Sarbanes-Oxley and Health Plans

The structure of employee health plans often obscures the view of benefit costs and internal controls that the Sarbanes-Oxley Act demands.
David M. Katz, CFO.com | US
May 13, 2004

Among the many compliance perils created by the Sarbanes-Oxley Act of 2002, one of the least talked about could well be the act's effect on corporate health-benefit programs.

The lack of discussion is understandable. To be sure, benefit managers commonly operate under the wing of human resources executives, who in turn report up to chief financial officers. Yet finance and HR often seem to live in two different worlds. That's been especially true since the passage of Sarbanes-Oxley: While finance executives have scrambled to comply with new reporting and certification requirements, benefits caretakers have largely watched from the sidelines.

That's changing. Under Sarbanes-Oxley Section 302, CFOs and CEOs must certify that their companies' quarterly and annual filings are true and that they omit no material facts. And facts about employee health care are becoming nothing if not more material: Employee benefits now typically represent a company's third-biggest expense, trailing only cost of goods sold and non-manufacturing payroll, according to a report published earlier this year in The McKinsey Quarterly. Health insurance is the fastest-rising component; between 1986 and 2003, it climbed at an annual compound growth rate of 6.7 percent. By comparison, the report noted that government-mandated benefits — including Social Security, Medicare, unemployment insurance, and workers' compensation — rose 5.3 percent during that period.

What's more, in order to sign off on those filings, finance chiefs arguably must have some grasp of the statements' underlying content. That can be an especially formidable challenge in the retiree-benefits arena, where a transparency-challenged accounting system holds sway. The system's volatility-smoothing techniques — projected out over decades — may obscure real cash demands. (For more on the accumulating cloudiness of retiree-benefit accounting, see "Prescription Change" in the June issue of CFO magazine.)

Determining a company's future benefit burden, in turn, involves the mystifying task of predicting the future of health-care costs. The alarmingly sustained double-digit inflation in benefit expense over the last five years, coupled with "the inherent complexity of the health-care supply chain," make such forecasting extremely difficult for individual companies, says Sreedhar Potarazu, president and chief executive officer of VitalSpring Technologies. (In this context, supply chain means the complicated billing, service, and financial connections among employees and retirees, doctors and hospitals, employers, insurers, and third-party administrators.)

And when wide-of-the-mark forecasts lead to errors on the income statement, those errors can build on themselves and invite unwanted attention from investors and regulators. "This has a cascading effect," says Potarazu, whose company provides software that culls corporate health-benefits data. "When previous estimates turn out to be inaccurate, increased scrutiny is inevitably placed on the processes and controls behind those predictions."

Sarbanes-Oxley Section 404 has already trained the spotlight on Corporate America's internal controls for financial reporting. Given the increasing national focus on the cost of health care — witness the recently-passed Medicare reform law — some finance departments have already found it prudent to take a closer look at the intersection of employee benefits and internal controls.

Sarbanes-Oxley has raised expectations that benefits-related errors will be rectified, observes Mike Aldrich, director of total compensation at Pactiv Corp., the maker of Hefty bags. Aldrich says that the need to supply Sarbox documentation has compelled him to dig deeper into the company's benefit-payment processes and data. If an internal-controls breakdown produces errors on the financials, he adds, "people are not going to care that it's come from health insurance."

Tricky Lineups
The way employee health coverage is structured at most companies, however, presents barriers for a finance executive who needs a clear view of benefit costs and internal controls, experts suggest.

That's because corporate health-benefit plans are largely self-funded. In 2003, 52 percent of employees with coverage were in a plan that was partly or completely self-insured, according to a survey by the Kaiser Family Foundation's. For companies with 5,000 or more workers, that figure was 79 percent.

But companies that insure themselves may also be saddling themselves with unacknowledged risk. "Investors need to take this risk into account when valuing a company with [a retiree health-benefits] plan," advised a 2003 Credit Suisse First Boston report on retiree benefits. "They are not only investing in an operating company, but they may also be purchasing a healthcare insurance company." Added CSFB analyst David Zion, one of the report's authors, "Is the company capable of managing that risk?"

For many companies, to be sure, the benefits of self-insuring outweigh the risks; money that might have been dedicated to premiums can be used for other corporate purposes until claims must be paid. At Delphi Corp, for example, a single catastrophic health-care case isn't likely to cause much of a financial ripple. CFO Alan Dawes notes that health-care spending at the auto-parts giant totals about $1.5 billion annually.

Still, while the financial risk of self-insuring might be readily absorbed by some companies, managing internal controls can be a far thornier matter since self-funded plans don't tend to administer the plans themselves. More often, they outsource that job to a third-party administrator (TPA), which handles such things as doctor and hospital payments, claims processing, and benefit reimbursements for a fee.

Splitting the funding off from the administration has made it tough for self-insured employers to get a coherent picture of their payment flows. A big part of the problem, suggest participants, is drawing a straight billing line from the health-care provider to the TPA to finance. "The trickiest part is getting all the different data to line up," says Aldrich.

Pactiv is about 60 percent self-insured, according to the compensation manager (other employees and retirees are covered through fully insured health maintenance organizations). Pactiv's finance managers write checks based on claims the company receives from providers, but Aldrich says that it's hard to reconcile the company's own claims data with the data he gets from Blue Cross/Blue Shield, one of the company's TPAs. The BCBS data, for instance, might contain more-up-to-date information on discounts negotiated with health-care providers than Pactiv itself has on hand.

Indeed, many companies have a fragmentary view of their health-benefit payouts, says Potarazu of VitalSpring Technologies. At some companies, transactions with doctors and hospitals may not be automatically reported in the corporation's general ledger, creating a situation ripe for errors. The software executive says that he's seen cases where HR employees risk redundant reporting by first subtracting the costs of self-insurance from a company's books, then delivering the data on spreadsheets to the finance department to record as corporate expenses.

Furthermore, says Potarazu, TPAs might fail to invoice an company for care provided to its employees, or they might aggregate invoice information and thus cloud the details of services provided. Under Sarbox 404, he notes, the inability to tie a transaction to an invoice — and provide an adequate audit trail — might be seen as a breakdown in internal controls.

Misplaced Incentives
Another question for many self-insured employers is one confronted by every outsourcer: How do you assess that the internal controls of your third-party administrator — which have, essentially, become an extension of your own — are shipshape?

A common solution is for the company's auditor to test the TPA for benefits-related errors. At Consolidated Edison, controller Ed Rasmussen says that the New York-based utility's auditors, PricewaterhouseCoopers, "have to be comfortable" with the internal controls of ConEd's benefits administrator. PwC performs an audit according to the Statement on Auditing Standards No. 70 (SAS 70), which governs examinations of the internal controls of outsourcing providers generally.

The effectiveness of SAS 70 audits is limited, however. Service providers must report control failures themselves, but not the scope or exact substance of the audits that uncovered them.

Further, routine spot-checks of benefit claims aren't likely to uncover broader internal-controls failures. The probability that a claims audit "would identify a systemic problem, and therefore help [an employer] manage the risk, is very low," says David McSweeney of Healthcare Data Management. According to the chief operating officer of the Wayne, Pennsylvania-based health-plan auditor, spot-checks are unlikely to pick up a coding error that generates claim overpayments or one that results in payments that were never intended.

To avoid such broad problems, risk management experts suggest, finance executives should take a hard look at their companies' contracts with third-party administrators. A company's outsourced claims processors should have contractual incentives to focus less on speed and more on accuracy, says George Aldhizer, an associate professor of business and accounting at Wake Forest University.

Today, a TPA might be held to handling 90 percent of an employer's claims accurately within 10 days of receiving them; such an agreement can provide little motivation for a claims processor to uncover and report fraud and systems errors. "The administrator has no financial incentive to carefully monitor the bills that come in from hospitals, physicians, and clinics. There is no downside risk for them" in foregoing such care, says Aldhizer.

Better, then, for an employer to build more such incentives into the services contract and to keep a tight grip on the right to monitor the TPA's adherence to its terms. Instead of fussing over the cost of the services, says McSweeney, employers should pay greater heed to holding claims processors accountable for such things as fraud control and the protection of employee privacy.

Most important, he says, finance executives of self-insured companies should be especially chary of surrendering their contractual right to audit the TPA in exchange for a cheaper price. "I can't emphasize that the review of that agreement and the rights ceded and enforced is critical," adds McSweeney.

Stuck in the SAS 70s

As Sarbanes-Oxley Section 404 meets up with an obscure auditing standard, many companies are thinking hard about offshoring their business processes.
Craig Schneider, CFO.com | US
February 23, 2004

A little-known and perhaps largely outdated auditing standard for outsourcers could be the next big hurdle for Sarbanes-Oxley compliance. Not only might the standard cause a number of businesses to run afoul of the Section 404 provisions on internal controls, but it might also dissuade other companies from business process outsourcing in India, China, and other emerging nations.

The standard in question is Statement on Auditing Standards No. 70, "Reports on the Processing of Transactions by Service Organizations." Set up by the American Institute of Certified Public Accountants in 1993, SAS 70 spells out how an external auditor should assess the internal controls of an outsourcing service provider and issue an attestation report to outside parties or to a client.

Auditors and other critics of the standard say SAS 70 is in need of a major overhaul, especially considering the June deadline for Section 404 compliance facing many public companies. (Read more about what companies and their auditors are planning for in "Just What Does Section 404 Entail?" at the end of this article.)

Finance would seem to have more at stake than other corporate functions in clarifying the situation, since transferring financial tasks overseas can put material transactions in the hands of outsourcers. That will give finance folks pause, however many cost-cutting sermons they've sat through. Stan Lepeak, vice president of the research firm Meta Group, believes that incompatibilities between SAS 70 and Sarbanes-Oxley will "dampen outsourcing, at least in the short run, until outsourcers can show that they have both the adequate controls in place [and] evidence to prove that."

Tom Eubanks, of IBM business consulting services, isn't so sure. "On first blush," he says, "one might think, 'Why would you outsource in a world where Sarbox is in place...and the magnifying glass is on the finance function?' " But what Eubanks and his colleagues are finding, he adds, is that "companies are looking at outsourcing as a valid way to address some [Sarbanes-Oxley] issues."

All in the Timing
Under SAS 70, an outsourcing-service provider undergoes an annual audit, performed either by its own independent auditor or by the auditors of its outsourcing clients. There are two types of service-auditor reports. Type I includes the service auditor's opinion on the fairness of the presentation of the provider's description of its controls and how well they're designed to meet specified control objectives. Type II reports, generally preferred for their greater depth, include the same data as Type I as well as the auditor's opinion on the effectiveness of the controls during the period under review.

Even a Type II report, however, doesn't guarantee airtight compliance with Sarbanes-Oxley. For one thing, the timing of the audit — if it's performed by the service provider's auditor — might be out of sync with the client's reporting period. If the audit is performed in June and the client's fiscal year ends December 31, for instance, there's a six-month gap in the attestation of the outsourcer's internal controls. If the controls slip up during the second half of the year, the accuracy and reliability of the client's own year-end attestation could be compromised — and fair game for a Securities and Exchange Commission inquiry.

One response to the timing issue is to request that the service provider undergo SAS 70 audits on a quarterly basis or "fill in the gaps" with updates throughout the year. Smaller service providers might bridle at the added cost during contract negotiations — but after all, it's the client's attestation that's on the line.

Another worry for outsourcer auditors concerns just how much of the service provider's audit is being revealed. A service provider is required to inform its client only about any failures of SAS 70 tests; there's no requirement to spell out the exact substance or scope of the audit.

Thus, for instance, a client's own external auditor would be unable tell the client whether a test that unearthed two failures probed 40 processes, or only four. That could lead to some poor assessments of service-provider controls. "We will be dealing completely in the dark as far as the population of that test," says Lynn Edelson, systems and process assurance leader for PricewaterhouseCoopers. "I think that was one of the biggest flaws in SAS 70 in light of Sarbanes-Oxley."

That raises another point for clients to bear in mind during contract negotiations, says Edelson: Insist that the service provider disclose the scope of the audit and not only the failures.

Auditor Dependence?
Another thorny area is the possibility of conflicts of interest. That's particularly worrisome, says Meta Group's Lepeak, when a company's external auditor also performs the SAS 70 audit of the service provider.

In the eyes of the Public Company Accounting Oversight Board, there's no distinction between Section 404 compliance audits of a company's internal business processes and its outsourced processes. But in either case, an external auditor — which must attest to the client's Section 404 compliance — cannot also provide consulting services to the client or to the outsourcing provider on how to perform the SAS 70 audit.

In the area of auditor independence, much remains cloudy. The situation becomes especially unclear when an auditor performs a SAS 70 test on an outsourcing provider to distribute to the outsourcer's clients. If one of those clients has the same external auditor as the outsourcing provider, must it hire another external auditor to maintain an objective view of the service provider's audit?

The PCAOB could provide a great deal of clarity on the issue of auditor independence — and many other BPO-related conundrums — by finalizing its guidance for auditors on Section 404. The provision itself makes no mention of outsourcing. Nor have PCAOB officials expressed any intention of updating SAS 70 anytime soon. (Through a spokesperson, PCAOB chief auditor Douglas Carmichael declined to be interviewed for this story.)

With regulatory guidance in scant supply, many companies may well hold off for a while on business process outsourcing in India, China, and other emerging nations. As for companies and auditors already dealing with BPO providers overseas, they may soon find themselves up the Yangtze without a paddle.

Craig Schneider is an assistant editor at CFO.com.

Just What Does Section 404 Entail?

As directed by Section 404 of the Sarbanes-Oxley Act of 2002, in May 2003 the Securities and Exchange Commission (SEC) adopted rules regarding internal controls at public companies. Section 404 also requires that a company's independent auditors attest to and report on management's controls assessments, following standards established by the Public Company Accounting Oversight Board (PCAOB).

Under the SEC rules, management's annual internal-control report must contain:

• A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company.
  
  
• A statement identifying management's framework for evaluating the effectiveness of internal controls.
  
  
• Management's assessment of the effectiveness of internal controls as of the end of the company's most recent fiscal year.
  
  
• A statement that the company's auditor has issued an attestation report on management's assessment.
  
  

Internal controls, according to the new rule, include assurances of accurate records maintenance, as well as financial reporting that complies with generally accepted accounting principles. The rule also stipulates that managers and directors sign off on receipts and payouts, and that publicly traded companies maintain adequate systems to prevent or detect unauthorized material transactions.

Management must disclose any material weakness in a company's internal-controls structure. If material weaknesses exist, senior executives "will be unable to conclude that the company's internal control over financial reporting is effective," according to the SEC.

The PCAOB, which proposed its standard for auditors in October 2003, must still finalize the standard, after which it must be approved by the SEC before taking effect.

The proposed auditing standard addresses both the work that is required to audit internal control over financial reporting and the relationship of that audit to the audit of the financial statements. The integrated audit results in two audit opinions: one on the internal controls and one on the financial statements.

The proposed standard requires the auditor to communicate in writing to the company's audit committee all significant deficiencies and material weaknesses of which the auditor is aware. The auditor also is required to communicate in writing to the company's management all internal control deficiencies, and to notify the audit committee that such communication has been made.

A number of circumstances are defined by the proposed standard as "significant deficiencies" that would be strong indicators of a material weakness. They include:

• Ineffective oversight of the company's external financial reporting and of internal control over financial reporting by the company's audit committee. The proposed standard requires the auditor to evaluate factors related to the effectiveness of the audit committee, including whether committee members act independently from management.
  
  

• Material misstatement in the financial statements not initially identified by the company's internal controls.
  
  

• Significant deficiencies that have been communicated to management and the audit committee but that remain uncorrected after a reasonable period of time.
  
  

Most senior managers will have to report on — and certify — their companies' internal financial controls starting with fiscal years ending on or after June 15, 2004. That reporting date applies to "accelerated filers" — U.S. companies with a market cap of over $75 million that have filed annual reports with the SEC.

All other issuers, including small businesses and foreign private companies, must comply with the new requirements beginning with fiscal years ending on or after April 15, 2005.

Sarboxing

Finance executives continue to grapple with Section 404 of Sarbanes-Oxley. So far, it's unclear who's winning.
John Goff, CFO Magazine
February 3, 2004

When last we left Mark Thompson ("Drowning in Data," November 2003), the senior vice president of finance and information technology at Crown Media Holdings was shopping for software. Specifically, he was looking for an application that would help him manage the company's international contract rights. Crown Media, which owns the Hallmark Channel, operates in more than 120 countries, where it buys and sells thousands of broadcast rights to more than a thousand films. Overseeing the contracts that govern the payment schedules for those programs is a herculean task. Says Thompson: "International rights is a huge portion of what we have to manage."

Three months later, the finance executive still hasn't found what he's looking for. "I haven't come across the right fit yet," he says.

He may have to settle on one soon, however. Handling contract rights is one of the 25 or so activities Crown Media's management deems key to the company's business. As such, the process is subject to the provisions of Section 404 of the Sarbanes-Oxley Act of 2002—meaning Crown Media must demonstrate sound financial controls governing that business process and then test those controls quarterly. Manually documenting and testing those controls, while doable, would be a real pain. Consequently, says Thompson, "the reporting deadlines and 404 are leading us down the path of automation."

Finance executives at other companies are headed down a similar path. Despite the fact that the Securities and Exchange Commission pushed back the filing deadline (accelerated filers must be in compliance after June 15), many corporate managers are fast discovering just what a bear Section 404 really is. The biggest hurdle: few businesses operate off a single information platform. In fact, The Hackett Group estimates that the average $1 billion company maintains 48 financial programs, along with nearly three enterprise resource planning (ERP) systems. So it's little wonder, says Randy Whitchurch, CFO at bar-code maker Zebra Technologies, that "if you've got a lot of far-flung locations on disparate accounting systems, [documenting controls is] a problem."

Not surprisingly, business-software makers—many of which see Sarbox as the next Y2K—have flocked to Section 404 like alley cats to albacore. John Van Decker, vice president (technology-research services) at Stamford, Connecticut-based Meta Group Inc., reckons there are now 50 or more vendors flogging software aimed at Section 404 (see our vendor directory). The long list includes ERP vendors, content-management and business-process-management specialists, start-ups, upstarts, and industry giants (read: IBM and Microsoft). And in a survey conducted by Meta, fully 92 percent of those IT product and service vendors said they expect Sarbox to boost their year-over-year sales.

To date, however, companies haven't fully embraced the vendor offerings. In fact, in the same Meta survey, 57 percent of the vendors said that sales of Sarbox products so far had not met their expectations. Part of the problem is that the early work on Section 404 is a decidedly in-house affair, with many companies tapping controllers and internal auditors to handle the initial documentation. What's more, of the $5 billion or so that publicly traded companies will spend on Sarbox projects this year, only about 20 percent will go toward software purchases, with the rest spent on staff and consultants.

Eventually, however, that percentage is bound to increase. CFOs, the senior executives generally charged with wrestling Section 404 to the ground, say they'd just as soon not go through this exercise every year. And deciding among the various software offerings that promise to alleviate some of the Section 404 drudgery will undoubtedly become a priority. Says James J. Groberg, senior vice president, director, and CFO at New York-based Volt Information Sciences, of the 168 words that make up Section 404: "It's a small section. But it's creating a large amount of work."

Papered Over
Software should eliminate much of the documentation work going forward. It is possible, says Steve Biskie, assistant vice president (internal control) at insurer Great-West Life & Annuity Insurance Co., for many businesses to rely on Word and Excel files to document internal controls, but he points out that such an approach would result in hundreds, if not thousands, of files. "That may be OK for the first year of 404 compliance," he asserts. "But on an ongoing basis, it will be tough to maintain controls using those products."

Deciding which product to use long term, however, is not cut-and-dried: there is no clear market leader. Greenwood Village, Colorado-based Great-West, for example, opted for a program called Certus, marketed by Nth Orbit, an interesting decision, considering Great-West is also an SAP customer. But Biskie says senior managers at the life insurance company weren't overly worried about using a relatively new product from a small software company (one that started out as a supply-chain specialist, no less). "The older products were designed for other purposes," he argues. "Besides, any product that is out there for 404 is new."

He has a point. While Van Decker warns against purchasing software from companies that have "arisen specifically because of Sarbanes-Oxley," Section 404 compliance products from such niche vendors as Movaris Inc. and Nth Orbit (plus programs from Paisley Consulting and OpenPages) do offer certain advantages over apps from better-known ERP and business-software companies. As Biskie points out, "Certus is geared toward doing this work. It's not a bolt-on product that's designed for something else."

Moreover, smaller software vendors can ill afford to lose any customers—a fact that often translates into gold-plated service. "Large companies don't give you the same level of service," claims Kyle Didier, vice president of finance at Minneapolis-based Regis Corp., which recently purchased Certainty, a compliance-management program, from Campbell, California-based Movaris. Buyers of compliance software from niche vendors also can negotiate price reductions, flexible contracts, and service enhancements. Another perk: Groberg reports that programmers at OpenPages consulted with Volt when designing an upgrade to its Sarbanes-Oxley Express (SOX) program, and ultimately incorporated some of those suggestions in later versions of the software.

Let's Play Twister
Of course, service tends to suffer when the service provider goes out of business. And make no mistake, a number of companies currently flogging Section 404-related products will be gone by the end of the year. As John Hagerty, vice president of research at AMR Research, states: "The market simply can't sustain a dozen independent vendors."

While it's tough to tell which companies will capsize, Van Decker says several in the contract-management sector are already foundering. Likewise, the crowded enterprise content-management space appears headed for a shakeout. In December, for example, Documentum was acquired by data-storage giant EMC Corp. Around the same time, Interwoven, which recently merged with rival content-management vendor iManage, reported a net loss of $35.1 million for the first nine months of 2003. That's a sizable hit, considering the Sunnyvale, California-based Interwoven generated revenues of only around $78 million during the same time period.

The prospect has clearly spooked some prospective purchasers of Section 404 software and has bolstered the case for dealing with larger—more stable—software vendors. But staying power doesn't necessarily mean the products of top-tier vendors are up to snuff. Doyle Arnold, executive vice president and CFO at Salt Lake City-based Zions Bancorporation, says he looked at all sorts of Section 404-related software before settling on a program from Providus (a company Zions spun out of Lexign, another software company it had acquired). "All the software [I looked at] was built for another purpose," explains Arnold. "It would have to be twisted to do 404."

Generally speaking, twisting software is not good. That's why most experts say it's unwise to purchase a Section 404-targeted program without considering if the application plays well with others—particularly ERP systems. As part of Crown Media's compliance efforts, for instance, Thompson bought an online purchase-order system called eRequester (from Paperless Business Systems). In making the buy, he says, he was mindful of Crown Media's plan to eventually swap out the company's Best Software general ledger. "We wanted a [PO] system that was open," he explains, "one that would work with whatever general ledger we went with."

Such an approach, while prudent, raises the obvious question: Why not simply use deployed enterprise software for Sarbox compliance? Indeed, at San Jose, California-based Aspect Communications, controller Bruce Ruberg says the company is addressing Section 404 compliance in tandem with a reimplementation of Oracle 11i. "We're redefining all our business flows, which ties in to the 404 sweet spot," he explains. "It makes sense to do them together."

Turned On
Certainly, integrating Section 404 reporting with a company's financial systems would seem to be an ideal approach to Sarbox. ERP vendors have not been shy about playing up the angle, either. Early on, vendors claimed that business users need only turn on the existing controls within their ERP systems to satisfy much of Section 404.

The pitch hasn't gained a whole lot of traction in the marketplace, however. First off, as Van Decker points out, ERP systems can help with the assessment of financial controls—a big task, admittedly—but not necessarily the documentation of controls. And as Hagerty notes, ERP systems come with both inherent controls and configurable controls. Those configurable controls offer a dizzying number of choices. Says Biskie: "There can be a million control options within each process [in an ERP system]. Which one do you choose?"

Even the ERP vendors appear to have backed off their initial "just turn 'em on" approach: in recent months, the major players have unveiled new modules designed specifically for Section 404 compliance. In May, for example, Oracle announced the development of its Internal Controls Manager, an application aimed squarely at Section 404 compliance. Then, in October, PeopleSoft launched its own Section 404 product, called Enterprise Internal Controls Enforcer. And SAP began shipping a similar offering, its Compliance Management for Sarbanes-Oxley Act (part of mySAP Financials), around the same time.

Yet while ERP vendors may be saying this is part and parcel of what they do, they're going to have to fend off some powerful rivals—rivals that are already well entrenched in the business-computing landscape. IBM, for one, has teamed with Big Four auditor KPMG to offer IBM Lotus Workplace for Business Controls and Reporting, a program designed to help businesses tackle the issues of documenting and dynamically assessing their controls and business processes.

Some industry watchers, however, say Big Blue competitor Microsoft may pose an even bigger threat to the Section 404 sales of ERP and niche vendors. Next month the company will release the Office Solution Accelerator for Sarbanes-Oxley, a software package built for the Office System platform (and one of a number of business "accelerators" the company markets). Essentially, the accelerator for Section 404 compliance sits on top of a company's existing infrastructure and features a familiar Windows interface. As with many products from Gates & Co., Microsoft is relying on partners to extend and enrich the software.

And which of Microsoft's raft of business partners will likely end up doing the extending and enriching? Says one industry watcher: "I think auditors will end up using this." Just what Section 404 software vendors need: more competition.

John Goff is technology editor at CFO.

Auditors in the Ring

Section 404 of the Sarbanes-Oxley Act of 2002 has been good to the Big Four. Not only are the firms in line to pick up considerable attestation business this year, they're also pitching 404 compliance tools to clients. Says Steve Barth, a partner at Foley & Lardner: "Audit firms are jumping all over this."

Some corporate managers are availing themselves of their auditors' tools—at least for this go-round. John Van Decker, a vice president at research firm Meta Group Inc., is advising corporations to "go through [the] first year with [your auditor's] tool, understand how it works with 404, then replace that when you understand the nature of your 404 process."

Other management teams, however, are choosing to talk to their auditors about the configuration of third-party Section 404 software. Volt Information Sciences CFO James J. Groberg says that his company gave auditor Ernst & Young a demo showing how Volt structured its 404 effort, which is encapsulated in a program from OpenPages. "The last thing we want in July is E&Y saying, 'Oh, that's not what we meant.' "

There are other risks involved with using an external auditor's Section 404 tool. At the top of the list: software development is not the core competency of accountants. Says Bruce Ruberg, controller at Aspect Communications: "The Big Four are not in the business of software, long term." In addition, purchasing Section 404 software from external auditors may send the wrong message to shareholders. "An auditor firm is very involved in [a] 404 process, then it sells you a software tool, then it comes in and audits over this," says Barth. "You can just see the cases coming up, can't you?"

Control(ler) Issues

How to meet the needs of a growing business -- and the demands of new regulations -- without burning out the finance staff.
Kate O'Sullivan, CFO Magazine
January 9, 2004

Complying with Sarbanes-Oxley is taking quite a toll on corporate finance staffs these days—particularly on controllers. "When my controller is going home for dinner and then coming back to work, there's something wrong," says Scott Youngstrom, CFO of Compex Technologies, a New Brighton, Minnesota-based maker of electronic muscle-stimulator devices.

But that's exactly what controller Paul Wotta has been doing for months, trying to meet the needs of the growing business as well as the demands of new regulations. The juggling act has meant that both Youngstrom and Wotta periodically work 12 hours a day and another 6 or 8 hours on the weekends. And there's no end in sight: with a fiscal year that ends in June, Compex will be one of the first companies required to comply with Section 404, the internal-controls requirement of Sarbox.

As Wotta's schedule illustrates, controllers are on the hot seat. Besides managing payroll and holding down costs, they are being asked to spearhead the subcertification process that now precedes all financial filings. And the tedious task of documenting internal controls rests squarely on their shoulders. Says Joan Freilich, CFO of New York utility Consolidated Edison Inc., "A year ago, I did not think [Sarbanes-Oxley] had increased the workload. But 404 is clearly an additional layer of work. And the accounting department under the controller has a very big role."

Given these new demands, many CFOs are realizing that their controllers are overburdened. While the whole staff contributes to the internal-controls effort, says Youngstrom, it is Wotta who sits at his desk putting all the details down on paper at 8 o'clock at night. "What would happen to this company if my controller just didn't show up one day?" he asks, adding, "I don't want this to be a sweatshop. We've got to make some adjustments to alleviate this workload."

