What You Don’t Know about Sarbanes-Oxley

Snares, pitfalls, and trapdoors: Sarbanes-Oxley is full of surprises. These five top the list.
David Katz, April 22, 2003

If all goes well, FirstEnergy Corporation just might dodge a major financial reporting bullet. All management needs to do is meet its planned June 1 deadline for overhauling the company’s computer system.

That’s because the Securities and Exchange Commission isn’t likely to have gotten around to defining “internal controls” under Section 404 of the Sarbanes-Oxley Act by then.

If the SEC comes out with a definition before FirstEnergy’s conversion, the electric utility holding company would find itself under a crushing reporting burden. To comply with the section, FirstEnergy — and every other public corporation — must include an annual assessment of its “internal control structure and procedures for financial reporting” in its annual report.

The issue is: How broadly do you define financial controls? For instance, when FirstEnergy switches its ERP software from Oracle to SAP in the next few months, the change will affect a bevy of functions, including supply-chain management, human resources, work-order management, and general ledger. David Richards, the company’s director of internal auditing, says some of those functions — like general ledger — are clearly within the financial purview. Others, like work-order management, might not be.

Right now, it’s up for grabs whether the SEC would require only information about FirstEnergy’s finance function in the company’s internal controls report. It’s possible government regulators might want the company to cast its net over operations as well in the report. Richards says some auditors are expecting the commission to lay out broad requirements for internal controls reports. “They’re talking about the whole enchilada,” he says.

Lucky for FirstEnergy that it’s likely to avoid the possibility of such a definitional nightmare. Even luckier for the company: By coming in on deadline, the company can sidestep documentation of its internal controls under both Oracle and SAP. Such documenting would involve a massive boost in record-keeping, the internal auditor thinks.

Many companies won’t be so fortunate, however. Now that the dust has settled on some of the more obvious tidbits of Sarbanes-Oxley (the requirement that CFOs and chief executive officers certify company financials, for example), a slew of disclosure concerns is emerging to trouble the sleep of finance chiefs.

Like the internal-controls provision, parts of Sarbanes-Oxley — and the SEC’s implementation of rules related to the act — threaten to spread far beyond finance and accounting, spilling over into operations reporting as well. For instance, a pending commission requirement would force companies to disclose a burgeoning menu of material events in just two days.

The real-time rule would put “pressure on the operational side of the business,” says Rick Fumo, a senior vice president with Parson Consulting, a financial management advisory firm.

One for-instance: If a company truck delivering toxic chemicals springs a leak, operations employees might have to speed that news up the chain of command to the comptroller so that an 8-K form could be filed. To grease the wheels, companies will need to tool up their reporting software and train line managers to communicate faster, Fumo says.

The act also has surprises in unexpected areas, things like compensation, executive relocation, and overseas operations. And contrary to popular belief, private companies aren’t entirely immune to the provisions of Sarbox, as some finance managers have come to refer to the law.

Indeed, if you thought the provisions of Sarbanes-Oxley only concerned corporate finance, independent auditing, and equity research, you’ve missed the fine print. Sarbox also covers such disparate corporate functions as information technology, human resources, compensation, and environmental compliance.

Why? Because these areas — and a host of others — affect company financials.

In fact, after the SEC gets finished implementing the provisions of the bill, Sarbanes-Oxley might be a whole lot more far-ranging than its proper title suggests. That moniker? “Public Company Accounting Reform and Investor Protection Act.”

Here, then, are five of the more nettlesome — and less publicized — edicts of the Sarbanes-Oxley Act of 2002.

1. Material changes must be reported at lightspeed.

Most CFOs are aware that they now must provide the SEC with an 8-K form within five business days if their company issues an earnings release.

They also know that if they follow up an earnings release by dishing up important new details in a conference call, they might need to issue another 8-K.

Such requirements could make it “difficult to have open discussions,” says Brian Jarzynski, CFO of Comshare Inc. It could also make it harder for finance chiefs “to get people listening” by holding out some of the good stuff for the conference call.

