Information Certification under the Sarbanes-Oxley Act: Implications for Computing Educators Ivan Cantu, Daniela Gonzalez, Hector Leal, Kai Koong and Lai Liu College of Business Administration The University of Texas – Pan American Edinburg, Texas 78541, USA Abstract Information content contained in scheduled annual reports and released to the public is normally accepted as accurate. In addition to the relatively structured format used for preparing the listing, the report is supposed to have been audited by highly reputable accounting conglomerates. In the new millennium, misinformation and improper relationships between companies and auditing firms created a shock in the financial world. To remedy the problem, the Sarbanes-Oxley Act was passed. One of the stipulated provisions required executives to certify that the publicly released information was correct. This study examines the compliance of executives with the information certification provision. Specifically, this research reports on the proportion of companies that are able to meet the deadlines, their auditing firms, and auditing firm switches. The results of this study should be of interest to law enforcement individuals, accountants, financial auditors, and information systems experts. Computing educators will find the outcomes reported in this study especially useful because complying with governing standards and generating accurate reports affects all types of information systems. Keywords: information certification, information quality, misinformation systems, Sarbanes-Oxley Act 1. INTRODUCTION Information is a critical asset for individual as well as corporate business decisions. Particularly in the case of agile business environments, this asset can provide decision makers with a competitive advantage. Some of the common sources of information alternatives include periodic scheduled reports, exception reports, demand reports and responses, and push reports (O’Brien 2002). For end-users who are computer savvy, developments in Web-based technologies have even made it possible for them to access portal systems and generate custom-tailored as well as multiple scenarios reports wherever they are located using commercially available decision support and expert systems software. In most cases, it is even possible to capture the data in real time mode and affect outcomes when decisions must be made in a short period of time. For information to be truly useful, it must contain certain quality dimensions and attributes. Most research efforts have found that high-quality information products have three major dimensions; namely, time, content, and form (Bailey and Pearson 1983; Koong and Liu 1999; O’Brien 2002). The time dimension normally includes attributes such as timeliness, currency, frequency, and time period. In the case of the content dimension, the attributes are accuracy, relevance, completeness, conciseness, scope and performance. Finally, clarity, detail, order, presentation, and media are normally included in the dimension pertaining to form. Periodic scheduled reports are widely accepted by individuals and corporate decision makers as quality information products. Guided by commonly agreed upon accounting principles, such reports are fairly standard in their format of presentation. In addition, an internationally known auditing firm is normally recruited to verify that the information presented to the public is accurate and acceptable. For this reason, these annual reports are highly valued by individuals as well as businesses for making investment decisions or for selecting a supply chain partner. At the turn of the new millennium, the many instances of scandal shocked the financial world (Stroller 2002; Editors 2003). Highly rated companies, such as AOL, Enron, HealthSouth, TimeWarner, and WorldCom, just to name a few, were being charged and investigated for having manipulated the data and providing misinformation to the public. World-famous investment advisement companies and banks including J.P. Morgan Chase, Merrill Lynch, Citigroup, and Credit Suisse First Boston, were found to have participated in generating biased opinions for the public. Worst of all, internationally known auditing firms such as Arthur Andersen and KPMG that were supposed to protect the public were a party in the generation of the compromised reports. Given the magnitude of the damages to individuals around the world, Congress passed the Sarbanes–Oxley Act in an effort to restore public confidence in the financial market. Specifically, the Securities and Exchange Commission adopted rules to strengthen auditor independence, provided rules for the retention of records relevant to audits and reviews, and instituted rules limiting auditors from offering consulting services (Schroeder 2003; U.S. Securities Exchange Commission 2003b, 2003c; Whittington and Fischbach 2002). To restore public confidence in the scheduled reports, the chief executive officer or the chief financial officer of companies is required to certify that the publicly distributed information reported is correct and accurate (U.S. Securities Exchange Commission 2003a) when the Sarbanes-Oxley Act becomes effective. 