Andrew Bailey and Greg Shepherd examine some of the lessons that the Sarbanes-Oxley legislation forced firms to learn
The Sarbanes-Oxley legislation ('Sox'), which became law in July 2002, was widely regarded, both within and outside the US, as a heavy-handed and excessively legalistic response, with international repercussions, to US accounting problems, specifically the beggaring of shareholders in Tyco, Enron and WorldCom by unscrupulous management.
Since then there have been the expected comments from a range of international firms that if they did not have a US listing already they would never seek one now, plus continued criticism of the cost of compliance.
But has it all been bad?
There was, understandably, a fair amount of 'Sox paranoia' initially, with staff at all levels expressing concern that they might find themselves being escorted in handcuffs to a US penitentiary.
There was concern that inadvertent error at a low level could lead to disastrous consequences for both the individual and the organisation.
While the punitive aspects of Sox are, of course, aimed at senior executives rather than junior staff, it remains important that staff at all levels appreciate the importance of Sox compliance, while retaining a sense of proportion about the likely impact of inadvertent errors.
One of the challenges of Sox is to understand processes comprehensively, while at the same time ensuring that the focus is always at a material level. At Markel the Sox exercise initially started from 'the bottom up', documenting processes in detail. With hindsight it would have been preferable to look at it 'top down' so that we could better see what was likely to be material. In the end we had to look at it both ways.
Some of our first-year testing, in 2004, was on low-level operations that were also subject to higher-level controls. In 2005 we have focused more on the higher-level material items while still retaining some detailed tests. In 2006 we would envisage the exercise going further still in this direction.
Sox can cause a change in the relationship between a firm and its auditors. While in certain high-profile cases the auditor's objectivity was clearly compromised through an inappropriately 'cosy' relationship, initial indications were that Sox might inhibit the external auditors' ability to provide objective input to their clients.
At one stage we were concerned that Sox would be like a driving test - you receive no feedback until the end when you may be told "you have failed to reach the required standard." Some firms have found it difficult to reach practical solutions to this situation, which has the potential to encourage them to over-engineer systems and procedures to ensure that they achieve audit approval.
There are some important implications for outsourcing arrangements. Under Sox, where a company has material information or a major function provided by a third party, that company needs to satisfy itself of the accuracy of the data it receives.
Of course, in the London market Xchanging is a highly significant provider of data directly into insurers' systems, and it was essential for Markel to obtain independent verification of the effectiveness of its internal controls.
Xchanging were understanding and helpful in discussing with us and others the shape and focus of the audited report on its controls. Some outsourcing companies may not have been as responsive and this is clearly an area in which the provision of adequate verification must form part of the engagement of an outsource service in the future.
Much of the London insurance market's business comes from binding authorities. Firms impacted by Sox must find a way of demonstrating that the premium and claims data they receive from cover holders is materially accurate.
For the past two years Markel has been enhancing its audit programme and has employed staff dedicated to conducting on-site audits or engaging third party auditors to do so. This will be an area of growth for the market in the future.
Systems implementation is an area that has been enhanced through Sox. Detailed documentation, thorough records of testing, and early consultation with internal audit were always sound practice, but they are now compelled by Sox.
Markel's 2004 Sox testing was largely independent of other internal audit work. We have tried during 2005 to widen the testing that is performed for Sox purposes into broader internal audit reviews that add greater value to management than the simple assurance provided by pure Sox testing.
For example, audits of controls within a particular department can be widened to include process reviews that provide an independent assessment of the effectiveness of that area. We anticipate this increasing during 2006.
Has Sox been beneficial?
Compliance with the Act has certainly increased the awareness among both management and staff of the importance of documenting processes and evidencing the operation of controls.
It has also assisted, to some extent, with implementing a risk assessment framework which feeds into firms' Individual Capital Assessment. In 2004 Sox was approached by us and many other firms as a 'project' - since then it has become more 'embedded' and part of corporate consciousness.
This reduces the burden. However, compliance with Sox still represents a significant expense to all those affected by it, and the benefits certainly do not outweigh the cost.
Sox compliance involves a highly detailed review of a firm's internal controls and extensive testing of those controls. External auditors have to be confident that management's own assessment of its controls is accurate.
As such, successful completion of Sox should provide all those observing a company, whether investors, ratings agencies or regulators, with confidence.
Andrew Bailey is compliance officer, and Greg Shepherd is internal audit manager, at Markel International