Still, that five-day 8-K isn’t expected to produce all that many ripples.

What might spawn bigger waves is the realization that companies will have to issue 8-Ks in real time when something big and unexpected happens. Under Section 409 of Sarbox, companies must report material changes in the financial or operating condition of the company “on a rapid and current basis.”

How rapid is rapid? In a footnote to a rule on non-GAAP financial reporting issued in January, the SEC said it plans to tackle that issue in the near future. Last June, the commission made it clear that it meant those 8-Ks to be filed in two business days. That’s a big change from the five business days the commission now requires to report material changes — and the 15 calendar days it asks for others.

What’s more, the topics deemed worthy of an 8-K filing would vastly expand. Currently, companies must file when they undergo nine specific events, including a change in control, a significant acquisition, or a bankruptcy.

To that, the SEC is proposing to add a whopping 11 triggering events. Among them: ending (or merely reducing) a significant business relationship with a customer; large write-offs and restructuring charges; material impairments; and a change in a rating agency’s decision.

Because the SEC’s policy was proposed before the passage of Sarbanes-Oxley and the ensuing brouhaha surrounding it, however, finance chiefs are only just now waking up to the implications of “a whole new disclosure regime,” says Deborah Meshulam, a partner with Piper Rudnick in Washington.

One result could well be a dramatic change in the nature of the CFO job. Finance chiefs will likely have to dig much deeper into how their companies disclose their operations, says Meshulam, a former assistant chief litigation counsel with the SEC’s enforcement division. “That’s not a quarterly and annual involvement, with episodic 8-Ks,” she adds, “but a steady stream — [or] a daily onslaught.”

Finance chiefs will need reinforcements to cope with the flood of required filings. One solution: Hire a full-time disclosure-controls supervisor or manager with a direct report to the CFO or another top executive, says Kevin Lesinski, a partner with Seyfarth Shaw in Boston. Can a boom in Chief Disclosure Control Officers (CDCOs) be far behind?

2. “Internal Controls” could mean much more than getting the numbers right.

On the face of it, Sarbox seems to refer only to finance when it talks about the need for management to report on and assess internal company controls.

The SEC has made statements suggesting it agrees with such limits. In a proposed rule it published in October, the commission provided an unremarkable definition of financial controls. Essentially, the regulatory agency said such controls are there to ensure that transactions are properly authorized, recorded, and reported, and that assets are safeguarded against improper use.

Nevertheless, the SEC remains vague about defining what “internal controls” will mean under Sarbox 404. Remember, since the findings of the private-sector initiative known as COSO (Committee of Sponsoring Organizations) were issued in 1992, the term has included operations and regulatory compliance, as well as finance.

A broad definition could have CFOs brooding over regulatory matters that are a far cry from what’s normally considered finance. FirstEnergy, for instance, is currently fighting Environmental Protection Agency charges that one of its plants is in violation of the Clean Air Act. But if the company is found to be out of compliance with the law, it faces heavy fines. Says Richards: “That’s an operating issue that can sure have financial ramifications if we were wrong.”

Further complicating matters is another feature of Sarbox 404: Auditors must attest to and report on management’s assessment of internal controls. “That will lever [compliance] up into something that’s going to cost a lot more time and expense,” says Steve Clark, a partner with Chapman and Cutler, a Chicago-based financial services law firm.

One problem, for sure, is that auditors will have to piece together new procedures to assess client controls programs. That will make it tough for quantitative-minded accountants to gauge performance evaluations and other soft information provided in management reports, Clark thinks.

3. Sarbox doesn’t stop at the shoreline.

Laws governing exports and imports and foreign-based bribes and money laundering don’t seem to have much to do with the domestically focused act.

But the onus that Sarbanes-Oxley puts on audit committees and independent auditors to ferret out wrongdoing is spurring a closer look at global operations, says Sturgis Sobin, a partner and director of the International Trade Regulatory Practice for Miller & Chevalier in Washington.