Competing Priorities
The controller's job has always been a difficult—and often thankless—one. Day-to-day tasks involve gathering, or in some cases digging for, information from all areas of the company, as well as meeting the constant deadlines of closing the books. Allen Elkin, director of the Stress Management & Counseling Center in New York, says controllers also feel the squeeze of what he calls "the sandwich effect." Positioned between the CFO and the other members of the finance department, they are "responsible up and down," he says. "And being in the middle often results in the most stress."

With the economy poised for growth, controllers are also facing competing priorities. Wotta, for example, has added significantly to his duties: Compex made two acquisitions recently, and the company, which has traditionally sold products to doctors and clinics, is introducing a consumer offering. And in addition to integrating these new businesses into the financials, he recently took responsibility for Compex's Tampa collections division.

The pressures are just as pronounced at private companies. Although KhiMetrics Inc., a Scottsdale, Arizona, developer of revenue-management software, is free from the scrutiny of the Securities and Exchange Commission, controller Debra Standal still tries to keep up with the new regulations. "I like to have the controls in place regardless," she says. But with just four people in the finance group, she has little time to read up on rule changes. Moreover, with every additional scandal—such as the current mutual-fund probe—she says, "there's a tendency to want to scrutinize everything you come across. I'm not balancing very well at the moment."

Stress Reduction
Not surprisingly, all of this work is creating a palpable amount of anxiety in finance departments. "It's an incredible strain on me and my staff," says Wotta of the speed with which he must meet the controls requirements. In addition, Con Edison controller Ed Rasmussen comments that everyone is more aware of his or her liability now. "It doesn't thrill you when you see controllers on TV in handcuffs. That does cross your mind every once in a while," he says.

To alleviate some of those stresses, many companies are bringing on more experienced finance staff to handle the regulatory issues, or searching for more people to take on some tasks. "The number of controller and chief accounting officer searches we're seeing is up year-over-year and certainly over two years ago," says Barry Bregman, managing partner at recruiter Heidrick & Struggles in Manhattan.

To help balance Wotta's load, for example, Youngstrom has received approval to hire additional staff. At KhiMetrics, CFO John Harbottle is spreading out the work by educating nonfinance staff about finance-related matters. And at Relizon, a business-process solutions company in Dayton, with close to $1 billion in revenues, top finance officer Sarah Burton points out that simple gestures are also important. She recently invited her entire staff out for a drink, "just as a thanks for working hard," she says. "With the pressure on those positions, it's really important to make sure you recognize and appreciate them."

Silver Lining
Controllers admit there are benefits to the added work, however. Con Edison's Rasmussen says the increased workload has meant greater visibility within the company. He spends a significant amount of time educating his colleagues about compliance, giving internal presentations, and meeting with the board—"going through the financial statements line by line."

Such regular contact with the board and constant interaction with the CFO, while often anxiety-producing, should lead to opportunities, says Richard Roth, principal at The Hackett Group, a business-advisory firm based in Atlanta. "The good news is [the controller] can be a star. The bad news is it's going to be a hell of a lot of work."

Notwithstanding the demands of his schedule, Wotta tries to maintain perspective. "This isn't open-heart surgery. No one's going to die on the operating table if you make a mistake," he says. But the pressure makes such equanimity tough to achieve. "It's really important to me to bring a sense of fun to the job," he says. "[But] with Sarbanes-Oxley, everything's become a little more serious."

Rites of Privacy

With the dust settling on Sarbox compliance in the public sector, eyes turn to private companies.
David M. Katz, CFO Magazine
November 1, 2003

Much has been made in the past year about the potential tab for complying with the Sarbanes-Oxley Act of 2002, as well as the burden in terms of man-hours and liability. So it's logical to assume that any company that didn't have to comply wouldn't comply. Think again.

At Cargill Inc., adhering to Sarbox is not required, because the Minneapolis-based company is private. However, as part of a decision to operate within the spirit of the act, Cargill's board of directors has made a number of changes, including shaving the maximum amount of time a lead audit partner can serve from seven years to five. And in its May 31 quarterly financial report, the company also started disclosing material details of its off-balance-sheet dealings and explaining them in the Management's Discussion and Analysis section. Says CFO Robert Lumpkins, "Given all that was going on—the scandals, Sarbanes-Oxley—we thought it was time to reexamine our processes."

Cargill isn't the only private-company adapter. Almost 40 percent of nonpublic-company CFOs say their companies would benefit from implementing elements of the year-old law, according to a recent survey of 356 CFOs by Robert Half International. That figure rises to 52 percent of CFOs at private companies of 500 employees or more.

Increasingly, however, compliance is not a matter of choice, even for private companies. Already, many are running into Sarbox simply by raising capital. And if several attorneys general have their way, compliance will be extended to private companies on a state-by-state basis. The year following the law's July 30, 2002, enactment was "public-company time," says John Vail, an attorney with Quarles & Brady LLP in Chicago, but now the private company's time has come.

Bonds in the Stocks
Sarbox, for instance, applies to a company offering public debt as well as to one issuing public equity—a fact Interline Brands, a Jacksonville, Florida-based plumbing and hardware distributor, knows firsthand. Still-private Interline will file a third-quarter 10Q early this month. At that point, it will become subject to Section 302 of Sarbox as a result of the company's offering of $200 million in senior subordinated notes in May 2003. (As a nonaccelerated filer under the act, the company doesn't have to fully comply until 2005.)

The transition might not be all that hard for Interline. Some of its executives have experience filing financial reports with the Securities and Exchange Commission, since the stock of Wilmar Industries, Interline's predecessor, was publicly traded before 2000. In that year, Wilmar exited the public arena because, as a small-cap industrial distributor, says Interline CFO William Sanford, "our sector was out of favor at that time."

Still, Sanford maintains that Sarbox will serve the company well. While the toughest and most-expensive requirement may be the internal-controls assessment embodied in Section 404, Sanford says the process will help many of Interline's 2,200 employees grasp where they stand in "the custody chain of information." Moreover, it could also ready the company for a potential initial public offering. "We're owned by private-equity firms, and their exit strategy might involve a public offering," says the finance chief.

The Merge to Comply
Issuing public debt, however, is only one of the circumstances that make private companies subject to Sarbox. Those attempting to merge with public companies, of course, must prepare to comply. And, increasingly, lenders and investment bankers are using the act's provisions as a due-diligence gold standard.

For example, says Vail, some Chicago banks are requiring CFOs and CEOs to certify financial statements in their loan covenants with private companies. Other bankers are said to be mulling whether to demand internal-controls sign-offs. Says Jack Capers, a partner at King & Spalding in Atlanta: "In the past, investment bankers and lenders were more likely to deal with financial statements on the surface. They're now asking extra questions about how the financial statements are built."

Such disclosure may soon be mandated on the state level. In New York, for example, state attorney general Eliot Spitzer has proposed a bill that would require the CFOs and CEOs of nonprofits to verify annual reports. It's one of several "Little Sarbanes" bills—designed to extend Sarbox beyond the public-company sphere—making their way in and out of state legislatures. In New Jersey, a bill withdrawn earlier this year would have barred auditors from providing nonaudit services to all companies, not just public ones.

What isn't legislated may end up being court-ordered, says Vail. Inspired by Sarbox, he says, courts are poised to judge the performance of private-company boards much more harshly. They might, for instance, question the number of boards directors sit on and how much they rubber-stamp management decisions, says the attorney.

One federal judge has already suggested that board members and executives of private firms be held to even higher governance standards than their peers at public companies. Earlier this year, five former directors and officers of bankrupt Trace International Holdings, including ex-CFO Robert Nelson, were found liable for failing to keep the company's CEO, Marshall Cogan, from enriching himself at the company's expense. "Given the lack of public accountability present in a closely held private corporation, it is arguable that such officers and directors owe a greater duty to the corporation and its shareholders," wrote Judge Robert Sweet in his decision.

Picking and Choosing
As of now, Sarbox compliance is largely voluntary for private companies. And even those that choose to comply, such as Cargill, can always pick which rules to obey.

For example, Cargill's governance processes, which were reviewed and updated a year ago, are "a hybrid between public and private," notes Lumpkins. So unlike public companies, Cargill limits Web access to detailed financial data. And it has decided not to comply with Section 404. "We don't think it's a valuable exercise," says Lumpkins. "We just think it's a lot of work, it's costly, and we don't really see the benefits."

Nonprofits fall into a similarly gray area. Because of the public-service role many of them play, they bear a responsibility to the public for their governance practices. Some Sarbox provisions, such as those requiring audit-committee members to be independent, "make sense in a not-for-profit world," says Kim Schwartz, vice president of corporate finance for the American Red Cross. "You have the same inherent conflict of interest you could have in a for-profit world."

However, there might not be much gain, however, in requiring a not-for-profit to separately disclose that it has a financial expert on its audit committee, she says, since many already disclose that information in their annual report. For its part, although the Red Cross is likely to adopt some provisions of the act—its executives are currently analyzing Sarbox's long-term effects on its 1,000 operating units and observing how things shake out in the public sector. "Our mantra here is: proceed with caution," adds Schwartz.

Opting Out
Of course, flexibility in adopting Sarbox's provisions could be behind the sudden rush to go private. As of July, 95 U.S. public companies had gone private in 2003, according to Thomson Financial—the biggest number in the past five years.

The costs of Sarbox could also be a factor. In fact, private-equity investors "are saying there is a larger pool of small-cap public companies willing to explore the merits of going private" because of compliance expenses, says William Koehler, a managing director of Cleveland-based KeyBanc Capital Markets.

Once there, however, newly private companies quickly realize that when it comes to Sarbox, they can run, but they can't hide.

David M. Katz is deputy editor of CFO.com.

Drowning in Data

A flood of corporate data, intensified by Sarbanes-Oxley compliance, threatens to overwhelm business managers.
John Goff, CFO Magazine
November 1, 2003

Recently, a major technology vendor sent out questionnaires to senior business managers about data and decision-making. A number of them came back with additional comments, most of them variations on a theme: "Data is buried in a sea of noise." "Swamped in information." "I'm drowning." Despite—or perhaps partly because of—a sizable drop in the cost of storing and retrieving information, many corporations are in danger of being swamped by information. Software applications from ERP to CRM to SCM may generate great efficiencies, but they also generate great floods of data. So great, in fact, that nowadays CIOs speak of petabytes (quadrillions of bytes) of storage rather than mere terabytes (trillions), a trend that must surely worry the branding heads at Dayton-based Teradata, a subsidiary of NCR Corp. But not the sales heads: in a survey released by the technology company in September, more than half of 158 corporate executives said their businesses have two or three times the amount of information available to them as they had last year.

What's more, a lot of that data is useless, or worse. Experts estimate that anywhere from 10 percent to 30 percent of the data flowing through corporate systems is bad—inaccurate, inconsistent, formatted incorrectly, entered in the wrong field, out of a value range, and so on. In its most recent study of corporate data integrity, the Seattle-based Data Warehousing Institute found that nearly half the surveyed companies had suffered "losses, problems, or costs" due to poor data. The estimated cost of the mistakes? More than $600 billion.

Now, the potential cost of poor data management is about to rise. Under Section 404 of the Sarbanes-Oxley Act of 2002, which goes into effect in June 2004, publicly traded companies will be responsible for providing "full, fair, accurate, timely, and understandable disclosure" in their periodic reports.

Obviously, you can't have accurate financials without accurate financial data. But identifying all Sarbox-relevant financial data and funneling it into a single report is no small feat. "It's a big dumping of data," says Mark Nagelvoort, an internal-controls manager who is heading up the Sarbox-compliance effort at Mahwah, New Jersey-based Hudson United Bank.

And that's nothing compared with what companies may be forced to do with their unstructured data—the E-mails, contracts, and PowerPoint files that account for 80 percent of corporate information. Right now it appears that courts will treat such information as discoverable evidence in Sarbox-related prosecutions—an ugly prospect. Hence, many companies are now scrambling to archive as many E-mails, letters, and memos as possible. Warns James Watson, CEO at Chicago-based consultancy Doculabs Inc.: "Some companies are going from saving nothing to saving everything. It's phenomenally dangerous."

Dirty Rotten Data
Finance chiefs have been down this path before. In the mid-1990s, senior executives began routing data from far-flung financial, supply-chain, and customer-information systems into data warehouses and data marts.

On the drawing board, the projects made sense. By analyzing slices of company data, managers could spot trends and make better decisions. But in reality, data warehousing was, and is, fraught with difficulties; for every successful project, there is a failed one. And even with the successful ones, getting the right number can take forever. True, search and query speeds have improved dramatically in the past few years. Likewise, the cost of the software used to store the data has dropped. "The dot-com bust has brought down the cost of mature technologies like data warehousing," says Danny Siegel, New York-based senior manager (global business technology) for Pfizer Inc.'s pharmaceuticals group. Siegel says data-mining tools cost one-fourth what they did a few years back (see "White Goods for Data?" at the end of this article).

Still, cheap storage and servers don't guarantee good information. Indeed, bad data continues to bedevil many corporate data miners, asserts Michael Schrage, co-director of the E-markets initiative at the MIT Media Lab, in Cambridge, Massachusetts. "It's an article of faith, almost to the point of a joke," he says, "that every organization I've dealt with that wants to data mine looks at the quality of data and realizes it's not sufficient to do it."

To clean up the problem, some companies have turned to what's known as ETL (extract, transform, and load) software. Sold by such vendors as Ascential Software, Ab Initio, and Informatica, ETL programs scour data before it's routed into warehouses. Some companies use custom programs: Winston-Salem, North Carolina-based Krispy Kreme Doughnuts Inc., for example, uses homegrown data validation and exception applications that act as business-rule black boxes. The programs help keep funky data out of its financial-data warehouse, explains CIO Frank Hood.

Other businesses are attempting to reduce errors by reducing the number of inputs that feed such corporate reports as the general ledger. Earl Shanks, who has been CFO at NCR for two years, says the company used to deal with about 1,200 customized reports generated by the finance and administrative organization. A standardization project has reduced that number to just over 100, he says.

Consolidation projects could prove crucial in meeting regulatory requirements. Obviously, the fewer systems in place, the less data integration required. In addition, the deep-sixing of some programs should reduce the amount of chatter finance managers have to deal with. Case in point: Siegel recalls that before Pfizer deployed its financial-data warehouse, the company's financial managers had to access 14 distinct systems. "A financial manager does not have the time to be an expert in 14 different systems," he remarks.

Not surprisingly, some ERP vendors are flogging instance consolidation—that is, the adoption of a single version of a program—as the simplest way to comply with the new regulatory requirements. Since consolidating existing software tends to generate workflow efficiencies, it's equally unsurprising that customers seem to be listening. A recent survey conducted by AMR Research revealed that 65 percent of publicly traded companies are strongly considering instance consolidation to help them deal with Sarbox (see "Six Degrees of Automation" at the end of the article).

Instance consolidation comes with its own difficulties, though. Cost tops the list. According to AMR, the price tag for an instance consolidation works out to about $10 million per $1 billion in annual revenues. What's more, instance-consolidation projects can take anywhere from 12 months to two years to complete and often require a full reimplementation of the system.

Can You Demonstrate That?
For the moment, most finance executives aren't worrying about instance consolidation. They'd be content instead to document exactly how numbers get rolled up into the general ledger.

At Hudson United, Nagel-voort was brought in to head up the bank's compliance efforts and internal controls. He says the company's executives are comfortable with the output of the controllers group. But, he adds, "if the CFO and CEO have to put their names on the dotted line..."

The ellipsis speaks volumes. With Sarbox approaching, finance managers will likely be fielding tough questions about data—particularly from audit committees. Says Mike Ressner, a former CFO who sits on the audit committees of WilTel Communications and Entrust: "Audit committees ought to be saying, 'You're representing this information as high quality and done with integrity. It would be nice if you could demonstrate that.'"

In all likelihood, internal-control departments will be respon-sible for the demonstrating. "Generally, controllers tend to be more focused on the general ledger or subledgers," says Ressner. "Now they've pushed back out of those ledgers to the underlying systems to make sure the data flow is correct."

Consider Hudson United, which operates about 200 branches in New Jersey, New York, and Connecticut. To help satisfy the Sarbox Sections 302 and 404 certification requirements, Nagelvoort put together a 12-member compliance team that is responsible for the bank's business departments. Recently, Hudson United began installing a document-workflow program called SOXA Accelerator, marketed by HandySoft. According to Nagelvoort, the program helps the company create reports detailing what management and the company auditors consider material for each line item in the general ledgers.

Hudson United appears to be ahead of most companies—at least in the purchasing of compliance software. Many technology vendors see Sarbox as a big selling opportunity (the next Y2K problem, say some) and are pitching all-encompassing, large-scale compliance products, or "kitchen-sinkware," as Schrage calls it. So far, few vendors have made a killing from these products. "Since they don't touch sales," notes Sid Banerjee, CEO at Falls Church, Virginia-based consultancy Claraview LLC, "there's no ROI on these products."

There may be no "R," but there certainly is an "I." The cost of purchasing compliance software can easily top the $1 million mark, say consultants. In addition, Watson of Doculabs points out that for every software dollar spent, corporate customers will have to spend $4 in service. "You're talking about a boatload of consultants," he says.

Further, some finance managers say they're not overly impressed with the current crop of compliance products. When executives at Crown Media Holdings, an entertainment company that operates the Hallmark Channel, first started to assess Sarbox compliance, they contemplated buying software to help manage the company's unstructured data. Specifically, Crown's executive team was interested in a program that would manage the company's voluminous contract rights—one of its key business processes. Although Crown has deployed a document-management program sold by Optika Inc., it has yet to purchase a rights-management application.

Why the delay? "The offerings are not there yet," answers Mark Thompson, senior vice president, finance and information technology, at Crown. "There's nobody out there." Other finance managers tell similar stories. One controller says flatly: "The compliance products are still immature."

Deborah Birnbach, a partner in the litigation group at Boston law firm Testa, Hurwitz & Thibeault who advises clients on compliance, has heard similar complaints. "Companies will buy compliance software," she predicts, "when they see other people buying it."

On Deadline
They'd better hurry. Publicly traded companies have barely seven months to get in line with Section 404 of Sarbanes-Oxley.

The specter of that deadline leaves little time for businesses to dig too deeply into data deficiencies—or to automate data tracking. In fact, Todd Naughton, controller at Vernon Hills, Illinois-based bar-code maker Zebra Technologies, says that because of the June 2004 deadline, Zebra has ruled out deploying software programs for the first round of certifications. "It's three to six months just to pick a tool and install it," he claims. "And that's before anybody starts putting data into it."

Instead, executives at scores of companies are manually documenting the policies and procedures intended to safeguard the integrity of their financial data. The documenting includes not only assessing where the data is but also deciding who should have access to it. "For me, the problem is not having too much data," says NCR's Shanks, "but how do we use that data and make that data available to the right people at the right time."

NCR maintains an enterprise data warehouse to help with that large task. For many businesses, however, Sarbox compliance remains a very low-tech affair. Zebra simply gathered 10 to 15 employees in a room with an Excel spreadsheet and went about identifying the company's material risks and the controls to address each risk, says Naughton.

Observers say even low-tech approaches can carry some hazards, however. Former CFO Ressner worries that, for some companies, the documenting process could get out of hand, resulting in data about data. "The over-rotation of this," he conjectures, "is that you could end up with a manual for everything."

Ironically, some of this painstaking documenting could come back to haunt companies. According to attorney Birnbach, creating a paper trail about internal-control procedures before identifying what those procedures are may prove to be a big mistake. "It's not wise to put an open discussion about the assessments of control processes onto paper," she notes. "It's discoverable."

Ironically, some of this painstaking documenting could come back to haunt companies. According to attorney Birnbach, creating a paper trail about internal-control procedures before identifying what those procedures are may prove to be a big mistake. "It's not wise to put an open discussion about the assessments of control processes onto paper," she notes. "It's discoverable."

Wait 'Til Next Year
Faced with stiff penalties for lax internal controls, some businesses will no doubt ignore that warning. Instead, they will start saving every bit of unstructured data in the house. "Companies will start saving all E-mail," predicts Doculabs's Watson. "Unless you're confident in documenting policies and data, you'll have to save it."

What's more, identifying a company's internal controls and key financial processes—a Herculean task—is not a one-off deal. "We'll have to update any change we make in internal controls, or if we install new software," concedes Crown's Thompson. "We'll have to update anything that has implications for our flowcharts or internal processes."

Eventually that will lead many companies down the path of automation. As Watson notes, merely backing up everything won't cut it: "You need auto indexing, and you need rules and parameters for the indexing."

A ray of hope for technology vendors? Possibly. Some finance managers say, yes, they'll likely be more inclined to purchase compliance software in 2004—once they're through with all their documenting, that is. Says Naughton: "I don't want to do this every year."

John Goff is a senior editor at CFO.

White Goods for Data?

When Section 409 of the Sarbanes-Oxley Act of 2002 kicks in for real—in January 2004—many companies will have to report material events to the Securities and Exchange Commission within 48 hours. Meeting the short deadline could prove to be a bear, particularly for businesses that plan to examine financial data to determine if an event qualifies as material.

The snag: data analysis is still anything but real time. Data warehouses, which nowadays house terabytes of information, are rarely updated on a daily basis. What's more, the traditional architecture for warehouses—a patchwork of various drives, servers, and software—is best suited for backward-looking, slow-cooking sorts of analysis. The large amount of data movement in a typical warehouse limits the slice of information that can be accessed in a single search (usually about 1 percent of the available data). To get a fanfold view, users must engage in repeated queries. Says one CEO: "You go back and forth, back and forth."

Appliances to the Rescue
Managers who need to perform ad hoc queries—and need the results now—are generally out of luck. Notes Dan Vesset, a research manager at technology consultancy IDC: "Speed of decision-making, whether we're talking about real time or near­real time, is still only a goal for most organizations."

This may be changing, however. A new device, called a data appliance, could radically alter the time it takes to analyze data. Built from the ground up as a dedicated storage, retrieval, and analytics system, a data appliance is an all-in-one machine. Since server, storage, and software are integrated at the lowest level, there's less movement of data. The result? A 10-to-50-times improvement in performance for products from data-appliance maker Netezza Corp., claims Jit Saxena, CEO of the Framingham, Massachusetts-based company.

Netezza sells five data-appliance models, ranging in price from under $1 million to $2.5 million. The basic unit, a rack, can store up to 4.5 terabytes of data. To increase capacity, customers simply buy additional racks. As for the vendor's performance claims, Wakefield, Massachusetts-based Epsilon, which hosts data for financial-services companies and others, recently installed a Netezza data appliance. Mike Coakley, Epsilon vice president of marketing technology, recalls the benchmarking the company performed on the device before making a purchase. "We tested load times, queries, summarizations," he says. "The results were astronomical—borderline ridiculous."

Coakley claims the data appliance has cut load times at Epsilon from 11 hours to 3. Complex SAS queries on an Oracle database, he notes, used to take 2 hours; now they take 15 minutes. Says Coakley: "This is a real shift." —J.G.

Six Degrees of Automation
Costs and benefits of IT probrams for Sarbox compliance.

Whistle-Blower Woes

Many companies think the whistle-blower provisions of Sarbanes-Oxley will spark nuisance suits by disgruntled employees. The truth is far more complex.
Alix Stuart, CFO Magazine
October 1, 2003

When Matthew Whitley was laid off from his job last March as a finance manager at The Coca-Cola Co., along with about 1,000 other employees, he didn't take it lying down. Two months later, Whitley approached his former employer seeking a whopping settlement—$44.4 million—on the grounds that he had been fired in retaliation for raising concerns about accounting fraud. When Coke balked, Whitley turned for relief to a new ally: the Sarbanes-Oxley Act of 2002. He filed for whistle-blower protection under the act's Section 806 provisions, and initiated federal and state lawsuits that charged seven Coke executives, including CFO Gary Fayard, with crimes ranging from racketeering to mail and wire fraud.

"This disgruntled former employee has made a number of allegations accompanied by an ultimatum: that the company pay him almost $45 million or he would go to the media," said Coke in a May statement announcing the claims. Since then, a Georgia state court judge has dismissed most of the charges, including those related to racketeering and breaches of fiduciary responsibility. While Coke may still have to defend itself against claims related to wrongful termination, "we are confident we will prevail once the facts are presented in a court of law," said Coke in a statement.

One of Whitley's allegations, however, has already had some effect. His contention that Coke falsified a marketing test of Frozen Coke at Burger King restaurants in Virginia led the company to make a public apology and an offer to pay Burger King $21 million. In July, the Department of Justice (DoJ) announced it was launching a criminal investigation of the alleged fraud.

CFOs may be forgiven for fearing that cases like Whitley's are a harbinger of things to come—that, thanks to the protections afforded by Sarbanes-Oxley, irate workers will accuse their employers of financial wrongdoing in order to wring large settlements from them. Indeed, on August 27, a federal judge refused to dismiss a whistle-blower lawsuit accusing TXU Corp., an energy company, of earnings manipulation; unless the case is settled, it will become the second suit filed under Section 806 to reach a federal court (the first involved JDS Uniphase Corp.).

But it remains to be seen whether Sarbanes-Oxley will have a significant impact on whistle-blower litigation. Although the number of such filings has increased, most will probably be dismissed as lacking merit. And even with the new protections of Section 806, would-be whistle-blowers still face a painful cost-benefit decision: whether a lawsuit with uncertain chances of success is worth the professional and personal sacrifices that will assuredly be required.

A Reasonable Belief
In theory, disgruntled ex-employees have always been able to accuse their ex-employers of misdeeds in order to claim wrongful termination. But until the passage of Sarbanes-Oxley, most public-company employees had little to gain financially if the company denied the charges and refused to settle. Since the mid-1980s, the federal government has protected whistle-blowers whose work affects public welfare, including, for example, federal employees, government contractors, power-plant operators, and airline staff. But people who spoke out about financial fraud had no legal protection except for a handful of state laws—and then, often, only if the matter affected the general public.

Today, the law says that an employee needs only "a reasonable belief" that his or her employer is violating a securities law or is in any other way imperiling shareholder value to qualify for government protection from retaliation. "Retaliation" encompasses everything from firing to verbal threats and missed promotions. Within 90 days of experiencing retaliation, an employee can file for protection, which means anything from reinstatement with back pay to a full federal court trial with the potential of compensation for pain and suffering. These protections apply even if the employee is wrong about his or her accusations.

"The employee could be wrong, but if they have a reasonable belief there's been a violation and the company retaliates against them in any way, it triggers the whistle-blower protection in Section 806 and leaves the company wide open," says Neil Aronson, a partner with Mintz Levin Cohn Ferris Glovsky and Popeo in Boston.

A separate section of the law puts managers who allow retaliation against a whistle-blower at risk of jail time or fines. That, in turn, exacerbates the enormous public-relations risk to the company. Add to that the praise heaped on whistle-blowers like Enron's Sherron Watkins and WorldCom's Cynthia Cooper, and what does an angry employee have to lose?

Plenty, it turns out. Most people who have publicly accused their companies of securities fraud say Sarbanes-Oxley does little to mitigate the high personal price of coming forward.

"It's the exception that a whistle-blower is looking to get even, because it's very painful to break ranks with [your company], even if [you] have strong legal rights," says Thomas Devine, an attorney who has counseled more than 2,000 whistle-blowers protected by other federal statutes through the Government Accountability Project, a nonprofit group based in Washington, D.C. Even with legal protection, once whistle-blowers go public, their reputations are called into question and their future career prospects hampered, all for the dubious goal of reinstatement to a work environment in which they are considered troublemakers.

Even if a case does go all the way to a federal court, whistle-blowers would probably have to change industries if they ever want to work again, says Devine, since they will be considered "wild cards" regardless of the outcome. And despite the attention given Watkins et al., most whistle-blowers are rebuffed, not supported, by the federal government. Since Sarbanes-Oxley was passed, about 131 public-company employees have reported violations of whistle-blower protections to the Occupational Safety and Health Administration (OSHA) of the Department of Labor (DoL). (The agency was directed to oversee these violations because it has handled the industry-specific whistle-blower statutes.) Most of these investigations—83 percent of the 60 completed so far—have been dismissed or withdrawn.

True, the percentage of cases upheld may increase, since about one-third of claims have been thrown out for technical reasons—for instance, because the company is private or the alleged retaliation began before passage of the law. But in general, says John Spear, OSHA's head of investigative services, 75 percent of cases brought each year under other whistle-blower statutes are found to lack merit.

