Risk & Compliance

CFOs: Risk Magnets

New certification and internal control requirements are heaping new hazards on finance chiefs.
Marie Leone, June 4, 2003

A few weeks before every quarterly close, John Adamovich receives 225 representation letters from 75 reporting locations in 30 countries. The letters come to Adamovich, the CFO of Pall Corp., from three sources: in-country general managers and controllers, operations committee members that have oversight responsibilities, and group controllers. In some cases, the letters are three or four pages long.

J.D. Edwards & Co. CFO Rick Allen collects about 75 rep letters from his managers every quarter, while John Hendrix, the finance chief at the smaller Cornell Companies Inc., reviews the same kind of upstream certifications from eight managers on a quarterly basis.

The flood of letters vouches for the validity of material financial and non-financial information bubbling up from each company’s far-flung operations. Getting such testimonials became imperative after July 30, 2002. On that day, Pres. Bush signed into law the sweeping Sarbanes-Oxley Act, which was intended to restore public confidence in corporate accounting. Toward that end, Sarbox requires executives, among other things, to certify financial statements (Sections 302 and 906) and verify that internal control systems are adequate (Section 404).

Whether the wide-ranging provisions of Sarbanes-Oxley actually keep corporate corruption in check remains to be seen. In a recent poll of finance executives conducted by Parson Consulting, only 6 percent of the respondents said they thought the law would curb accounting abuses.

The burdensome requirements spelled out in the law may curb CFOs’ enthusiasm for their jobs, however. One headhunter recounts a job-hunting finance chief who told him, “[Since Sarbox], being a CFO just isn’t as much fun anymore.”

Adamovich, Allen, and Hendrix, for instance, all say they’ve started requesting upstream certification of data to satisfy sections of the new legislation — an onerous task. And all are looking hard to see if their internal controls pass regulatory muster. “There are no ifs, ands, or buts,” notes Adamovich. “We have to comply with Sec. 404, and in the short term, that’s our main focus.”

Anything less would be short-sighted. A slew of experts, including lawyers, risk managers, auditors, and finance chiefs, all say CFOs are clearly charged with managing the law’s daunting mandates — and the attendant risks that come with them. “[Sarbanes-Oxley] increases some risks for CFOs, at least for those who take their job seriously,” notes Allen of J.D. Edwards. “But risks have always been there.”

Maybe so. But these days, all roads seem to lead to CFOs. Indeed, in the Parson survey, 58 percent of the executives polled said they expect the company finance chief to bear the primary responsibility for overseeing the entire compliance effort. And with that responsibility comes liability — a lot of it. “CFOs are in a more precarious position [since Sarbox was passed],” insists John Challenger, of outplacement firm Challenger, Gray & Christmas Inc. “They are in the direct line of fire, and can wind up as a scapegoat.”

The scope of Sarbanes-Oxley alone should worry CFOs. As John Tonsick, managing director at risk consultancy Citigate Global Intelligence and Security, points out: “What CFOs are now being asked to certify is very broad.”

The Hours

Then again, some of the provisions of Sarbanes-Oxley are quite well-defined. A CFO convicted of signing off on misleading or inaccurate financial statements, for instance, will be subject to a fine of up to $5 million and a prison sentence not to exceed 20 years.

But Congress’s draconian punishment for rogue CFOs is more PR than IR — the legislators’ way of looking like they’re getting tough on corporate crime. In short, a headline grabber.

What doesn’t generate headlines is that Sec. 404 requires a company’s CFO and CEO (and external auditors) to vouch for the effectiveness of internal control procedures for financial reporting. Says Richard Rubin, an attorney with Jenkens & Gilchrist: “The real issue regarding certification resides in Sec. 404 requirements that call for attestation of internal controls by executives and auditors.”

Indeed, Sec. 404 mandates continuous monitoring, testing, and appropriate improvements to internal controls processes — a much more onerous and complicated task than keeping tabs on disclosure controls.

Moreover, that trio of internal control controls is interrelated. In fact, Deloitte & Touche Partner Steven Wagner says he wouldn’t be surprised if the Securities and Exchange Commission turns the triad into a single certification by the end of the year.

