Today is the 10th anniversary of the Sarbanes-Oxley Act, which was enacted by Congress “to enhance corporate responsibility, enhance financial disclosures and combat corporate and accounting fraud”. It has failed. Most importantly, Sarbox has not restored investor confidence in audit companies after Arthur Andersen’s failure to mitigate fraud at Enron.

An audit should be an objective opinion on the financial position of a company. Investors should have confidence that a company is earning what it says it is earning and behaving how it says it is behaving.

A decade on from Sarbox, however, audit companies too often deny responsibility for frauds that happen on their watch. Former PwC global chairman Sam DiPiazza, for example, said of his firm’s audits of Satyam, a $1bn fraud: “This was a massive fraud conducted by the [then] management, and we are as much a victim as anyone. Our partners were clearly misled.” JPMorgan Chase shareholders have paid PwC more than $500m in fees over the past five years. Yet PwC has not been widely criticised over the “ London whale”, even though Jamie Dimon, JPMorgan’s chief executive, has admitted the trades were “flawed, complex, poorly reviewed, poorly executed and poorly monitored”.

Did auditors give shareholders any advance warnings about failures and losses at Royal Bank of Scotland, Northern Rock, Anglo Irish, MF Global, Lehman Brothers, Bear Stearns, AIG or Barclays? US companies spend nearly $50bn annually on the “Big Four” (PwC, Ernst & Young, Deloitte and KPMG) but the auditor rarely speaks or is questioned at annual meetings. Boards have discretion to retain an incumbent auditor year after year even if, in rare circumstances, shareholders file a significant number of negative votes.

We need reform – again. Time limits on the use of any one auditor, annual audits by two companies and changes to fraud reporting have been suggested. But these are superficial proposals. Regulators should start with a cost/benefit analysis of the industry and its delivery model.

The global audit market is in many ways similar to that of the credit rating agencies. It is an oligopoly sponsored by government mandates. And both auditors and rating agencies provide opinions on the quality of financial information. Investors learnt after the crisis that rating agencies were often not operating independently of their clients – the banks that wanted favourable ratings for mortgage securities. Investors should question, too, the value of an audit opinion.

Why? There are at least three reasons. First, because companies pay directly for the audits they receive, attempts at achieving full auditor objectivity are all but moot.

Second, audit companies still encourage partners to sell additional services to audit clients. Roger Dunbar, a former E&Y vice-chairman who is now the chairman of Silicon Valley Bank, told a recent forum on auditor rotation: “There’s an increase in scope creep, of wanting to provide these ancillary services to audit clients. I am personally worried. It’s a risk.” Remember, Arthur Andersen had a disproportionate focus on the huge fees it earnt from consulting to Enron compared to the audit.

Sarbox was supposed to eliminate this conflict. Except for Deloitte, audit companies went back to being primarily auditors after the 2002 act was passed. That trend has now reversed. Deloitte held on to its consulting arm and it has grown ever since. The remaining three Big Four companies rebuilt consulting businesses they sold or squelched.

Finally, Sarbox gave audit committees – the members of a company’s board charged with oversight over financial reporting – the power to hire and fire auditors. But these committees are often not very diligent about independence, following a “check-the-box” approach to ensure only that non-audit services provided by company auditors are cost competitive and do not cross the legal line.

Banks and their investors have taken huge hits since the crisis because of fraud and illegal acts, as well as poor risk management and weak internal controls. Bad news will continue for all companies, with no warning from auditors, if regulators do anything less than a complete redesign of audits and the way auditors deliver them.

The writer is the author of the blog re: The Auditors and is a columnist for the American Banker

Get alerts on International Financial Reporting Standards when a new story is published

Copyright The Financial Times Limited 2018. All rights reserved.

Follow the topics in this article