Even when the claims of fraud and retaliation are justified, it's unclear what the whistle-blower will gain. Attorneys can name wildly different figures depending on whether the underlying assumption is that the whistle-blower will never work again, will work but won't be promoted, or will have to retrain for a new profession. No one yet knows what civil juries or federal-court judges will accept.

Final Straw at Coke
From that perspective, Matthew Whitley represents all the reasons whistle-blowers are more to be pitied than feared. As he tells it, losing his $140,000-a-year job was the final straw in what had been a long personal battle against earnings management.

In his 11 years at Coke, 9 of them as an internal auditor, the 37-year-old Whitley claims he caught various attempts to minimize current expenses, using such techniques as stretching out capitalization periods or booking payments to bottlers as assets. Under previous CEO Robert Goizueta, he says, such concerns were heard and addressed. Since Goizueta's death in late 1997, though, Whitley says he has seen a progressive deterioration in accounting controls and an increasing reluctance to fully correct problems.

For example, Whitley led an internal investigation in 2001 that found vice president John Fisher had used fraudulent marketing schemes to sell Frozen Coke products and equipment to Burger King. Since the scheme violated Coke's code of conduct, among other problems, Whitley recommended the executive be fired. Instead, Coke's audit committee, which includes Warren Buffett, simply demanded that Fisher forfeit half of his 2000 bonus and 2001 stock-option award. Fisher was later promoted to a senior vice president post, while Burger King was allegedly never informed of the incident.

When outsider Steve Heyer (he had been COO of Turner Broadcasting) was promoted to COO in December 2002, Whitley saw hope for more systemic changes. On December 30, Whitley sent an E-mail to Heyer outlining some of his concerns about recent incidents. Heyer mailed back an invitation to provide more details, and a month later Whitley sent Heyer an E-mail with a nine-page memo attached, listing many of the violations of Coke's code of conduct he had helped investigate and the subsequent light punishments that generally resulted.

Heyer, who through a spokesperson claims he received but never opened the twice-sent attachment, never responded, according to the complaints Whitley filed in May. Nor did any word come from CFO Fayard, with whom Heyer had indicated he would share the memo. But in mid-February 2003, Whitley received the worst performance review of his career, according to his complaint, after a history of above-average marks and positive comments about his integrity. On March 26, he was laid off as part of a companywide reorganization.

When Heyer stopped responding to Whitley's ongoing attempts to follow up by E-mail, Whitley sent a copy of the memo to Coke's general counsel, Deval Patrick, in mid-March, offering to meet with him. Whitley says he continued to press for a meeting after his layoff, but finally gave up in order to file for whistle-blower protection within the 90-day window.

"I didn't want to go public, but I didn't know what choice I had because no one would listen to me," says Whitley. The proposed $44.4 million settlement "was intended to get Coke's attention," he says, adding that he never expected Coke to pay that amount.

Coke has not responded so far to any of the specific allegations, but the company denies that it fired Whitley in response to the claims he raised, and downplays the claims themselves. "As we have investigated all of the allegations raised by Mr. Whitley, we have found nothing material that requires a restatement of our financial statements, or we would be doing that right now," said Heyer in July's second-quarter conference call.

Still, while the issues might not be material to Coke at a corporate level, it's hard to say Whitley was just grousing. In response to his lawsuit, Coke conducted an internal investigation and subsequently agreed to pay Burger King $21 million as recompense for the marketing frauds, after firing Fisher in April for a further (and unrelated) violation of the corporate conduct code. The company announced in June that it was writing down $9 million due to overvalued assets in its Fountain division, and said it would continue to investigate financial arrangements with its suppliers. In August, Coke announced that Tom Moore, Fountain president and a named defendant in Whitley's suit, was stepping down.

Whose story—Whitley's or Coke's—is the real thing could be decided by a civil-court jury or the DoJ, which is investigating the alleged Frozen Coke fraud. But Whitley isn't pinning his hopes solely on Section 806 and OSHA. Why? "In many ways, Sarbanes-Oxley is toothless," says Marc Garber, Whitley's attorney, "because the [DoL] has no subpoena power and no authority to interview employees without a company representative present." That makes it difficult to gather the evidence necessary to win a case.

Thus, while OSHA is still investigating Whitley's case, Garber, a former federal prosecutor, is also relying on broader state and federal lawsuits. The latter offer the opportunity for fuller investigation, he explains, and the potential for a larger settlement.

Hanging on at Duke
Other whistle-blowers who have endured OSHA investigations agree that the protections aren't as strong as they might seem. "People ask me, do I think Sarbanes-Oxley will cause more people to come forward? I don't think so, not if they know their careers will be forever altered," says Barron Stone, an 18-year employee of Duke Energy Corp.'s finance department.

Stone's efforts to blow the whistle at Duke started in early 1999, when he told the American Institute of Certified Public Accountants, the South Carolina Board of Certified Public Accountants, and the Securities and Exchange Commission that Duke was intentionally understating revenues for its regulated energy division to avoid having its rates lowered. Stone says he waited in vain for regulators to catch the problems on their own, and finally, in July 2001, he decided to step forward. He put in an anonymous call to the company's ethics hotline and met with the head of the Public Service Commission of South Carolina (PSCSC).

As a result of the call and the meeting, both Duke and the PSCSC launched investigations into the accounting disputes, which to varying degrees vindicated Stone's claims that earnings had been understated. In November 2002, Duke agreed to pay the states of North Carolina and South Carolina $25 million to be applied toward rate reductions in connection with the charges.

Stone went public with his story last August because he believed that Duke officials had apprised senior finance staff of his call to the ethics line and had dropped hints to his colleagues as well (see "Talk, or Walk?" October 2002). Since then, Stone has also revealed that he tipped off the SEC about some other efforts to manipulate earnings in Duke's unregulated businesses.

Through it all, incredibly, Stone has hung on to his job (and even received an 8 percent raise)—but not to his career prospects, he says. Once a senior forecast analyst, Stone says he was essentially demoted to an undefined role in February 2002, and passed over for a new position that August after a history of frequent promotions and increasing responsibilities. He has been assigned to execute entry-level projects, and has been moved to an office far away from the rest of his unit. While he is technically a manager, he has no employees to manage—and has been told he will not get any. "They have been very calculated and very precise in trying to wear me down," he says. "They would never promote me again. They probably never will if I stay here 30 years."

For that reason, Stone and his attorney, Gerry Bos, sought whistle-blower protection under Sarbanes-Oxley in November 2002. But the DoL dismissed the case in March 2003, in part because the alleged retaliation started before the law went into effect, and in part because of insufficient evidence.

Stone and Bos contend that the dismissal was based on OSHA's deficiencies, not theirs. For instance, Stone says that for lack of subpoena power, OSHA investigator Dale Boyd "told me point-blank, 'I can talk to the controllers and the vice presidents, et cetera, but if they lie to me, I accept whatever they tell me.'" Boyd was also of little help in building Stone's case, the accounting manager says, eschewing much of the critical information he had previously provided to regulators. "He was very unclear about what he wanted, how he wanted it, and the ramifications of what had happened," says Stone. "I spent inordinate amounts of time getting him what he said he needed, and then he didn't use most of it."

Duke, for its part, sees the dismissal as the final chapter in the case. "Obviously, the [DoL] has looked at this case and found no wrongdoing on Duke's part," says spokesperson Randy Wheeless. Duke has contended all along that Stone's manager didn't know that Stone was a whistle-blower when he transferred him. The company maintains the transfer was part of a larger reorganization. "From our perspective, it's pretty much settled," says Wheeless. Stone notes that there is still a complaint pending in federal court in Charlotte filed on his behalf.

Waiting for OSHA
Anyone waiting to be rescued by OSHA is liable to be waiting for Godot," charges Devine of the Government Accountability Project. He says that given OSHA's track record handling other whistle-blower cases, "it's a black hole...cases languish indefinitely."

Although Sarbanes-Oxley gave OSHA new responsibilities, the agency received no additional resources to go along with them. It did bring in representatives from the SEC and DoJ to speak with its investigators, says OSHA's Spear, and "familiarize them with issues related to Sarbanes-Oxley." In any case, connecting the dots between a red flag raised and a subsequent act of retaliation—particularly if it doesn't involve a layoff or a salary cut—is always difficult.

Moreover, the remedies OSHA can offer are weak. None of its initial findings are binding, so it must broker a voluntary settlement between employee and employer. Even then, at best an employee can hope to be reemployed at the same seniority level—potentially in another division—with back wages plus interest for lost time, along with litigation costs, expert-witness fees, and attorneys' fees. OSHA has no power to order accounting procedures reformed, numbers restated, or other employees fired. "We focus on making the complainant whole, not on changing the work environment," says Spear.

A whistle-blower's allegations of fraud, in general, fall to more-powerful agencies, like the DoJ and the SEC. But those agencies also offer little in the way of subsequent reward, protection, or even information about the case. "The SEC is kind of a one-way street," says Stone, who had provided documents to the SEC's regional Atlanta office. So far he has not been deposed by the SEC, which is reportedly investigating Duke.

Others complain that investigations go nowhere. Roy Olofson, a former vice president of finance at Global Crossing who made allegations of accounting fraud, was interviewed only once—by the U.S. Attorney's office in winter 2002, according to his attorney, Paul Murphy. "After that, we saw no follow-up," says Murphy. The investigation has since been dropped, despite a $1 billion earnings restatement related to Olofson's concerns in late 2002.

Some whistle-blowers say they can't get heard at all. "I'm starting to feel like the wallflower at the dance," says Lynn Brewer, who worked in various divisions of Enron from 1998 to 2000. She has been trying to share her Enron documents and experiences with the DoJ and various members of Congress since the day the company filed for bankruptcy in December 2001 and nullified her confidentiality agreement with Enron. "At that point, I was getting desperate to get my story out there, because I was getting concerned about my own culpability," she says.

Yet getting government officials even to return her phone calls has been a challenge. For instance, she says she E-mailed and phoned Sen. Byron Dorgan (D—N.Dak.), but never heard back, nor has she heard from anyone from the SEC or the DoJ. Now on the lecture circuit for organizations such as The Conference Board and the Association of Certified Fraud Examiners, Brewer says she gets 15 to 20 E-mails or phone calls per month from people who feel trapped by illegal activity at their companies. "My official answer is to send them to OSHA," she says, "but I also give them the name of a good lawyer." In the long run, of course, there's hope that Sarbanes-Oxley may have the desired effects on whistle-blowing. "A case could be made that there will be fewer claims in the future," says OSHA's Spear, "because the act puts more mechanisms in place for companies to hear from whistle-blowers early. Plus, there's a criminal penalty attached to [retaliation], which tends to get people's attention."

But reporting ethics violations is still perilous. While Coke, for example, now has a link on its Website for employees who want to report issues regarding accounting, controls, auditing, or other matters, all comments are forwarded to senior management rather than to the board or a third party. And while the site's FAQs section assures employees that they can "report suspected violations of the [conduct] code without fear of reprisal or retaliation," few are likely to do so after Whitley's experience.

Meanwhile, whistle-blowers still have to find their next job. Olofson is now consulting as he looks for permanent employment. "While this cloud is hanging over him, it's very difficult for him to find work that would make sense for him otherwise," says Murphy, his attorney. "His career path has been dramatically impacted by coming forward with his concerns."

And after sending out about 150 résumés, networking with about 50 people, and working with six recruiters, Whitley has had one interview in three months. For anyone else, that could be chalked up to the state of the economy. But Whitley has no doubt what has blown an ill wind on his job prospects: blowing the whistle at Coke.

Alix Nyberg is a staff writer at CFO.

How to Respond to Whistle-Blowers

Many companies are scrambling to establish toll-free hotlines and Web-based mechanisms that allow audit-committee members to hear directly from employees, suppliers, and customers who want to voice concerns about accounting or internal controls. According to the Sarbanes-Oxley Act of 2002 and Securities and Exchange Commission rules, such systems must allow for anonymity and be in place by a company's first annual meeting after January 15, 2004, or by October 31, 2004, whichever comes first.

But CFOs may do well to become better listeners. Most whistle-blowers say they never would have gone public with their concerns about the financial statements if senior management had been more attentive to them. And opening up the lines of communication doesn't necessarily mean opening Pandora's box.

Only about 5 percent of anonymous employee complaints received at United Technologies Corp. (UTC) each year relate to possible financial wrongdoing, says Patrick Gnazzo, the vice president in charge of investigating such claims. (UTC employees can report abuse anonymously through the company's Dialog program, which uses printed and online forms, or its ombudsman office, which fields phone calls.) Neither that percentage, nor the absolute volume, has changed much in the 17 years the office has been in existence, he says, not even after Sarbanes-Oxley. "If you're all trying to do the right thing in the first place, what's the fear of hearing from people?" asks Gnazzo.

The big question, of course, is how to separate the wheat from the chaff when confronted with an allegation. In fact, attorneys say the threshold for launching an investigation is pretty low. "If it violates the laws of nature, you don't have any obligation to investigate," says Jeff Stone, an attorney with McDermott, Will and Emery in Chicago. "But if it could be true, the prudent and wise thing to do would be to conduct an investigation." Indeed, at UTC, Gnazzo will check out accounting-related complaints even when the financial exposure is extremely low, or even zero. "If you take care of the $120 cases, you take care of the larger issues at the same time," he says.

Once a complaint is received, companies need to make every effort to protect a whistle-blower's anonymity, attorneys say. That task is considerably easier at big companies like UTC, where internal audits are routine. At smaller companies, they say, the best option may be to question senior-level managers in confidence before broadening the inquiry to rank-and-file workers.

Companies should also keep track of complaints, since OSHA's 90-day statute of limitations starts when the alleged retaliation occurs, not when the concerns are raised. "This means every time you let someone go or reduce compensation or turn them aside for a promotion, the audit committee has to ask the question: Has this person in any way questioned our audit practices?" says Neil Aronson, a partner at Mintz Levin Cohn Ferris Glovsky and Popeo. "Theoretically, you could disagree now with the CFO, and then bring a claim when the CFO demotes you two years later."

So is it ever OK to fire someone who has previously raised concerns? Of course, say attorneys. "If it turns out the person has maliciously spread false information about the company, you'd have good grounds to consider terminating that relationship," says Stone.

Neither of these attorneys, however, advocates rewarding employees who report allegations that turn out to be true. Says Aronson: "What you're asking them to do is their job, and you don't want to create a bounty system that might further skew incentives." —A.N.

Telling on Yourself

Almost from the day he joined medical-equipment maker Vital Signs Inc. in late 2001, Joseph Bourgart had suspicions about the Totowa, New Jersey­ based company's accounting choices. As a result, he approached CEO Terry Wall, audit-committee members, and the general counsel as many as 30 times between January and November 2002 about what he considered to be inflated valuations for inventory and an investment in China, as well as understated values for expenses such as supplier rebates and taxes, among other issues.

Bourgart was summarily demoted and then forced to resign in January. Since then, the $175 million firm has taken charges of about 40 cents per share to correct many of those concerns. So why hasn't he been protected by whistle-blower statutes? Bourgart was CFO at the time, and as such certified the financial statements he was challenging.

Bourgart filed a civil lawsuit in New Jersey state court in May. His attorney, Jon Green, of Green Lucas Savitz and Marose LLC, insists that his client was bullied into signing the statements by Wall, who is also chairman, founder, and majority stockholder, but later realized the error of his ways. Wall, meanwhile, claims Bourgart had conceded that the accounting was appropriate after an audit-committee review last summer and furthermore "voiced no objection" to any part of the 10-K in December. Vital Signs has moved to dismiss the case, and has threatened to countersue. Under Section 906 of Sarbanes-Oxley, Bourgart could face fines of up to $1 million or 10 years in jail for "knowingly" signing erroneous statements. Meanwhile, Green says he has eschewed the law's whistle-blower statutes, "because we felt they didn't provide adequate protection." Instead, Bourgart is making his case under the long-standing New Jersey Conscientious Employee Protection Act, a whistle-blower-protection law with higher damage payouts.

Other attorneys say that, hypothetically, such a case isn't impossible for a CFO to win. "The question is really whether he exhausted his responsibilities of due diligence before he signed, and took action on anything that didn't pass the smell test," says Jeff Lerer, an attorney with Foley Hoag in Boston. Provided Bourgart can show why he couldn't have known the truth at the time of the filing, he's probably off the hook, Lerer speculates, at least for criminal penalties. —A.N.

Blowing the Whistle: Six Recent Cases

Sticker Shock

When Congress passed the Sarbanes-Oxley Act of 2002, it didn't worry about how much it would cost companies. Today, CFOs are totting up the compliance bill -- and they don't like what they see.
Alix Stuart, CFO Magazine
September 1, 2003

Bill Teuber prickles a bit at the notion that the landmark Sarbanes-Oxley legislation has forced major reforms within EMC Corp. "I think about internal controls all the time; I didn't need the law to get me to think about them," says the CFO of the $5.4 billion information-storage giant. For the past decade, Hopkinton, Massachusetts-based EMC has carefully tracked its financial results with monthly closes and updated forecasts, says Teuber. In the same spirit, his regional controllers have been attesting to their compliance with EMC's procedures since mid-2001 — before Enron imploded. Teuber has also been thinking about financial transparency since being promoted to CFO in 1998, breaking down revenue streams by product classes rather than broad categories, and disclosing the quarterly earnings impact of stock options as early as July 2002.

Yet by the end of the year, EMC will have spent more than $1 million and thousands of man-hours complying with two of the main statutes in the Sarbanes-Oxley Act of 2002 — Section 404, related to internal controls; and Section 302, mandating CEO and CFO certifications of quarterly financial statements. Teuber won't even speculate on the price tag for full compliance, except to say "it's not insignificant." Moreover, he doesn't expect that burden to lift, thanks to ongoing testing and disclosure requirements. "Even maintenance mode will require a sizable effort," he says.

Like Teuber, CFOs across America say they are spending more time and money trying to shoehorn existing practices into legally acceptable formats. Forty-eight percent of companies will spend at least $500,000 on Sarbanes-Oxley compliance, according to finance executives who participated in a recent CFO magazine survey. Unlike Teuber, however — who sees the increased internal-controls documentation as "a chance to get best-of-breed solutions in our sales offices across 50-plus countries" — other CFOs (nearly 40 percent) see the increased burden as having "very little" or "no effect" on their current processes. Moreover, only 30 percent believe the benefits outweigh the costs.

In fact, many CFOs, such as Borland Software Corp.'s Ken Hahn, who expects to spend $3 million on compliance — including having some 25 percent of Borland's employees sign papers "saying they're not doing anything wrong" — see Sarbanes-Oxley as nothing more than "an efficiency tax." Stephen P. Bishop, CFO of Berkshire Hathaway­owned NetJets Inc., speaks for many when he says the "documenting and papering" of internal controls for Section 404 compliance will result in little "value-add." And E. Follin Smith, CFO of $4.7 billion Constellation Energy Group, goes so far as to say the law could eventually make the "fear of personal liability so great that managers are afraid to take risks on innovation."

Indeed, many finance executives believe that in seeking to curb the freewheeling ways of the likes of Enron, Tyco International, and WorldCom, Congress has committed some excesses of its own. Part of the problem, of course, was the haste with which the law was written. "If Congress had given the [Securities and Exchange Commission] more time to promulgate the regulations and the SEC had given companies more time to comply, costs would have been lower," says Goodwin Procter LLP partner Steve Poss. Instead, by rapidly legislating a whole set of processes, the law has become a windfall for auditors and lawyers and a time drain on overburdened finance departments. Moreover, the liability implications have "put people so on edge that they're looking over their shoulders all the time to see whether they're perceived as doing the right thing, not whether they are doing the right thing," says LCC International senior vice president and CFO Graham Perkins. "I don't think the legislators really understood all of the adverse consequences."

Perception Versus Reality
It's hard to know exactly what Congress expected, since it did not assess any costs when it passed the law. That's not unusual, since "there's no formal process for Congress to calculate benefits or costs of legislation," says Thomas McCool, head of financial markets and community investment at the General Accounting Office. "Sometimes they try to get indications from various parties, but when it's something prospective like this, [costs] would be very hard to tell."

The SEC, though, is required to estimate the burdens associated with its information requests under the Paperwork Reduction Act of 1995, and so has offered some guesses at future costs in piecemeal fashion. Such guesstimates have been chronically low. For one thing, they are typically limited to disclosure activities, and don't attempt to quantify costs like software purchases, audit-fee increases, or management and staffing requirements. The agency also tends to lowball the number and costs of hours of external help involved. "Most professionals look at these estimates and laugh," says Poss.

Reg FD compliance, for example, was projected to add a maximum $49.5 million to total annual disclosure costs when the rule was passed in August 2000, but actually cost somewhere between $250 million and $450 million, according to a Securities Industry Association (SIA) study in May 2001. That divergence was in large part based on the SEC's assumption that hourly legal fees were $85 to $175, compared with the $450 to $550 the SIA reported.

The same mistakes plague Sarbanes-Oxley, says Poss. The agency's new assumption is that outside legal fees will run $300 per hour, a figure with which most CFO respondents concur. Poss argues that fees will run higher. "These are not quick consultations, and they're usually with senior partners," whose rates run from $400 to $700 per hour in most big cities, he says.

No doubt, the SEC's biggest miscalculation was its original estimate that Section 404 compliance would require an additional five hours' worth of work per annual and quarterly filing. The figures were too low "by at least a factor of 100" if not more, wrote Cary Klafter, director of corporate affairs for Intel's legal department, in a November letter to the SEC. "We can only hope that the Commission's burden estimates are not used for any substantive governmental purpose, since they are completely incorrect."

While the SEC typically receives few comments on such estimates, this one raised the ire of so many companies that the agency was forced to recalculate — ending up instead with an average 383-hour workload per company, for a total annual price tag of $91,000, not including additional auditors' fees. "We recognize the magnitude of the cost burdens and we are making several accommodations to address commenters' concerns and to ease compliance," the agency said in its final rules on Section 404, released June 5.

Those accommodations included changing the requirement to test internal controls from a quarterly to an annual activity (unless they are materially changed) and extending the compliance deadline from September 30, 2003, to fiscal years ending on or after June 15, 2004, for accelerated filers; all others will have a compliance deadline of April 15, 2005. The delay "was an effort to help reduce the burden in general, and help make sure it was done right," says SEC commissioner Cynthia A. Glassman. "We did not want a system where [companies] were going to have to redo things."

Just doing it the first time, however, will not be a picnic. While the year extension has prevented a lot of what SPSS CFO Edward Hamburg calls "unnecessary thrashing and spending," the rules make little accommodation for companies of different sizes and growth stages. And even the revised cost estimates are considered "low" or "very low" by more than 80 percent of survey respondents. That irks those who believe the SEC should be held to the same standard as the firms it regulates. "In Corporate America, if you make a bad prediction of what cost of sales or revenues are going to be in a future period, you're likely to get grilled by the SEC about why you thought it was reasonable," says Poss. "It would be interesting to see the same standard applied to regulators."

The Usual Beneficiaries
The yearlong respite reduces the need for outside help, and hence the cost. However, it won't change the fact that two constituencies — auditors and lawyers — stand to reap great gains as firms plow ahead. And given the uncertainty over what will get a pass from the SEC, the final tab is a moving target.

EMC has hired Deloitte & Touche to help sift its balance sheet and income statement into 30 processes (like sales and stock-option granting) and 250 subprocesses (like order taking, shipping, and billing), document them, test them, and package them into a central database for future audit purposes. But EMC's external auditor, PricewaterhouseCoopers, is also "part and parcel of the process," according to Teuber, giving informal approval to the firm's compliance strategy and fielding audit-committee questions on how well EMC is doing on compliance compared with other firms. (Companies can't use their external auditors to help them prepare the controls, but can consult with them on compliance strategies.)

Teuber says it's helpful to have two of the Big Four audit firms on the project. "It's all virgin territory," he says, "so you wouldn't want to do this in a vacuum." But those firms will be the ones collecting the bulk of EMC's $1 million compliance payments for 2003, excluding the final attestation fee.

Many of the Section 404 projects, such as documentation, are one-time efforts. But Sarbanes-Oxley is also guaranteeing audit firms a future income stream by requiring them to attest to the soundness of management assessment of internal controls once a year starting with 10-Ks filed on or after June 15, 2004. The final annual tab for that exercise is uncertain. The Public Company Accounting Oversight Board has yet to issue standards regarding how many controls must be tested, in what manner, and according to what criteria, so audit firms appear to be taking their time estimating the fees for attesting to internal controls. But so far, according to a Financial Executives International survey, CFOs expect to see audit fees increase 35 percent on average, and up to 100 percent at some companies.

What exactly audit firms will do to justify such increases is also cause for consternation. At Digene Corp., a Gaithersburg, Maryland, biotech firm, for example, president and CFO Charles M. Fleischman has watched his audit bill with Ernst & Young and other compliance-related fees increase by 72 percent for 2003. He is currently negotiating fees for 2004, which could jump by another 70 percent. And while he insists he has a good relationship with his auditor, Fleischman just wants "to understand what the scope of the work is — and how that matches up against the bill." So, before he authorizes payment for 2004, he is working with his audit committee and E&Y to determine exactly "what they are doing and where they are going to draw the line between assuring quality in financial reporting and just adding costs."

Legal costs are also on the rise, although CFOs say they are not generally as onerous as audit fees. Magma Design Automation Inc. CFO Greg Walker expects to spend an incremental $200,000 to $300,000 for legal work in the next 12 to 18 months, including efforts to monitor compliance, set up a whistle-blower program, and train employees. That's on top of an additional $750,000 in audit and consulting fees. On average, legal fees nearly doubled, to $404,000, between 2002 and 2003, according to an April survey by law firm Foley & Lardner.

Ranking low on the list of costs is software. Forty percent of finance executives say compliance will not affect their IT budgets, while another 25 percent say it will involve minimal IT costs, according to a CFO IT survey. "Tools are often bundled with consulting fees; I don't think [software is] an integral part of the solution," says Kim Roll-Wallace, vice president of consulting for The Johnsson Group Inc. EMC, in fact, uses Excel. "We've found it works quite well in this regard," says chief accounting officer Mark Link, largely because "everyone already knows how to use it."

Multiple Price Tags
Then there are the indirect costs. The requirement to disclose off-balance-sheet structures more clearly has encouraged some companies to bring these structures on the balance sheet and others to collapse them entirely. Financial experts have become hot properties now that companies are required to disclose if they have one on their board. Restrictions on nonaudit work that a company's auditor can perform has left CFOs scrambling for new tax consultants. Meanwhile, the whistle-blower provision has sparked untold numbers of costly internal investigations.

Of course, there's also an opportunity cost associated with compliance activities. In fact, 33 percent of respondents say they've delayed or canceled projects as a result of Sarbanes-Oxley. Internal staff development is the most common casualty. Moreover, executives say the focus on compliance has also left them frazzled, with less time to mull strategic decisions, as compliance efforts absorb more than 10 percent of a CFO's time in roughly 4 out of 10 companies.

One example of the strain: LCC's Perkins says he has made more lengthy and complicated trips, partly to spearhead compliance efforts across operations at more than 10 locations in six countries. "Instead of being a business partner and doing all the positive things you'd like to do, you're doing the negative things, like triple-checking a filing," says Perkins. In fact, he says he might have thought twice about taking his job at the $100 million wireless-services firm last January if he had known how much compliance-related work it would involve. "I did not anticipate when I joined this company that I would become a surrogate for the SEC," he says.

And this is just the beginning. About 35 percent of survey respondents expect annual compliance efforts to absorb at least $500,000 of their revenues and more than 10 percent of their time going forward, thanks in large part to Section 404's mandate for ongoing controls testing and auditor attestation. That's not counting, of course, the price of changing auditors every five years, as Sarbanes-Oxley mandates.

No one should look for additional relief from the SEC. Glassman says she believes changes could be a possibility "if we start hearing that companies are spending a lot of money to comply but there are no apparent benefits, or if we hear there are more efficient ways to accomplish the same objectives." However, there are no formal efforts under way within the government to test cost assumptions, and she says such a study would be hard to design. "It's a very difficult equation. The costs are explicit. There's also some distraction from running the business. But the benefits are very intangible."

No Guarantees
Indeed, survey respondents are about evenly split on whether going through the compliance process has yielded internal benefits, such as more-efficient processes or more respect for the finance department. "It's a constant struggle to try to get benefit out of 404 work," says consultant Roll-Wallace. "In any given company, about 50 percent is work that puts in best practices and the other 50 percent is a dog-and-pony show, putting everything into a neat package for the auditors."