Such a move would likely heap more work on already-overworked finance executives. In the Parson survey, 66 percent of the respondents said they’re spending more time on risk assessment than in the past.

To handle this extra work wrought by Sarbox, some finance chiefs are adding staff. John Cox, CFO of BMC Software, Inc., says the Houston-based software vendor added two new full-time positions to the 400-strong global accounting staff to help with the increased disclosure. BMC has also added another staff member to the company’s 12-person internal audit team.

With the recession still on, however, not all CFOs will be eager — or able — to staff up their finance departments. Rick Fumo, executive vice president at Parson, predicts that over the next few months, the workload for corporate finance departments at mid-size and large companies will increase by two hours per week for each staffer, thanks to Sarbox compliance requirements. He expects senior financial executives to put in three more hours per week because of the legislation.

Three hours a week may not sound like much. But assuming a typical CFO works from 8 a.m. to 6 p.m., that’s another 15 days of work per year. Shoe-horning three additional business weeks into an already cramped schedule means CFOs may need to show some ID to get into their own homes.

In This Corner

Of course, spending long hours at the office is nothing new for finance chiefs. What is new: trying to cope with accounting requirements that seem more concept than concrete. According to the Parson Consulting survey, fully a quarter of the finance managers polled said that Sarbox is “very confusing.”

Some of the uncertainty comes from lack of SEC guidance, argues BMC’s Cox. He notes that the legislation was passed in rapid fashion as politicians pushed policy through to restore investor confidence quickly. “It’s unfathomable that all the Sec. 404 rules will be finalized by September — and companies will be in compliance by the end of the year — without SEC guidance,” says Cox.

Deloitte & Touche’s Wagner, who is also co-leader of the firm’s Sarbanes-Oxley Sec. 404 steering committee, figures that the SEC will weigh in on some Sec. 404 issues by the end of May. So far, though, he says final rules are a moving target.

That’s not good news for the folks doing the shooting. What’s more, attempts to comply with Sarbox are triggering some unexpected problems. For one thing, the new regulatory regimen is changing trusted business partnerships, asserts Robert Williamson, chairman and CFO of CityMerch Corp. in Miami Beach. Says Williamson: “The relationship between CFOs and external auditors has become more adversarial.”

By Williamson’s lights, this tilting of the auditor/client relationship is the most dramatic corporate event for finance chiefs since the Enron fiasco.

You don’t have to tell that to Keith Gorman. Gorman, former CFO of Universal Health Services Inc., was fired in February over a row with company auditor KPMG about certification of the auditor’s management representation letter.

Gorman, a 16-year company veteran, reportedly wrote a candid letter to KPMG explaining that, while he was willing to sign the management rep letter (attesting that the financial statements he submitted for audit were, to the best of his knowledge, accurate), he was relying on the Big Four firm to ensure that the accounting treatment was in accordance with GAAP. Turns out that Gorman, who has a reputation on Wall Street for being “brutally honest about coming forward with the good and bad news,” was a bit too straightforward this time.

By admitting that he was leaning on KPMG for accounting treatment advice, Gorman lived up to the spirit of Sarbanes-Oxley — if not the letter of the law. But his candor cost the Universal Health CFO his job. “Gorman was fired for his temerity,” asserts Williamson, adding that the finance chief “said publicly, what other CFOs say and think privately.”

But Universal Health is not the only example of the souring of the auditor/client relationship. In April, Amerco Inc. sued its former auditor, PricewaterhouseCoopers, for seven years of alleged bad advice on how to properly account for special purpose entities.

Swimming Upstream

Clearly, a retooling of internal finance processes — not to mention external relationships — will take time.

Everett Gibbs, managing director of financial consulting specialist Protiviti Inc., says that most companies have a certification process in place. But he claims the maturity of the programs varies. In fact, Gibbs predicts it will take many companies up to two years to bring their compliance procedures in line with Sarbanes-Oxley.

At Pall Corp., CFO Adamovich is taking a three-prong approach to Sarbox compliance. First, he’s working on improving the reporting from the financial and operations side of the business. Second, he’s encouraging thorough disclosure committee discussions (the Sarbanes-Oxley Act requires the formation of such groups). And finally, Adamovich says he’s requiring upstream certification of financial data.

