Risk & Compliance

A Tough Act to Follow

What CFOs really think about Sarbox — and how they would fix the *!#& thing. Including the results of our exclusive survey.
David Katz, March 15, 2006

Last November, a small group of Unica Corp.’s senior executives, lawyers, and auditors gathered over dinner in downtown Boston to celebrate the launch of the company’s initial public offering. Overall, they were pleased; the August IPO had raised more than $55 million in a tough market. But over drinks, the group began to engage in some good-natured bantering about the events of the previous year.

The road to the successful IPO had been challenging. Unica’s managers had raced through a road show in 12 cities in two weeks. Getting material ready for the filing registration process with the Securities and Exchange Commission had been almost as exhausting. The reason: Rick Darer, the company’s CFO at the time, says auditors had grown unwilling to draft disclosures responding to SEC comment letters in the run-up to the offering. Darer (who left the company earlier this year) thinks the auditors wanted to make sure the issuer — not the auditors — took responsibility for all disclosures, even though the audit firm signed off on the final prospectus.

Such wariness did not go unnoticed. At the dinner party, someone asked what kind of gift would be appropriate for the company’s external auditors. What present, they wondered, would best symbolize the accountants’ work on the project? Without hesitation, Darer piped up: “a set of invisible-ink pens.”

Grousing about external auditors is nothing new. Since the passage of the Public Company Accounting Reform and Investor Protection Act (aka, the Sarbanes-Oxley Act) nearly four years ago, finance managers have done a whole lot of complaining about their suddenly soured relationship with engagement partners. They have also grumbled about the massive amount of work needed to comply with Sarbanes-Oxley. And they have questioned whether the law will prevent another Enron or another WorldCom.

It appears those complaints are not going away, either. According to a poll of 237 finance executives conducted in early January by CFO magazine, widespread dissatisfaction with Sarbox has led to a real desire to change the law. A fair number of surveyed executives would be pleased if several parts of the act were jettisoned. Some managers, particularly those at smaller companies, would like to gut many of the measure’s provisions. Even those who said they believe Sarbox is beneficial would revise the statute in some fashion. And while 19 percent of the respondents said they’re happy with the law as it stands, Don Barger, the CFO of YRC Worldwide Inc., is more typical of how finance executives view Sarbox. “There have been benefits,” says the finance chief at the Overland Park, Kansas-based trucking company. “But the cost is not worth the benefit.”

Control Freaks

The costs are indeed substantial. AMR Research estimates that, by year-end, U.S. businesses will have spent $20 billion on Sarbox compliance since the law was enacted. On average, AMR estimates that companies are laying out about $1 million on Sarbox compliance for every $1 billion in revenues.

CFO’s survey shows an even greater hit to income. Finance managers at companies with annual revenues of $500 million or more indicated that Sarbox compliance had taken an average yearly earnings bite of more than 2 percent. Smaller companies were worse off. Respondents at businesses with sales of under $500 million said Sarbox compliance was devouring 4.5 percent of their earnings each year.

Much of that spending appears to be going for increased manpower — things like added internal auditors and extra accountants. Many of those employees are being used to document, test, and certify internal controls, as mandated by Sections 404 and 302 of Sarbox. The latter requires CEOs and CFOs to certify, based on their “knowledge,” the accuracy of all annual and quarterly reports, as well as the adequacy of internal controls over financial reports. Section 906 establishes criminal penalties for violators, with prison sentences running up to 20 years.

It’s fair to say the prospect of going to jail is hugely unpopular. “Nobody wants to take on any more legal liability,” says Eric Bur, CFO of NIC Inc., a government Website builder based in Olathe, Kansas. Not surprisingly, more than half of the respondents believe the certification threshold should be lowered from “knowledge” to “best of knowledge and belief.” About one in four would like to see the quarterly certification limited solely to changes in disclosure controls and procedures.

Those results suggest finance executives have real questions about the value of identifying and monitoring hundreds, if not thousands, of internal controls. Even regulators have commented on the massive documenting. In a speech given in December, SEC commissioner Paul Atkins noted that “people seem to be driven by the impulse to document virtually every process in an effort to be thorough and to avoid being second-guessed by regulators and litigators.”