There may be some external benefits, however, says Magma's Walker. The legislation has sped up his time frame for reporting improvements at the $75 million company, he says, but to good effect. "I probably do better deals with customers — the earlier you can detect issues, the better you can structure a contract," he says. And there may be spillover effects, says Borland's Hahn, who is hoping to leverage his new director of financial governance as a "process-improvement specialist."

As for the SEC's larger goal of improving investor confidence, though, there's little agreement on how that will be achieved. On one hand, "you're more confident that senior people are taking extra care to derive the best possible information," says Robert D. Spremulli, a TIAA-CREF senior analyst. But it's hard to see the direct effects of those sentiments, given the multivariate nature of the market. Indeed, major indices showed varying degrees of improvement on Sarbanes-Oxley's one-year anniversary, with the Nasdaq composite index closing up 30 percent from its year-earlier level, but the New York Stock Exchange, the S&P 500, and the Dow Jones Industrial Average up by only 8, 8, and 6 percent, respectively.

And many still question whether Sarbanes-Oxley is an effective inoculation against future financial frauds. "Just having a good control environment doesn't guarantee that people will act ethically," says Deloitte & Touche enterprisewide risk-service partner Stephen Curry. Enron's trading operations, he points out, were cited as a model for enterprisewide risk management in former Andersen partner James DeLoach's 2000 book on the topic. Those close to the company agree. "What allowed Enron to melt down was its culture, and I don't think Sarbanes-Oxley would have changed that," says Sterling Chemical Inc. controller John Beaver, whose Houston office is across the street from Enron's headquarters.

Even companies touched by scandal are skeptical of Sarbanes-Oxley's healing powers — at any price. Tyco, for example, is spending north of $5 million to comply with the act and generally clean up its image by developing new editions of its controllership guide and ethics manual. Still, "that's not to say that we can document routines and controls and be assured that nothing improper will happen," says corporate-governance head Eric Pillmore. "What we hope is that by doing this, we detect problems earlier."

Across the Board

With the Sarbanes-Oxley act of 2002 raising expectations and liabilities for directors, it's no surprise that board-related costs are rising for most public companies — albeit slowly. To date, only about 14 percent of companies have seen those costs jump by more than 50 percent, according to the CFO survey, while 17 percent have not seen any hikes yet.

Those numbers are likely to increase as more companies confront higher directors' and officers' insurance premiums. Many are also in the process of adding new directors to comply with independence requirements and sweetening the pots for current ones. At its annual meeting in August, for example, Computer Associates International Inc. was seeking shareholder approval to boost the value of its annual directors' compensation from about $95,000 last year to $150,000 this year, and reversing its longtime policy of stock-only payments to allow directors to take up to half of that fee in cash.

"Board members, audit-committee members in particular, have been given a whole host of new duties," says CA corporate-governance head and corporate secretary Robert Lamm. (Audit committees, for example, must now oversee the auditors, preapprove any nonaudit services they provide, and decide how to classify nonaudit services in annual filings.) The fee increases "represent the time involved in additional documentation, for better or worse, and the checking of additional boxes."

A Silver Lining for Some

At this point, many companies are still performing low-tech risk-mapping processes to gauge the impact of Sarbanes-Oxley. But the technology sector has high hopes that soon that will give way to a need for new tools. In fact, First Albany technology strategy analyst Gerard Hallaren expects spending on compliance-related technology to grow by $8 billion to $12 billion in the next year. "We've seen a modest push from Sarbanes-Oxley so far, but I think the real spending will kick in at the end of this year," he says.

Content and document management tools, along with analytics, are likely to be among the first beneficiaries of the law, predicts Hallaren, since "auditors are going to have a hard time auditing lots of individual spreadsheets" in the Excel formats that many companies now use. Data-storage companies are likely to be next in line, as analytical and data-management systems become more voluminous.

EMC Corp., which recently debuted the "compliance edition" of its Centera product, is one of the companies waiting for the windfall. The product codes information with a unique identifier, and can automatically delete documents at the end of their required retention period. "It's more accidental offense than planned," says CFO Bill Teuber, "but any number of regulations out there...require more information to be stored, and clearly our products help in that regard."

Tough Act to Follow In August, CFO Magazine E-mailed a questionnaire on Sarbanes-Oxley compliance to senior financial executives drawn randomly from our circulation list. We received 220 responses; 139 from executives at publicly traded companies. The results below represent a combination of both public and private company responses. Note: Numbers may not add up to 100%, due to rounding. 1) Who is responsible for Sarbanes-Oxley compliance at your company? CFO 55% Controller 30% Assistant Controller 2% Treasurer 1% Other 12% 2) Are you tracking the costs to your company of implementing Sarbanes-Oxley? Yes 44% No 56% 2a) If not, when do you expect to do so? Within 3 months 13% Within 6 months 16% Within 12 months 16% More than 1 year 7% Never 48% 3) What do you estimate to be the total costs to your company to implement all portions of Sarbanes-Oxley requirements in the first year (including external audit, legal, and consulting fees; new hires; and software purchases, but not board-related costs)? Less than $500,000 52% $500,000 to $999,000 23% $1 million to $2.9 million 16% $3 million to $5 million 6% More than $5 million 3% 4) What do you expect annual compliance costs to be going forward (including external audit, legal, and consulting fees; new hires; and software purchases, but not board-related costs)? Less than $500,000 65% $500,000 to $999,000 22% $1 million to $2.9 million 7% $3 million to $5 million 3% More than $5 million 3% 5) What percentage of your time has been spent on Sarbanes-Oxley compliance, on average, per month, over the past year? None 14% 1% to 10% 51% 11% to 20% 20% 21% to 35% 9% 36% to 50% 3% More than 50% 3% 6) Going forward, how much time do you expect to spend on Sarbanes-Oxley compliance monthly? None 10% 1% to 10% 56% 11% to 20% 24% 21% to 35% 6% 36% to 50%   0% More than 50% 3% 7) Have projects or initiatives been delayed or canceled as a result of Sarbanes-Oxley compliance? Yes 33% No 54% Not sure 13% 7a) If yes, please check all that apply. Internal staff dvlpmnt. 24% Technology purchases 14% Other capital expenditures 9% M&A activity 6% Other 9% 8) How much have internal processes changed in response to compliance-related efforts at your company? Very much 6% Some 56% Very little 28% Not at all 10% 9) Has going through the Sarbanes-Oxley compliance process yielded any internal benefits for your company? Yes 49% No 52% 9a) If yes, please check all that apply. More efficiencies in reporting processes 23% More accurate numbers 10% Cost savings 3% Other 22% 10) Overall, do you think the benefits of compliance outweigh the costs? Yes 30% No 70% 11) How much have total costs to retain directors (including salaries and directors' and officers' insurance) increased over last year? None 28% 1% to ­10% 20% 11%­ to 25% 27% 26%­ to 50% 15% 51%­ to 100% 9% More than 100% 1%

Not Adding Up How realistic are the following cost assumptions made by the SEC? Note: Numbers may not add up to 100%, due to rounding. 1) External legal and audit fees run an average of $300 per hour. Very low 3% Low 24% Accurate 56% High 16% Very high 1% 2) Internal professional staff costs are $125 per hour. Very low 2% Low 13% Accurate 47% High 33% Very high 5% 3) Complying with Reg G (reconciling pro forma to reported earnings) can be accomplished by an in-house junior accountant in about 30 minutes per filing, at a cost of $13 including overhead. Very low 50% Low 39% Accurate 11% High 0% Very high 0% 4) Disclosure associated with off-balance sheet arrangements costs $10,000, including in-house staff time and outside professional fees. Very low 15% Low 45% Accurate 33% High 5% Very high 2% 5) Additional disclosure associated with nonaudit fees and changes in practices to promote auditor independence takes about two hours, half a page of a proxy and/or 10-K, and costs about $418 per filing, including internal and external staff fees. Very low 23% Low 53% Accurate 23% High 2% Very high 0% 6) The average annual cost of implementing Section 404 is around $91,000 per company. Very low 23% Low 53% Accurate 13% High 6% Very high 0%

Command and Controllers

Sarbanes-Oxley may bring new risks to the CFO's office, but it's raising the profile of the once-faceless company controller.
Marie Leone, CFO.com | US
July 14, 2003

Ah, the delicious irony of it all.

In the early Nineties, with the arrival of powerful financial and enterprise software, CFOs began shucking their roles as numbers cop. During that period, enlightened boards of directors began insisting that finance chiefs focus less on closing the books, less on accounts receivable, less on the general ledger. Instead, they wanted finance chiefs to start zeroing in on top-line initiatives, strategic acquisitions (are there any other kind?), and nebulous brand exercises.

But the passage of the Sarbanes-Oxley Act of 2002 has landed many CFOs in the Way Back machine. Suddenly, certifying the validity of a company's financial statements and internal controls — once done almost by rote — has become a very big deal. Sound internal controls, previously relegated to the back-office, have moved front-and-center.

For controllers, arguably the hardest working employees in the corporate world, looking after internal controls is old hat. That may explain why, as a group, these top accounting managers barely flinched when Sarbanes-Oxley was passed. In fact, many controllers welcomed the new mandates, noting that the rules actually validated their daily routines. "I wasn't shocked by the provisions," notes Jody Bradford, vice president and controller for Penton Media Inc. "It was probably time for Sarbanes-Oxley."

Many controllers agree, insisting that the process tweaks and documentation efforts sparked by Sarbox don't mean that controllers have been lax about conducting financial reviews or discussing appropriate disclosure. Instead, says Mark Hood, senior vice president of finance and administration at Panera Bread Co., "Sarbanes-Oxley just formalizes that process around quarterly and annual review schedules."

And with that formalization, comes awareness. Many controllers contend that, with the passage of Sarbanes-Oxley, the rest of the corporate world is finally catching up to their rigorous oversight. Financial discipline, they say, is in again.

Kevin Sonsky, controller of corporate accounting for software maker Citrix Systems Inc., claims that non-financial managers are now much more aware of accounting issues. As a result, he says, "controllers are getting more buy-in" when they make tough decisions that affect operations.

Training Days
That buy-in is helping controllers spread the gospel of financial discipline to other business units.

The bulk of the Sarbox work at cereal maker Kellogg Co., for instance, is in documenting existing accounting and reporting processes. Jeffrey Boromisa, senior vice president and controller at the Kellogg Co. says he is shifting around employees and working with outside auditor PricewaterhouseCoopers to make sure documentation is consistent across Kellogg's six global regions.

Boromisa says that outsourcing the documentation process was not an option because he wanted ownership of the process — a process that Kellogg considers a critical part of their $8 billion-in-revenues business. Kellogg's operations and finance department is closely integrated, says Boromisa — so much so that the unit managers don't think of finance as a separate function, but rather an extension of operations.

At Panera, Hood says one of the major changes is simply circulating the 10-Qs and 10-Ks among all senior management, and setting up a formal feedback mechanism in the form of a questionnaire.

While the tasks may sound a bit pedestrian, they're also vital to the new regimen of internal controls attestation. And the need for such attesting — wrought by Sarbanes-Oxley — has placed controllers squarely in the corporate spotlight.

Take Tupperware's Judy Curry. As vice president of finance and corporate controller at the plastic-ware manufacturer, Curry is not only formalizing her controls and procedures — she's also focusing on training the rest of the company about the impact of Sarbox.

Curry, who has 12 area controllers reporting to her from 45 different operating units around the world, believes that these additional training tasks are directly tied to the success of the operating units. How so? She thinks the hype surrounding Sarbox compliance may actually stop some operations managers from taking sound business risks for fear of crossing the Sarbox line.

To prevent such an outcome, Curry has increased her annual management training schedule to four times a year (twice for managing directors, twice for area controllers). She also provides periodic updates to the sales staff on revenue recognition and accrual accounting issues. This is especially important to Tupperware franchisees and distributors, most of whom take their orders by phone and need to be careful about the timing of booking revenue.

Interestingly, Curry's Sarbox-inspired training program underscores a major transformation in the role of the controller: The move from accounting watchdog to financial communicator. Curry says she's had to develop her speaking skills because part of her job is to communicate accounting nuances to senior management.

For example, Curry says her regular meetings with Tupperware's CFO and CEO (to explain monthly operations, as well as the accounting nuances associated with earnings estimates and financial statement reporting) have changed markedly since Sec. 404 rules went into effect. These days, Curry says she is being asked to participate at the beginning of the process — rather than being called in for ad-hoc requests.

Not surprisingly, the new role requires better articulation of the business impact of accounting and finance issues. "I don't have to tell senior management how the clock is made," she says, "but I do have to tell them what time it is."

The fact is, most controllers will have to develop better "people skills," posits Gary Previts, an accounting professor at Case Western Reserve University's Weatherhead School of Management. In this post-Sarbox world, Previts say controllers will also be called on to step back and assess long-term business prospects. In essence, successful controllers will move away from the conventional short-term, profit measure mindset.

Previts believes the big picture often gets muddied by the day-to-day operation of the controllership, especially as time gets tight and reporting deadlines loom. Still, he sees a hiring trend that gives greater weight to candidates with "right and left brain skills." Previts reckons that from now own, CFOs who interview potential controller hires will look at "people, not degrees."

Not Playing Games
Dov Seidman agrees. Seidman, chairman and CEO of LRN, a Los Angeles-based compliance training company, believes the evolution of the controller position is underway, and Sarbanes-Oxley compliance is the springboard. "A CPA is a ticket to entry for the controller's job," he says, "but today a controller must be a business leader."

For instance, Seidman believes the controller's outlook will become less focused on the numbers — other than making sure that they're accurate — and more focused on a long-term approach to corporate success. As guardians of transparency and compliance champions, Seidman says good controllers will sidestep the pressures of earnings management, and other gaming techniques, to zero-in on dealing with financial problems directly and swiftly. As a result, controllers will grow more independent.

But he believes corporate reporting structures will have to be reworked before controller's gain real reporting independence within the corporation. For example, controllers will need the authority to put processes in place, as well as the authority to act or react if those processes are not followed. With that authority should come incentives, as well as penalties, tied to the controller's decisions, says Seidman.

The consultant also predicts that the controller position will be the next to rise to the executive suite, just as risk, diversity, ethics, and compliance officers have been elevated. But, he says it may be too early to tell what the new organizational structure surrounding the controller will look like.

Filter Tips
Tatum Partners' Joe Noga doesn't think it's too early to prognosticate about organizational structures. As a partner with Tatum, Noga has been an interim CEO, COO and CFO, and he thinks controllers should report to the CEO — an opinion Noga says isn't popular with most of his colleagues.

But Noga believes many of the corporate accounting scandals that made headlines during the past two years could have been avoided if information from the controller — the top accounting watchdog — was not filtered by a CFO who "was clouded by strategy." Noga also believes that scandals could have been nipped in the bud if honest controllers were made to certify financial statements, the way Sarbox requires CEO and CFO to attest to those numbers.

The interim CFO says that finance chiefs are almost always well meaning when they filter information to the CEO. Yet they can be "bound and determined" to sway from their controller's recommendations for accounting treatment if they are fogged by larger business interests. "The CFO should be man — or woman — enough to allow the controller access to the top," declares Noga, adding that the corporate control function should have a seat at the management table.

Noga admits that the unconventional reporting structure was not his idea. He credits Sunil Dovedy, president of Adizes Institute in Santa Barbara, with the revelation. As Dovedy explains it, the reason for the separation between the controller and CFO is a good one: it creates an independent point of view and a healthy conflict.

You're a Superstar, That's What You Are
In some ways, an independent controller would actually be a return to the way things used to be. Bala Dharan, an accounting professor at Rice University's Jesse H. Jones School of Management, says that 25 years ago, controllers were considered top management. It's really only been since the mid 1980s, Dharan says, that the controller lost sway, turning into a CFO report. Today, the professor claims, finance chiefs regard the controllership as another corporate function, like information technology or human resources.

In his opinion, the controllers will never be completely independent providers of information as long as they report to CFOs. But he doesn't think finance chiefs will voluntarily agree to a change in reporting lines. Why? Mostly, because controllers have evolved into the keepers of all things financial — and CFOs rely on that information.

Whatever the reporting structure, "superstar controllers are always in demand," says John Holland, vice president at A.T. Kearney Executive Search. Interestingly, Holland says top candidates that interview for corporate controller jobs are now performing more due diligence before accepting offers. They want to know, for example, what type of resources they can expect at their new job. They also want to meet with a company's audit team, audit committee, and talk to the corporate lawyers. Why meet the lawyers? To find out more about outstanding litigation or pending court decisions that may impact the controller's function. Attorneys can also talk about potential liabilities associated with the company's subcertification process related to Sarbox Sec. 403.

That downstream paper trail should not add a sizeable amount of risk to the controller's job, however. According to attorney Amy Goodman of Gibson Dunn Crutcher LLP, CEOs and CFOs (the executives who must certify the accuracy of financial statements under Sarbox) are still ultimately responsible for numbers released by a company.

But sub-certifications could be called into play in questions of proof during litigation or government investigations. What's more, the Securities and Exchange Commission (SEC) has targeted controllers in the past in connection with accounting and financial fraud cases.

Faster Better?
The Commission's emphasis on faster corporate reporting will also put controllers at risk. In the wake of the passage of Sarbanes-Oxley, the SEC is speeding up the reporting cycle for corporations. Material events — like the loss of a major customer or a significant environment liability — will soon have to be reported within two days. That could create snags for global controllers who are charged with gathering details from operating units strewn across several time zones, says Rick Fumo, senior vice president at Parson Consulting.

Furthermore, Fumo says he can't be sure whether reporting numbers faster is good for business. But he is sure that implementing the speed requirements will likely be one of the most painful Sarbox exercises controllers have to manage.

David Klementz, CFO at Progress Rail Corp, predicts that pumping out financial statements as fast as possible will be the biggest Sarbox-related shift for his department. He says that the accelerated filings will require some extra legwork from the finance department until the schedule becomes routine. For example, Klementz expects to spend extra time choosing key ratios to better describe the business, squelching errors and increasing accuracy, and resolving new compliance issues.

Much of the gathering of the information to support those ratios will be done by the company's controller. It's a crucial task — and one that's being repeated at scores of U.S. companies. Says Penton's Bradford: "We've got our marching orders from the CFO — and the attention of the CEO — since Sarbanes-Oxley went into effect."

How Audits Must Change

Auditors face more pressure to find fraud.
Kris Frieswick, CFO Magazine
July 1, 2003

Auditors have been on the defensive since Arthur Andersen LLP was shut down in the wake of the Enron scandal. But by this point, with the massive accounting fraud revealed at health-care behemoth HealthSouth Corp., all the remaining Big Four have been tarnished. Today, auditors are fighting a battle on two fronts. On one, they must defend their battered integrity — their very stock in trade. On the other, they are challenged to explain why they should not be expected to find accounting fraud — although they have long maintained that they can't.

They are faltering own both fronts. "I've never seen a time when auditor credibility has been called into question the way it is now," says Chuck Landes, director of the audit and attest standards team at the American Institute of Certified Public Accountants (AICPA). And with audit-malpractice settlements hitting all-time highs, the courts are making it clear that they do expect auditors to find fraud, regardless of the profession's insistence to the contrary.

Shaken by the Andersen example, Section 404 of the Sarbanes-Oxley Act of 2002, and the size of the settlements, accounting firms are changing the way audits are conducted. One auditor, PricewaterhouseCoopers, has broken with the pack and stated publicly that auditors must accept more responsibility for finding fraud.

But by and large, accountants still maintain that if a company wants to commit fraud, the auditors can't catch it. Asked to define auditors' responsibility for detecting fraud, Timothy P. Flynn, vice chair for audit and risk advisory services at KPMG LLP, responds by quoting from the AICPA's 1997 statement on the matter, SAS No. 82: "to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud." It's unreasonable, in other words, to expect auditors to detect any and all fraud.

Many financial executives agree. And proposed changes to auditing practices will encounter an especially well funded and inhospitable political environment. Nonetheless, with the cost of corporate fraud estimated at $600 billion annually — according to the Association of Certified Fraud Examiners — pressure on auditors to reduce this number is going to intensify.

Deja Vu
Sarbanes-Oxley doesn't mark the first attempt to improve the audit process. During the 1970s, '80s, and '90s, a series of commissions — the Cohen Commission in 1978, the Treadway Commission in 1987, the Jenkins Committee in 1994, the Committee of Sponsoring Organizations in 1999, and the Panel on Audit Effectiveness of the Public Oversight Board, or POB in 2000 — issued reports recommending changes. Through the AICPA, the profession vowed to change, and approved new audit-standards language creating more audit-design procedures, tests of controls, and interpretations of accounting standards.

Notably absent were recommendations to view client financial statements skeptically and conduct audits accordingly. Not until 1988 was any AICPA auditing standard written using the word fraud, and not until 2002, when SAS No. 99 was issued, did the institute directly state that auditors should not assume that a client's management is honestly reporting results.

The POB's 2000 Panel on Audit Effectiveness, considered the most comprehensive study of the profession ever done, called for auditors to use forensic techniques in every audit, assume the possibility of management dishonesty, and incorporate an element of surprise into audits. After spending two years in committee at the AICPA, the suggestions finally emerged in much-watered-down form as SAS No. 99. For instance, the strongly worded POB report called for auditors to "modify the otherwise neutral concept of professional skepticism and presume the possibility of dishonesty at various levels of management including collusion, override of internal control, and falsification of documents." It recommends a forensic/fieldwork phase during every audit of a public company. SAS No. 99, in contrast, focuses more on risk assessment than on forensic procedures. "The AICPA was happy with the way things were," says Arthur Bowman, editor of Bowman's Accounting Report.

The New Sheriff in Town
The AICPA's reluctance to make dramatic changes may explain why Congress transferred responsibility for setting standards to the PCAOB. The board's newly named chief auditor, Douglas Carmichael, who has gone from writing audit standards to testifying as an expert witness against audit firms, calls current auditing standards "a lot of explanation about what an auditor does or might do, and very little about what he is required to do."

Carmichael's appointment to the PCAOB has been applauded by a variety of observers. Industry critics love him because they believe he will be less influenced by both corporate finance executives looking to hold down costs and by the industry itself.

Frank Borelli, former CFO of Marsh & McLennan Cos. and chairman of the Express Scripts Inc. audit committee, lauds the appointment as well. "Carmichael is going to make a difference," he says. "I'm glad to see they appointed someone with that kind of vigilance. That's the only way we're going to see if auditors are doing what we want them to do."

The fundamental question is: What do we want them to do? What is the point of an audit? Auditors and companies contend that the purpose of an audit is to back up a company's contention that its numbers are "reliable." "An audit is a test of a company's records that backs up the company's representation of the company results," says Greg Weaver, national managing partner for assurance at Deloitte Touche Tohmatsu. "We're doing a test of assertions."

But can auditors be sure results are reliable without testing for fraud? Auditors say it's not that they don't want to catch fraud, but since it's impossible to catch it 100 percent of the time, they shouldn't be held responsible if they miss it. "We get it right 98 percent of the time," says Weaver. "But to do 100 percent verification, you'd basically be recreating the records. There's no way that anyone could do that at a cost the public would consider acceptable."

History of a Profession
Historically, accounting has been considered a highly professional and trustworthy profession. Firms have always trained new accountants in the audit function, but with keen oversight from senior partners who saw their firm's integrity riding on every engagement.

At the same time, auditors have always called their customers "clients," and have worked hard to cultivate them. Partners routinely entertained clients two to three nights a week, and not uncommonly moved on to work in their clients' firms. But the inherent conflicts of these relationships were kept in check by the firm's commitment to professionalism.

All that changed as consulting services grew, spurred on by increased IT consulting work in the late 1970s and early '80s. By the mid-'80s, the AICPA had lifted its ban on advertising. Revenue generation became the foundation on which the partners' compensation was based. Revenues for management consulting in early 1999 accounted for more than 50 percent of the Big Five's revenue stream as a whole.

The audit function itself became a commodity service — a loss leader accounting firms offered in conjunction with vastly more lucrative consulting fees. As they competed more aggressively on price, they were forced to shrink the number of procedures performed for the audit. Auditors claim these reductions didn't harm audit quality, but it often meant they used increasingly computer-based test controls and statistical models, and fewer of the basic, time-consuming auditing practices that could increase the likelihood of finding fraud — site visits to multiple locations, observation of assets, or random sampling at nonmaterial levels.

In addition, junior auditors were often assigned the crucial oversight roles usually filled by senior partners, who were increasingly busy selling to prospective clients. "A lot of the audit changes were [prompted by] competitive proposals based on pricing decisions by management," says Ellen Masterson, global head of audit methodology at PwC and point person for the firm's new antifraud auditing initiative, "and as a profession we allowed that to happen."

Roster of Reforms
The Sarbanes-Oxley provisions that make the auditors report to the audit committee will somewhat increase the distance between management and auditing firm. The act also places far more responsibility for the integrity of the financial statements on audit-committee members, who can be prosecuted by the Securities and Exchange Commission for fraudulently influencing or misleading a company's auditors. "Uppermost in the [client management's] mind was reducing the cost of the audit," says Masterson. "They pressured auditors to do the minimum. Now, with the untold number of fraudulent activities by managers, the minimum is not where we should be. We spent 15 years in a cost-pressured audit situation, and now we have a lot more interest in quality audits by those who hire us — the audit committee."

With nervous audit committees calling the shots, and with a far-less-accommodating PCAOB about to start dictating standards for auditors, accounting firms are seeing the writing on the wall. PwC is going to implement a program involving the use of extended procedures performed by fraud specialists at a subset of its audit engagements. "For so long we've said we're not responsible for detection of fraud," says Masterson. "In the court of public opinion, however, that's not holding true. We recognize that if the books and records don't reflect the company's performance, it's our responsibility."

Here Masterson is bridging the semantic barrier between "detecting fraud" and "attesting to reliable financial statements." While her peers might not go quite so far, they are taking the initiative to add forensic (or investigative) capabilities to their audits. KPMG, for instance, added more than 300 "forensic professionals," including some who trained at the Federal Bureau of Investigation, who will take part in some routine audits. At one recent audit, KPMG ran all the addresses of a client's vendors to see if any of them matched a list of rental post office box addresses — a hallmark of a fictitious vendor. It found 17 addresses fitting that description. The firm is also launching a pilot program to conduct due-diligence-type reviews on certain audits.

Deloitte is comparing clients' financial results with those of their industry peers, and taking a closer look at outliers. All the firms are adopting new software programs that will allow them to more quickly run checks for duplicate addresses, duplicate employees, or statistical outliers that may be red flags for fraudulent activity.

They all report spending much more time working with clients to meet the reporting standards set out in Section 404 of Sarbanes-Oxley, which require companies to attest to the internal controls they have in place to deter fraud. They are also dropping more high-risk companies than in previous years, and are subjecting clients to closer scrutiny. In addition, they are stressing the importance of management involvement in creating controls that inhibit fraud, and they are fosterng an institutional intolerance for fraudulent behavior. CFOs report that above all, auditors are becoming far more confrontational and less congenial in their audits.

Meanwhile, new auditor independence rules will remove many of the auditors' incentives to use audit services as a loss leader and to reduce the number of audit procedures, or overlook questionable accounting treatments. SAS No. 99 encourages auditors to be more skeptical, vary materiality levels, and "start thinking like a fraudster," says Landes. The standard also goes into great detail about how to structure a risk assessments to identify highest risk areas at a client, and how to structure an audit to best catch material misstatement.

Shoe Leather and Gray Hair
While the new initiatives are impressive and may help catch more fraud, critics say that they don't go quite far enough because there are still holes in basic audit methodology and structure.

"If insiders are perpetrating fraud, I agree that it is almost impossible to find it," says Arthur Bowman. "But if there's a general failure of audit firms, it's that the individual auditor is not doing his or her job properly. We have too many rules, and we need to get back to principles-based work. It comes down to individuals failing."

The most damaging failure is that many of the new forensic antifraud measures are targeted at the employee level. According to a recent E&Y survey, although individuals on the company payroll committed 85 percent of the worst frauds, more than half of those company insiders were from the management level.

At the end of the day, management is still writing the check for the audit. Although the new reporting lines mandated by Sarbanes-Oxley may ease this inherent conflict, it's not likely to go away. Even though they are required to report to audit committees, auditors still spend their days with management.

"It's not as if auditors are being managed directly day-to-day by the audit committee," says Jay Morse, CFO of The Washington Post Co., who says he has seen an increase in auditor scrutiny at his company. "Boards don't have time for that. Most directors don't have the expertise. The audit committees will get more involved, but taking a strong managerial role just won't happen."

