Monday, February 28, 2005
Are We Finally Finished? Ongoing Sarbanes-Oxley Activities for Internal Auditors
By Robert Moeller
March 2005 — Many internal auditors are just now experiencing their first full year of helping their organizations comply with Section 404 -- the internal control reviews -- of the Sarbanes-Oxley Act (SOX). This has been a difficult experience for many internal auditors. Some have been very busy drafting test plans and helping their organizations achieve Section 404 internal compliance while others have stood on the sidelines as hordes of expensive consultants arrived to complete the work.
In either event, internal audit often did not have the attention of management to effectively perform their ongoing reviews of internal controls and other audit activities. For many, this first year of achieving Section 404 compliance has been a difficult and time-consuming task. And it is not over quite yet.
Even if they were not heavily involved with that first year of SOX Section 404 work, internal auditors are ideal catalysts to help their organizations to reevaluate and somewhat rethink that first and often very hard year of effort. Some SOX-related internal audit projects to help make the next year a perhaps a little more painless for an organization include:
I. Auditing the Section 404 Compliance Project – Lessons Learned
No matter what their role during the first round of Section 404 compliance work, internal audit should launch a "lessons learned" type of evaluation audit covering the overall SOX project but with an emphasis on the Section 404 work. Internal auditors often perform similar types of reviews such as an audit of the results of an IT disaster recovery test. These are not audits – to use that old line – to visit the battlefield after the battle to shoot the wounded. Rather, this is the type of audit where internal audit should rely on its project oriented skills and abilities to look at what happened and how it could be done better in the future. Even if the SOX Section 404 project went extremely well, this is a time to consider what could be done more efficiently and effectively in the future.
The Section 404 project should have been managed similar to any other major project activity, such as for the installation of a new information system. This would include a definition of the tasks to be accomplished, documentation describing how the various project elements are linked together, some type of progress reporting process, and a mechanism to keep track of the time and expenses. Internal audit should look at this past 404 exercise in terms of how the project was managed and to identify a series of "lessons learned."
II. Cleaning up Reported Control Deficiencies
Almost all organizations ended up with a list of control deficiencies, ranging from major to minor as part of their Section 404 work. After the initial work was completed and assuming there were no major items on this list, it becomes easy to forget them until "next time." However, that next time will soon arrive. Internal audit can perform a real service to management by taking responsibility for this deficiency reporting process. This is very similar to the process of following up on the status of internal audit report findings and recommendations. This is a natural ongoing activity for any internal audit group.
III. Keeping SOX Documentation Current
Many organizations completed their 404 work with a mixture of hard and soft -- paper and computer systems based -- documentation that often was not organized all that well. A plant controller at a remote location, for example, may have ended up with several three ring notebooks of documentation placed in the controller’s office. That arrangement works as long as that same controller stays on the job. However, we all know how often organizational charts and people change. Internal audit should review the existing documentation retention standards, determine that all key processes have been covered, and then perform some limited tests to determine that the documentation is still in place. It is far better to know where things are located at present than to have to do a frantic search for the next round of Section 404 work.
IV. What did it Cost?
Virtually every organization soon found that the entire compliance exercise was very expensive. However with the tight due dates and many outside consultants involved in the process, there often was little attention given to monitoring the cost of this project. Internal audit might perform a real service to management by performing an audit of the costs associated with this compliance. They may find such things as departments that charged totally non-applicable expenses to their Section 404 project. In any case, such an after-the-fact audit will allow financial management and the audit committee to have a better understanding of the costs associated with SOX going forward.
V. Initiating a Continuous Improvement System
Audits of the past SOX Section 404 work will be much more valuable if those "lessons learned" can be turned in to some positive suggestions for improvements. Internal audit should initiate an ongoing process to work closely with the audit committee, financial management and their external auditors to improve the process as we move in to the future.
VI. Internal Audit’s SOX Role Going Forward
The basic requirements of Sarbanes-Oxley and its section 404 will certainly not change all that much in the short term years. Things hopefully will be less focused on paperwork and more on substance, but organizations will soon be faced with another round. Since much of the documentation has been done, things should be easier going forward. Internal auditors should keep themselves very aware of this process and its ongoing changes. Rather than bringing in teams of outside consultants, who are difficult to locate in future period, they should consider taking a more active and ongoing role in many aspects of SOX compliance.
posted by Brian Moran @ 2:44 PM
Friday, February 25, 2005
Witness: Scrushy Advised 'Hang in There'
Fired HealthSouth CEO Richard Scrushy gave a pep talk to a subordinate involved in a scheme to inflate earnings at the rehabilitation giant, instructing him to "hang in there," according to testimony at Scrushy's trial.