Without a doubt, Section 404 wins as the most hated provision of Sarbox. Nearly three-quarters of those surveyed want to see it revised or repealed. Respondents at some smaller companies don’t think there’s any fixing it: 20 percent want the provision ditched entirely. Only 5 percent of all respondents believe Section 404 should be left as is.

Offered choices on how to fix 404, about 70 percent say they would like to see regulators raise the bar for “material deficiency.” Close to half want the attestation of internal controls performed once every three years, rather than annually.

This Is Only Attest

Certainly, many CFOs say they would like auditors to take a more sensible approach to testing. Rich Goudis, CFO of Herbalife International of America Inc., a Los Angeles–based weight-management company, wants auditors to abandon the checklist approach that forces clients to put the same level of effort into mending each risk. Instead, Goudis believes public filers should be able to proceed on the basis of “risk-based assessments.”

The major flashpoint of the argument is the way auditors attack 404. Some finance chiefs feel that the Public Company Accounting Oversight Board (PCAOB) has taken a heavy-handed approach to Auditing Standard No. 2, which instructs engagement partners on how to check their clients’ internal-controls reviews. As a result, CFOs say auditors test and retest internal controls to ensure their sign-offs are beyond question. Finance managers contend the prospect of auditor nit-picking forces clients into indiscriminate documentation of internal controls.

The PCAOB appears to be aware of the situation. In a November 2005 report on the initial implementation of AS2, the board criticized auditors who “did not alter the nature, timing, and extent of their testing to reflect the level of risk.”

By taking a one-size-fits-all approach to their testing, accountants apparently ignored the risk profiles of individual companies. “As a result, some auditors appeared to have expended more effort than was necessary in lower-risk areas,” the board stated, noting that “in some cases, a higher-risk area should have received more audit attention than it did.”

Robert Daleo, CFO of Stamford, Connecticut-based Thomson Corp., would like to see a little more specificity coming from the PCAOB. He believes the board should spell out “where the real pain points of cost and errors are.” Daleo notes, for example, that the PCAOB has stated that external auditors may rely on the work of internal auditors and others rather than retracing steps. But Daleo maintains that the board should say that auditors must rely on the work of others. By taking discretion out of auditors’ hands, he argues, the board would also relieve engagement partners of the temptation to test everything.

Other finance managers echo that sentiment. Indeed, 6 out of 10 respondents to the CFO survey said an auditor should be allowed to rely on the work of a client’s internal-audit staff when assessing internal controls. And close to half of the polled executives indicated they would alter AS2 to allow for greater input from independent auditors before the attestation phase. Says Donna de Winter, CFO of Waltham, Massachusetts-based Geac Computer Corp.: “We have to get to a practical position where [auditors] can provide you with advice without losing independence on all the numbers you represent.”

You Make the Call

That’s not likely to happen soon. Robert Kueppers, deputy chief executive of Deloitte & Touche USA LLP, counsels engagement partners to work with clients on technical issues but to stop just shy of providing them with the answers. The principle is simple, Kueppers says: while there should be “a robust discussion of the alternatives,” clients must arrive at their own conclusions.

The concept is spelled out in Section 103 and Section 201, which limits the types of services an external auditor can provide. That provision was intended, in part, to eliminate the type of clubbiness that led to problems at Enron and WorldCom, et al. But as CFO reported in “Fractured Fraternity” (September 2005), finance managers say external auditors even shy away from offering advice on topics that aren’t restricted by Sarbox, things like mergers and acquisitions and tax issues.

In practice, many finance executives miss their auditors’ advice. Two years ago, for instance, David Koeninger, CFO of Radiation Therapy Services Inc., in Fort Myers, Florida, sought information from his company’s auditor about how to calculate and report the sales of a minority interest in a business. To his surprise, Koeninger says he found the accountant suddenly tongue-tied. “Make your decision,” the auditor purportedly told the finance chief, “and we’ll tell you whether it’s right or wrong.”