Robert Halliday, CFO of Varian Semiconductor Equipment Associates Inc., in Gloucester, Massachusetts, thinks auditors can't be skeptical if they don't understand what they're looking at. "They have so much mechanical work — no one stands back, thinks about it, and asks, 'Does all this make sense?'" he says. "But auditors can only do that if they have experience or if they know the industry. Gray hair is helpful."

Under cost pressure, firms put less-senior auditors in charge of tasks more suitable for experienced auditors. "When people say that audit quality has decreased, that's what they're talking about — less-experienced people," says Frank Borelli. "We have to have specialist auditors who know the industry from a high level of experience, and these are the people who should be supervising the audits instead of selling new business."

Deloitte says it is reviewing its staffing plans for audits, and it now requires two audit-partner reviews for particularly risky engagements. "Every audit is different, and we have to make sure we have the right level of people on the audit," says Weaver at Deloitte. "There's no substitute for experienced people."

Carmichael faults auditors for failing to aggressively implement recommendations in the 2000 POB report that call for more "tests of details" instead of relying so heavily on tests of controls. "Audit firms seem to find ways not to go out to locations, and to do less of the type of work that involves actually counting things, observing physical inventory, doing test counts," he says. "It's required, but when a company has multiple locations, it gets complicated." But this has been a concern for some time. When auditors do test transactions, they frequently only sample above a certain dollar amount, he says, and are too predictable in their approach, "which is a problem more often than I'd like to see."

Audit firms contend they have always conducted the "shoe-leather work" that is a foundation of the audit process, but some CFOs disagree. "I suspect that in an effort to hold down fees and make the auditing profession more attractive to young people," says Morse, "they've cut out a lot of that type of grunt work. It's not very appealing, but at some point you have to ask: Did anyone on the audit engagement do anything substantive?"

The Reporting Problem
Some critics of the state of auditing don't blame the auditors as much as the financial reporting that they have to work with. Walter P. Schuetze, former SEC chief accountant and chairman of two audit committees, says that as long as management is allowed to estimate so much of a financial statement, auditors' hands will be tied. "The way accounting rules are written, management has control of the numbers," says Schuetze. "Auditors have no traction to change the numbers."

He advocates fair-value accounting for all assets and liabilities, thus ensuring that a third party is involved in evaluating the market, not historical, value. With third-party involvement, overstating assets à la HealthSouth would be much more difficult, because someone would verify each item. Barring that change, he adds, auditors must be more diligent in seeking underlying evidence to prove the existence of assets and liabilities "instead of just accepting a copy of an invoice. We need to require evidence," insists Schuetze. "There's a difference between evidence and hearsay. If auditors presented a court of law with a lot of the backup material that they base their findings on, they'd get thrown out because it's all hearsay."

"Peekaboo" Takes Charge
PCAOB personnel will now take over the peer-review process once administered by the AICPA, says Carmichael. "There's obviously a need for better training," he says. "For our inspections, we'll come in and select audit engagements to review, and we'll see whether there's conformity to standards. We'll be able to tell if they should be giving their people better training and if they're getting the basics right."

Even auditors seem pleased that the PCAOB has taken over standards setting. They see an opportunity for the board to mandate a clearly defined "bright line" minimum for the basic audit work that is now recognized as crucial in finding fraud, but that often gets pared back by auditors' cost concerns. Deloitte's Weaver states the obvious: "I don't think there's any objection by us to doing more-expansive audits. But it needs to be an obligation that is established by the PCAOB. Mr. Carmichael can have a significant influence on what those standards are and apply them consistently across all companies. Then we'll have an obligation that we must meet, and companies will have to pay for it."

Talk like that makes CFOs nervous, especially in light of the increased compliance costs associated with Sarbanes-Oxley. Auditors will already have to do more extensive work because of Section 404 of the act (which requires auditors to review and sign off on management's attestation of internal controls, and is expected to bump audit fees by 35 percent, according to a recent study by Financial Executives International). But CFOs are justifiably concerned that if the PCAOB mandates a more expansive "standard minimum" audit for all companies, it would give auditors carte blanche to charge more for a level of audit quality that they should have been providing all along. "If auditors ask for a massive fee increase, you have to ask, what are you going to be doing differently now that you weren't doing before?" says Bob Agate, former CFO of Colgate-Palmolive and chairman of the audit committee at The Timberland Co.

For its part, the AICPA has publicly stated that it embraces the work of the new oversight board, and that "it doesn't matter who comes up with the better mousetrap," says Landes. Despite statements to the contrary, the AICPA is not making the transition easy. Even after the PCAOB was given authority to set all future audit standards, the AICPA issued an exposure draft for new rules on implementation of Section 404, eliciting a stern rebuke from the SEC, which reminded the association that it was no longer responsible for auditing standards.

The most ironic element of the transition is that the AICPA holds the copyright for all of the auditing standards it has drafted since it began issuing them 60-plus years ago. Until the PCAOB writes its own standards, it must use the ones the AICPA wrote, and some reports indicate that the AICPA is trying to charge the board a fee for their use. Landes wouldn't comment on the allegation, saying only that "we want to find a satisfactory arrangement that will allow the PCAOB to do the work that is before it. But we're also cognizant of our members' interests and the assets of the AICPA." Critics say that perhaps that was the root of the problem all along.

Dissecting HealthSouth

According to the complaint filed by the Securities and Exchange Commission in U.S. District Court for the Northern District of Alabama against health-care provider HealthSouth Corp. and its former CEO, Richard Scrushy, the company orchestrated a scheme to overstate earnings in order to hit analyst estimates — a scheme concocted in a way to avoid detection by its auditors, Ernst & Young LLP. Between 1999 and the second quarter of 2002, the company overstated income by $1.4 billion by making false journal entries overestimating the amount of third-party insurance reimbursement, and by decreasing expenses.

The firm used the auditor's own processes against it to perpetrate the fraud, according to the complaint. Executives increased earnings not by boosting revenues directly, which auditors would have been more likely to find, but by reducing a revenue-allowance account that was used to record the difference between gross billings and reimbursement amounts expected from third-party payers. This account, which would then be netted against revenues, has a limited paper trail and is based largely on estimates, and the amounts booked to the account are more difficult to verify. And because HealthSouth executives knew that E&Y did not question fixed-asset additions below a certain dollar threshold, it made random entries to its balance-sheet accounts for fictitious assets worth less than that amount. Senior accounting personnel created false documents to support asset purchases. In this way, the company allegedly overstated property, plant, and equipment by more than $800 million. It also overstated cash accounts by $300 million.

So far, 11 executives, including all five former CFOs, have pleaded guilty to participating in the fraud, which prosecutors believe had gone on since 1986. Scrushy continues to maintain his innocence.

Who Will Audit the Auditors?

When your accounting firm sets up software to help monitor your internal controls, are you implementing solutions -- or risk?
Craig Schneider, CFO.com | US
July 14, 2003

The hottest software for corporate managers these days might be too hot to handle.

Just ask Scott A. Taub, the deputy chief accountant for the Securities and Exchange Commission. He recently issued a caveat emptor for software marketed by accounting firms to help clients track and evaluate internal controls under Section 404 of the Sarbanes-Oxley Act.

Such applications, he said during a recent meeting, may breach auditor independence rules if accounting firms are helping to set up the control systems they later evaluate. Noted Taub, "Companies and their auditors need to be mindful of those requirements."

Several of the Big Four accounting firms, as well as technology companies and consultants, have designed or are designing software intended to help finance managers comply with Section 404 or the Act as a whole. Those managers are being bombarded with choices, but at least they can be thankful that the ultimate responsibility of judging auditor independence falls squarely on the audit committee.

It appears that the SEC has good reason to issue a reminder about where the domain of external auditors ends and where that of management begins. "We have heard concerns about the extent of work that auditors might be asked or might want to do," stated Taub, regarding "assisting management in documenting controls and in developing tests of those controls so that management can make its assertion [about their effectiveness]."

Bruce Rosen, partner in charge of assurance services at Eisner LLP, raises similar concerns. He believes that some of his peers in the accounting industry are "living dangerously" by offering services above and beyond software.

"It's very clear that company auditors at best can provide some low-level assistance — a staff person to do some of the documentation — but that's probably the extent of it," says Rosen. "And I know several of the firms are taking a different approach, meaning they're willing to do the whole project."

Gary Barton, senior audit manager at J.C. Penney, counters that major accounting firms are setting strict boundaries. "Right now I'm not seeing where there could be a conflict," says Barton. The retailer — pending the approval of its audit committee — has decided to use software from its external auditor, KPMG, to help it comply with Section 404. Among the guidelines, notes Barton: KPMG can't be involved in documentation or in the first testing that internal audit will do.

KPMG's comfort with its proprietary software during tests of J.C. Penney's internal controls, adds Barton, reassured managers when they chose KPMG over other vendors. "Hopefully they're familiar with their own software and understand it," he says.

John Hagerty, vice president of research at AMR Research, agrees that external auditors and clients are stepping carefully around independence issues. "The auditors are all very cautious on what they can and cannot do, and it is one of the first things they talk about" when the subject turns to separation of duties, says Hagerty. "The line between audit client and consulting client is very well drawn."

According to a recent AMR study, over 61 percent of companies are enlisting help from an external auditor/risk management consultant — namely the Big Four — to define, analyze, and improve best practices for managing internal controls.

"Conflicts don't seem to be a problem area today," adds Hagerty. "But the mood of the buyer [the client] is one of caution as well. So if they think it even smells remotely like conflict, they're putting the brakes on."

AMR estimates that Fortune 1000 companies will spend up to $2.5 billion this year on work related to Sarbanes-Oxley compliance. But a few critics say that for some businesses, upgrading technology may not be worth the expense. "Most of the software packages are overkill" for middle-market companies, says Rosen, who notes that their primary benefit is as a tool for gathering documents. "When you cut though it all," he says, "it's not a magic elixir that you buy the software, push a button, and the work is done for you. You still need to go through and make the same assessments."

Anthony Sirica, BDO Seidman's national director of risk consulting and advisory services and a former audit partner, agrees: "It's nuts-and-bolts internal controls work that companies and accounting firms used to do 10 to 15 years ago." Nonetheless, BDO Seidman has aligned itself with several companies offering software that helps with Section 404, so the accounting firm can provide its clients with a menu of choices.

Such alliances are becoming quite common. PeopleSoft has partnered with risk consulting and internal audit firm Protiviti. (and, reportedly, Ernst & Young). Oracle's Internal Controls Manager is a collaboration with the risk assurance practice at PricewaterhouseCoopers. SAP says it is currently working with accounting and auditing professionals to extend its current offering and to design more tools. Documentum, which offers content management and collaboration software, has partnered with BearingPoint, formerly KPMG Consulting. Others companies with offerings in the offing include Steelpoint Technologies, FileNet, and OpenText.

Some accounting firms, it has been suggested, are advocating this software not so their clients can better comply with Sarbanes-Oxley, but only so the firms themselves can use the software to assist in their attestation. In that case, says Taub, "there should not be anything — so long as it is limited to that — that would be a problem."

Eisner LLP's Rosen nonetheless suggests that companies sidestep the independence issue altogether. "Given what the SEC says in its release, if I was an audit committee member, there isn't a prayer that I'd use my own audit firm to do it," says Rosen. "How many times do you need to be hit in the head to realize it hurts? At some point you just get knocked out."

Nothing to Hide

Eager to be more transparent, companies are using a range of technologies to communicate with shareholders.
Laton McCartney, CFO IT
June 16, 2003

Grouse all you want about the costs and headaches of Sarbanes-Oxley compliance, but the new regulations are having a major and largely positive impact on the way many publicly traded companies view their investor relations (IR) function. CFOs and other senior executives, in fact, are now enlisting IR as a primary means by which to restore investor trust and drive shareholder value. These efforts are being aided by new technology that greatly expands what IR can do.

Traditionally, IR "has been a fairly static function," says Stephen Schultz, director of corporate governance programs at Shareholder.com, a company that supplies its clients with Web-based technologies and services for disseminating information to shareholders. Beginning in the '90s, CFOs did take a more active interest in how company information was presented to investors, but their enthusiasm for technology tended to be slight.

At best, "you had IR using the 'push' approach to generate information out to shareholders," says Eric E. Olsen, a senior vice president of Boston Consulting Group (BCG). "That approach doesn't get you clear information about your investor base. It tends to ignore the fact that your investor base is segmented and doesn't allow you to establish a dialogue with investors."

Today, however, many corporate IR departments are adopting technologies that allow investors to access multiple levels of information in innovative, interactive formats. They are targeting specific information to investor segments to better align corporate objectives with those of their shareholder base and are employing a range of IT solutions to obtain feedback and other data involving investor concerns.

At the same time, IR continues to gain more executive mind share. "There is a lot more emphasis on IR these days," says Brian Miller, treasurer and vice president of finance at Tyler Technologies, a small-cap firm that he says must "go the extra mile in IR" in order to get visibility among investors.

"IR as a discipline is beginning to escalate within public companies," agrees Schultz. "And because of its increasing importance, it's attracting interdisciplinary teams — investment-relations officers, CFOs, chief legal officers — who work together as a disclosure committee and are active in determining what needs to be communicated." Given that most of the technology solutions aimed at senior executives are Web-based, they provide an economical way (usually priced by the month) to manage the increasing volumes of information that companies are eager to convey to shareholders.

Sarbanes-Oxley comes on the heels of a number of developments that have propelled IR, including the unprecedented bull market, Reg FD, and early experiences with Web conferences. Progressive companies are not only complying with the new regulations but also adopting best practices in IR, such as those established by Pfizer and General Motors. At the heart of those efforts is a desire to do more than merely disclose information. "You can disclose a lot of information that's buried in footnotes and [therefore] meets all of the regulatory requirements. But until that information is presented in a clear, understandable manner, it's not transparent," says Louis M. Thompson, president and CEO of the National Investor Relations Institute (NIRI).

The Internet — or, more specifically, using the Web as a venue for investor relations — is quickly proving to be a valuable tool for dealing with transparency and governance issues. Of course, companies were using the Internet to communicate to investors well before Sarbanes-Oxley enforcement was imminent. A 2002 survey by NIRI underscores how important the Web has become as a source for investor information. Of the 200-plus members surveyed, 99 percent used the Web for quarterly earnings releases, 95 percent for annual reports, 92 percent for Securities and Exchange Commission filings such as 10K or 10Q reports, and 68 percent for stock price information.

That usage is increasing markedly as a result of Sarbanes-Oxley. "With Sarbanes-Oxley, the providence of Web disclosures came to the fore," says Greg Radner, vice president of marketing at CCBN, which builds, manages, and hosts the IR sections of Web sites for more than 2,500 companies. It also hosts live and archived conference calls for some 3,000 companies each quarter. Radner explains that in conjunction with the passage of Sarbanes-Oxley, the SEC officially sanctioned the Web as a venue for disclosure.

The Web's suitability as a communication channel is fairly obvious, but some companies, including Pfizer, Cisco Systems, and American Express, are also using it to address corporate-governance concerns raised by Sarbanes-Oxley. "We have a corporate-governance Web site where, among other things, we display Form 4 filings electronically," says Peggy Foran, Pfizer's corporate secretary and vice president for corporate governance. Form 4 details "changes in beneficial ownership of securities," including stock purchases and sales, as well as the exercise of options on the part of company executives and directors.

Thanks to the governance site, Pfizer investors are privy to these transactions almost immediately. The site also provides CEO/ CFO certifications, company charters, and other governance-related information. Shareholder.com recently added a Whistleblower Hotline service to its array of Web functions; the service gives would-be whistle-blowers several ways to communicate confidentially with a company's audit committee.

Drilling Down On Rig Counts
In addition to the expanding services of companies such as Shareholder.com and CCBN, a number of other technology vendors now offer products that bring enhanced transparency and other benefits to IR.

Recently, more than 1,000 companies tried out new software from a company called Enumerate that replaces the usual static financial charts presented on Web sites with what enumerate calls interactive data views (IDVs). Investors can visit a company's Web site and create a variety of views of corporate data, drilling down for details that could help them to, for example, draw more-accurate comparisons between one company and another. "The software enables IR to present information in a more meaningful way," says Jeffery Erber, director of marketing at enumerate. "Transparency builds credibility."

Enumerate's customers include public companies such as Sallie Mae, Wilson Greatbatch, and Baker Hughes, a large-cap oil-field services company. According to Gary Flaharty, director of IR at Baker Hughes, the software boosts both communication and transparency by, for example, enabling his firm to provide a weekly summary of so-called rig counts, one key measure of the industry's drilling activities around the globe. Investors can click on the rig-count data and the underlying IDV technology will allow them to create tables and charts that can be transported into other presentations.

Interactivity is at the heart of many new IR technologies, in large part because, as Shareholder.com's Schultz says, "companies want to provide greater business context around complex financials." Software maker MicroStrategy, which parlayed its business-intelligence prowess into a boom-and-bust ride that typified the dot-com era, now seems to be stabilizing and sees plenty of opportunity in winning sales by stressing the demands of Sarbanes-Oxley compliance.

The company claims that providing "live reports as opposed to static printed reports" represents one of the best practices for ensuring financial transparency and that live reports enable investors to drill down to "really understand the root cause of any problem or anomaly." MicroStrategy, which says the latest version of its software was designed specifically to meet new financial reporting and analysis requirements, claims that more than 60 percent of CFOs believe that their existing financial applications are inadequate to meet such requirements.

No doubt there is marketing spin at play in some of this. MicroStrategy's new Sarbanes-Oxley-friendly release, for example, reached the market just a little more than a month after President Bush signed the act, and is labeled Version 7.2.1 — hardly a massive overhaul. Of the many companies hoping to leverage Sarbanes-Oxley as a sales tool, in fact, few have made any substantial changes to their products. But that doesn't mean they can't play a major role as companies enhance their internal controls and processes regarding disclosure, transparency, and risk management.

Board Gains
An overarching concern addressed by Sarbanes-Oxley is the frequent disconnect between the objectives of shareholders and those of management and the board. As Gerry Hansell, a vice president of BCG, notes, "The board is supposed to represent shareholders but rarely has direct contact with them." Pfizer's Foran says that at the least, a CFO or investor-relations officer should communicate shareholder sentiments to boards on a regular basis, and BCG's Olsen says, "Information from [investors] needs to get into the corporate dialogue more explicitly and earlier, when plans are being made rather than implemented."

Here again, new Web-based software and services may help by aligning investor and management/board objectives and providing management with an accurate and timely assessment of shareholder expectations. As an example, b2i Technologies offers a full array of corporate-governance online software applications, not with the aim of giving investors a clear view into corporations but vice versa. The products allow companies to see what investors are doing on corporate Web sites, and graphically displays investor understanding, reaction, and expectations in real time. The software captures information about site visitors, for example, and automatically adds them to a contact list while also prompting them to sign up for E-mail alerts.

The software puts a premium on E-mail contact, allowing companies to push out feature-laden E-mails (including pictures, hyperlinks, embedded financial data, and polling questions) while receiving and categorizing feedback from current and would-be investors. "These capabilities allow investors to participate in a two-way dialogue with the company and provide information that can be incorporated into management decisions," says Troy A. Ussery, president and CEO of b2i.

"We brought in b2i to enhance our investor-relations Web site," says Tyler's Miller. "It's enabled us to set up different kinds of distribution, and provides content-management capabilities so we can target our information."

Tyler allows investors to create their own customized portals so that they can receive the information they're most interested in, be it charts, E-mail alerts, or various presentations. Tyler also gives investors easy E-mail access to headquarters so that Miller and other executives can answer any questions investors may have, and posts questionnaires on the site to gather additional information from site visitors. Miller says he uses all the data about investor impressions and concerns when he makes quarterly reports to the CEO and board.

While many companies are using Sarbanes-Oxley as a selling aid today, experts say that long after meeting those requirements becomes second nature to corporations, the role of IR should continue to benefit from new capabilities. BCG's Hansell and Olsen say that from the perspective of the financial markets, equity drives the company. "Equity funds the company to do its business, serve customers, and provide value to the economy," says Hansell. "The company must be run in a fashion to give competitive returns to equity shareholders."

Investors As Customers
Hansell and Olsen believe that most corporations have some pieces of technology in place to effectively treat investors as customers, profile their objectives, and tailor outbound information to suit their specific interests. "Some of the infrastructure is already there," says Hansell, who cites, for example, global research services from Thomson Financial, which offer a means of "knowing who is buying and selling [and] how their styles line up with your objectives."

Still missing, Olsen says, is "a system that enables you to gather and control all the information you need to talk to your investors about the issues that concern them." Which is to say that despite the flurry of activity in IR-oriented IT, technologies have tended to come onstream piecemeal — an "ERP of IR" is a murky concept some way off. Even if it did exist, says Shareholder.com's Schultz, it would need to be matched to a new skill set within IR. "Soon IR will have to develop expertise in marketing," he says. "This is all about fine-tuning the information flow to specific investors."

Laton McCartney is a New York­based writer and editor. His most recent book, Across the Great Divide: Robert Stuart and the Discovery of the Oregon Trail, will be published later this year.

Sidebar: Compliance -- Who's At The Internal Controls?
The Sarbanes-Oxley stipulation that management must have effective internal controls over financial reporting in place (Section 404, the requirements of which were approved by the SEC in late May) has given rise to a miniboom in Sarbanes-Oxley controls-oriented technology. Scores of vendors and consultancies are rushing to develop solutions or position existing technology as a means of enabling customers to meet compliance requirements. For example, BearingPoint and Hyperion now provide a suite of out-of-the-box solutions that support disclosure-control processes. Other players in this emerging market include KPMG, Ernst & Young, and Deloitte & Touche, as well as various business-process management (BPM) and workflow software vendors such as HandySoft in Vienna, Virginia, and OpenPages in Westford, Massachusetts.

The former offers BizFlow, a BPM and workflow solution. "The technology allows customers to streamline and automate business processes throughout the enterprise," says Daryn Walters, HandySoft's vice president of worldwide marketing and strategy. BizFlow, he claims, enables corporations to leverage existing financial, ERP, and other legacy systems to minimize the cost of compliance. It also provides the project and task management capabilities for defining significant accounts, processes, risks, and internal controls that conform to the standards laid out by Sarbanes-Oxley. In addition, BizFlow identifies problems and improvement opportunities in auditing and internal-control processes, including real-time monitoring capabilities to assess the status and performance of controls, the company says.

The OpenPages solution, SOX Express, is made up of a controls-design module and an operational-deployment module, and works with enterprise software from Oracle, BEA Systems, and others. Its approach is to create a centralized and secure home for the documentation of internal controls and to enforce financial reporting and internal-control workflows while providing audit trails and archives of internal-control processes and the required testing procedures. "One of the big challenges," says OpenPages CEO Michael Duffy, "is to document those accounts where there is risk and show that controls are in place to deal with that risk." Like Thomson Financial, Hyperion, and other vendors, OpenPages also provides management dashboards that CFOs and investor-relations officers can use to monitor internal controls.

Some of the controls-oriented Sarbanes-Oxley technology is targeted at chief legal officers as much as financial executives. For instance, Steelpoint Technologies has come out with what it calls compliance and litigation risk-management software, which company vice president Mark Jesser claims enables customers

to monitor critical internal-information flow — both paper-based and electronic — through workflow and document-management capabilities. Using the company's litigation-support software, Introspect eCM, a user can place all this information in a common repository, locate conflicting information and problem areas, and assess potential risk. "The customer has to be able to access compliance and litigation risks and manage the documents involved in larger case and enterprisewide litigation," explains Jesser. "There may be 50 [million] or 60 million pages of information being accessed by 20 or more law firms concurrently." Steelpoint is partnering with both Filenet and IBM to develop Sarbanes-Oxley-related content-management applications.

Risk concerns are clearly one of the prime drivers of this market. A recent PricewaterhouseCoopers survey of 137 large U.S. multinationals indicates that 65 percent of the respondents believe that Sarbanes-Oxley represents increased risks for CEOs, CFOs, and other key executives who are required to certify financial reports. PwC says that a more-mature system of internal controls is key to risk mitigation.

Sidebar: Setting Sites On Better IR
With so much investor-relations activity moving to the Web, usability becomes a key concern. Nielsen Norman Group, a consulting firm that specializes in Web-site usability, recently studied how dozens of consumers and investment professionals sought IR information on 20 corporate Web sites and found the following:

• The overall success rate (finding answers to specific IR-related questions) was 70%, compared with 55%­65% for other usability studies, indicating that IR is often handled well.
• But 35% of users couldn't locate the most recent quarterly report, and 77% couldn't find high/low share prices for earlier quarters, suggesting that essential investor information is often buried.
• Professionals (institutional investors, financial analysts, and journalists) deplored the marketing and promotional aspects of many IR sites but said they did welcome management comments on where the company is going; that is, they want the story behind the numbers.
• PDF files and interactive stock charts often impede fast access to basic information.

The New Rules of Engagement

With the passing of Sarbanes-Oxley -- and the advent of the PCAOB -- audits may never be the same again.
David M. Katz and Craig Schneider, CFO.com | US
June 11, 2003

Douglas Carmichael can be a hard man to track down these days.

Shuttling between New York and Washington, the newly named chief auditor of the Public Company Accounting Oversight Board (PCAOB) has been busy making the switch from the academic world to the regulatory one.

Carmichael, who's taking a leave of absence from his Baruch College accounting professorship, has been occupied with moving into a new apartment, getting onto the PCAOB payroll, and dealing with a controversy about his role as an expert witness in cases involving auditors.

But if the move to Washington is causing changes in Carmichael's personal life, it's producing equal upset in other circles. In fact, some Washington watchers say Carmichael's hiring is a clear signal that the accounting industry oversight board is actually committed to overseeing the accounting industry. And a rigorous PCAOB, experts say, will likely lead to a real toughening up of external corporate audits.

The changes PCAOB plans to enact are indeed formidable. Among them: the replacement of peer review with government inspection. By year's end, the board plans to hire a cadre of at least 100 accountants to do the inspections.

An even more dramatic power shift has already happened in Carmichael's own area, that of audit standards. For a while, it looked as if the PCAOB might delegate standards development to the American Institute of Certified Public Accountants (AICPA), the lobbying group/trade association that's long been a supporter of accounting industry self-rule.

In a move that could be seen as a regime change, however, the board voted in April not "to designate or recognize any professional group of accountants to propose standards."

Translation: Auditors won't be the only ones calling the shots about audit standards. Instead, the PCAOB, a non-profit organization set up under the Sarbanes-Oxley Act to oversee the audit industry, intends to name an advisory group consisting of finance executives, investors, auditors, and other folks.

No one group will represent more than a third of the advisory group. What's more, the PCAOB says any group — or individual, for that matter — will be allowed to propose new accounting standards and treatments.

How drastically audit standards may change under the PCAOB is unclear. For the moment, the standards-setting group has adopted AICPA's generally accepted auditing standards (GAAS) while board members deliberate on what the final rules will be.

Whatever happens, Carmichael is likely to have a strong say in the matter. And given his reputation as a stern critic of the accounting industry, that likely means more stringent audit standards.

Ironically, Carmichael actually spent a good deal of time working for the association representing the profession he now helps oversee. From 1969 through 1982, Carmichael worked in various AICPA staff posts, including auditing vice president. In those positions, and afterward as a hired consultant, he helped write many standards for the AICPA. Considering Carmichael's earlier AICPA connection, Bruce Rosen, an executive committee member for the trade association, doesn't expect drastic changes in the nature of corporate audits.

Maybe so. But if Carmichael seems likely to retain a fair number of existing standards, he isn't quite the industry insider he once was. Example: Before 1997, Carmichael was heavily involved in writing two AICPA anti-fraud standards, SAS 16 and SAS 53. But by the time association members began writing a new standard (SAS 82), "they were keeping me out of standard-setting." Why? "Because I had testified against some major CPAs [charged with auditor malpractice]," Carmichael claims.

AICPA staff executives deny that members methodically shut Carmichael out of standards setting. "I don't think that's a fair characterization of our process," says Linda Dunbar, director of public relations. "A couple of people can't just get together in a room and make a decision like that."

But with the advent of the PCAOB, several people will get together in a room — an office, actually — and make decisions. Already, Carmichael says he's keen to put more teeth into many existing audit standards, including those involving fraud detection and risk assessment. "I'd like the standards to be more definitive and specific than they've been in the past," he says, and more focused "on what auditors are really required to do."