Former assistant controller Ken Livesay, one of 15 executives to plead guilty in the scheme, said Thursday that Scrushy told him: "We're not going to have to do this forever."
But Scrushy didn't explicitly mention fraud, Livesay said. The testimony came on his second day on the stand at Scrushy's trial on corporate fraud charges.
By early 1999, after about 2 1/2 years of inserting bogus numbers into HealthSouth's books to inflate earnings, Livesay said he had developed psoriasis linked to stress. He said then-finance chief Mike Martin arranged a meeting for him with Scrushy.
Livesay said Scrushy told him: "`I know you've been working hard, I really appreciate it. We're not going to have to do this forever.'"
Scrushy talked about a plan to sell HealthSouth and said they would all "make a lot of money."
"`We can all go to the lake and retire,'" Scrushy said, according to Livesay.
Livesay left the accounting department and moved to information technology in late 1999, but he said he was aware that the fraud was continuing. Livesay didn't go to the government until after the fraud became public in March 2003.
Livesay said he confirmed the fraud to two colleagues who grew suspicious but weren't involved in the conspiracy, Leif Murphy and Diana Henze, but previous testimony showed neither reported the scheme to prosecutors. Both Murphy and Henze testified against Scrushy earlier.
Livesay also corroborated testimony by former chief financial officer Bill Owens, saying he heard Scrushy talk about getting back to "accurate numbers" in a conversation where he told Owens how to answer questions from an investigator with the Securities and Exchange Commission.
During cross-examination, defense lawyer Art Leach asked why Livesay failed to report his concerns about the scheme to HealthSouth's corporate compliance staff or to Scrushy himself after the fraud swelled beyond $600 million in 1998.
"I ask myself that question a lot," said Livesay.
But, Livesay added, there was concern within the company about "the potential of losing your job if you confronted Mr. Scrushy about this." Livesay said he got "four or five" promotions with raises and more than $1 million in stock options while involved in the crime.
Prosecutors claim Scrushy was behind a conspiracy to inflate HealthSouth earnings by some $2.7 billion for seven years beginning in 1996. He is accused of making millions off the scam through stock sales, bonuses and salary.
The defense argues subordinates committed the fraud on their own and lied to Scrushy for years to keep it hidden.
In describing the nuts and bolts of the fraud, Livesay said HealthSouth paid so much in taxes on bogus income it had to borrow money to make ends meet.
Livesay said he prepared a report in mid-1998 showing the rehabilitation giant had to pay $145 million in taxes on false income of $407 million when its real income was only $160 million.
"We weren't making enough money to pay our income taxes," he said.
Speaking slowly and deliberately, Livesay said he showed the document to Martin, who had asked him why the company was still borrowing so much money.
"It was like a light bulb went off in his head," Livesay said of Martin. "He grabbed the schedule from me and said, `I've got to show this to Richard,' and he walked out of the office."
Livesay did not say if he knew whether Scrushy actually saw the document.
Livesay, Martin, Owens and 12 other former HealthSouth executives have pleaded guilty and are cooperating with prosecutors. Livesay was ordered to pay $760,000 in restitution and fines but avoided jail time.
Scrushy is charged with conspiracy, fraud, money laundering, obstruction of justice and perjury. He also is charged with false corporate reporting in the first test of the 2002 Sarbanes-Oxley Act against a chief executive.
If convicted, Scrushy could receive what amounts to a life sentence and be ordered to forfeit as much as $278 million in assets.
posted by Brian Moran @ 9:19 AM
Thursday, February 24, 2005
Do You Need A Chief Compliance Officer?
No C-level position is the subject of more discussion than the chief compliance officer. The role has long existed at companies that operate in heavily regulated industries such as financial services, government agencies, and health care. For other companies, the rash of recent accounting scandals, the Sarbanes-Oxley Act, and the recommendations of the U.S. Federal Sentencing Guidelines are urging CCO appointments.