Koeninger would like a more collaborative relationship. He believes independent auditors should be allowed to review a company’s work and offer their observations on it, rather than providing a certified opinion. If you just “require them to attest to completeness and accuracy,” the CFO adds, “you don’t get your money’s worth.”

What’s more, failure to get an external auditor’s imprimatur on internal controls can prove disastrous for a company’s shareholders. In mid-January, management at Take-Two Interactive Software Inc. announced that the company’s external auditor was going to issue an adverse opinion on the game maker’s internal controls. Within days of the announcement, the share price of the maker of “Grand Theft Auto” dropped more than 20 percent — from around $19 to less than $15 — and has not made up much ground since.

Such an excessive loss of market capitalization is not necessarily what legislators envisioned when they okayed Sarbanes-Oxley. Finance chiefs say the auditor-rotation provisions of the law are also causing unexpected problems. The requirement, detailed in Section 203, makes it illegal for a firm’s lead audit partner to service an account for more than five consecutive fiscal years.

Before Sarbox, lead partners typically worked on one account for 7 or 8 years. Apparently, a lot of finance chiefs would prefer to go back to the old arrangement: over a third of the polled executives indicated they would like to see Section 203 ditched or the rotation requirement eased (to every 10 years, for example). And a large chunk of respondents — 64 percent — would oppose any legislation limiting the number of years an audit firm could work with a client.

The reason? Changing audit partners (or audit firms) can be a messy, expensive business. Bringing in a new firm means paying the old firm for the use of the previous two years’ audited numbers. And quick switch-overs in engagement partners can disrupt smooth-running relationships, actually leading to — not reducing — errors. Says Bob Davis, CFO of Islandia, New York–based Computer Associates International Inc.: “A lot of audit failures happen when a new audit partner comes on an account.”

Further, some finance chiefs believe that reducing the length of service of an independent auditor also reduces that auditor’s value to the client. “Speeding up rotation does a disservice to us,” argues Ken Minor, CFO of Sonic Foundry Inc., a software-applications company in Madison, Wisconsin. “Our company has a history and knowledge” that takes time for an auditor to absorb.

All Curriculum, No Vitae

It will also take some time before auditors absorb all the guidance coming from the PCAOB and the SEC. In the interim, finance executives say the lack of auditor input, along with the evaluation of internal controls every three months, has placed a heavy burden on corporate finance departments.

Although CFO has reported on this development before, the survey sheds light on just how extensive the problem is. Fully 75 percent of the respondents said that complying with Sarbanes-Oxley has substantially boosted their workloads, with about half noting that Sarbox compliance has made their jobs less satisfying. Even more worrisome, nearly one out of four controllers in the survey indicated the added load has made them consider a career outside of finance. That’s a remarkable admission, especially considering that competent controllers are generally seen as key players in the battle against accounting fraud.

While damning, such responses do not mean finance executives see no good coming from their Sarbox efforts. Almost a third of the managers in the survey indicated that Sarbanes-Oxley compliance has actually been good for their careers. At Stamford, Connecticut-based Pitney Bowes Inc., Steven Green was promoted from finance chief of global mailing (the company’s largest business unit) to corporate chief accounting officer. A large part of his job is helping with Sarbox compliance. “I think most CAOs are happy to have Sarbanes,” Green says. “It gives them a greater degree of comfort regarding processes and controls.”

Compliance with Sarbox has also led Pitney Bowes management to rethink how it handles some business processes. CFO Bruce Nolop reports that 404 documentation accelerated the company’s plans to bring all of its accounts-payable and accounts-receivable operations under one roof, throwing off a reported savings of more than $500,000. Adds Green: “When you have the head of a business thinking about controls in addition to making money, that’s clearly a positive.”

As for Darer, he thinks Sarbox has restored much-needed credibility to the numbers companies produce. That, in turn, has made potential shareholders more willing to invest in companies that go public. Says the onetime Unica CFO: “They know [the companies] have to be at a certain standard of governance.”

Time will tell if their faith in that standard is well placed.

David Katz is deputy editor of CFO.com. Survey conceived by research editor Don Durfee.

Retooling Sarbox

The surveyed finance executives had lots of ideas on how to alter Sarbox; easing requirements for internal-controls testing topped the list.