Sobin offers a hypothetical: While performing an annual audit of a multinational, auditors find suspicious payments on the books of the company’s Indonesian subsidiary that have all the earmarks of bribes. “The liability becomes very real,” the lawyer says, “and the auditors, under pressure of Sarbanes-Oxley, have to recommend to the corporate client that they undertake a rigorous analysis” of the situation and disclose the results. The disclosure might then lead to heavy fines under the Foreign Corrupt Practices Act (FCPA).

That’s a sea change from the previous way multinationals handled discoveries of baksheesh. Under FCPA and export/import rules, corporate executives don’t have a duty to disclose questionable practices, Sobin says.

Instead, international business disclosure regulators tend to employ a “carrot-and-stick” approach involving incentives for compliance and penalties for transgressions.

That’s spawned a Clintonesque “ask-but-don’t-tell” attitude among corporate officers. “In the past, because there was no requirement to make a disclosure, [executives said,] ‘Let’s just make sure it doesn’t happen again’ ” and leave it at that, the lawyer says.

But leaving it at that is often no longer an option for CFOs, who must now certify the validity of their financials under Sarbox’s Section 302.

That’s because the penalties following such things as an improperly reported import can be a balance-sheet liability. Fines of 100 percent of the value of the goods are not uncommon, Sobin says. If, for instance, a company is illegally importing $50 million of disk drives from a restricted country, that can amount to a decent chunk of change.

The good news is that companies can mitigate — or even eliminate — the fines by fessing up before the customs agents find out. “If you are first in door to report, they will provide you with leniency,” the lawyer adds.

4. Executive mobility just got a whole lot tougher.

Remember the home loans that employers made to company managers, either to relocate an executive or to lure new talent to a different part of the country?

Forget about them for the higher-ups. Under Section 402 of Sarbanes-Oxley, corporations are barred from making personal loans to officers or directors.

That creates a problem for executives who have borrowed from the company to buy a home and must sell it to relocate. Joe Rich, executive vice president at Clark/Bardes Consulting, illustrates the problem: “Let’s say you bought a $4 million ranch home in Palo Alto, and now it’s worth $3 million,” he posits. “The company moves you to Boston. Now you’re upside-down on that loan, and can’t get a new loan [from the company] in Boston.”

Still, the money can come from elsewhere. To help pay for housing, companies could offer new officers heftier signing bonuses and existing ones residence bonuses, according to Rich. Or they might buy executive housing outright and let officers live in it rent-free. Under Sarbanes-Oxley, however, the SEC might consider the free housing a loan, Rich cautions.

The loan prohibition could also create a whole class of embittered officers and directors: the folks who borrowed money to invest in company funds and stock before the equities market went kerflewy. Before Sarbanes-Oxley, a company could adjust the terms of the loan to keep an executive happy.

Post-Sarbox, such adjustments violate the act’s ban on arranging for or renewing loans, Rich notes. Of course, the company could always forgive the loan. Then again, given today’s scandal-ridden environment, maybe not.

5. Private companies aren’t immune to Sarbox.

The Sarbox loan ban also figures into problems that nonpublic companies can encounter under the act. Officer loans are common practice in private companies, particularly in single-owner outfits, notes Parson Consulting’s Rick Fumo.

The owners can continue to bestow largesse as long as they please — provided they don’t want to sell their holdings to a public company or launch an initial public offering. If private company owners do want to go public, they would have to see that the loans are paid back before an initial public offering, Fumo says. That could amount to a pretty penny for some officer/borrowers.

The internal-controls reporting required under Sarbanes-Oxley might also inhibit private owners not used to doing a whole lot of documentation from making a public offering.

Public company finance chiefs and their bosses, for their part, are sure to be probing the governance practices of private merger targets, says Fumo. “The due-diligence process will take on another level of significance and detail because there’s a higher price to pay for a mistake,” the consultant says. That, in turn, could leave finance managers at the acquiring company plenty embarrassed.