Shostack + Friends Blog Archive


Why Didn't SOX Catch The Bank Failures?

Iang recently indicted the entire audit industry with “Two Scary Words: Sarbanes-Oxley”. I’ve excerpted several chunks below:

Let’s check the record: did any audit since Sarbanes-Oxley pick up any of the problems seen in the last 18 months to do with the financial crisis?
No. Not one, not even a single one!
Yet, the basic failures in the financial crisis are so blatant that surely, even by accident at least one audit should have picked up at least one pending failure, and fixed it? No, not one, known to date. At least, as far as I know, and we should probably wait a few years before writing the final judgment.


Can we pronounce the financial audit as bankrupt by its own measures? In theory, the audit should have picked up these failures, all of them. Consider this case-in-point, to prove that the theory works: the enhanced audit required on public listing did in fact pick up the Refco fraud that led quickly to its failure, and the near-failure of Bawag, a big bank in Austria that participated in the fraud. (The sorry fool who found the fraud was fired for his troubles, and only later did his reports filter out and cause questions that ultimately forced the fatal result.)
The audit theory works, then, in some sense or other. Manifestly, audits didn’t work for the financial crisis. And, they so didn’t work after that so-huge rewrite called Sarbanes-Oxley, that we can conclude that mere improvement is completely off the agenda

The thing about SOX is that while it is hugely in-depth as audit requirements go, it is also incredibly narrow in its breadth in terms of how it is implemented by companies and how it is audited. Auditors are so busy ensuring that someone isn’t cooking the books that they don’t look for people who are deluding themselves or who don’t understand their own inputs, or check whether the source data for the models was reasonable. This is why Refco was identified and the bank failures were not. And if there is an actual failure of SOX, this is it: not that it didn’t catch the bank failures, but that it was never designed to do so in the first place. If all you are worried about is nails, all you look for is hammers.

4 comments on "Why Didn't SOX Catch The Bank Failures?"

  • David Brodbeck says:

    And in a lot of cases where there is actual fraud, auditing is simply circumvented by hiring someone friendly to pose as the auditor. That’s allegedly what Bernie Madoff did.

  • rob sama says:

    Well put.
    I have a background in finance and accounting. SOx is designed to stop small errors from accumulating throughout a large system. That is what they mean by financial controls, e.g. making sure expense reports are signed off on and the like. The fact that this was implemented in response to Enron is beyond absurd. Enron wasn’t an accumulation of little errors throughout the system. Rather it was due to fraud conducted at the highest levels of management. SOx will never catch that sort of thing. Neither will it catch widespread delusion or tulip-like mania.
    Sox should be repealed, and assurance in its current form should be replaced by shareholder insurance. Let shareholders buy a policy as to financial statement misstatement and let adjusters determine how much to charge based on the quality of a company’s internal controls. It makes more sense than having auditors attempting to “assure” that there are no material misstatements on the books of a company…
    I’ve been meaning to write a long post on this subject myself. Remind me.

  • Adam says:

    Arthur–How can you check that the books aren’t being cooked without understanding what’s in them? If I list a million dollar receivable, doesn’t it make sense to look and notice that that’s on a house that 2 years ago sold for $500K?

  • Lynn Wheeler says:

    related comments in thread at financial cryptography: Audit II: Two more scary words: Sarbanes-Oxley
    mentioned in the above is a study (& database) that GAO has been doing of financial statements of public companies that involve financial fraud and/or accounting errors … which appear to be on the increase since Sarbanes-Oxley.