2. STATEMENT OF THE PROBLEM Regardless of how it is assessed, the misinformation contained in the annual scheduled reports has caused a great variety of damages (Editors 2003; Stroller 2002). From a macro perspective, numerous individuals throughout the world were hurt. A large number of investors lost their life savings. Many well-known banks, investment brokers, and accounting firms were participants in the fraudulent conduct of providing misinformation, which resulted in the accounting and financial sector losing a major portion of their credibility. At the micro level, providing or being a party to the generation of misinformation can result in the death of highly regarded companies. Enron and Arthur Anderson are good examples (Stroller 2002; Jenkins 2002). Executives who participate in generating fraudulent reports can be forced to resign in shame, fined, jailed or all of the above. Again, Samuel Waksal of ImClone Systems, Chuck Watson of Dynergy, and Al Dunlap of Sunbeam, provide lessons to be learned. In the case of one Enron executive, the shame became so unbearable that he committed suicide. Recent efforts drafted by the American Institute of Certified Public Accountants and the United States Securities and Exchange Commission should be sufficient to show how critical it is to have high-quality information (Dilley 2002; U.S. Securities Exchange Commission 2003a). Unfortunately, this problem will probably remain in the perception of information users from now on. Once public confidence in such highly scrutinized and important annual publications is eroded to this extent, a long time will have to pass before trust can be restored. 3. STATEMENT OF OBJECTIVE In an effort to re-establish market confidence and to rebuild information quality contained in the annual scheduled reports of corporations, the United States Congress passed the Sarbanes-Oxley Act and made it effective on July 31, 2002. One of the provisions provided corporate executives with 30 days from the date the Sarbanes-Oxley Act became effective to certify that the information contained in their annual scheduled reports was deemed accurate and acceptable. This study examines the compliance of executives with the information certification provision. Specifically, this research reports on the proportion of companies that are able to meet the deadlines, their auditing firms, and auditing firm switches, if any. The results of this study should be of interest to law enforcement individuals, accountants, financial auditors, and information systems experts. Computing educators will find the outcomes reported in this study especially useful because compliance with governing standards and the ability to generate accurate reports affects all types of information systems. 4. METHODOLOGY Companies listed in the Russell 1000 Index were selected as the targeted population for this study. The Russell 1000 Index measures the performance of the 1,000 largest companies in the Russell 3000 Index. This group of companies represents approximately 92 percent of the total market capitalization of the Russell 3000 Index. As of the latest reconstitution, the average market capitalization was approximately $13 billion and the median market capitalization was approximately $3.8 billion. The smallest company in the index has an approximate market capitalization of about $1.4 million. All the companies in this group fit the guidelines contained in the Sarbanes-Oxley Act and have to certify the reports by the deadline. A complete listing of the companies can be downloaded from the World Wide Web located at http://www.russell.com /us/indexes/us/1000.asp. The online version of the annual scheduled report of each company was then accessed using a search engine to access their corporate Web site. The following information was then extracted from the posted report: a. SEC filing covering the affected period, June 30 through December 2002, at a minimum. b. Name of its auditing firm. c. Name of new auditing firm, if a switch was made during the year. d. Date on which information was certified. In cases where this information was not contained in the online report, additional efforts were made to find the information by navigating through the company Web site, or by reviewing the online news and disclosures about the specific company by the respective investment portals. Two dates were used to determine if the company has complied with the information certification requirement in the Sarbanes-Oxley Act. The first compliance date used was July 31, 2002, because this was the date the Act became effective. The second date used for computing compliance was August 29, 2002, because the Act clearly stipulated that this was the deadline for certifying the reports. Both dates were used to obtain a better understanding of the degree of confidence the certifying executives have in the publicly released information. Attempts were also made to see if there are any identifiable trends based on the auditing companies used. 5. FINDINGS All one thousand companies listed in the Russell 1000 Index were targeted for examination in this study. Using the listing, a total of 742 cases were completed for this research. The 258 missing