The responsibilities of the position often include leading enterprise compliance efforts; ensuring compliance with internal standards and state and federal laws; managing audits and investigations into regulatory and compliance issues; and responding to requests for information from regulatory bodies.
Given that the CCO's responsibilities significantly impact a company's strategic and operational decisions, senior management should carefully consider the following questions when conducting a search for the position:
Who should fill the CCO role? By choosing wisely, top executives can rest assured that when a regulatory body performs a compliance audit or an outside investigation is launched, no surprises are likely to turn up. Choosing unwisely raises the potential for the company's hard-earned reputational value to vanish.
When selecting a CCO, the company should target an individual with a deep, nuanced understanding of the compliance issues and regulatory requirements germane to the company and industry. The candidate should have a proven track record of demonstrating high integrity, good business judgment, and perseverance. And the person should be able to engender trust among company employees.
The CCO needs a thorough understanding of the expectations of the leadership team, including the CEO, CFO, CIO, board of directors, and legal counsel. And the candidate should be up to the challenge of filling an emerging position. As the role and responsibilities of the position evolve, the CCO needs to grow along with them, and anticipate and address future issues.
Most management teams have looked to their legal departments to staff the CCO position, and, in some cases, the general counsel has taken on the added responsibilities of this role. This offers several advantages in that the general counsel is familiar with critical compliance areas, likely has established relationships with relevant regulatory bodies, and enjoys access to senior management and the board.
What are the CCO's reporting relationships? To ensure that information is unconstrained and shared in a timely fashion, we recommend that the CCO report directly to the board. The board—under Sarbanes-Oxley, SEC regulations, and the Federal Sentencing Guidelines—is responsible for evaluating the effectiveness of ethics and compliance programs throughout the enterprise. Board members can be subject to prosecution for compliance violations. A reporting relationship with the board helps the CCO ensure that information regarding violations is acted upon quickly, before it becomes systemic, and that emerging issues are anticipated.
In order for the CCO to perform effectively, he or she needs a close working relationship with the CIO. One of the CCO's primary roles is monitoring compliance issues and initiatives, and periodically reporting on these to the board. In a complex and increasingly global environment, this would be virtually impossible without a robust technology infrastructure.
Ideally, the CCO should leverage a real-time, enterprisewide reporting system that provides a clear picture of the company's compliance program. The system should retain necessary records in accordance with federal and industry regulations, and gather, interpret, and generate the compliance-related data that forms the basis of reports provided to executive management. The CCO must work collaboratively with the CIO to implement and manage a technology solution that meets these needs.
In addition to providing data and managing records, the technology solution should satisfy all relevant compliance regulations. It should maintain the confidentiality of data submitted via electronic help lines in compliance with Sarbanes-Oxley section 103; ensure that required financial and audit records are retained for the necessary period of time in compliance with Sarbanes-Oxley section 301; meet best practices for electronic-communications protocols and security; and where relevant, comply with all relevant European Union privacy laws regarding employee data.
For many companies, selecting the CCO and defining the position's role is one of the most important decisions that will be made in the near term. By reflecting on the issues raised here, senior management can ensure that your company's CCO has the inherent qualities and skills to succeed.
posted by Brian Moran @ 8:34 AM
Wednesday, February 23, 2005
The Human Side of Compliance
A company's ability to comply with financial reporting regulations is only as good as its people. Some businesses are doing a lot to ensure that their people are doing the right thing.
CFOs often complain that the Sarbanes-Oxley Act represents a harsh overreaction to the corrupt acts of a few bad apples. Besides, they say, the new law cannot prevent fraud if an unethical manager is determined to skirt the rules. This argument points to one of the steepest challenges of sustaining compliance over the long haul: people. "As good fraud auditors already know, any individual -- from the most pious to the most incorrigible -- can be prone to commit fraud due to fundamental 'people factors' that emerge given the right external stimulus," notes Dwayne Jorgensen, director of the Sarbanes-Oxley services practice for consulting firm CTG's information security solutions division in Duluth, Ga. Public companies have strengthened their financial reporting processes and installed new technology to help monitor internal controls, but one bad apple on staff can poison those staggering investments. Companies with a long-term commitment to Sarbanes-Oxley compliance and corporate governance address the human challenge through effective communication, compliance training and staffing decisions. Most important, compliance leaders translate the abstract notion of "tone at the top" into a practical and visible component of daily decision-making throughout the organization.
