Risk & Compliance

Feeling the Pain

Are the benefits of Sarbanes-Oxley worth the cost?
Tim Reason, May 1, 2005

Bob Ross used to love his job as controller of clothing and housewares retailer Urban Outfitters. Today, he says, “I have no passion for this at all. If something doesn’t change soon, I’ll have to throw in the towel.”

Ross says he now spends his days “documenting countless procedures and processes, which to most employees of this company are second nature.” Section 404 of the Sarbanes-Oxley Act, which requires companies to document their controls, cost his company at least a penny per share in 2004, he says, and turned his job into “a struggle to explain common sense.”

“I implore our lawmakers to repeal the internal-control requirements of 404,” wrote Ross in a recent, heartfelt comment letter sent to the Securities and Exchange Commission.

Wrong crowd, right address. If companies get any relief from 404, it will come not from Capitol Hill, but from the SEC.

Last month saw a veritable orgy of regulatory navel gazing—including an oversight hearing by Rep. Michael G. Oxley’s (R-Ohio) Financial Services Committee scheduled for April 21. But the main event was an SEC roundtable in which businesses vented their frustration with 404. (Ross, ironically, couldn’t make it, because he was putting in 18-hour days to prepare his company’s 10-K.) Any changes to 404 rules that result will depend heavily on SEC chairman William H. Donaldson and, to a lesser extent, his counterpart at the Public Company Accounting Oversight Board (PCAOB), William McDonough.

Strong Supporters?

Chalk up this concentration of power in part to the government’s unified front just as the first big wave of 404 certifications began rolling in. The normally business-friendly White House has been noticeably silent on the issue. And Oxley and Sen. Paul Sarbanes (D-Md.) shut down any suggestion of legislative changes during a joint appearance at Georgetown University on March 10. “Most CFOs I talk to can quote [the act’s] cost down to the dollar,” said Oxley. “Actually, they’ll quote it down to the dime.” But, he argued, that cost “is an investment in the strength of the United States capital markets.”

“The voices calling for a rollback of portions of Sarbanes-Oxley, citing Section 404 as the poster child for overregulation, are shortsighted,” Donaldson wrote in a Wall Street Journal op-ed piece on March 29. On the facing page, Oxley himself also took issue with “the pro-business voices now loudly calling for rollback.”

But exactly whose voices are these? Certainly, Ross begged for a repeal of 404 in his comment letter (which, he says, was originally intended for his senator). And a survey released March 22 by executive search firm Christian & Timbers claims a third of 186 executives at Fortune 1,000 companies favor repeal of Sarbox.

Yet, in the week before Donaldson’s and Oxley’s comments appeared in the Journal, not a single major business or finance association contacted by CFO would admit to any legislative effort to repeal or even change the act. Quite the contrary, most were quick to describe themselves as strong supporters.

“We were one of the few business groups to support the act,” says Financial Executives International (FEI) president and CEO Colleen Cunningham. “[Sarbox] itself doesn’t require any change.”

“The Business Roundtable supported [the act],” echoes Thomas J. Lehner, director of public policy. “There is no desire to open up the legislative process.”

Observers who point to the Financial Services Roundtable as aggressively supporting a rollback are mistaken, says president Steve Bartlett. “We supported the act’s creation, and we support it today.”

Maybe Donaldson’s and Oxley’s references were aimed primarily at U.S. Chamber of Commerce president and CEO Thomas J. Donohue, who publicly fulminated about both 404 and the SEC’s aggressive enforcement practices earlier in the month. “The pendulum has swung too far,” intoned Donohue — 10 times — while speaking about 404 to the Securities Industry Association on March 3.

Wishing Carefully

Yet, even Donohue professed the Chamber’s support for “many provisions” of Sarbox, and stopped short of calling for repeal, even of 404. Those who claim the Chamber is agitating for congressional repeal or changes are “incorrect,” insists David Chavern, director of the Chamber’s Corporate Governance Initiative.

What’s this? Has the business lobby rolled over? After all, it continued to find plenty to complain about in the past two months. According to a March survey of 106 large-company CEOs who belong to the Business Roundtable, nearly half said Sarbox and other new compliance requirements would cost in excess of $10 million annually. An FEI survey the same month of 217 public companies with average revenues of $5 billion pegged the average 404-compliance cost alone at $4.36 million. Almost all — 94 percent — said the cost of compliance exceeded the benefits.

Investors don’t necessarily agree. “Obviously, to the extent 404 impacts earnings negatively, it’s a concern,” says Cynthia L. Richson, corporate governance officer for the $64.5 billion Ohio Public Employees Retirement System (OPERS). “On the other hand, who is measuring the cost of corruption and accounting scandals we’ve been through? Some cite that as contributing to a $7 trillion, even as high as $9 trillion, collapse in the capital markets.”