What auditors are really required to do is going to change. And not solely because of the advent of the PCAOB, either. Auditors and their clients say they're still coming to grips with Section 404 of Sarbanes-Oxley. The section, which deals with internal-controls assessment and reporting, requires companies to inject operating information into their financial reports. It also requires a company's independent auditor to sign off on the client's internal controls — a new wrinkle in the audit process.

Moreover, the seeds sown by Arthur Andersen's sudden and dramatic collapse have already borne regulatory fruit — and thorny auditor-client relations, as well. In the wake of the Andersen demise, not to mention an increasing number of lawsuits filed by businesses against their accountants, the auditor-client relationship has turned decidedly chilly of late. "There's no question that when you see one of the largest auditing companies fail, it heightens people's sensitivity to those issues," says Mike Starr, a managing partner for strategic services at Grant Thornton in Chicago.

Indeed, some auditors, regulators, and CFOs expect the external corporate audit — long a mainstay of corporate financial reporting — to be altered and deepened over the next few years. Some say they're seeing changes already. Below, we look at five of the most striking shifts on the audit horizon.

1. Closer Scrutiny of Internal Controls

The first shoe dropped last August 29, when CEOs and CFOs at selected public companies certified that their financial statements were adequate. Since then, senior executives have been signing off on internal controls on a quarterly basis.

Now auditors will join their clients at a signing party involving annual reports. Under Section 404, auditors must OK management's yearly controls assessments. In a rule proposed last October by the Securities and Exchange Commission, the annual signoff would have started to apply to companies whose fiscal years end on or after September 15. But when the commission got around to issuing its final rules, many senior managers got a breather: The internal-controls signoffs will actually start at companies with fiscal years ending on or after June 15, 2004.

Still, while some of the pressure's been relieved, there's a whole lot of work to do at companies both large and small in what amounts to a little over a year. Managers at pharmaceuticals giant Eli Lilly, for instance, are toiling to make sure that checks and balances are in place and well documented at all the company's subsidiaries, says Arnie Hanish, Lilly's chief accounting officer.

Similarly, executives at Exponential Inc., a small company that owns 26 pawn shops, are struggling to find ways to restructure tasks among employees, says Bob Schleizer, a Tatum Partners consultant who's Exponential's acting CFO. It's a challenge to keep duties separate, since Exponential has just ten home-office employees among which to divvy up the tasks.

What's more, some finance executives and auditors are befuddled about how to test internal controls — and are likely to be befuddled for quite a few months more. That's because the PCAOB hasn't yet issued a rule on the matter or set a timetable for doing so.

Still, the committee's audit chief knows the general direction he'd like the rule to take. Carmichael wants "greater specificity" in the controls guidance, he says, "but not as much as in other cases, because what AICPA has done is relatively thorough." (In March, the accounting institute, which already had a standard in place, issued an exposure draft of a new standard on internal-control reporting.)

In hatching the new guidance, Carmichael says he will focus on "major policy issues." He expects to retain much of the nuts and bolts of the AICPA's work, such as details about how to choose which locations to visit for internal-controls checks.

Absent a PCAOB guidance, however, accounting firms have been auditing at least partly in the dark. "We're in a time warp, with people waiting for the rules," says Ellen Masterson, global leader of audit methodology at PricewaterhouseCoopers. "And we're stating, 'you can't be waiting for the rules.' "

Nevertheless, it's clear that Section 404 has spawned a real change in audit priorities. With the buildup in accounting complexity over the last two decades, auditors have been spending much more time on corporate compliance with generally accepted accounting principles, according to Masterson. "I'm not saying we're going to reduce that amount of time," she says. "But if we had to shave time out, sometimes it was the time [involved] with understanding the controls within the company."

Not anymore. Now, auditors are demanding densely detailed flow charts and narratives describing control activities. Even executives at companies with decent controls are finding it a pain to document them. The result? A pile of mostly unexpected work to be done in a New York minute. "You're talking culture shock for a lot of them," Rosen, the partner in charge of auditing and accounting at Eisner LLP, says of his clients. "I don't think they grasp the amount of work that needs to be done for Section 404."

Take a relatively simple example: making sure that employees who true up company bank accounts don't have access to cash records. Such a procedure can help make sure that a worker "can't steal cash and then cover it up," Rosen notes.

But that's only the beginning. Once the control is set up, management must check that it works, document it, and see that a high-level executive monitors it regularly. "Multiply that by every aspect of business purchasing, sales, payroll, inventory," and you get an idea what needs to be done at many companies, Rosen notes.

On top of all that, management's got to amass internal-controls data so that auditors can see and understand it. At Eaton Corp., a diversified manufacturer, internal controls have long been handled locally, and "without visibility on the part of the corporate office or the engagement partner's line of sight," says Billie Rawot, the company's controller.

Now Eaton executives plan to assemble a massive controls database that Ernst & Young, the company's external auditor, can tap into. Eaton has hired another accounting firm to piece together a "formal, centralized, systematic repository of internal control information," Rawot says.

Anyway you slice it, it's a lot of work.

2. Increased Forensics

Auditors appear to be a bit uncertain about how much they should broaden the scope of their audits in the search for fraud. On one hand, says Carmichael, "the auditor's job is to give people rather high levels of assurance that financial statements are not materially misstated."

That suggests a big anti-fraud role in the future. On the other hand, auditors can't be expected to go looking for fraud in every audit. The fact is, auditors (at least in the past) have been hired to make sure that a company's accounting treatments are proper — not to ferret out fraud. Smoking out that kind of information has generally involved a forensic audit — a whole different kind of audit animal.

Striking a balance between the two could prove difficult. Even Carmichael concedes that "articulating [what the proper] response is in that range has been a problem."

AICPA tried to provide a solution last year in issuing its Statement on Auditing Standards No. 99, "Consideration of Fraud in a Financial Statement Audit." Among other things, the standard advises auditors to be skeptical about their clients' honesty, to perform unpredictable audit tests, and to be alert to management overrides of journal entries.

The standard's a step in the right direction, says PwC's Masterson. But auditors need more guidance on how to define fraud, as well as how to detect and deter it. "Sometimes, there's just that fine line between fraud and error," she says. "In the past, as long as we corrected the error, it's [been] OK."

Then there's the question of materiality. "Do people think that auditors will look within every type of fraud, or just those that would result in a material misstatement to financials?" Masterson asks.

Answers — in the form of new rules — appear to be on the way. While providing auditors with an internal-controls standard remains the top priority for the PCAOB, Carmichael says fraud detection is high on PCAOB's agenda as well. The reason? The board's inspectors and investigators need fodder for their own fraud probes.

Scrutiny of management overrides of accounting controls — via bogus journal entries — will be the focus of new rulemaking. Despite "sophisticated accounting systems and elaborate routines," says Carmichael, some senior managers have been able to commit fraud by making large reporting entries manually. Indeed, manual entries into an accounts-receivable ledger seems to be at the heart of the HealthSouth scandal.

One way SAS 99 addresses fraudulent management overrides is by requiring auditors to pore over reporting adjustments for material misstatements. That positive move, however, is undercut in the standard by wordy discussions of the risks of journal entries being improper, he says. "The amount of work the auditor would have to do on journal entries is very unclear."

To Carmichael, the issue is simple. "You'd better always review all the journal entries made during the end of the accounting [period]," he says.

To make their new detection work easier, auditors are likely to develop new software — or get use out of existing systems. Deloitte & Touche, for instance, is developing an automated way to access client computer files, says Greg Weaver, a managing partner.

The software, which D&T auditors are using for a few clients, can pick out duplicate payments, duplicate employees, and other "specific types of characteristics that might be fraud indicators," says Weaver. He expects it to be used in most of the firm's audits within the next year and a half.

Similarly, PwC plans to make some of its software amenable to fraud detection. One problem, however, is that anti-fraud software can be too predictable, Masterson notes. Designers have to find ways to block would-be frauds from working their way around the system, she adds.

Either way, corporate audit clients can expect more sniffing around by their independent auditors.

3. Skyrocketing Prices

The one-two punch of internal-controls and fraud-detection work is driving audit costs into the stratosphere, auditors say. New anti-fraud work alone has jacked up PwC audit fees by 15 percent to 20 percent, says Masterson. But add in internal-controls work, and the increases can be well over 50 percent.

Obviously, some hikes can stem simply from a rise in billable hours. But auditors are likely to add a premium for the new internal-controls and forensics work, which is uncharted terrain for many of them. For instance, while the controls testing for a tightly run company could bump up overall audit hours by 20 percent to 25 percent, total audit fees could jump 30 percent to 40 percent, predicts Deloitte's Weaver.

Indeed, average annual audit fees should jump by more than 35 percent to cover auditor testing of corporate internal controls, according to a survey of 83 executives at public companies with annual sales revenue averaging $3.27 billion done last month by Financial Executives International (FEI).

Start-up investments in Section 404 compliance will doubtless spur increases. The respondents to the FEI survey expect their companies to average a $480,000 spending boost for such things as evaluation software, consulting, and worker training. Mostly, however, "it's not a one-time hit on the part of the auditor, because the auditor will have to opine on a continual basis," notes Eaton's Billie Rawot.

The altered economics for public accounting firms is also likely to launch audit fees into low-earth orbit. Sarbox, after all, bars auditors from offering a slew of non-audit services, including bookkeeping, financial-information-systems design, and internal auditing. Because they can no longer rely on the fees for those services, accounting firms who offer them are likely to charge more for audits, says Eisner LLP's Rosen.

Under Sarbox, accountants can still do tax work for audit clients. Since the PCAOB can bar auditors from performing "any other service," however, the board could choose to curb tax services, thinks David Hardesty, a tax specialist with Wilson, Markle, Stuckey, Hardesty, and Bott.

Given the current taste for auditor independence, many company managers are likely to seek separate tax consulting and audit vendors — even if auditors aren't banned outright from tax consulting. "The loss of those tax services is going to kick up the price of the audit," predicts Hardesty.

Firms have long sold audit services at a discount or even at a loss because such business gave them an inside track in selling more lucrative tax services, he explains. Without that incentive, audit firms will have to make a profit off their audit services. Upshot? A big jump in audit fees.

4. Greater Skepticism

Expect the shift from self-rule to government inspection to inject friction into a clubby world. "When it was firm on firm, the premise was that [a review] was to be to everybody's benefit, not like an IRS-type audit, in which you're guilty until proven innocent," says Rosen. Now, however, "the pressure might be to find issues."

Still, auditors agree that the inspections should yield better audits. "If somebody knows his work will be subject to oversight, that makes them [audit] with a greater sense of skepticism and diligence, especially if it's a government body," says Wayne Kolins, national director of accounting and auditing at BDO Seidman. "But that's not to say there won't be frauds, because you can't legislate morality."

Still, given PCAOB's powers, regulators can do a lot. If an accounting scandal breaks, for instance, board inspectors can go on with their work even if lawsuits ensue, Carmichael notes, adding that peer reviews shut down if there's litigation. Also new: inspections will include a look at audit-partner pay incentives.

Firms can expect some confusion at first. After all, conducting a peer review of a Big Four firm is typically a "massive effort," taking as many as 10,000 hours to finish, says Kolins. And the inspections are expected to be much more rigorous.

Peer reviews aren't completely vanishing yet, however. They might continue to exist side-by-side with board inspections, since 39 states currently require audit firms to undergo peer review every three years. "Unless all 39 of those states decide to go with a PCAOB review, we may be subject to our tri-annual peer-to-peer review, plus the PCAOB," says PwC's Masterson. The firm's tactic: Continue with peer reviews until further notice.

5. Adversarial Relations

The new rules of audit engagement have already started to drive wedges between auditors and clients. While relations aren't quite hostile yet, corporate executives and CPAs are "getting less chummy," says Stephen Giusto, CFO of Resources Connection, a professional services firm. One shining example: "It's hard for a partner in a public accounting firm to refer to their client as a 'partner' " any more, Giusto says.

That small change indicates a drastic shift in how auditors view clients. Clients may also have a different view of auditors after enduring incessant requests from them. Guided by SAS 99, for example, auditors might ask for numbers for each subsidiary — rather than for an aggregate figure — says Rosen. "The audit is an imposition on most companies," he adds. "The more you're there and bothering them, the more problems for the company."

One way senior mangers can relieve some of the pressure is to share lots of information with auditors and share it early. For example, Eli Lilly executives let Ernst & Young accountants know as soon as the company embarks on a significant business development, like licensing or selling a compound, says Hanish.

The intent is to avoid putting auditors in a bind. If they learn about questionable transactions too late, they could feel compelled to compromise their principles and let smaller miscues go because they don't seem material, Hanish claims.

If auditors are brought in early, however, "they don't have to opine based on materiality. They opine based on the facts and circumstance of a situation," Hanish asserts.

Even with such precautions, tempers are sure to fray. "Trying to help companies understand the meaning of unproven mandates is frustrating," says Jim Powers, a partner at Crowe, Chizek and Company. "We certainly have had spirited discussions with our clients on some of these subjects."

Expect more of the same.

Fear Factor

Sarbanes-Oxley offers one more reason to tackle enterprise risk management.
Russ Banham, CFO Magazine
June 1, 2003

Rick Navarre wanted the audit committee at Peabody Energy to know exactly how he is managing risk at the company. As Peabody's CFO, Navarre developed a comprehensive methodology for analyzing and quantifying risk, in large part to educate the audit committee about all the risks confronting the $2.8 billion St. Louis-based producer and distributor of coal.

Although Navarre developed this methodology prior to the passage of the Sarbanes-Oxley Act of 2002, he notes that "under Sarbanes-Oxley, the audit committee is mandated to understand how we assess and handle the risks confronting the company. I wanted them to be comfortable that we had identified each and every risk we face and prescribed specific risk transfer and mitigation strategies for those risks we did not want to retain."

Navarre's approach to risk management illustrates the difference between traditional risk management and enterprise risk management (ERM). Traditionally, operational and strategic risk management have been static — an examination of risks as they were in January 2003, for example. "You know where you were three months ago, but now it's April and you don't have a clue about your risks until the next audit," explains Frank Terzuoli, senior vice president of business-risk consulting at New York­ based insurance broker Marsh Inc.

Traditional risk management works best on financial and hazard risks — the risks that are transferable. ERM, by contrast, stresses the management of operational and strategic risks. "A bank's operational risk would be its back office, in terms of how its payments are made and its credit-underwriting processes in terms of how it makes loans, monitors credit, and ensures repayment of loans," says Terzuoli. "A manufacturer's operational risk would involve the manufacturing process and the processes embedded in building ideas. While traditional risk management requires more accounting-type skills, ERM requires skill in strategic planning, process reengineering, and marketing."

What Peabody Energy and a few other pioneering companies have undertaken is a risk-management discipline that extends beyond traditional financial and insurable hazards to encompass a wide variety of strategic, operational, reputational, regulatory, and information risks. Some companies, like Agricore United, a Canadian agricultural-services firm, have been using ERM for several years now. Other companies have found ERM useful in theory but tedious in practice, and have resisted the effort and expense.

That may change, following passage of Sarbanes-Oxley and its stricter corporate-governance and accountability provisions. Although the act doesn't say anything about better risk management, more robust risk-reporting would seem to provide more assurance to anxious audit committees, and to CEOs and CFOs who must now certify financial statements.

The devil is in the details — translating the implications raised by the act into actionable items. "[Sarbanes-Oxley] certainly talks a lot about risk transparency — the risks you know that are not shared with other stakeholders, particularly investors," says Terzuoli. "While hiding this information was never acceptable, [the act] affirms that it definitely is not acceptable. As for the risks you should have known about but didn't, [the act] obligates companies to uncover them through a process that is rigorous enough to ensure a reasonable chance of uncovering them. This is implied, not specific. Still, wise companies believe the effort is worth it. And ERM is a methodology to get there."

Terzuoli, it must be pointed out, works for a firm that offers ERM services, charging substantial fees to help companies identify risks, quantify them, and so on. Other insurance brokers also see ERM as a fruitful market, as do audit firms and consulting firms, many of which are competing to facilitate the risk scorecard/matrix process at the behest of their clients.

Given the tepid response accorded ERM before Sarbanes-Oxley, the service providers are remarketing their ERM practices to capture the marketing cachet offered by the new governance and accountability provisions. "The stick is Sarbanes-Oxley," says Terzuoli.

Ted Senko would agree. "Since the assessments a company performs are ultimately reflected in the corporate financial statement, organizations can benefit by viewing this compliance process as a risk-management exercise," the KPMG LLP partner says. "Companies that execute their internal-controls assessment within the framework of an enterprisewide risk-management program can help ensure the integrity of their financial statements and preserve investor confidence in the company's economic sustainability."

How Peabody Recast Risk
The system Navarre installed at Peabody offers a good example of a best practice in ERM. He polled more than a dozen executives, from the C-level suite down to departmental managers, to extract what each believed were the risks challenging their respective areas of oversight.

The varied risks cited fell into four categories — operational, financial, strategic, and IT. Once the risks were captured on a scorecard, Navarre and his fellow risk overseers in treasury, operations, and the various departments calculated the expected probability of each risk in terms of frequency and severity. "For instance, the likelihood of a business interruption is low, but the severity of that event, in terms of monetary risk, would be off the charts," says Navarre. Peabody arrived at this quantification via a mixture of experience, intuition, and research, he says.

Using risk-mapping software developed internally, the group then plotted the risks on a PowerPoint risk matrix — a template depicting low-level infrequent risks in the bottom left quadrant, and the risks presenting the greatest threat of frequency and severity in the top right quadrant.

Once a risk is plotted in the matrix, it is color-coded to indicate how it has been addressed: red indicates that a risk has had little or no transfer; blue indicates that a risk has been transferred; and a partial risk transfer, such as workers' compensation, is in green, showing that Peabody is partially self-insured in this regard. "You don't want to see something red in that upper right-hand quadrant," warns Navarre.

Drill down on a particular risk and a detailed analysis of that risk emerges, from its relative importance in the risk hierarchy to how or if it is transferred or mitigated to whose responsibility it is to manage the risk.

Governance risks posed by Sarbanes-Oxley are managed by Peabody's active board of directors and by audits, a code of business conduct, and a comprehensive set of controls as mitigations, says Navarre. Although such regulatory risks as stricter environmental controls cannot be insured, he notes that even these risks are mitigated, in this case through lobbying efforts.

The entire process is dynamic: Peabody formed a cross-functional risk-management committee with Navarre as chairman that meets monthly to continually assess the company's risks. "If a new risk emerges — say we enter into a joint venture or acquisition — we meet to assess the inherent risks and feed them into the ERM process," explains Navarre.

Why is this a better mousetrap? "This is a broadly focused process that involves the entire senior-management teams across all functions to evaluate risk," the CFO replies. "Instead of looking at individual risks, ERM gives us the ability to assess all the risks of the company and understand them, separately and in relation to each other, potentially identifying risks we may not otherwise have identified, and then making a determination to either mitigate that risk or choose to accept it."

Evidently Peabody's audit committee is pleased. "We've learned through this process not only the scope and breadth of risks inherent in the business, but also the various methods that management is using to effectively manage and balance those risks," says William Rusnack, chairman of the audit committee.

Still a Costly Process
The value of ERM must be balanced against its cost. Several third-party firms approached Peabody to facilitate the ERM process, not one of which quoted less than a $200,000 fee. Instead, Navarre decided to facilitate the process internally.

But even without a consultant, the process and infrastructure costs associated with uncovering material risks are significant. "You have to be more invasive within the organization, meaning that you have to ensure that each of the business units is examining its risks in a rigorous, well-defined, systematic way, as opposed to ad hoc oversight," says Terzuoli. "That costs money, since you have to put in place policies and procedures and then ensure that these are being complied with. Then you have to automate this process with an IT component, building a conduit from back-end legacy systems to capture risk-based data to provide risk transparency in a dynamic environment — a flow of information that typically is daily or at the very least weekly."

Fortunately the software tools to construct a dynamic ERM technology infrastructure already exist in package form, sold by vendors Hyperion, Cognos, and Active Strategy, among others. The tools identify the dozens of data elements that require ongoing monitoring, extract them from legacy systems, and gather them in one place, typically a data warehouse. The tools then create a conduit from the data warehouse to a front-end dashboard that alerts users when risks emerge. "Once tied together, the data may reveal, for example, a cash-flow surprise relative to market expectations," says Terzuoli.

The cost of a good back-end to front-end system, with all the hoopla in between? Another $500,000.

Seminole's Strategy
Cost concerns didn't stop Seminole Electric Cooperative Inc., a not-for-profit Tampa-based electrical generation and transmission cooperative with $714 million in 2002 revenues, from pursuing ERM. Seminole's strategic plan mandated a broad corporate-risk profile. "We needed to create a broad list of risks facing the company, not just the risks that executive staff had cited, but risks perceived by executives across all corporate lines," says Seminole vice president of financial services John Geeraerts.

To create it, Geeraerts and Timothy Rogers, manager of tax risk and property accounting, put together a fully fledged ERM strategy with assistance from London-based global insurance broker Willis Group Holdings. Like Peabody, they assembled a multi-departmental committee that included risk overseers from internal audit, tax, finance, and power-plant operations — roughly 8 people altogether. The committee wrote up a detailed questionnaire that was E-mailed to 110 other people in the organization asking them to identify and list risks in their individual areas of oversight, what Rogers calls "brainstorming across all corporate lines."

The process generated more than 60 defined risks, which the committee then boiled down to the top 25. Two workshops were held without executives, who were questioned separately. The goal was to drill down into each of the risks to determine what actions, if any, were being taken to mitigate them, and who was accountable for ensuring and monitoring these actions. "We wanted to know the probability of each risk causing financial harm, from both a frequency and a severity standpoint. [We also wanted to know] who was watching the store," explains Geeraerts.

Ultimately, the company was able to force-rank the five top risks challenging Seminole. Number one was electrical-generation capacity — the loss of a generating plant due to an unplanned or forced outage. The company evaluated factors such as tornadoes and terrorist incidents that would disrupt power supply or cause a unit to go down. The second-highest risk was loss of market, a concern given Seminole's status as a cooperative. Filling out the top five risks were the need to have an optimum mix of power resources to serve customers, fuel price volatility, and regulatory risks, such as the impact of potentially stricter environmental standards.

A dollar number was ascribed to most risks, representing probability, frequency, and severity. All the risks were then assembled on a matrix. The final part of the process — a determination of risk-mitigation options and a process for monitoring risk-management compliance — is still under way. "For fuel price volatility, the option is a fuel hedging program; for the loss of power lines, the option is insurance; for the risk of terrorism, the option is elevating our security officer to senior staff level," notes Geeraerts.

Agricor's Granular Approach
Agricore United could tell both Peabody and Seminole a thing or two about ERM. The Winnipeg, Canada-based company initially went through the risk-identification phase in 1997, only to learn its risk-management focus was misplaced on more-transferable risks like a fire to a facility, rather than on the one major operational risk that could doom it, a reduction in grain volume.

Agricore's first step was to form a steering committee to identify and evaluate the major threats to earnings. More than 30 employees from all levels gathered in 1997 in one room at headquarters to identify the risks facing the company. This meeting was repeated earlier this year. "The world is a dynamic place and risks are constantly changing," says Peter Cox, CFO of Agricore, with $422 million (Canadian) in 2002 revenues. "It's much of the same thing with markets to transfer or mitigate risks. Nothing is static."

At the last outing, more than 30 areas of exposure were tabulated. In both years, the number-one risk was grain volume. "When a drought causes less grain to grow, we handle less grain volume, which depresses revenues accordingly," explains Cox. "Last year our revenues plunged almost 50 percent due to drought."

But Agricore went further than Peabody and Seminole to find a risk-mitigation solution to its primary risk problem. At first, the steering committee examined a weather-based financial instrument to hedge the grain-volume risk. But wide geographic regions in which grain is grown in Canada, and divergent weather patterns affecting each region, made such an instrument impossible to structure.

With help from its broker, Willis Group Solutions, Agricore assembled a unique risk-transfer program, combining nearly all its risks, including the grain-volume exposure, in a portfolio for transfer as a single block of risk to insurer The Citadel, which was reinsured by Swiss Reinsurance Co. of Canada. The losses from different risks would aggregate into an annual loss total that, if exceeding a prearranged dollar threshold, would result in an insurance payout.

A trigger for the grain-volume risk was built into the multiline insurance program, based on volumes reported by the Canadian Grain Commission, an independent body. The innovation was the fact that Agricore was able to transfer an operational risk to the insurance market that had never been transferred to insurers before.

When the novel three-year program expired at the end of 2002, Agricore sought to reinstate it. But back-to-back droughts and tightening terms, conditions, and premiums in the insurance market dissuaded Swiss Re, not to mention other reinsurers, from a similar deal. Yet Agricore again scored a unique contract, an insurance policy covering grain volume solely. The policy, bought from European International, a Swiss Re company based in Barbados, runs through July 2006, offering up to $25 million in coverage each year — minus an undisclosed deductible — and three-year coverage limits of $52.8 million. The payout is based on a simple formula that takes into account a five-year rolling average of industry grain volumes, Agricore's market share, and average profit margin per ton of grain handled.

Adding It Up
ERM has many proponents, but companies aren't exactly racing to install it. A survey of clients with at least $500 million in revenues conducted by KPMG found that only 28 percent had formal ERM programs, even though most of the same companies rated risk identification as their most important risk-management issue. Almost half the respondents (47 percent) without an ERM strategy stated they did not see the value proposition in ERM.

The resistance can be chalked up to two factors: cost and apathy. "Companies tend not to do something unless they have to," says Terzuoli. "While Sarbanes-Oxley raises the bar, companies just don't see the benefit from risk-scorecarding or matrixes or even ERM, in terms of added revenue or stock value. It's the old story — 'Here is what the law says and here is what I can get away with.' I'm just hoping that with a new [Securities and Exchange Commission] chief [Wall Street veteran William Donaldson], his diligence about interpreting the law and actions taken will compel companies to really do something about their risk."

Perhaps another reason for resistance is the complex nature of ascribing dollar values to risks like customer loyalty or corporate reputation. "Not all risks are strictly mathematically calculable," explains Senko. "ERM has created this sense of exactitude that just doesn't exist. There is still some art and judgment involved in quantifying risk."

Still, observers argue there is tremendous value in the process. "Smart CFOs know that their jobs call upon them to do two things — protect what they have and create more of what they have," adds Terzuoli. "Risk scorecards, matrixes, and ERM offer a proactive way to manage risk as a source of competitive advantage. And they reduce risk as a way of preserving assets. While the stick may be Sarbanes-Oxley, the carrot is good common sense."

Not only do companies forge a methodology for reporting potential surprises, this structure forces communication across functional lines. And arguably more important, accountability for risk is explicitly stated and monitored.

"When a risk event occurs," says Senko, "you want someone to step up, take responsibility for it, and take immediate action to manage or mitigate that risk. Wading through layers of corporate approvals would be disastrous."

Best of all, ERM is shareholder-friendly. "Perhaps the most important benefit from the whole process is a reduced gap between the knowledge an investor has about the company and the true risks embedded in that company," says Terzuoli. "That gap will be smaller than ever before."

Off the Street

Stricter rules and wary investors are prompting more companies to exit the public markets.
Tim Reason, CFO Magazine
May 1, 2003

These days, John Henderson thinks of himself as a brewer. That's not to say the former CFO of Genesee Corp. actually brews beer: "We have talented guys who take care of that," he notes. But ever since Henderson and two other executives orchestrated a management buyout, turning the company's Rochester, New York-based brewing operation into a private entity, he has finally been able to focus entirely on the business of making and selling suds.

Dealing with the requirements of being public "took an awful lot more time than I expected," recalls Henderson, now COO (he shares the CFO duties with the CEO) of High Falls Brewing Co. And while the brewery is still managed as if it were a public company, he says it's "a huge relief" not to have to comply with securities regulations. "I'm thankful that resources can be directed at managing the day-to-day [operations], not complying for compliance's sake," he says. By contrast, the all-but-empty shell of Genesee, which disposed of its three main business units as part of a planned liquidation, was still filing Securities and Exchange Commission documents as late as April, more than two years after High Falls was created to buy out the brewery for $22 million.

Henderson isn't the only one who's relieved. While most companies aren't choosing High Falls's particular method of "going private" — an asset disposition rather than a merger or tender offer — they are leaving the public markets in increasing numbers. In fact, according to Mergerstat, going-private transactions have risen steadily, from 197 in 2000 to 316 in 2002, with 93 announced as of April 1.