Drilling Tone Into the Ranks
The executive team at Santa Clara, Calif.-based Sun Microsystems Inc. shone a spotlight on compliance issues well before Sarbanes huddled with Oxley. "When you have 30,000 employees, there's always a chance somebody is going to apply bad judgment or make a mistake," notes Sun vice president and chief compliance officer (CCO) David Farrell. "We stress a very strong expectation for integrity at the top. We typically err very much on the side of being conservative in our judgments, and we work to set that tone throughout the company."
Farrell drafted his company's original "Standards of Business Conduct," and in early 2001 he helped establish the business conduct office, which he managed until stepping into the CCO position. A glance at Sun's board of directors -- which includes former SEC chief accountant Lynn Turner -- confirms Farrell's claim that a commitment to governance and compliance resides in the company's DNA. And Farrell credits the board and executive team with ensuring that the company puts its good-governance genes to use.
Shortly after Sarbanes-Oxley became law, CFO Stephen McGowan asked Farrell and Robyn Denholm, the company's vice president and corporate controller, to develop a series of compliance and governance training sessions that became known as Sun's "fiduciary boot camp." The program, named for its intensive-indoctrination approach, delivers in-person sessions on legal and compliance issues, including Sarbanes-Oxley, Reg FD, analyst and media relations, export laws, global anti-corruption laws, and related issues. It's mandatory for all of the company's vice presidents and directors, as well as for other managers whose responsibilities require a sharp understanding of compliance issues (e.g., people in analyst relations or financial reporting, overseas sales managers).
The day-and-a-half program is divided into hour-long sessions led by managers from Sun's business conduct office and other internal subject-matter experts. In 2003 1,000 employees attended the training; last year that figure doubled. One hundred to 250 employees attend each boot camp event, a dozen of which were held in locations throughout the world in 2004.
Farrell believes that the most effective way to train people on compliance-related subjects is to engage them in a dialogue rather than bombarding them with slides. "There is a lot of gray area in many of these areas, a lot of judgment calls," he notes. Sun boot camp attendees flex their decision-making muscles by working through case studies set in those gray areas and debating sticky issues with their colleagues.
The fiduciary boot camps are now overbooked because many graduates have requested that their teams attend future sessions. The sessions have also attracted interest from the companies that benchmark with Sun. "Our approach is to be as innovative and effective as we can from a preventative perspective," Farrell says, pointing out that the key to effectiveness is to keep these issues top of mind throughout the organization.
Skills Available Online
In addition to disseminating its governance message through the boot camp training, Sun relies on technology to expand the reach of its compliance instruction. The content developed for the boot camps is summarized and placed on the company's intranet so that all employees can access the material. All Sun workers also complete online training courses related to the company's business conduct standards and compliance issues related to exports; the courses' content is customized according to the student's job function.
Sempra Energy has taken a similar approach to corporate governance training. Roughly 200 top managers have attended the San Diego-based energy services holding company's financial literacy workshop in recent months (see Compliance Everlasting in the August 2004 issue). All Sempra employees must complete Web-based compliance training related to their responsibilities, on topics such as the U.S. Foreign Corrupt Practices Act, anti-trust laws, state-specific energy regulations, and other environmental and safety rules. "We are also in the process of developing Web-based training around internal controls and other aspects of Sarbanes-Oxley," reports Sempra Energy's chief compliance officer Randall Peterson.
Peterson notes that his company's emphasis on the importance of internal controls is not new. "We've conveyed that message for a long time," he explains. "We have an internal-controls policy that we make management aware of periodically to drive home the point that [controls] are not just something that auditors and accountants need to worry about. They need to be embedded in everyone's responsibilities."
Sempra Energy's business-conduct guidelines and related training hammer home the importance of seeking help from supervisors when tough judgment calls arise. The company has also established a decision-making model that Peterson and his staff consistently communicate. Faced with a gray-area decision, employees in the finance function first ask whether their choice is consistent with company policy and company values. If they're still unsure after reviewing the corporate guidelines, they turn to their supervisor -- or, if they prefer, their divisional controller or the corporate controller.
Internal controls expertise is a much more concrete skill than, say, tone at the top. Such concrete skills are a vital but frequently overlooked determinant of a compliance program's success, notes John Hall, president of Hall Consulting Inc., a Chicago-based training and consulting firm specializing in risk management and internal auditing. The question, Hall explains, is whether each function within the organization has employees who possess the proper skills to successfully execute their responsibilities in a compliant manner.