Indeed, observes the PCAOB’s McDonough, “the reason this legislation is so tough is because the American people rose in fury. They believed corporate leadership in America had let them down, which I believe [is true].” Sarbox, he points out, passed the Senate unanimously, and missed unanimous House passage by just three votes.

It is those numbers that best explain the muted response of business groups and individual company executives. The Business Roundtable, observes Lehner, “knew investor confidence was shaken and a lot had to be done to restore it.”

There is, however, a massive effort under way to convince rule makers that their interpretation of Section 404 has gone far beyond what is needed to restore investor confidence. “The SEC and the PCAOB get lobbied just as much as Congress these days,” notes Lehner. In fact, he says, their narrow focus may be preferable to the reactionary tendencies of Congress. “Any time you open up a piece of legislation, you do run a risk. You could end up with something you didn’t anticipate.”

Congress devoted just 168 words to Section 404, notes the Chamber of Commerce’s Chavern. “There are a lot of links in the chain between those 168 words and the $10 billion to $20 billion being spent to comply,” he says. “They include SEC rulemaking, and most particularly PCAOB standard-setting and how audit firms are putting those standards in place.”

Litany of Complaints

So exactly what changes would the business world like to see from the SEC, the PCAOB, and auditors? Perhaps the top complaint about 404 is that auditors must opine on management’s own assessment of internal controls. Since auditors already issue their own opinion about internal controls, that second auditor’s opinion is widely considered by business to be a duplicative and unnecessarily costly addition.

Not so, counters OPERS’s Richson. “Investors think that extra step is very much an important piece of making sure there are no weaknesses in controls,” she says, noting that investors have not forgotten the way auditors “rubber-stamped” management representations in the past. Indeed, former SEC chief accountant Lynn Turner noted during the roundtable that management at 87 percent of companies announcing material control weaknesses had previously certified the effectiveness of their controls.

All debate aside, the audit opinion on management’s assessment is one of the very few requirements actually spelled out by Congress in the original legislation, making any change highly unlikely.

Beyond that, however, many of the concerns expressed by CFOs arise from PCAOB Auditing Standard No. 2 and the resulting behavior of auditors. As its name implies, AS2 was written for auditors. But with few other sources of guidance, auditing standards have become “‘back-door’ management requirements,” as Alamo Group internal-audit director Dennis M. Stevens noted in his comment letter. Regulators have certainly indicated a willingness to consider changes to the standard if necessary. “The board’s interest is not in preserving the very first version of this standard for all eternity,” says PCAOB associate chief auditor Laura Phillips.

“Are things being done that are unnecessary? My guess is yes,” said McDonough at a Harvard Law School panel on regulation on March 7. “It is insane for small companies to have the same internal controls as General Electric.” The SEC roundtable, he says, is an opportunity to learn. “Then we — the SEC and the PCAOB — have to figure out how to do as much as we can administratively.”

But before any changes take place, regulators will have to decide whether the fault lies with AS2, or with the auditors who apply it. Irritation with the auditors’ indiscriminate approach to all controls regardless of risk ran high during the April 13 roundtable, a sentiment compounded by the auditors’ refusal to provide any advice or counsel for fear of violating independence rules. AS2, notes the FEI’s Cunningham, “states throughout the standard that the auditor needs to use judgment. But the auditors were terrified to use judgment.”

That issue was high on the PCAOB’s agenda for the roundtable, says Phillips, who wondered in advance whether auditors are “taking advantage of the flexibility the standard was designed to provide.”

The answer, most CFOs would say, is no. The most mundane and frequently cited example is the emphasis on signing or initialing control documents as proof that a control actually worked. “We believe AS No. 2 properly outlines…appropriate tests of controls,” Plum Creek Timber Co. CFO William R. Brown told the SEC. In practice, however, Brown and others say auditors focus largely on documentation, doling out deficiencies for missing paperwork or initials even if the control in question is working.

“Some of it is just silly,” agrees Mike Coke, CFO of AMB Property Corp. “If you have proof the review happened, why do you need to keep a piece of paper?” Santa Fe, New Mexico-based Thornburg Mortgage told the SEC that auditors noted a deficiency because there was no record of the installation of the company’s up-to-date antivirus software.

“We need to deal with the real possibilities of management override and financial-reporting risk,” argues Computer Sciences Corp. (CSC) chief financial officer Leon J. Level, who put reducing unnecessary levels of documentation high on his list of recommendations to the SEC. “Making sure every piece of paper is initialed before handing it over to auditors doesn’t change the likelihood that financials are fairly presented. Initials don’t prove anything. If you have massive collusion, you can have fraud.”

