Custom-Tailored SOX

From NYU: Sarbanes-Oxley compliance must be applied differently from company to company.
David Katz, August 1, 2003

Despite the 40,000 or so words that make up the Sarbanes-Oxley Act (SOX), the language of the 130-page law can be maddeningly spare.

Take Sec. 404, “Management Assessment of Internal Controls.” Corporations will spend more to comply with Sec. 404 than with any other section of SOX, according to Paul Brown, an accounting professor at New York University’s Stern School of Business.

In two brief paragraphs, the section lays out three strikingly broad requirements: 1) annual reports must spell out management’s responsibility for the company’s internal financial reporting controls; 2) the reports must contain an assessment of how well the controls are working; and 3) auditors must report on and OK the assessment.

And that’s it. As far as providing details about what a specific company and its auditors might be required to do to comply with the requirements, Sec. 404 is about as detailed as a haiku.

Because the language of SOX tends to be so “generic,” says Brown, executives and board members have to work hard to determine how the act applies to their particular company and which aspects are most crucial to them.

How can they set priorities for complying with such a broadly worded law? One good way to start the analysis is to zero in on a company’s industry, according to the professor.

That, in fact, is the route Brown and other Stern professors will take in teaching a new executive-education course in SOX compliance, tailored to fit the needs of an individual company’s board members. Designed in collaboration with a company’s audit committee chair — and likely with hefty input from the CFO — the course will involve about six hours of education and typically be held before a scheduled board meeting.

By learning how SOX applies to their company’s particular industry, board members can start to get a handle on which financial reporting controls need to get the most immediate attention, according to the professor. For instance, revenue recognition is a much more pressing issue for a computer-technology company like IBM than it is for a company in the retail sector.

That’s because the mix of products and services typically offered by software providers makes the timing of the recognition of revenue a complicated matter. While vendors often bundle the leasing and maintenance of software in one contract, the revenues gained from those actions must be recognized differently.

Under generally accepted accounting principles, for instance, companies leasing software must immediately recognize nearly all the revenue attributed to the product’s value. But they must spread recognition of revenue for services provided over the life of the lease.

Obviously, software vendors must take special care to distinguish between the reporting of the two kinds of revenue streams to adhere to the letter of Sarbanes-Oxley. Revenue recognition for a pure provider of retail goods like Gap Inc., on the other hand, is much more clear-cut, says Brown.

What’s more, the Gap “has such a good operations-management control system that when I buy their pale blue T-shirt, the register information goes [straight] to San Francisco,” he adds. “They document immediately in their headquarters that the product is sold.”

Thieves Like Us

But even a retailer with top-flight revenue controls is likely to have worries about how it accounts for its costs, especially its cost of goods sold. One particular concern for a company like the Gap is the set of internal controls associated with the valuation and recording of inventory, according to Brown, who often uses the Gap as a case study in his financial statement analysis courses at Stern.

Pilferage, for instance, can be a big problem for a retailer trying to translate its inventory records into the language of financial statements. “An item can go out the door at the Gap, and [the company would] not get any revenue for it,” says Brown, suggesting that how efficiently such companies record inventory theft could be a crucial Sec. 404 issue.

Besides studying a company’s industry, Brown expects to spend a good chunk of his preparation time — about two days per course — looking at the corporation’s business model. In the case of a company with a large unionized workforce, for example, he’s likely to assume that pension liability will become a key part of the discussion.

One major goal will be to help board members identify the six or so most important issues involved in their companies’ compliance with SOX. As part of their spadework, Brown and other Stern professors involved in teaching the course expect to ask audit committee chairs about the major points of committee discussions for the prior year or so.

Armed with detailed background information on the company, Brown hopes to provoke a fair amount of soul-searching among board members. To get a meaningful discussion about SOX compliance rolling, says the professor, he’s not above asking a well-placed board member a provocative question.

Brandishing a 10-K or a 10-Q, Brown might well ask a chairman about the actions the company took when auditors “pointed out two years ago that you had a problem.”

The “Sarbanes-Oxley Act Custom Program” is designed by professors from New York University’s Stern School of Business, in cooperation with a company’s audit-committee chair. The program is typically offered over a single day at the company’s location — if appropriate, in connection with a scheduled board meeting.