For example, to help sustain compliance, the bank reconciler needs to know what fraud indicators to look for when conducting a reconciliation. The bank reconciler also needs to know what actions to take after spotting a sign of fraud. In other words, the bank reconciler needs to know how to do his or her job.
Compliance and related skills training should be tailored to job function. "All I need to say to the person in charge of the receiving dock is, 'Here are five signs I want you to look for; call me every time you see one of them,' " Hall says. The receiving dock manager does not need to learn the finer points of Sarbanes-Oxley or corporate fraud theory; finance managers and internal audit managers, on the other hand, most certainly do. "The signs and indicators of fraud have to be in the hands of the people who review and approve transactions," Hall asserts.
Some of Hall's clients began this year by initiating a second, post-404 phase of Sarbanes-Oxley compliance processes, in which they are assessing skills and compliance competency on a function-by-function basis. The purpose of the exercise is to correct skill deficiencies before they result in a bad decision that leads to a potential material weakness.
A Compliance Labor Crunch
Many companies, particularly small to midsize enterprises, would love to beef up compliance and governance education programs -- if only they could muster up more teachers. Finance professionals with solid auditing backgrounds are in high demand. Micros Systems Inc., a fast-growing IT solution provider to the hospitality and retail industries, has created an internal audit department in tandem with its Sarbanes-Oxley compliance efforts. Cindy Russo, vice president and corporate controller for the Columbia, Md.-based company, says Micros competes with the Big Four firms, the SEC and the Public Company Accounting Oversight Board (PCAOB) for accounting and audit talent. "These resources are in high demand right now, and some of those other organizations pay very, very well," says Russo, who notes that her company considers Big Four experience an attractive quality in internal auditors.
In nearby northern Virginia, QuadraMed Corp., an IT solution provider to the health-care industry, recently rebuilt its 50-person finance department from the ground up after relocating its corporate headquarters from northern California to Reston, Va. One of QuadraMed CFO John Wright's first hires was senior director of internal audit Kevin Haggerty.
"In the past, there was an image of the internal auditor as someone who sat in the back office reviewing expense reports and waiting to say 'Gotcha!' " Wright explains. "Well, that's not Kevin." Haggerty has been deeply involved in QuadraMed's implementation of a new PeopleSoft ERP system, which includes a compliance module. He worked closely with the project teams to ensure that the system's design and capabilities were in line with many of the company's internal controls and compliance processes. "He has very good communication skills," Wright says, "and he instills confidence in the people he works with across the organization."
Haggerty also has Big Four experience, which Wright lists as a key qualification for post-Sarbanes-Oxley finance and internal audit professionals, along with integrity, internal audit experience and technology-systems savvy. "I wanted to make sure we had people here who were accustomed to working in a disciplined environment, like public accounting, and I wanted people who were also accustomed to using technology fully," Wright explains. "You can't comply with 404 just by throwing people at it. You have to have systems and processes in place."
Few companies can afford to throw a lot of people at their compliance efforts. That may be why finance executives at small to midsize companies like QuadraMed and Micros Systems frequently mention technology when discussing the human side of Sarbanes-Oxley compliance.
"It's much easier to test controls when they are automated and you don't touch them nearly as much," explains Russo. She says that technology is vital to the compliance effort; Micros Systems relies on a compliance application from OpenPages. But Russo also emphasizes that the value of the software depends on the people who use it. "Individuals input the information into the system," she notes.
Haggerty agrees that it is beneficial "to have as many control activities as possible be automatically taken care of by the system without a lot of human intervention." For example, once a software company has programmed into its accounting system the proper approach to calculating revenue from software contracts, it no longer requires an individual plugging away on a spreadsheet to judge how proceeds from a particular sale should be recognized. "That's what Sarbanes-Oxley tells you," Haggerty notes. "Most of the attention should be focused on where a human judgment has to be made."
Once a company's controller or CFO establishes how revenue should be recognized, that process can be automated, which limits the likelihood of a poor judgment call by an individual. "If you have the right kind of tool," Haggerty adds, "it assigns those business processes out to the real owners of those processes and it allows for automatic checking for whether the process and related internal controls are in place."
