SOX and EuroSOX according to Gartner

Gartner published a report in April 2008 about the differences in corporate governance legislation in the U.S. and in Europe, comparing the SOX Act with the related European legislation, as well as their similarities. Some key findings are summarized below.

Different Speed – Big Bang vs. Evolutionary Change

The situation developed differently in the U.S. than in Europe. In the U.S., the big scandals of Enron and MCI caused a lot of publicity and triggered the creation of SOX, which basically tries to legislate ethical behavior: unethical behavior was criminalized. Europe had its share of scandals as well (most notably Parmalat and Ahold), but the public outcry in 2003 was not as big as in the U.S., where more than 40% of pension fund investments depend on equities. Like elsewhere in the world, European attention to corporate governance had already started, with the introduction or revision of more than 30 corporate governance codes in various European countries in the late 1990s. When financial scandals surfaced in Europe, the EU Commission decided not to rush to action, but rather to address the problems in an EU-typical way: harmonization instead of intervention.

Different Complexity – Diverse and Multilevel Legal System in Europe

SOX is a U.S. federal law, with immediate legal effect on businesses in the U.S. The European Directive 2006/43/EC (see Note 1) has some similarities with SOX, and therefore it is often called "EuroSOX," but there are also major differences. Most importantly, it is not a law, and no company can comply with it directly. EU Directives are addressed to EU Member States (and beyond, see Note 2), which in turn have to transpose these Directives into one or several national laws. Countries can make these laws more stringent, or they can grant more exceptions. These national laws then have an immediate effect on national businesses.

Different Approach to Compliance

The culture of compliance differs between the U.S. and Europe: rule-based versus principle-based. In the U.S., the philosophy is "comply or die." The Securities and Exchange Commission (SEC) is powerful and can impose fines in the range of billions of dollars. Companies can be prosecuted under penal law. In Europe, the philosophy is rather "comply or explain" (see Note 3), and supervisory authorities are less powerful. In Germany, for example, the Federal Financial Supervisory Authority can only impose fines of up to €1.5 million. Only individuals can be prosecuted for wrongdoing under penal law (with trial, witnesses and pleadings), not companies; as a result, there is less negative publicity for a company. For companies, there are only civil penalties. The new Directives will not change this, because they are not specific and leave leeway for the Member States by requiring only that "The penalties provided for must be effective, proportionate and dissuasive." Moreover, cases which sooner or later come before a court are also less likely to set precedent.

Differences in the Details

Aside from the different political and cultural context described in the sections above, there are also some technical differences between SOX and the European Directives. An internal control system is required in Europe as it is in the U.S. However, under SOX an external auditor (called a statutory auditor in Europe) has to certify the effectiveness of these controls and report to the regulator; the EU Directives merely require reporting on internal controls to the audit committee (which can be the board), leaving it to the Member States to add to these requirements if they choose. There are also slight differences regarding risk management. Unlike SOX, where the necessity of risk management has only emerged in guidance over the years, European legislation explicitly requires the company to address risk management. However, the details of risk management are mostly left to the companies.

Similar Objectives – Transparency and Accountability

The goal of SOX and the European Company Law Directives is to regain the trust of investors and the public in financial markets in general, and in financial reporting in particular. To achieve this, the laws reinforce the objectivity and independence of auditors, introduce public oversight and provide for the establishment of audit committees. This is even more important in a state of ongoing financial crisis, and with scandals still happening despite already strengthened legislation (for example, in France).

Similar Problems – Broad Legislation, Little Guidance

SOX and the European Directives are, by nature, not very precise. Section 404 of SOX, which caused U.S. companies a lot of headaches and resulted in $2 billion in incremental audit fees, is merely two paragraphs long. The requirements for internal controls in the European Directives are no more detailed. This uncertainty leaves room for speculation and for the fear that compliance in Europe could be as costly as it turned out to be in the U.S.

This is rather unlikely, for a number of reasons. In 2002, when SOX was enacted, corporate governance was already an established concept around the globe, but it was less stringent than it is today. Since then, some guidance has emerged.

Similar Outreach – Follow the Rules Even If You Don’t Have to

At first glance, SOX and Directive 2006/43/EC apply to listed companies. However, in both cases more entities can be affected. In the U.S., this includes organizations that are required to report to the SEC. Other institutions are finding that their regulatory bodies are implementing SOX-like requirements too. This has happened in some U.S. states, with New York, for instance, making entities like the Port Authority and the MTA follow SOX-like rules. U.S. federal authorities have implemented OMB A-123 for federal agencies. A similar option exists in the EU Directive. In addition to entities whose securities are traded on a regulated market, credit institutions and insurance undertakings, Member States can declare other entities to be entities of "public interest," for example depending on their size or national importance.

Lessons to Be Learned From SOX

After the Enron scandal, the U.S. was overly prescriptive with SOX, drawing a lot of attention to corporate governance and prompting a high level of investment in processes and tools. Since then, auditors have received some push-back from companies, court cases have set precedent, and SOX compliance has been adjusted to meet realistic expectations. In Europe, tighter corporate governance rules are also slowly making their way into legislation, putting more control pressure on companies. Above all, the law mandates an internal control system and sound risk management. In the end, the level of control and regulatory oversight in the U.S. and in Europe will level out.

Recommendation: This is a good opportunity for Europe to adopt some of the best practices that companies in the U.S. had to learn the hard way.