cases involved companies that did not have the information posted online or their Web sites were not operating during the study period. Based on the 742 corporate disclosures, the number of auditing partners can be broken down into 12 categories. Pricewaterhouse Cooper had the most number of Russell 1000 Index clients. Following close behind Pricewaterhouse Cooper was Ernst & Young. About one out of every two companies in this group use either Pricewaterhouse Coopers or Ernst & Young as the auditing authority. By the time this research was completed, Arthur Andersen was ranked fifth in the number of clients with a little less than ten percent of the companies studied. Part of the reason for their poor ranking was because this company has lost over 25 percent of their clients to Deloitte & Touche, Ernst & Young, KPMG LLP, and Pricewaterhouse Cooper. The number of companies and their auditing firm is presented in Table 1. Table1. Auditing Companies and Associated Number of Clients Name of Auditing Firm Number of Clients Percent Rank Arthur Andersen 71 9.57% 5 BDO Seidman 4 0.54% 7 Ciulla, Smith, & Dale 1 0.13% 9 Crowe, Chizek & Co. 1 0.13% 9 DDO Seldman LLP 1 0.13% 9 Deloitte & Touche 125 16.85% 4 Ernst & Young 174 23.45% 2 Grant Thornton 3 0.40% 8 KPMG, LLP 127 17.12% 3 Malin, Bergquisz & Co. 1 0.13% 9 Pricewaterhouse Cooper 179 24.12% 1 No Auditing Firm Found 55 7.41% 6 Total Found 742 100.00% Inaccessible 258 Total 1,000 Table 2. Auditing Firm and Corporate Compliance Rate Name of Auditing Firm S-O Act Effective Date S-O Act Filing Deadline Did Not File Percent Complied by Deadline 7/30/2002 8/29/2002 Before On After Before On After Arthur Andersen 0 1 60 57 0 4 10 80 BDO Seidman 0 0 3 2 0 1 1 50 Ciulla, Smith, & Dale 0 0 1 0 1 0 0 100 Crowe, Chizek & Co. 0 0 1 1 0 0 0 100 DDO Seldman LLP 0 0 1 1 0 0 0 100 Deloitte & Touche 3 0 100 86 0 17 22 69 Ernst & Young 4 1 136 121 0 20 33 70 Grant Thornton 0 0 3 2 0 1 0 67 KPMG, LLP 3 1 103 93 0 14 20 73 Malin, Bergquisz & Co. 0 0 0 0 0 0 1 0 Pricewaterhouse Cooper 4 0 144 131 0 17 31 73 Not Found 0 1 34 31 0 4 20 56 Total 14 4 586 525 1 78 138 Percent (complied) 2.5 70.9 Table 3. Auditing Firm Switches and Effects on Compliance From To Number of Companies Certified Late Not Found On time Number of Days Late Arthur Andersen Deloitte & Touche 6 1 2 3 37 days Ernst & Young 9 0 8 1 KPMG, LLP 4 2 2 0 100 & 43 days Pricewaterhouse Cooper 6 0 3 3 Ernst & Young Pricewaterhouse Cooper 1 0 1 0 KPMG, LLP Ernst & Young 1 0 1 0 Total 27 3 17 7 Table 2 shows the number of companies and their associated auditing firms that were able to comply with the certification requirement. Less than 3 percent of the executives in the Russell 1000 Index certified their information on or before the Sarbanes-Oxley Act became effective. About 71 percent of the executives could certify the information in their annual scheduled reports by the required filing date. A few of the major observations are included below: * At the conclusion of this study in May of 2003, some 138 of the 742 companies or 18.6 percent of the executives have yet to report that their information is certified. In other words, about one in every five company examined may still have information content in the annual scheduled listing that are inaccurate. * On average, only 70 percent of the clients belonging to the “Big Eight” accounting and auditing firms were able to meet both the compliance deadlines. As a matter of fact, the majority of those 138 that have yet to certify their reports are clients of major auditing companies. * With the exception of one small auditing firm, the overwhelming majority of the companies using smaller auditing firms were able to certify their annual reports by or after the deadline. * Through May 2003, only 78 or another 10.51 percent of the executives have certified their reports. The late compliance rate among the “Big Eight” firms ranged from a low of 5.6 percent to about 13.6 percent. Actually, most of these major auditing firms still have an average of about 15 percent of their clients whose reports could not be certified. Table 3 shows that 27 companies switched from one accounting firm to another during the period examined. Arthur Andersen suffered the most losses with a total of 25 clients or 93 percent of all the switches during the accounting period examined. The other four major accounting and auditing firms benefited greatly from Arthur Anderson’s losses. Ernst & Young showed the most net gains (9), followed by Pricewaterhouse Cooper (7), Deloitte & Touche (6), and KPMG, LLP (3). Despite the switch, seven of the companies were still able to certify the scheduled report on time. In addition, by the time this research was completed, three more have certified their reports to be accurate and acceptable, bringing the total of complying companies switching auditing firms to ten. 6. CONCLUSIONS AND MAJOR IMPLICATIONS First, over 90 percent of the companies listed in the Russell 1000 Index are using the services of major auditing firms. One out of every two companies is using either Pricewaterhouse Cooper or Ernst & Young. With the exception of Arthur Andersen which has lost about 25 percent of their clients in the