Which of the following statements about Sarbanes-Oxley are true for you?
(Respondents allowed to choose more than one)
Complying with Sarbox has made my job less satisfying 49%
Sarbox has significantly increased my workload 75%
Sarbox has made me consider a career outside of finance 16%
Sarbox has elevated the stature of my job within the company 26%
Sarbox will be good for my career 29%
None of the above 8%
If Congress were to revisit Sarbanes-Oxley, what three provisions would you most like to see substantially revised or repealed?
(% ranking #1, #2, or #3)
Sec. 404 (internal-controls assessment) 74%
Sec. 409 (real-time issuer disclosures) 43%
Sec. 201 (limits on services audit partner can provide) 41%
Sec. 203 (audit-partner rotation) 28%
Sec. 302 (executive certification of financial reports) 24%
Sec. 406 (senior executive code of ethics) 10%
Sec. 806 (whistle-blower protection) 10%
None 19%
How would you revise Sec. 409 (real-time issuer disclosures)?
(Respondents allowed to choose more than one)
Go back to old deadlines 20%
Decrease the number of filing triggers 34%
Offer more-precise definition of material event 53%
Drop it 4%
Leave as is 23%
How would you revise Sec. 201 (limits on services audit partner can provide)?
(Respondents allowed to choose more than one)
Allow audit partners to provide a client with unlimited services 8%
Allow audit partners to provide some additional consulting services, but not tax 33%
Drop it 7%
Leave as is 48%
How would you revise Sec. 203 (audit partner rotation every 5 or 7 years)?
(Respondents allowed to choose more than one)
Require audit-partner rotation later (for example, every 10 years) 18%
Require audit-partner rotation sooner (for example, every 3 years) 9%
Drop it 18%
Leave as is 57%
How would you revise Sec. 302 (executive certification of financial reports)?
(Respondents allowed to choose more than one)
Lessen penalties for violations 8%
Require board members to also certify financial reports 15%
Allow executives to certify to best of knowledge and belief 55%
Have quarterly certifications apply only to changes in disclosure controls and procedures 26%
Drop it 2%
Leave as is 29%
How would you revise Sec. 404 and its related Auditing Standard No. 2?
(Respondents allowed to choose more than one)
Require attestation/remediation of internal controls less often (for example, every 3–5 years) 46%
Allow for greater input from independent auditor before attestation phase 48%
Drop requirements that auditors review management’s assessment of internal controls 22%
Allow auditors to rely more on work of internal auditors 60%
Raise threshold of what constitutes a significant deficiency 70%
Allow costs of 404 to be capitalized 11%
Drop it 12%
Leave as is 5%
Would you favor or oppose a proposal to require the rotation of audit firms?
Favor 20%
Oppose 64%
Not sure 15%
What one provision of Sarbanes-Oxley has been the most beneficial to your company/shareholders?
Sec. 404 (internal-controls assessment) 35%
Sec. 302 (executive certification of financial reports) 20%
Sec. 406 (senior executive code of ethics) 8%
Sec. 806 (whistle-blower protection) 7%
Sec. 201 (limits on services audit partner can provide) 3%
Sec. 409 (real-time issuer disclosures) 3%
Sec. 203 (audit-partner rotation) 0%
None 23%
What one provision of Sarbanes-Oxley has been the least beneficial to your company/shareholders?
Sec. 404 (internal-controls assessment) 24%
Sec. 203 (audit-partner rotation) 22%
Sec. 201 (limits on services audit partner can provide) 12%
Sec. 409 (real-time issuer disclosures) 11%
Sec. 806 (whistle-blower protection) 8%
Sec. 302 (executive certification of financial reports) 6%
Sec. 406 (senior executive code of ethics) 5%
None 11%
Do you think having to comply with Sarbanes-Oxley has affected your company’s earnings performance?
Yes 67%
No 33%
If yes, by what percentage?
All companies -2.9%
Companies under $500 million in revenues -4.5%
Companies with $500 million or more in revenues -2.1%
Source: Survey of 237 senior finance executives at companies complying with Sarbanes-Oxley