To CFOs, all this signing of documents feels more like punishment — the equivalent of writing “I will not commit fraud” 100 times. Yet regulators like the basic concept of sign-offs and certifications, if only because they believe they help assure accountability. After all, it was the SEC that first proposed requiring CEOs and CFOs to certify financial statements in June 2002 — six weeks before Sarbanes-Oxley Section 302 made it law. More recently, the unfolding American International Group Inc. (AIG) scandal prompted the New York State Insurance Department to require insurance company CEOs to certify the economic legitimacy of certain transactions that can be used to manipulate financial reporting.

The FEI’s Cunningham hopes that a reasonable approach by the PCAOB as it begins to inspect auditors’ work will eliminate such overkill. “It’s the first time the auditors are being regulated, and the inspection process from the PCAOB will drive their behavior.” At the roundtable, McDonough promised “evenhanded” inspections. “It is at least as likely that we will find that the work [auditors] did was excessive as it was inadequate. Now, will we throw someone in jail for an excessive audit? Not likely. However, will we have a very severe conversation with the management of that audit firm? You bet.”

Bright Lines

Another major concern for CFOs is the definitions of “significant deficiency” and “material weakness.” “This was the great unknown,” says AMB’s Coke. “What is a significant deficiency, and how do you aggregate [those deficiencies] to become a material weakness?”

There are no specific figures in the auditing standard. But CSC’s Level and his staff parsed the accounting world’s definitions of “inconsequential” and “remote” to conclude that auditors would define a significant deficiency as one that had a greater than 5 percent chance of resulting in a misstatement of one percent of earnings before taxes. Coke says he arrived at the same conclusion. But, he adds, “one percent of net income would have been a penny and a half a share, and I think in terms of pennies, so we ended up going with a more conservative threshold.” Either way, Level says the threshold is too low, causing companies and auditors to spend far too much time on minor issues. “In a lot of cases, we are looking at deficiencies that are quite unlikely to result in a misstatement,” he says.

That’s a widely held sentiment. A less onerous definition of “significant deficiency,” says Level, would do more than any other change to reduce the cost of 404. But is that likely? When it comes to materiality, let alone a material weakness, the SEC has long eschewed bright-line tests. And while Level claims to want principles-based guidance, his own exercise shows how quickly auditors tend to put a price on a principle.

Moreover, any effort to raise the threshold on internal controls could be seen as weakening 404. “I believe [costs are] heavy because firms are repairing corporate infrastructures that have been neglected for years,” Jack T. Ciesielski, publisher of The Analyst’s Accounting Observer, told the SEC. Not every material weakness he has seen reported “pointed to a future financial meltdown—but I’d have to say every weakness I’ve noticed would have raised concerns about the reliability and fairness of published financial information if they went uncorrected….”

Ciesielski and OPERS’s Richson note that companies have been responsible for maintaining controls since the Foreign Corrupt Practices Act of 1977, a point echoed by Alan Beller, head of the SEC’s Corporation Finance division, during the roundtable. “The complaints ring hollow,” wrote Ciesielski. “If there is supposed to be an adequate internal-control system in place already, and it costs so much to comply with Section 404, how adequate was the system before?”

Nonetheless, both the SEC and the PCAOB already have shown a tendency to respond to certain corporate concerns. On March 2, the SEC announced a one-year extension of the 404 deadline for foreign firms and small companies with a market cap of less than $75 million.

“I have great sympathy for the small and midsize companies that in some cases actually have very good internal controls, but are much less formal than a large, complicated company,” the PCAOB’s McDonough told CFO in August 2004.

On March 31, the PCAOB proposed a new standard for companies that have fixed a material weakness. If it is adopted, those companies could hire an auditor to attest to the fix immediately, rather than waiting until year-end for an auditor to confirm the company’s assertion. That doesn’t actually change any existing rules, but it does show an understanding of the corporate need to reassure investors.

Whither the Regulators?

Still, it’s far from clear how all this will play out. Both Donaldson’s and McDonough’s constant references to small companies are likely small consolation for executives like Urban Outfitters’s Ross, whose company is small by retail standards, with 142 stores, but has a market cap of $3 billion. Yet “concessions for small business” don’t make Richson happy, either. “Research I’ve looked at suggests small business is oftentimes a higher risk,” she says.

“The benefits of Sarbanes-Oxley are only just starting to show up,” insists Richson. “The business community is really pushing hard on this, and I understand why. It’s an expensive change. But just focusing on the dollars is really shortsighted.” As for changes, Richson is unequivocal. “At a minimum, the SEC should leave everything alone for at least the next year.”