Russell 1000 Index group, the rest of the major accounting firms have all benefited from the switching of companies away from Arthur Andersen. In other words, when it comes to the selection of an auditing firm, brand name or reputation is a very important criterion among Russell 1000 companies. For that reason, when an accounting firm is being investigated for improper conduct and for being a partner in helping to provide misleading information, it can very quickly lose its clients to the competition within the same league. Second, in reality, the compliance rates of companies using the other major accounting firms were not necessarily better than those of Arthur Andersen or the smaller firms. Most of the other accounting firms had an average of about 70 percent of their clients certifying the reports by the deadline. Arthur Andersen clients reported an 80 percent compliance rate. Yet, many of Arthur Andersen's clients did move over to the competition when the accounting firm was being investigated. The majority of firms using smaller auditing companies were able to certify their reports on or before the deadline. Put another way, the problem is actually an auditing industry problem, one that is not specific to Arthur Andersen. Putting this into perspective, it can be said that the name or reputation of an auditing firm is no guarantee that the scheduled annual report is accurate. Third, when the information of a major company has been compromised, switching from one auditing company to another is not likely to fix the problem. This study shows that only 25 percent of the companies that switched were able to meet the certification deadlines. Including those that filed late, it came to less than 50 percent. This indicates that auditing companies cannot perform miracles with data that may have been compromised or missing. It is unlikely that an auditing firm can provide any quick fixes for reports that have not followed generally accepted accounting principles. Finally, from a macro perspective, it can be said that most executives did not have much confidence in their own scheduled listings when the Sarbanes-Oxley Act became effective in July 2002. It was only by the required deadline and after revisions in many cases, that the scheduled reports were certified correct. Some 30 percent of the annual reports could not meet the deadline. At the conclusion of this study, some 19 percent of the leading companies in the targeted group still could not certify the accuracy of the information contained in the annual reports. Therefore, scheduled periodic listings were not what they were purported to be. Given this high rate of non-compliance among the nation's leading 1,000 companies, there is a definite need for more governmental scrutiny and industry-wide accountability measures. These major trends noted above provide critical feedback and lessons for computing educators. First and foremost, computing educators have always taught that data quality and processes are critical for the creation of quality information products. To this end, the financial scandals that have caused such a shock around the world provide good examples for students attempting to understand the general concept of "garbage in garbage out." In programming and modeling classes in particular, faculty members may want to add more coverage on data validation, error detection techniques and audit trails. Second, educators have always taught that scheduled listings are critical publications for the assessment of corporate performance. Financial ratios are often generated directly from the reported figures. While such a teaching focus is relatively prudent, it may be necessary for educators to now help students read and understand the “fine print” about how the numbers were generated by the company. Given the many gray areas where judgments about where and how operating expenses can be reported, the additional training on how to scrutinize an annual report can greatly benefit students in their life-long learning experiences. Third, this study shows that brand name and reputation, once tarnished, can be devastating. The collapses of Enron and Arthur Andersen make excellent examples for case studies in core business administration and information systems courses such as Business Policy or Analysis and Design. Specifically, the outcomes show that when companies engage in poor business practices, and allow possible negligence, it can result in corporate death. Past reputation, no matter how good it is, may not be sufficient to provide a company with a second chance. Students need to know that one mistake, intentional or unintentional, can destroy a business in a matter of days. Fourth, many people were hurt by the recent financial scandals. While it is true that many of the victims are retirees, the people who have suffered loss are actually quite diverse. Many faculty members’ retirement accounts and university endowments suffered major losses when their portfolio plunged. As a result, many students also lost scholarship opportunities. Put simply, no sector is immune from the fallout from inaccurate information released by companies such as Enron and WorldCom. When students understand