Their reasons for exiting differ greatly from those of spurned not-coms -- industrial companies that couldn't compete for equity dollars during the Internet bubble. Today, onerous regulations, depressed stock prices, and investor hostility are sparking a wider withdrawal.

Small-cap companies account for the majority of these transactions, but companies of all sizes have been stepping off Wall Street. The most prominent recent example is $4.4 billion Dole Food Co., in Westlake Village, California, whose chairman and CEO, David H. Murdock, cited "the short-term pressures and constraints of the public equities market" as reasons for taking the company private in late March.

Apparently, those same constraints are leading many more companies to wonder if they can do better without the market looking over their shoulder — or giving them the cold shoulder, as the case may be. Says Richard Kline of Houlihan Lokey Howard & Zukin: "There is a gestation period for these deals, but the inquiry level has increased significantly."

Stepping Out
Fueling this newest exodus from the public market, in part, are the onerous regulations embodied in the Sarbanes-Oxley Act of 2002. Recent filings with the SEC clearly illustrate that the new legislation drove many companies out even before the rules were finalized.

In one example, in an SC13e3 filing (the SEC form for reporting going-private transactions) on March 4, Tampa-based Coast Dental Services Inc. complained that the management time and resources devoted to compiling and distributing annual and quarterly reports "are considerable and will likely increase significantly in the future as a result of the [act]."

Similarly, Greenville, Tennessee-based Landair Transport Inc., a $106 million (2001 revenues) firm bought out by its founder and the COO in March, specifically cited the increased costs of complying with both Sarbanes-Oxley and the rules adopted by the National Association of Securities Dealers, adding that "such increased regulation would place additional burdens on management that would further distract them from managing the business operations of Landair."

A backlash against such additional burdens is not surprising. "The intersection of all this stuff — more disclosures, more internal controls, and a stronger audit committee — is frequently in the CFO's office," observes Stephen D. Poss, an attorney with Boston-based Goodwin Procter LLP, who adds that another word for intersection is "crosshairs." For smaller public companies, where the CFO is sometimes a one-man finance department, the new regulations, certifications, and the spectacle of finance chiefs doing perp walks may be a powerful deterrent to staying public.

Or perhaps there is a deliberate effort to scare companies away from the public markets. "I wouldn't be surprised if someone at the SEC is thinking, ÔWe need to make being a public company so expensive and onerous that we get these smaller companies off the screen,'" says Poss. "And that's not necessarily a dumb way of thinking."

Market Correction?
What Poss and others suggest, and depressed stock prices seem to confirm, is that the trend toward going private is actually an appropriate market correction. "At the height of the bull market, there were approximately 18,000 publicly traded companies," declares Scott Larson, assistant professor at the business school of Chicago's National-Louis University. "Investors threw money at certain segments of the public equity markets at unsustainable levels, so the implied cost of equity in the more-speculative segments of the market dropped to near zero."

Larson doesn't blame those companies for pursuing the practically free capital offered by the public equity markets during the 1990s. But now that that bubble has burst, he believes that "the same sort of analysis that CFOs apply to determine whether to buy back debt or shares ought to be applied to determine whether they should still be public."

While some CFOs are clearly doing just that, he says, others are reluctant, or dismiss the out-of-pocket expense of being public as minimal when compared even with their depressed market cap. That's the wrong calculation. In addition to increased compliance costs, Larson explains, the cost of being public includes the cost of equity — that is, the return shareholders expect from their stock.

But with hostile or frightened investors fleeing to large, blue-chip stocks — or exiting the market themselves — the trading liquidity that gave stocks additional value and kept the cost of equity low has disappeared. Three years ago, thin trading drove certain industrial companies out of the stock market. In 2003, that problem afflicts the market's entire bottom tier. "Today, it really isn't very attractive to be a public company of under $500 million market cap," notes Chicago-based managing director Michael Murphy of Minneapolis-based U.S. Bancorp Piper Jaffray Inc., whose research focuses on small-caps that are likely takeover targets or going-private candidates. Analysts ignore thinly traded stocks, denying them the very coverage they need to attract investors, and many once-hot initial public offerings are finding themselves as "forgotten as last year's prom queen," says Goodwin Procter attorney John LeClaire.

Not Exactly a Private Matter
Still, going private is no easy task. The classic method is for the company to merge — if shareholders approve — with a private acquisition company created by management and their financial backers (for other methods, see "Tender Squeezes," right). Yet the same fear and loathing that is driving some companies off Wall Street has made their boards extremely wary of such management buyouts.

Moreover, the duty of boards to maximize shareholder value ensures a tug of war over price. Private equity firms like to buy at multiples of 6 to 10 times cash flow, says LeClaire, but public boards think in terms of premium to stock price. That, says Roger Kafker, managing director of Boston-based private equity firm TA Associates, is difficult for directors who fondly recall the 52-week high of their stock. "Many boards are still reluctant to believe the good old days aren't coming back," he says.

The difficulty of holding bank financing together during the six to nine months this process can take is one reason many deals fall through. That's ironic, because once the decision to go private is made, companies enjoy ample access to capital to make it happen. The overhang in the private equity market is so large that it can help make up for the relative dearth of debt financing, says LeClaire. "No longer is being a public company the best venue from which to obtain capital," says Kafker.

Indeed, Larson believes the relative cost and availability of private equity is yet another variable CFOs should include in calculating the cost of remaining public.

The Tyranny of the Quarter
By far the best thing about getting such a deal done, according to those who have done one, is that private equity frees companies from the market's relentless focus on quarterly earnings. The universal corporate irritation caused by such a short-term focus was underscored recently when a handful of large public companies — McDonald's and Coca-Cola among them — announced they would no longer provide quarterly guidance.

"The Coca-Colas of the world can decide not to give guidance anymore, but if Comp Benefits was a public company, we wouldn't have that luxury," notes CEO David Klock, who took that company private in the summer of 1999. Not only does the market demand guidance from companies without Coke's clout, he says, but it has zero tolerance for any expenditure that isn't instantly accretive. "I am glad we are private," says Klock, "not because of governance issues, but because of the ability to make investments that may take two or three quarters to give a good return. That's difficult to do as a public company."

The benefits of a longer-term focus can also be seen in the February acquisition of Dallas-based Monarch Dental Corp. — a public company — by privately held Bright Now Dental Inc., of Santa Ana, California. Both companies started as rollups of private dental-practice management firms, a red-hot stock sector in the late 1990s. Bulging with pricey new acquisitions and highly leveraged, Monarch went public just before that sector tanked. Bright Now, about the same size, chose to stay private, says CFO Brad Schmidt.

The result? Bright Now spent the next four years combining businesses and installing an integrated information system. Meanwhile, the market's focus on top-line growth forced Monarch to defer such investments and spend capital on additional acquisitions.

By February 2002, that strategy — or lack thereof — had taken its toll. Monarch's stock was trading at about $1.50, the company was in violation of its debt covenants, and the CEO and CFO had been replaced with a team looking to sell the company. With $80 million in annual revenues, Bright Now bought Monarch ($180 million in revenues) for roughly five times EBITDA. "Their operations proved to be extremely competent, but because they hadn't integrated, they weren't able to do what they did best," says Schmidt.

Schmidt says he has full support from his investors to spend the next 12 to 18 months integrating Monarch's businesses and installing Bright Now's platform. "The one big benefit of the private sector is that you end up with a business partner instead of a shareholder," he says.

That's a common sentiment. "People say it must be nice being private — you don't have to report to a lot of people," says Klock. "That's a misconception. I have a dozen institutional people I report to every month and three different VC firms." The difference, say private-company executives, isn't the level of reporting, it's the nature of the relationship. "It always amazes me to sit in on analyst calls for public companies and realize the questions are just scratching the surface," says Schmidt. In Bright Now's case, he says, he not only meets regularly with investors, he also relies on them "in many respects as mentors."

Typically, of course, those investors are still looking for some sort of exit strategy — including going public again. But executives at once-public firms don't seem keen on that idea. While opportunities may arise sooner, says Schmidt, he's comfortable keeping Bright Now private for the next three or four years while it digests Monarch. If High Falls Brewing needs more money, adds Henderson, "I think there are more than enough places to go besides the public equity markets." And while going public again is a possibility for Comp Benefits, it probably won't happen before 2005. "That's assuming there is a capital market," says Klock.

In the next few years, there will likely be far more companies dropping out of the public markets than joining them. To steal a phrase from Wall Street, going private is the next big thing.

Sidebar: Going Private...
There are several ways to take a company out of the market, although going private typically involves some combination of the first two of these techniques.

Leveraged Recapitalization Merger. The classic going-private method, involving a proposal to merge with an acquisition company created by management and financial sponsors for the purpose. A special committee of the board typically is established to negotiate, and may feel compelled to solicit competing bids.

Tender Offer and Merger. Tender offers are common when there is a need for speed, since they can close in 20 business days (rather than the three months or more for the merger proxy-vote process). Tenders can be used to gain majority control to ensure a smooth merger process, but this can require a pricey bridge loan until the post-tender merger closes. Tenders are more common when management's goal (and often a condition of the offer) is to gain the 90 percent of shares needed to execute a short-form merger.

Reverse Stock Split. Also known as 'the squeeze out.' A rare technique used in small companies where the majority of shares are closely held by a few controlling shareholders. The split is engineered to leave minority shareholders holding fractional shares, which are paid out in cash. The goal, typically, is simply to eliminate public reporting requirements (and those shareholders), rather than to recapitalize the company.

Asset Disposition. Acquisition companies purchase all of the company's assets through a planned liquidation that returns funds to shareholders. Although not typically thought of as a going-private transaction, the effect can be similar if management purchases some of those assets with outside funding.

Sidebar: Wanna Buy Your Company?
In this era of intense investor scrutiny, everyone from private equity advisers to CFOs is circumspect about the personal payout that comes with a buyout. 'The CFO is a fiduciary of the company, and ought not to be directing the company to where his best personal interests lie,' warns attorney John LeClaire of Goodwin Procter. But make no mistake: taking a company private can be the most lucrative move of a CFO's career.

In fact, CFOs who take their companies private often wind up with a 1 to 3 percent equity stake and a key role as liaison with the bank and equity investors. 'It can be a great outcome for the CFO,' concedes LeClaire. Along with the payout that comes when the firm exits, the CFO of a successful effort can expect to be tapped by private equity firms to repeat that performance elsewhere.

Of course, personal interests aren't always financial. CFO John Henderson and the executives of Genesee Corp. orchestrated a buyout of the company's brewery after a sale to outsiders fell through. Rochester, New York, natives all, their move saved the 125-year-old hometown institution, and 400 jobs that went with it. As if that weren't satisfying enough, they're also now owners of Genesee Cream Ale — something of a fabled label in the Northeast. Recalls Henderson, 'We had a couple to celebrate the event.'

Chart: Going Private - Deals are steadily increasing

    Year        Number of Deals
    2003*       93
    2002        316
    2001        282
    2000        197

*As of 4/1/03
Source: Mergerstat

Chart: Market Movers
Not all market defectors are small companies.

    Year      Company                   Size of transaction
    2003      Ameripath*                  $839.4 million
    2003      Dole Foods                     $2.5 billion
    2003      National Golf Properties   $1.1 billion
    2002      Herbalife International   $685.0 million

*Pending
Source: Scott Larson, National-Louis University

Facing a Stronger Board: Two Masters?

In the wake of Sarbanes-Oxley, CFOs must now contend with more inquisitive directors.
Alix Stuart, CFO Magazine
May 1, 2003

Walter Schuetze, once the Securities and Exchange Commission's chief enforcement-division accountant under Arthur Levitt, can hardly contain his exuberance about being audit-committee chair for Computer Associates International Inc. "I like getting into the nitty-gritty of the business," says the 70-year-old Schuetze, who has won a reputation at Islandia, New York-based CA as a stickler for details — pointing out an erroneous date on a fax cover sheet, for example. "It's great fun," he says of his role.

Less fun, perhaps, for CFO Ira Zar. He might be forgiven for finding last April's board addition a bit unnerving, given that the SEC and the Justice Department are still investigating certain past accounting practices at CA. But far from being uncomfortable, Zar says he values Schuetze's insights, delivered in frequent "mutual exchanges" with the finance chief. "It's not just a how-are-you-handling-this-issue sort of relationship," says Zar. There's more planning of the pre-meeting packages being sent out to board members, and more push to implement what directors consider best practices, like filing SEC reports in tandem with earnings releases. "It's an evolution, not a revolution," according to the CFO.

Welcome to life under the Sarbanes-Oxley Act, where many finance chiefs find new authority figures placed on boards that may have once been the personal fiefdom of the CEO. Sometimes, these new figures make demands of their own, quite separate from the wishes of the CEO. Rather than calling for reforms or setting agendas, though, these recently anointed audit-committee czars or nonexecutive chairmen are at first firing questions at finance and at the CEO — as they seek to learn the intricacies of the new companies.

"The CFO is in a great position to assist audit-committee members [in getting] the best information," said Joseph Fontana, managing director of corporate value consulting at Standard & Poor's, at a recent BusinessWeek conference for finance executives. The relationship "doesn't need to be confrontational."

Both Mentor and Watchdog
Sometimes the relationship provides a healthy dose of prudence for both finance chief and audit committee. Steve Shevick, who was elevated from vice president and general counsel to CFO of Synopsys Inc. in January, says the audit committee for the electronics-design software maker, based in Mountain View, California, has begun holding "sign-off meetings" before every round of SEC filings. Previously, he says, only the 10-Ks were reviewed; now, the 10-Qs are as well. And Checkers Drive-In Restaurants Inc. recently delayed releasing its earnings by two weeks, after its audit committee sought a review of the Tampa — based fast-food chain's treatment of tax-deferred assets, impairment charges, and surplus property reserves.

"Because of the heightened scrutiny dictated to a certain extent by Sarbanes-Oxley, we felt it necessary to closely work with our auditors and audit committee to make sure we were taking the appropriate approach on these matters," Checkers CFO David Koehler told investors in a March conference call.

Cheryl Francis, audit-committee chair for Hewitt Associates, HON Industries, and Morningstar, agrees. "Without talking to management, we don't have enough knowledge of what's going on inside a company," says the former CFO of R.R. Donnelley. From a position on the HON board that predates Sarbanes-Oxley (she joined the Hewitt and Morningstar boards more recently), Francis notes some changes today in the way things are done. She now spends as much as 30 percent more time with HON CFO Jerry Dimmer, she says, and routinely asks the CFO to educate the committee on risk areas, such as revenue recognition, and to prioritize them.

But in general, Francis views herself as a mentor as well as a watchdog at the companies on whose audit committees she serves. One of her projects, for example, has been to introduce Morningstar CFO Martha Dustin Boudos to associates with international business expertise. Boudos, though, will have to "figure out how to apply those conversations to Morningstar," says Francis. "I can't do that. I don't know the company as well as she does."

A Champion Chairman
A lead director or a nonexecutive chairman can present a different challenge than a strong audit-committee chair. That's because the chairman sets the board agenda, and if that chairman has views that are different from those of the CEO, the CFO can be faced with having to serve two masters.

The move to balance CEO power by naming a nonexecutive chair, or a lead director, has been slow to take off. Fewer than 10 percent of midsize and large firms currently have either structure in place, for example, according to a survey by Sibson Consulting. A Conference Board task force led by John W. Snow (who has since become Treasury secretary) recommended the arrangement in a January report, but it has yet to be mandated by the SEC or stock exchanges.

In the past, a split chairman-CEO structure often has been designed to team a company veteran, the chairman, with a young CEO. Such was the case with Wintrust Financial in 1998, when the naming of a nonexecutive chairman was considered a nonevent for the CFO, says executive recruiter Peter Crist, who is on Wintrust's board. "In the best-case scenarios, you get a separation of age and experience that will allow the company to do more," says Crist, who has seen that dynamic "more often than I've seen infighting."

Some CFOs find a champion in their nonexecutive chairs. Jack Healey, CFO of Industrial Distribution Group since 1997, has worked with nonexecutive chairman Rich Seigel through the tenures of three CEOs. The two forged a strong relationship when Seigel first took the post along with an interim CEO title in 1999. Seigel relied on the CFO's expertise to run the Atlanta — based provider of maintenance, repair, operating, and production products and services while he searched for a new CEO. When a subsequent CEO later challenged Healey's profit forecasts to the board, the CFO found Seigel more than willing to hear both sides.

"When I called Rich, he never asked me to prove my numbers; he just asked me to sit tight," says the CFO. After sounding out other board members and managers, Seigel ultimately put his trust in Healey and the management staff. The CEO later resigned from his post.

Having a nonexecutive chairman "is a lot harder on my staff, because you put a lot more in writing, and you cannot have him surprised," says Healey. But having a boss who also has a boss, he adds, "gives me a little more leeway."

CFOs: Risk Magnets

New certification and internal control requirements are heaping new hazards on finance chiefs.
Marie Leone, CFO.com | US
June 4, 2003

A few weeks before every quarterly close, John Adamovich receives 225 representation letters from 75 reporting locations in 30 countries. The letters come to Adamovich, the CFO of Pall Corp., from three sources: in-country general managers and controllers, operations committee members that have oversight responsibilities, and group controllers. In some cases, the letters are three or four pages long.

J.D. Edwards & Co. CFO Rick Allen collects about 75 rep letters from his managers every quarter, while John Hendrix, the finance chief at the smaller Cornell Companies Inc., reviews the same kind of upstream certifications from eight managers on a quarterly basis.

The flood of letters vouches for the validity of material financial and non-financial information bubbling up from each company's far-flung operations. Getting such testimonials became imperative after July 30, 2002. On that day, Pres. Bush signed into law the sweeping Sarbanes-Oxley Act, which was intended to restore public confidence in corporate accounting. Toward that, Sarbox requires executives, among other things, to certify financial statements (Sections 302 and 906) and verify that internal control systems are adequate (Section 404).

Whether the wide-ranging provisions of Sarbanes-Oxley actually keep corporate corruption in check remains to be seen. In a recent poll of finance executives conducted by Parson Consulting, only 6 percent of the respondents said they thought the law would curb accounting abuses.

The burdensome requirements spelled out in the law may curb CFOs' enthusiasm for their jobs, however. One headhunter recounts a job-hunting finance chief who told him, "[Since Sarbox], being a CFO just isn't as much fun anymore."

Adamovich, Allen, and Hendrix, for instance, all say they've started requesting upstream certification of data to satisfy sections of the new legislation -- an onerous task. And all are looking hard to see if their internal controls pass regulatory muster. "There are no if, ands, or buts," notes Adamovich. "We have to comply with Sec. 404, and in the short term, that's our main focus."

Anything less would be short-sighted. A slew of experts, including lawyers, risk managers, auditors, and finance chiefs all say CFOs are clearly charged with managing the law's daunting mandates -- and the attendant risks that come with it. "[Sarbanes-Oxley] increases some risks for CFOs, at least for those who take their job seriously," notes Allen of J.D. Edwards. "But risks have always been there."

Maybe so. But these days, all roads seem to lead to CFOs. Indeed, in the Parson survey, 58 percent of the executives polled said they expect the company finance chief to bear the primary responsibility for overseeing the entire compliance effort. And with that responsibility comes liability -- a lot of it. "CFO are in a more precarious position [since Sarbox was passed]," insists John Challenger, of outplacement firm Challenger, Gray & Christmas Inc. "They are in the direct line of fire, and can wind up as a scapegoat."

The scope of Sarbanes-Oxley alone should worry CFOs. As John Tonsick, managing director at risk consultancy Citigate Global Intelligence and Security, points out: "What CFOs are now being asked to certify is very broad."

The Hours
Then again, some of the provisions of Sarbanes-Oxley are quite well-defined. A CFO convicted of signing off on misleading or inaccurate financial statements, for instance, will be subject to a fine of up to $5 million and a prison sentence not to exceed 20 years.

But Congress's draconian punishment for rogue CFOs is more PR than IR -- the legislators way of looking like they're getting tough on corporate crime. In short, a headline grabber.

What doesn't generate headlines is that Sec. 404 requires a company's CFO and CEO (and external auditors) to vouchsafe for the effectiveness of internal control procedures for financial reporting. Says Richard Rubin, an attorney with Jenkens & Gilchrist: "The real issue regarding certification resides in Sec. 404 requirements that call for attestation of internal controls by executives and auditors."

Indeed, Sec. 404 mandates continuous monitoring, testing, and appropriate improvements to internal controls processes -- a much more onerous and complicated task than keeping tabs on disclosure controls.

Moreover, that trio of internal control controls is interrelated. In fact, Deloitte & Touche Partner Steven Wagner says he wouldn't be surprised if the Securities and Exchange Commission turns the triad into a single certification by the end of the year.

Such a move would likely heap more work on already-overworked finance executives. In the Parson survey, 66 percent of the respondents said they're spending more time on risk assessment than in the past.

To handle this extra work wrought by Sarbox, some finance chiefs are adding staff. John Cox, CFO of BMC Software, Inc. says the Houston-based software vendor added two new full-time positions to the 400-strong global accounting staff to help with the increased disclosure. BMC has also added another staff member to the company's 12-person internal audit team.

With the recession still on, however, not all CFOs will be eager -- or able -- to staff up their finance departments. Rick Fumo, executive vice president at Parson, predicts that over the next few months, the workload for corporate finance departments at mid-size and large companies will increase by two hours per week for each staffer, thanks to Sarbox compliance requirements. He expects senior financial executives to put in three more hours per week because of the legislation.

Three hours a week may not sound like much. But assuming a typical CFO works from 8 a.m. to 6 p.m., that's another 15 days of work per year. Shoe-horning three additional business weeks into an already cramped schedule means CFOs may need to show some ID to get into their own homes.

In This Corner
Of course, spending long hours at the office is nothing new for finance chiefs. What is new: trying to cope with accounting requirements that seem more concept than concrete. According to the Parson Consulting survey, fully a quarter of the finance managers polled said that the Sarbox is "very confusing."

Some of the uncertainty comes from lack of SEC guidance, argues BMC's Cox. He notes that the legislation was passed in rapid fashion as politicians pushed policy through to restore investor confidence quickly. "It's unfathomable that all the Sec. 404 rules will be finalized by September -- and companies will be in compliance by the end of the year -- without SEC guidance," says Cox.

Deloitte & Touche's Wagner, who is also co-leader of the firm's Sarbanes-Oxley Sec. 404 steering committee, figures that the SEC will weigh-in on some Sec. 404 issues by the end of May. So far, though, he says final rules are a moving target.

That's not good news for the folks doing the shooting. What's more, attempts to comply with Sarbox are triggering some unexpected problems. For one thing, the new regulatory regimen is changing trusted business partnerships, asserts Robert Williamson, chairman and CFO of CityMerch Corp. in Miami Beach. Says Willliamson: "The relationship between CFOs and external auditors has become more adversarial."

By Williamson's lights, this tilting of the auditor/client relationship is the most dramatic corporate event for finance chiefs since the Enron fiasco.

You don't have to tell that to Keith Gorman. Gorman, former CFO of Universal Health Services Inc., was fired in February over a row with company auditor KPMG about certification of the auditor's management representation letter.

Gorman, a 16-year company veteran, reportedly wrote a candid letter to KPMG explaining that, while he was willing to sign the management rep letter (attesting that the financial statements he submitted for audit were, to the best of his knowledge, accurate), he was relying on the Big Four firm to ensure that the accounting treatment was in accordance with GAAP. Turns out that Gorman, who has a reputation on Wall Street for being "brutally honest about coming forward with the good and bad news," was a bit too straightforward this time.

By admitting that he was leaning on KPMG for accounting treatment advice, Gorman lived up to the spirit of Sarbanes-Oxley -- if not the letter of the law. But his candor cost the Universal Health CFO his job. "Gorman was fired for his temerity," asserts Williamson, adding that the finance chief "said publicly, what other CFOs say and think privately."

But Universal Health is not the only example of the souring of the auditor/client relationship. In April, Amerco Inc. sued its former auditor, PricewaterhouseCoopers, for seven years of alleged bad advice on how to properly account for special purpose entities.

Swimming Upstream
Clearly, a retooling of internal finance processes -- not to mention external relationships -- will take time.

Everett Gibbs, managing director of financial consulting specialist Protiviti Inc., says that most companies have a certification process in place. But he claims the maturity of the programs vary. In fact, Gibbs predicts it will take many companies up to two years to bring their compliance procedures in line with Sarbanes-Oxley.

At Pall Corp., CFO Adamavich is taking a three-prong approach to Sarbox compliance. First, he's working on improving the reporting from the financial and operations side of the business. Second, he's encouraging thorough disclosure committee discussions (the Sarbanes-Oxley Act requires the formation of such groups). And finally, Adamavich says he's requring upstream certification of financial data.

That's not uncommon. In an attempt to create a paper trail, most CFOs appear to be insisting on certification of financial and operating data from other managers and department heads.

While upstream certification doesn't guarantee that CEOs and CFOs won't be hearing from the SEC, experts say the process does show a good faith effort to ensure correctness.

But even upstream certification has its limitations. Rubin of Jenkens & Gilchrist points out that a sign-off has to be properly targeted so the manager certifying reports is privy to the work being performed. In addition, Rubin says controls must ensure that the reports are actually being read and reviewed, and not just rubber-stamped. Rubin believes upstream certifications should be designed to force employees to think about the materiality of entries.

Even then, senior executives are still required to address exceptions that managers list on the lower-level certifications. What's more, Rubin says they're still obliged to resolve any conflicts that might mislead investors or omit material information.

Stratego?
Not surprisingly, all this certifying and addressing and resolving has many CFOs flat-out worried. The fact is, nobody in finance land is exactly sure what Sarbox landmines await, or where -- or whether the SEC will aggressively enforce the law's provisions.

For his part, Parson's Fumo believes many of the best practices for handling the new risks will emerge from peer group discussions facilitated by auditors and other financial consulting firms. That's particularly true for small and mid-size companies which don't have accounting staffs big enough to juggle accounts payable, new GAAP guidance, and internal controls design.

In fact, CityMerch's Williamson suggests that such companies should consider hiring a third-party accounting firm to mitigate certification risks. "During the audit season last year, it seemed like the SEC changed rules once a week," explains Williamson, who was at the time CFO of Vfinance Inc., a small public financial services company. "8-Ks were flying out the door because the SEC was asking companies to resubmit filings based on the new rules."

According to Williamson, there was no way he could physically keep up with the changes, plus tend to his CFO duties, without the help of outside accounting counsel.

So Williamson brought in Ahearn, Jasco + Co., an accounting firm that also did Vfinance's tax work. Interestingly, Frank Jaumont, a partner at the audit and financial services firm, says that Sarbox compliance is really hurting companies in the $30-million-and less revenue range. Why? Because CFOs at those companies focus on operations and raising funds, rather than non-revenue producing activities such as tax accrual schedules or MD&A drafts to explain new events.

Since the passage of Sarbox, the 25-person Florida-based accounting firm has taken on the role of accounting advisers for four new clients. The price tag for hiring a second accounting firm is not cheap, however -- about $150,000 annually, says Jaumont. For the fee, a company generally gets an SEC audit partner, a tax attorney, and an audit staff with internal audit expertise.

I Believe You Know My Attorney
Ultimately, however, it's the CFO's signature -- and not a consultant's -- that goes on the quarterly and annual certification forms sent to the SEC. And consultants aren't likely to go to jail or lose their homes if they proffer bad advice to CFOs. A finance chief who signs off on a moderately inaccurate 10-K...well...who knows? /p>

Ironically, Tom Malone, CEO of Portland-based SRC Software, thinks the added risks now shouldered by CFOs will eventually lead to higher salaries for CFOs. "No one is ignoring the fact that risk exists," he notes. "And executives expect different compensation because of it." Malone thinks compensation negotiations will focus more on severance triggers and parameters than salary, however.

Others say it's too soon to tell whether CFOs will command larger salaries because of Sarbox risk. But John Wilson, president and CEO of J.C. Wilson Associates LLC, a recruitment firm that specialize in CFO searches, confirms that finance chiefs are looking for "either protection, reward, or both," since Sarbox became law. "A CFO knows that his net worth can be wiped out by one bad scenario," says Wilson. "So he wants assurance."

An exaggeration? Possibly. But consider this: Wilson notes that an increasing number of CFO candidates are bringing in lawyers to scrutinize employment contracts. "[CFOs] are more serious and more on guard then ever before," he claims. "They are pouring over details about employment terms and conditions, severance, causes for dismissal, and offer letters."