Donaldson’s and McDonough’s public comments to date suggest they intend to respond rapidly to the comments delivered at the roundtable. But they seem far more likely to offer additional guidance and clarifications than to alter or eliminate existing requirements. Even before the roundtable, there were hints that the SEC and the business community may have very different expectations. CSC finance chief Level initially wrote to the SEC that “we are encouraged” by the SEC and PCAOB’s decision to solicit feedback, as well as by statements from Donaldson and his staff. In a follow-up letter written after Donaldson’s Wall Street Journal op-ed appeared, Level insisted that CSC does not want nor expect a legislative rollback. But, he worried, the op-ed “left us with the impression the commission may not be fully receptive to constructive suggestions regarding refinements and improvements.”

Then there is the question of the commission itself. In a February 24 speech, Republican commissioner Cynthia Glassman noted, “I have been concerned from the beginning that Section 404 would become an expensive, short-term, check-the-box exercise.” By contrast, at the March 7 event at Harvard, Democratic commissioner Roel C. Campos was far more sanguine, noting that he expected the cost of 404 compliance to go down in subsequent years. “We’re not at all certain that’s the case,” says the Business Roundtable’s Lehner.

The business community may well be out of luck if Donaldson is less receptive to suggestions than it hopes. Not only is he the SEC’s chairman, he’s also the swing vote between the two Republican and two Democratic commissioners. And while McDonough has made sympathetic noises, any changes the PCAOB makes must be approved by the commission.

“I was skeptical that we would even get any movement on this,” says AMB’s Coke. “But I actually am hopeful that they may listen and say let’s do version 2.0.”

If not, there’s always Capitol Hill. Says Lehner: “If these [cost] numbers continue to increase, that’s something we would revisit.” Echoes Bartlett of the Financial Services Roundtable, “Our focus for 2005 and 2006 will be on regulatory and implementation changes. When we get closer to completion on that, we can revisit the legislation.”

Tim Reason is a senior writer at CFO.

The Coming Tax (Department) Hike

Of the 223 companies that have so far reported material weaknesses in their internal controls, more than a third — some 88 companies — cited tax as the area of deficiency.

Unlike accounts payable or other system-driven processes that are easy to document, notes Brad Brown, KPMG’s national tax leader for Sarbanes-Oxley 404, “tax is a nonsystem-driven, nonroutine activity that is highly open to human error.”

While some of Enron’s schemes involved dodgy tax treatments, tax is not traditionally considered a likely source of financial-statement manipulation. “It’s not a high fraud area,” notes Brown, “but it is high risk. In many companies, the tax charge will be a third of the cost basis.”

With a 40 percent effective tax rate, says Urban Outfitters controller Bob Ross, “if there were an error in tax, it would definitely have a material impact.” That, he says, makes auditors jumpy. State tax departments and the IRS, “who look at taxes in their own interest, have given us a clean bill,” he says, “yet we do see an awful lot of recommendations for deficiencies in this area.” His response? “I go back and say, ‘Your recommendations don’t mirror real life.’”

Ross has yet to receive a final list from his auditors, but many of the tax-related deficiencies already reported for other companies revolve around lack of skills and resources within the tax department. Ironically, this is partly caused by Sarbanes-Oxley itself, with auditor-independence rules severing many existing relationships between companies and their traditional tax advisers. The bottom line? “Often there’s a business case that wasn’t there before for increased head count or more resources for IT” in the tax department, says Brown. —T.R.

What CFOs Want

The Securities and Exchange Commission received a variety of suggestions aimed at reducing the cost and burden of Section 404 of the Sarbanes-Oxley Act. Many were general criticisms of 404’s perceived failings, such as suggestions to focus testing on high-risk controls, create a tiered compliance system for companies of different sizes, and improve integration between financial and control audits. Below is a sample of various concrete suggestions pulled from comment letters submitted to the SEC by CFOs or other financial executives.

The Common Suggestions:

  • Eliminate the external auditor’s opinion of management’s assessment of internal controls.
  • Reduce dependence on initialing and dating of documents as proof that a control was effective.
  • Raise the threshold of what constitutes a significant deficiency and provide a bright-line test.
  • Allow rotational testing—say, three years for manual controls or five or more for IT systems, if they have not changed.
  • Allow interim testing throughout the year.
  • Change or reinterpret independence rules to allow auditors to give more guidance to clients.
  • Allow external auditors to rely more on the work of internal auditors.
  • Create a tiered compliance system, and base it on the number of employees or asset size rather than market cap.

Other Suggestions:

  • Allow costs associated with 404 to be capitalized.
  • Allow management to choose not to correct a significant deficiency, without automatically elevating it to a material weakness.
  • To avoid the equivalent of an internal 404 effort on a quarterly basis, specify that the quarterly certifications required by Section 302 need only certify to any changes in disclosure controls and procedures — or allow CEOs and CFOs to certify “to best knowledge and belief.”
  • Extend the one-year grace period for testing controls of acquired companies to other major changes, such as bringing an outsourced procedure back in-house.

Source: SEC comment letters submitted in advance of April 13 Roundtable on Section 404.