that they can be victims, too, it should help them to have a better appreciation of the value of accurate information and the reasons for practicing sound business principles. It is important to point out that this study does not support nor imply that missing the certification deadlines means that a firm has been fraudulent in its reporting. Large multinational companies may have many unconnected systems that may not be able to generate a balanced report. Confronted with higher risk, the executives may have elected not to certify potentially false reports until they are sure they will pass the test. However, the penalty for not certifying the reports can be a costly one. For executives who could not produce the needed information, the penalty is 20 years in jail (Brill and Nimsger 2003). Students aspiring to become future executives should definitely know about this potential risk. Finally, a number of auditing firms and their affected clients were reported to have engaged in the destruction of corporate records when they were being investigated. Obviously, the new legislation has corrected that. Executives can now be sentenced to 20 years in jail just for failing to produce the requested information. The fact that businesses would engage in such a practice is troubling because AACSB International, ACBSP, and CSAB have required the coverage of ethics in core classes for some time. More often than not, the section on ethics is skipped because educators do not feel comfortable discussing what is "right" and "wrong" with students. Given the magnitude of the recent scandals, faculty members who share such views or who have been omitting the teaching of such critical material on ethics should rethink their position and reshape their practices. As a matter of fact, it may be a prudent practice to require every student to complete a course in ethics. In particular, having law enforcement personnel as well as persons convicted of white collar crimes as guest speakers can provide helpful experiences that can impact the value systems and future work ethic of students. 7. CAVEATS There is at least one major limitation to the findings in this research. The outcomes identified are based on 742 companies that are listed in the Russell 1000 Index and where their information was reported online. Companies whose Web sites were not functional or accessible during the study period were not captured in the findings. However, it should be pointed out that given the large number of cases examined, some 742 out of the 1000 cases, and the amount of effort expended to access as many of the difficult-to-find companies as possible during the study period, the outcomes reported here can be considered trustworthy. The targeted corporate listing was a reputable one and the method used for analyzing the data was robust. Great caution was also taken in interpreting the results. 8. ACKNOWLEDGEMENTS This research was funded by a grant from the United States Department of Education to the Computing and Information Technology Center at The University of Texas – Pan American (UTPA) and a grant from the Undergraduate Research Scholars Initiative at UTPA. 9. REFERENCES Bailey, J. E., and S. W. Pearson, 1983, "Development of a Tool for Measuring and Analyzing Computer User Satisfaction." Management Science, Vol. 29, No. 5, pp. 530-545. Brill, Allan E. and Kristin M. Nimsger, February 5, 2003, "Data Destruction: What They Can’t Find Can Get You 20 years." ComputerWorld, pp. 1-5. Available online: http://computerworld.com/ hardwaretopics/storage/story/ 0,10801,78207,00.html. Dilley, Julie A., December 2, 2002, Proposed Statements on Auditing Standards. New York: AICPA. Exposure Draft. Editors, 2003, "HealthSouth Charged with 1.4B Fraud." Available online: http://money.cnn.com/2003/03/19/ news/companies/healthsouth.htm. Jenkins, Gregory J., 2003, The Enron Collapse. Upper Saddle Rover: Pearson Education. Koong, Kai S. and Lai C. Liu, 1999, "A Factor Analysis of Attributes Affecting Computing and Information Technology Usage for Decision Making in Small Business." International Journal of Computer Applications in Technology, Vol. 12, No. 2/3/4/5, pp. 81-89. O’Brien, James A., 2002, Management Information Systems. New York: Irwin McGraw-Hill Publishers. Schroeder, Michael, January 23, 2003, "SEC Clears Rules Limiting Auditors from Offering Consulting Services." IEET Journal, p. C9. Stroller, Gary, October 21, 2002, "Funny Numbers." USA Today. P. 3B. U.S. Securities and Exchange Commission, 2003a, "SEC Adopts Rules on Provisions of Sarbanes-Oxley Act." pp. 1-8. Available online: http://www.sec.gov/ news /press/2003-6.htm. U.S. Securities and Exchange Commission, 2003b, "Commission Adopts Rules Strengthening Auditor Independence." pp. 1-6. Available online: http:// www.sec.gov/news/press/2003-9.htm. U.S. Securities and Exchange Commission, 2003c, "SEC Adopts Rules on Retention of Records Relevant to Audits and Reviews." pp. 1-2. Available online: http://www.sec.gov/news/press/ 2003-11.htm. Whittington, Ray, and Gretchen Fischbach, 2002, The New Audit Documentation Requirements. New York: AICPA, pp. 1-8. Available online: http:// www.aicpa.org/pubs/jofa/apr2002/ whitting.htm.