And backing off if they don't like what they find. Wilson says finance executives appear reluctant to snatch up coveted CFO positions these days, even with the lousy job market. In part, he believes the hesitance comes from newfound concerns about accountability. Says the recruiter: "Personal liability always trumps a bad market."

Under Pressure

Sarbox is just one of many new regulatory requirements companies face. Can IT help?
Scott Leibs, CFO IT
March 17, 2003

Last year, in a speech before the American Society of Corporate Secretaries, the Securities and Exchange Commission's Cynthia Glassman took the corporate-governance group for a not-terribly-invigorating walk down Memory Lane. "The public eagerly sought stocks of companies in certain 'glamour' industries...in the expectation that they would rise to a substantial premium — an expectation that was often fulfilled," she said. "Within a few days or even hours after the initial distribution, these so-called hot issues would be traded at premiums of as much as 300 percent above the original offering price. In many cases, the price of a 'hot' issue later fell to a fraction of its original offering price."

Then she delivered the kicker: she wasn't quoting from an account of the dot-com bubble, but from an old SEC document about the mania for electronics stocks that dominated Wall Street in the late 1950s and early '60s.

Her point was that the current raft of regulations is not new, and it's high time that companies take corporate governance seriously. As part of that, she suggested they engage in "real self-examination and learning...."

All in the Timing
She meant it in the sense that the unexamined corporate life may ultimately be lived in jail, but other interpretations spring to mind. They especially spring to the minds of software companies and other purveyors of IT, which see in the Sarbanes-Oxley Act of 2002 and other recently enacted or proposed regulations a prime opportunity to sell products to their corporate customers.

Some of these efforts have to be chalked up to opportunism. As we noted in CFO in December 2002 (see "Partial Clearing"), there is nothing in Sarbanes-Oxley that unequivocally mandates a technology upgrade. While the technology sector would certainly benefit from another Y2K-like buying frenzy, this is not likely to trigger one. Longer term, however, regulatory pressure may have a substantial impact on a range of IT buying decisions.

Today most CFOs we spoke to agree with Terry J. McClain of Valmont Industries Inc., a designer and manufacturer of irrigation systems, utility poles, and other products. "Sarbanes-Oxley is a costly exercise for us, both in terms of time and money, but very little of that involves IT," he says. Consultants and lawyers, he says, are the current beneficiaries. "I can see a role for IT in providing some systematized checks and balances," he states, "and maybe we'd use software as a sort of checklist to keep us on track, but it's really more about your processes and governance structure."

Yet McClain also says the full implications of new regulatory requirements can be difficult to fathom because "they come out a spoonful at a time, and there haven't been any test cases that can shed light on areas that are wide open to interpretation."

That murkiness is at the heart of many IT companies' marketing pitches, which essentially argue that companies shouldn't focus too closely on the letter of the law, but rather on the spirit. And the spirit emphasizes visibility, accountability, and better governance. There's a strong role for IT, they say, in all three areas.

"Half of all the calls I get involve Sarbanes-Oxley," says John Van Decker, an analyst at Meta Group Inc. who focuses on financial applications, "so I'm certainly seeing signs that IT spending will get a boost from this." Most likely, he says, companies will view Sarbanes-Oxley as a catalyst, making long-delayed upgrades to financial systems in order to meet the faster reporting times now mandated, and to give them greater confidence that the numbers their CEOs and CFOs are liable for are accurate.

Some software companies are making their own upgrades, tweaking products to meet new regulatory requirements. PeopleSoft Inc., for example, had already started down the road toward performance management before Sarbanes-Oxley came along, but is now adding an investor portal to its Financial Management Solutions Blueprint product suite, as well as new workflow and approval capabilities to its financials modules to speed the preparation of 10-K and 10-Q reports.

"One prospect had set aside three to four months to review potential IT solutions," says Renee Lorton, senior vice president and general manager of PeopleSoft's financial solutions group, "but then met with us and said, 'We have to make a choice and begin implementation within a month — our board is demanding it.' "

While she says that such top-level pressure will boost sales, particularly among the many companies that still use older, "legacy" applications, she also believes such forthcoming rules as Sarbanes-Oxley Section 404, which would require management to state in annual reports how it has addressed a range of internal controls and financial-reporting procedures, "could be a huge driver" for financial software.

"Could be," because Section 404 is one of two provisions that have no specified deadline; the other, Section 409, concerns "real-time" disclosure of any material change in a company's financial condition. Thus, two of the mandates with the most potential to demand IT fixes will trail behind other provisions of the legislation. "Software companies would love to offer ready-made products for internal control," says Scott Bohannon, executive director of the Working Council for Chief Financial Officers, a membership organization that researches best practices in financial management. "But no one knows what the final rules are yet."

Oracle Corp. is already producing a series of white papers and workshops built around the specific regulatory pressures facing various vertical industries; in many cases, Sarbanes-Oxley is just one of several new laws that companies must comply with.

Phase Value
Despite the uncertainty, there are enough information-oriented provisions within Sarbanes-Oxley, from Section 302 (corporate responsibility for financial reports) to Section 806 (accommodation of and protection for whistle-blowers), that the implications for IT are already becoming clear — at least to some companies. "It often comes down to whether companies are in the rationalization phase, the realization phase, or the optimization phase," says Brian Kinman, leader of the enterprise risk management practice at PricewaterhouseCoopers LLP.

Kinman says companies tend to evolve through all three phases, at first believing they already comply with Sarbanes-Oxley requirements, then realizing they have work to do, and finally moving on to optimization, in which they don't simply comply but put systems in place to make sure they remain compliant even as requirements change. "That often involves an IT investment," he says. "For example, putting in automated reporting systems to make sure you always have control over and visibility into current financial results."

Very few CFOs seem to be at that stage today. "Most are focused on creating an internal-control framework that allows auditors to attest to the validity of management assertions," says Steve Wagner, co-chair of the Sarbanes-Oxley internal-control committee at Deloitte Touche LLP. "IT tends to play into that via a 'controls repository,' a place to document your goals and activities."

While that could be as simple as a spreadsheet, many software companies — particularly ones that don't concentrate on financial software — see this as a ready opportunity to extend products that were originally developed for other purposes. Compli Corp. has offered software since 2002 that addresses employment practices, helping companies fend off lawsuits by communicating policies on, for example, sexual harassment, and then allowing them to track complaints and log actions taken by human-resources departments. The company says its software is well suited to issues of financial compliance, providing a Web-based means of creating and communicating policies, assessing their effectiveness, and providing well-documented follow-up.

Similarly, shareholder.com and CCBN Inc., among others, have expanded their Web-based investor-relations services to include corporate-governance issues. In a sense, this brings the practice of leveraging Sarbanes-Oxley for marketing purposes full circle: companies with solid governance policies and internal controls can let investors know all about them, possibly making their stock more attractive. (In fact, a survey by Parson Consulting found that companies that release financial results earlier than their peers achieve an average 15.5 percent premium in their P/E ratios.)

If to date there has been more talk than action regarding the role of IT in helping companies deal with regulatory pressures, there are signs that technology will eventually become a bigger part of the discussion. Last month, Nationwide Financial Services Inc. announced it had developed an internal system based on Lotus Notes technology that documents 178 "unique processes" pertaining to internal audit, so that the financial-services firm's CFO and CEO can be comfortable with its internal controls. Bohannon says products such as "electronic audit committees," audit dashboards, and E-learning systems designed to communicate ethics policies are being developed by a number of software companies.

And Bill Hurley, national practice leader at Parson Consulting, says the Sarbanes-Oxley marketing spin isn't coming just from technology vendors. "We have clients who have wanted to reengineer their internal controls for years," he says. "Now Sarbanes-Oxley gives them the justification to get the money they need to build better systems." United Technologies Corp. may go even further: having upgraded its internal whistle-blower system to be Web-based, it's considering whether to offer it commercially. Maybe regulations aren't so bad after all.

Sidebar: Confidence Check

In light of Sarbanes-Oxley, how confident are CFOs that spreadsheet-based reporting processes provide adequate central control?

• Not confident: 47%
• Somewhat confident: 42%
• Very confident: 11%

What You Don't Know about Sarbanes-Oxley

Snares, pitfalls, and trapdoors: Sarbanes-Oxley is full of surprises. These five top the list.
David M. Katz, CFO.com | US
April 22, 2003

If all goes well, FirstEnergy Corporation just might dodge a major financial reporting bullet. All management needs to do is meet its planned June 1 deadline for overhauling the company's computer system.

That's because the Securities and Exchange Commission isn't likely to have gotten around to defining "internal controls" under Section 404 of the Sarbanes-Oxley Act by then.

If the SEC comes out with a definition before FirstEnergy's conversion, the electric utility holding company would find itself under a crushing reporting burden. To comply with the section, FirstEnergy — and every other public corporation — must include an annual assessment of its "internal control structure and procedures for financial reporting" in its annual report.

The issue is: How broadly do you define financial controls? For instance, when FirstEnergy switches its ERP software from Oracle to SAP in the next few months, the change will affect a bevy of functions, including supply-chain management, human resources, work-order management, and general ledger. David Richards, the company's director of internal auditing, says some of those functions — like general ledger — are clearly within the financial purview. Others, like work-order management, might not be.

Right now, it's up for grabs whether the SEC would require only information about FirstEnergy's finance function in the company's internal controls report. It's possible government regulators might want the company to cast its net over operations as well in the report. Richards says some auditors are expecting the commission to lay out broad requirements for internal controls reports. "They're talking about the whole enchilada," he says.

Lucky for First Energy that it's likely to avoid the possibility of such a definitional nightmare. Even luckier for the company: By coming in on deadline, the company can sidestep documentation of its internal controls under both Oracle and SAP. Such documenting would involve a massive boost in record-keeping, the internal auditor thinks.

Many companies won't be so fortunate, however. Now that the dust has settled on some of the more obvious tidbits of Sarbanes-Oxley (the requirement that CFOs and chief executive officers certify company financials, for example), a slew of disclosure concerns is emerging to trouble the sleep of finance chiefs.

Like the internal-controls provision, parts of Sarbanes-Oxley — and the SEC's implementation of rules related to the act — threaten to spread far beyond finance and accounting, spilling over into operations reporting as well. For instance, a pending commission requirement would force companies to disclose a burgeoning menu of material events in just two days.

The real-time rule would put "pressure on the operational side of the business," says Rick Fumo, a senior vice president with Parson Consulting, a financial management advisory firm.

One for-instance: If a company truck delivering toxic chemicals springs a leak, operations employees might have to speed that news up the chain of command to the comptroller so that an 8-K form could be filed. To grease the wheels, companies will need to tool up their reporting software and train line managers to communicate faster, Fumo says.

The act also has surprises in unexpected areas, things like compensation, executive relocation, and overseas operations. And contrary to popular belief, private companies aren't entirely immune to the provisions of Sarbox, as some finance managers have come to refer to the law.

Indeed, if you thought the provisions of Sarbanes-Oxley only concerned corporate finance, independent auditing, and equity research, you've missed the fine print. Sarbox also covers such disparate corporate functions as information technology, human resources, compensation, and environmental compliance.

Why? Because these areas — and a host of others — affect company financials.

In fact, after the SEC gets finished implementing the provisions of the bill, Sarbanes-Oxley might be a whole lot more far-ranging than its proper title suggests. That moniker? "Public Company Accounting Reform and Investor Protection Act."

Here, then are five of the more nettlesome — and less publicized — edicts of the Sarbanes-Oxley Act of 2002.

1. Material changes must be reported at lightspeed.
Most CFOs are aware that they now must provide the SEC with an 8-K form within five business days if their company issues an earnings release.

They also know that if they follow up an earnings release by dishing up important new details in a conference call, they might need to issue another 8-K.

Such requirements could make it "difficult to have open discussions," says Brian Jarzynski, CFO of Comshare Inc. It could also make it harder for finance chiefs "to get people listening" by holding out some of the good stuff for the conference call.

Still, that five-day 8-k isn't expected to produce all that many ripples.

What might spawn bigger waves is the realization that companies will have to issue 8-Ks in real time when something big and unexpected happens. Under Section 409 of Sarbox, companies must report material changes in the financial or operating condition of the company "on a rapid and current basis."

How rapid is rapid? In a footnote to a rule on non-GAAP financial reporting issued in January, the SEC said it plans to tackle that issue in the near future. Last June, the commission made it clear that it meant those 8-Ks to be filed in two business days. That's a big change from the five business days the commission now requires to report material changes — and the 15 calendar days it asks for others.

What's more, the topics deemed worthy of an 8-K filing would vastly expand. Currently, companies must file when they undergo nine specific events, including a change in control, a significant acquisition, or a bankruptcy.

To that, the SEC is proposing to add a whopping 11 triggering events. Among them: ending (or merely reducing) a significant business relationship with a customer; large write-offs and restructuring charges; material impairments; and a change in a rating agency's decision.

Because the SEC's policy was proposed before the passage of Sarbanes-Oxley and the ensuing brouhaha surrounding it, however, finance chiefs are only just now waking up to the implications of "a whole new disclosure regime," says Deborah Meshulam, a partner with Piper Rudnick in Washington.

One result could well be a dramatic change in the nature of the CFO job. Finance chiefs will likely have to dig much deeper into how their companies disclose their operations, says Meshulam, a former assistant chief litigation counsel with the SEC's enforcement division. "That's not a quarterly and annual involvement, with episodic 8-Ks," she adds, " but a steady stream — [or] a daily onslaught."

Finance chief will need reinforcements to cope with the flood of required filings. One solution: Hire a full-time disclosure-controls supervisor or manager with a direct report to the CFO or another top executive, says Kevin Lesinski, a partner with Seyfarth Shaw in Boston. Can a boom in Chief Disclosure Control Officers (CDCOs) be far behind?

2. "Internal Controls" could mean much more than getting the numbers right.
On the face of it, Sarbox seems to refer only to finance when it talks about the need for management to report on and assess internal company controls.

The SEC has made statements suggesting it agrees with such limits. In a proposed rule it published in October, the commission provided an unremarkable definition of financial controls. Essentially, the regulatory agency said such controls are there to ensure that transactions are properly authorized, recorded, and reported, and that assets are safeguarded against improper use.

Nevertheless, the SEC remains vague about defining what "internal controls" will mean under Sarbox 404. Remember, since the findings of the private-sector initiative known as COSO (Committee of Sponsoring Organizations) were issued in 1992, the term has included operations and regulatory compliance, as well as finance.

A broad definition could have CFOs brooding over regulatory matters that are a far cry from what's normally considered finance. FirstEnergy, for instance, is currently fighting Environmental Protection Agency charges that one of its plants is in violation of the Clean Air Act. But if the company is found to be out of compliance with the law, it faces heavy fines. Says Richards: "That's an operating issue that can sure have financial ramifications if we were wrong."

Further complicating matters is another feature of Sarbox 404: Auditors must attest to and report on management's assessment of internal controls. "That will lever [compliance] up into something that's going to cost a lot more time and expense," says Steve Clark, a partner with Chapman and Cutler, a Chicago-based financial services law firm.

One problem, for sure, is that auditors will have to piece together new procedures to assess client controls programs. That will make it tough for quantitative-minded accountants to gauge performance evaluations and other soft information provided in management reports, Clark thinks.

3. Sarbox doesn't stop at the shoreline.
Laws governing exports and imports and foreign-based bribes and money laundering don't seem to have much to do with the domestically focused act.

But the onus that Sarbanes-Oxley puts on audit committees and independent auditors to ferret out wrongdoing is spurring a closer look at global operations, says Sturgis Sobin, a partner and director of the International Trade Regulatory Practice for Miller & Chevalier in Washington.

Sobin offers a hypothetical: While performing an annual audit of a multinational, auditors find suspicious payments on the books of the company's Indonesian subsidiary that have all the earmarks of bribes. "The liability becomes very real," the lawyer says, "and the auditors, under pressure of Sarbanes-Oxley, have to recommend to the corporate client that they undertake a rigorous analysis" of the situation and disclose the results. The disclosure might then lead to heavy fines under the Foreign Corrupt Practices Act (FCPA).

That's a sea change from the previous way multinationals handled discoveries of baksheesh. Under FCPA and export/import rules, corporate executives don't have a duty to disclose questionable practices, Sobin says.

Instead, international business disclosure regulators tend to employ a "carrot-and-stick" approach involving incentives for compliance and penalties for transgressions.

That's spawned a Clintonesque "ask-but-don't-tell" attitude among corporate officers. "In the past, because there was no requirement to make a disclosure, [executives said,] 'Let's just make sure it doesn't happen again' " and leave it at that, the lawyer says.

But leaving it at that is often no longer an option for CFOs, who must now certify the validity of their financials under Sarbox's Section 302.

That's because the penalties following such things as an improperly reported import can be a balance-sheet liability. Fines of 100 percent of the value of the goods are not uncommon, Sobin says. If, for instance, a company is illegally importing $50 million of disk drives from a restricted country, that can amount to a decent chunk of change.

The good news is that companies can mitigate — or even eliminate — the fines by fessing up before the customs agents find out. "If you are first in door to report, they will provide you with leniency," the lawyer adds.

4. Executive mobility just got a whole lot tougher.
Remember the home loans that employers made to company managers, either to relocate an executive or to lure new talent to a different part of the country?

Forget about them for the higher-ups. Under Section 402 of Sarbanes-Oxley, corporations are barred from making personal loans to officers or directors.

That creates a problem for executives who have borrowed from the company to buy a home and must sell it to relocate. Joe Rich, executive vice president at Clark/Bardes Consulting, illustrates the problem: "Let's say you bought a $4 million ranch home in Palo Alto, and now it's worth $3 million," he posits. "The company moves you to Boston. Now you're upside-down on that loan, and can't get a new loan [from the company] in Boston."

Still, the money can come from elsewhere. To help pay for housing, companies could offer new officers heftier signing bonuses and existing ones residence bonuses, according to Rich. Or they might buy executive housing outright and let officers live in it rent-free. Under Sarbanes-Oxley, however, the SEC might consider the free housing a loan, Rich cautions.

The loan prohibition could also create a whole class of embittered officers and directors: the folks who borrowed money to invest in company funds and stock before the equities market went kerflewy. Before Sarbanes-Oxley, a company could adjust the terms of the loan to keep an executive happy.

Post-Sarbox, such adjustments violate the act's ban on arranging for or renewing loans, Rich notes. Of course, the company could always forgive the loan. Then again, given today's scandal-ridden environment, maybe not.

5. Private companies aren't immune to Sarbox.
The Sarbox loan ban also figures into problems that nonpublic companies can encounter under the act. Officer loans are common practice in private companies, particularly in single-owner outfits, notes Parson Consulting's Rick Fumo.

The owners can continue to bestow largesse as long as they please — provided they don't want to sell their holdings to a public company or launch an initial public offering. If private company owners do want to go public, they would have to see that the loans are paid back before an initial public offering, Fumo says. That could amount to a pretty penny for some officer/borrowers.

The internal-controls reporting required under Sarbanes-Oxley might also inhibit private owners not used to doing a whole lot of documentation from making a public offering.

Public company finance chiefs and their bosses, for their part, are sure to be probing the governance practices of private merger targets, says Fumo. "The due-diligence process will take on another level of significance and detail because there's a higher price to pay for a mistake," the consultant says. That, in turn, could leave finance managers at the acquiring company plenty embarrassed.

Two Weeks in January

The SEC put much of the Sarbanes-Oxley Act into effect by passing a slew of new rules. Here's what was proposed and what was disposed.
Tim Reason, CFO Magazine
March 1, 2003

Resigning his post as Securities and Exchange Commission chairman on November 5 did nothing to keep Harvey Pitt from being the center of controversy. First, of course, he didn't leave. Then, two months later, the lame-duck chairman presided over what he described as "the busiest two weeks of rule-making in this agency's history." That was the last two weeks in January, during which the SEC wrapped up its six-month race to comply with the Sarbanes-Oxley Act of 2002 by voting on a stack of new — and often controversial — rules (see "Marching Orders" at the end of this article).

Reviews, predictably, have been mixed. Lawmakers have hailed the rules as the capstone on the most groundbreaking corporate reform since the 1934 Securities Act, and praised the SEC staff for its marathon effort. Investor advocates, by contrast, panned the results, claiming that in almost every case, the SEC softened the rules under pressure from special interests — particularly the accounting and legal professions. Some even claim Pitt — who was still waiting to relinquish his chair to incoming commissioner William Donaldson as CFO went to press — held on to his abdicated chairmanship as long as he did to gut the rules in favor of his accounting-industry cronies.

"It's becoming more and more clear to investors that the Administration kept Pitt in place to get done what the special interests wanted, which was to minimize Sarbanes-Oxley as much as possible," says former SEC chief accountant Lynn Turner, now an accounting professor at Colorado State University.

In fact, the resulting rules are as mixed as the public reaction. Initially many of the proposals by the SEC staff went further — often much further — than what Congress called for, causing near panic among the accounting and legal professions in particular. Then, after receiving floods of comment letters, the SEC backed off or softened some of its most aggressive stances in the final rules, angering investor advocates.

In the end, it's safe to say that no one came away unscathed. For public companies, the new rules include a requirement to reveal off-balance-sheet arrangements, strictures on the use of pro forma numbers, trading restrictions during employee blackout periods, and a description of the financial expert, if any, on the audit committee. Mutual funds must now disclose how they vote their proxies. For the accounting industry, the rules contain a slew of auditor-independence and record-retention directives that reflect the disgrace still hanging over the profession in the wake of Enron. And, finally, the commissioners passed rules for attorneys — accompanied by stiff warnings about the moral of the accounting profession's sorry tale — requiring them to report wrongdoing up the corporate ladder.

To be sure, some rules passed unceremoniously. Those requiring disclosures of off-balance-sheet arrangements in management's discussion and analysis and a table listing contractual obligations (read: guarantees that could cause a sudden massive drop in liquidity) passed unanimously, in part because the Financial Accounting Standards Board had already addressed special-purpose entities and guarantees after Enron. Likewise, the rules requiring reconciliation of pro forma numbers with generally accepted accounting principles were simply a reprise of guidance that the SEC delivered shortly after Pitt took office. But the controversies surrounding the auditor-independence and attorney-conduct rules promise not to end as implementation begins.

Auditor Independence
The SEC proposed, for example, disclosure requirements for audit fees that were never mentioned in the legislation. A victory for corporate reformers? Hardly, says Barbara Roper, director of investor protection at the Consumer Federation of America, in Pueblo, Colorado, who claims the new definitions of audit and "audit-related" fees actually muddy the distinction that the SEC's existing rules drew between audit and nonaudit fees. "It was the SEC's own doing that it was criticized," says Turner. "The SEC totally ignored comment letters from investors and consumers who stated that this change was a rollback of preexisting rules."

Roper is even more upset, however, about the rule that allows a company's audit committee to preapprove, in its written policies, certain nonaudit services. "This is where the SEC did its most serious damage," she says, arguing that Congress adamantly resisted this preapproval authority when it wrote rules requiring audit committees to individually examine any nonaudit service before allowing the accounting firm to perform it. "The SEC simply undermined that without offering any justification," she says.

Despite such criticisms, the final rules also contain wins for folks like Roper. Auditors are now completely banned from providing financial-system implementation and internal audits, as well as seven other types of services. That's "one thing the SEC deserves credit for," she says, since it could have interpreted the legislation to codify its existing rules, which had a number of exceptions.

Moreover, the SEC added a "cooling-off" period to the auditor rotation requirements. This gave teeth to what Roper considered otherwise a "largely meaningless portion of the legislation" by adding that after the five-year limit on audit work for a particular company, there was a five-year period before auditors could return. However, the SEC's initial proposal would have applied that to the entire audit team. The final rule applies it only to the lead and concurring partners, with a seven-years-on, two-years-off requirement for lesser members of the audit team. Roper, of course, would have preferred to see mandatory rotation of audit firms--something the SEC did not suggest.

Attorney Conduct
One controversial rule the commission did suggest — the "noisy withdrawal" proposal, which would have required attorneys who are unable to stop an ongoing fraud to resign and inform the SEC — was tabled for further review.

In the commission's opinion, Sarbanes-Oxley's "reporting up" requirement (which, with some modifications, the SEC did pass) — obligating lawyers to report corporate misconduct "up the ladder" to the audit committee or the board if management wouldn't correct the problem — did not go far enough. But the overwhelming objection to the added "reporting out" proposal, noted in almost all of the 171 comment letters received by the SEC, was that it violated attorney-client confidentiality.

That concern was shared by CFOs. "It did seem to me to be troubling to erode attorney-client privilege," notes CFO Harlan Plumley of Burlington, Massachusetts-based Lightbridge Inc., who says the SEC's apparent retreat "struck me as a good thing." Adds CFO Stephen Giusto of Costa Mesa, California-based Resources Connection Inc., "I would say lawyers and investment bankers have traditionally gotten off a lot easier than the accountants have, and certainly they share in the blame for some of these screw-ups. But you are going down a very slippery slope if you start to chip away at the attorney-client privilege."

Not everyone felt that privilege should be so inviolate, however. "Is there any reason to treat lawyers differently from the auditors and accountants when fraud is involved?" asked commissioner Harvey Goldschmid during the SEC's open meeting on January 23. "To me, the absolute emphasis [of the legal profession] on confidentiality is incomprehensibly out of balance."

Perhaps in part to avoid such criticism, many lawyers had noted that the proposed rules would also conflict with or preempt state laws: 9 states and the District of Columbia prohibit attorneys from revealing confidential client information, even to prevent the client from committing fraud (37 other states allow such an action, and 4 require it). "The primary problem is the SEC is trying to propose a uniform federal rule on an area that is currently the purview of the states," says attorney Fred Baumann of Denver-based Rothgerber, Johnson & Lyons LLP. "The issue here is whether Congress gave the SEC permission to do this."

However, the SEC staff and Pitt himself dismissed both the state preemption question and criticism of their go-slow approach during the open meeting. "There has been some suggestion that by not adopting what we put out, the commission is cutting back on protections for investors. I find these suggestions to be offensive and in any event completely wrong," said Pitt during the meeting. "I reject the suggestion of some that we didn't have authority to do everything we proposed, but more significantly, because the issue is one that is significant, it makes sense to have more time to consider it. That is not a withdrawal. That to me is the essence of responsible government."

The noisy withdrawal requirement is probably now a dead letter, although the SEC will likely revisit it late this month. In its place, however, is an alternative, apparently devised and favored by Pitt, that still requires attorneys to resign, but shifts the responsibility for informing the SEC to the company, which would have to report the resignation in an 8K report, much as it now must do when it changes auditors. That alternative seemed to have wide support, at least among the commissioners. "I frankly think this is one of those rare compromises that essentially solves all [the concerns] of the various interests," said commissioner Roel C. Campos.

Mutual Fund Disclosure
The broad wording of the Sarbanes-Oxley Act meant that section 302 — requiring CEO and CFO certification — as well as other sections covering disclosures regarding financial experts and codes of ethics, applied not only to public companies but also to managed investment companies, such as mutual funds. The SEC voted on rules that specifically applied these requirements to mutual funds. It also included a rule of its own, not mentioned in the act, requiring mutual funds and other managed investment companies to disclose how they vote their proxies. This was an issue that Pitt had championed from his first day on the job, and it won him rare praise from both his critics and corporate-governance hawks, for whom proxy-voting disclosure has long been a cause célèbre.

"In thinking about these recommendations," Pitt noted in his opening remarks at the January 23 meeting, "I start from the fundamental and unassailable proposition that mutual fund securities are held for the benefit of individuals who own mutual fund shares." Yet this was also the only vote that was not unanimous among the commissioners. Paul S. Atkins voted nay, dismissing 7,000 of the 8,000 comment letters received as form letters and noting that funds often have to "beg and plead" just to get fund-holders to return proxy statements. "We are subjecting funds to significant costs and additional burdens," he warned, "at a time when fund-holders are concerned with only one thing: returns."

Throughout the two weeks, the chairman's last stand was classic Pitt: the new rules had something in them to upset just about everyone. But while few would dispute Pitt's record of political clumsiness, the adversarial relationship that has developed between investors and corporate management runs deeper than the legacy of one SEC official. The question now is whether corporations, accountants, lawyers, and mutual funds will have time to digest these rules and regain investor trust through their actions, or whether these rules will be the source of more violations that undermine that trust.

Tim Reason a senior writer at CFO.

Marching Orders

How the SEC chose to implement the Sarbanes-Oxley Act.
Sources: CFO; Securities and Exchange Commission