That’s not uncommon. In an attempt to create a paper trail, most CFOs appear to be insisting on certification of financial and operating data from other managers and department heads.

While upstream certification doesn’t guarantee that CEOs and CFOs won’t be hearing from the SEC, experts say the process does show a good faith effort to ensure correctness.

But even upstream certification has its limitations. Rubin of Jenkens & Gilchrist points out that a sign-off has to be properly targeted so the manager certifying reports is privy to the work being performed. In addition, Rubin says controls must ensure that the reports are actually being read and reviewed, and not just rubber-stamped. Rubin believes upstream certifications should be designed to force employees to think about the materiality of entries.

Even then, senior executives are still required to address exceptions that managers list on the lower-level certifications. What’s more, Rubin says they’re still obliged to resolve any conflicts that might mislead investors or omit material information.


Not surprisingly, all this certifying and addressing and resolving has many CFOs flat-out worried. The fact is, nobody in finance land is exactly sure what Sarbox landmines await, or where — or whether the SEC will aggressively enforce the law’s provisions.

For his part, Parson’s Fumo believes many of the best practices for handling the new risks will emerge from peer group discussions facilitated by auditors and other financial consulting firms. That’s particularly true for small and mid-size companies which don’t have accounting staffs big enough to juggle accounts payable, new GAAP guidance, and internal controls design.

In fact, CityMerch’s Williamson suggests that such companies should consider hiring a third-party accounting firm to mitigate certification risks. “During the audit season last year, it seemed like the SEC changed rules once a week,” explains Williamson, who was at the time CFO of Vfinance Inc., a small public financial services company. “8-Ks were flying out the door because the SEC was asking companies to resubmit filings based on the new rules.”

According to Williamson, there was no way he could physically keep up with the changes, plus tend to his CFO duties, without the help of outside accounting counsel.

So Williamson brought in Ahearn, Jasco + Co., an accounting firm that also did Vfinance’s tax work. Interestingly, Frank Jaumont, a partner at the audit and financial services firm, says that Sarbox compliance is really hurting companies in the $30-million-and-less revenue range. Why? Because CFOs at those companies focus on operations and raising funds, rather than non-revenue producing activities such as tax accrual schedules or MD&A drafts to explain new events.

Since the passage of Sarbox, the 25-person Florida-based accounting firm has taken on the role of accounting advisers for four new clients. The price tag for hiring a second accounting firm is not cheap, however — about $150,000 annually, says Jaumont. For the fee, a company generally gets an SEC audit partner, a tax attorney, and an audit staff with internal audit expertise.

I Believe You Know My Attorney

Ultimately, however, it’s the CFO’s signature — and not a consultant’s — that goes on the quarterly and annual certification forms sent to the SEC. And consultants aren’t likely to go to jail or lose their homes if they proffer bad advice to CFOs. A finance chief who signs off on a moderately inaccurate 10-K…well…who knows?

Ironically, Tom Malone, CEO of Portland-based SRC Software, thinks the added risks now shouldered by CFOs will eventually lead to higher salaries for CFOs. “No one is ignoring the fact that risk exists,” he notes. “And executives expect different compensation because of it.” Malone thinks compensation negotiations will focus more on severance triggers and parameters than salary, however.

Others say it’s too soon to tell whether CFOs will command larger salaries because of Sarbox risk. But John Wilson, president and CEO of J.C. Wilson Associates LLC, a recruitment firm that specializes in CFO searches, confirms that finance chiefs are looking for “either protection, reward, or both,” since Sarbox became law. “A CFO knows that his net worth can be wiped out by one bad scenario,” says Wilson. “So he wants assurance.”

An exaggeration? Possibly. But consider this: Wilson notes that an increasing number of CFO candidates are bringing in lawyers to scrutinize employment contracts. “[CFOs] are more serious and more on guard than ever before,” he claims. “They are poring over details about employment terms and conditions, severance, causes for dismissal, and offer letters.”

And backing off if they don’t like what they find. Wilson says finance executives appear reluctant to snatch up coveted CFO positions these days, even with the lousy job market. In part, he believes the hesitance comes from newfound concerns about accountability. Says the recruiter: “Personal liability always trumps a bad market.”