:
✓ EU allows more NAS types than US
✓ But stricter percentage caps
Impact:
✓ Reduced conflicts of interest
✓ Decreased NAS revenue for audit firms
What Oversight changes did the EU implement
National Oversight Bodies:
Authority to inspect firms
Power to impose sanctions
Transparency Reports:
Must disclose:
* Governance structure
* Quality control procedures
* Financial information
* NAS breakdown
Peer Review: Regular quality inspections
What were the main components of the UK’s 2021 audit reform plan, and what problems were they addressing
Shared Audits: Mandate for FTSE 350 companies to involve smaller firms in audits (Goal: Break Big Four dominance).
Market Caps: Potential limits on Big Four’s FTSE 350 audits if quality doesn’t improve (Target: 30% of inspected audits needed improvement).
ARGA: New watchdog replacing FRC with powers to force account resubmissions (Problem: FRC lacked enforcement teeth).
Clawbacks: Directors’ bonuses recoverable for 2 years post-award (Response to “rewards for failure” in Carillion).
Resilience Statements: Disclose risks of dividends/bonuses during financial stress (Aimed at preventing premature payouts).
How would ‘managed shared audits’ function
Mechanics:
Big Four leads the audit but subcontracts ~30% to a smaller firm (e.g., Mazars audits a subsidiary).
FRC’s Scalebox provides training/resources to smaller firms.
What are the arguments for and against managed shared audits
Pros:
✔ Market Competition: Reduces Big Four oligopoly.
✔ Skill Transfer: Smaller firms gain PIE experience.
✔ Fresh Perspective: Mitigates “over-familiarity” risks.
Cons:
✗ Coordination Costs: Complex for global companies.
✗ Quality Risks: Smaller firms may lack FTSE 100 expertise.
✗ Hesitation: BDO/Grant Thornton avoid FTSE 100 work due to liability fears.
Answer Tip:
Use Carillion as an example of audit concentration risks.
Cite FRC data: Only 3% of FTSE 350 audits are non-Big Four.
What is the Financial Reporting Council (FRC) and what does it do
Role: UK’s audit regulator pre-2024 reforms
Functions:
✓ Sets corporate governance codes
✓ Oversees audit quality
✓ Regulates accountants/actuaries
✓ Enforces reporting standards
Powers:
* Investigates firms
* Issues fines (up to £10M)
* Recommends (but rarely enforces) changes
Criticism:
“Too timid” after failures like Carillion (2018) and BHS (2016)
What is the Audit, Reporting and Governance Authority (ARGA)
Role: Proposed replacement for FRC (delayed to 2024+)
Key Upgrades:
✓ Stronger powers: Force account resubmissions without court orders
✓ Higher fines: Up to £50M vs. FRC’s £10M cap
✓ New mandates: Bonus clawbacks, shared audit enforcement
✓ Proactive oversight: Regular inspections of FTSE 350 audits
Purpose: Prevent future Carillion-style collapses through tougher regulation
What are the key differences between FRC and ARGA
ARGA will possess greater legal authority, including powers to force auditors and companies to resubmit accounts without going through the courts. This is a more direct and faster route.
ARGA will have a much wider remit of scrutiny, so will have greater oversight over larger private companies
ARGA is more proactive, inspecting firms on an ongoing basis, as opposed to the FRC’s reactive approach of acting after scandals
ARGA’s maximum fines are £50m, whereas the FRC’s are £10m
FRC took 4 years to sanction KPMG for Carillion
ARGA could force immediate corrections
Why do the FRC/ARGA matter for auditors and markets
For Auditors:
ARGA’s £50M fines could bankrupt smaller firms
Stricter rules may reduce Big Four dominance (currently 97% FTSE 350 audits)
For Companies:
ARGA’s resilience statements may limit risky dividends
Clawbacks make directors personally liable
For Investors:
Higher-quality audits → more trustworthy reports
But delays hurt confidence (ARGA stalled to 2024)
Economy-Wide:
Aims to prevent £5B+ corporate collapses like Carillion
Stat: FRC found 29% of FTSE 350 audits needed improvement (2023)