Given the high cost of compliance, which may increase further before it subsides, CFOs and other executives have a right to grouse about Sarbanes-Oxley. A July 2004 Financial Executives International (FEI) survey estimated that internal and external Section 404 compliance costs are averaging $8 million annually for companies with more than $5 billion in revenue. A recent AMR Research study pegs Sarbanes-Oxley compliance costs at $1 million annually for every $1 billion in revenue. And more than half of U.S. and European multinational executives polled in a late-November PricewaterhouseCoopers study reported that their companies will increase compliance spending by an average of 23 percent during the next one to two years.
But bellyaching about the sweeping impact of other companies' bad apples is not an adequate response to the governance crisis. Leading businesses are establishing a strong and broad base for their compliance programs so that they can be sure to weed out the possibility of bad decisions wreaking havoc on their future growth.
posted by Brian Moran @ 1:31 PM
Unizan: Internal controls inadequate
Unizan Financial Corp., the parent company of Unizan Bank, said Friday it has identified deficiencies with its internal financial control, but the company expects to remedy those problems shortly.
The disclosure was made in Canton-based Unizan's fourth-quarter and full-year earnings report.
According to Unizan, those shortcomings include inadequate computer controls for security and infrastructure, as well as inadequate documentation. These factors could have a material effect on 2004 results, the company said.
"The company's weaknesses will not be considered remediated until new internal controls are operational for a period of time and are tested, and management and its independent registered public accounting firm conclude that these controls are operating effectively," Unizan said in a prepared statement.
Also Friday, Unizan said it earned $3.3 million, or 15 cents per share, during the fourth quarter. That's a 28 percent increase from $2.6 million, or 12 cents per share, during the same period last year.
Current results include a $2.2 million charge for the impairment of certain investment securities.
For the fiscal year, net income totaled $11.7 million, or 53 cents per share, a decline from $23.2 million, or $1.05 per share, during fiscal 2003. The 2004 results were affected adversely by $5.1 million in salary expense for the exercise of stock options and $2.7 million for professional fees and severance costs associated with its pending merger with Huntington Bancshares Inc.
Unizan and Huntington (Nasdaq:HBAN) agreed in January 2004 to merge, but that merger is on hold until January 2006 pending the resolution of regulatory investigations of Columbus-based Huntington's methods for how it accounted for auto leases in the years prior to 2002.
Unizan (Nasdaq:UNIZ) manages more than $235 million in deposits at six bank branches in the Dayton area. Overall, the company has more than 40 branches in Ohio and also operates Unizan Financial Advisors Inc.
posted by Brian Moran @ 9:13 AM
Judge Orders Reinstatement for First Sarbanes-Oxley Whistleblower
A federal Labor Department judge, ruling in a closely watched test case of a new corporate whistleblower law, has ordered a tiny Virginia bank to reinstate a former employee who questioned its accounting practices.
In the ruling issued Feb. 15, Administrative Law Judge Stephen Purcell ordered Cardinal Bankshares Inc. to reinstate its former chief financial officer, David Welch, and pay him nearly $65,000 in back pay and damages.
The ruling, while focusing on a tiny company little known outside its region, with just a few hundred shareholders, touches on many of the issues that have drawn substantial attention to the case.
Last year Welch, became the first person to win protection as a whistleblower under the Sarbanes-Oxley Act, passed by Congress in 2002 in the wake of corporate scandals at Enron, WorldCom and other firms.
The bulk of the law sets strict requirements for financial reporting by publicly traded companies.
But it also contains a provision designed to protect business insiders who blow the whistle on accounting trickery.
Since the law took effect in mid-2002, workers have filed 144 claims with the Department of Labor, alleging that their employers retaliated against them for calling attention to financial mismanagement.
Welch is one of just three workers to win protection so far. Another 16 cases have ended in settlements.
In his ruling last week, Purcell affirmed his decision in January of last year ordering Welch's reinstatement at Cardinal, a holding company for the 65-employee Bank of Floyd.
But the new ruling sets out specific terms and conditions, and rebuts point-by-point arguments by Cardinal Bankshares that bringing Welch back would be too onerous.
"While Welch's reinstatement will pose certain difficulties, those difficulties are not insurmountable and cannot defeat reinstatement," Purcell wrote in his decision.
In addition to the reinstatement and backpay, Purcell also ordered the bank, based in the southwest Virginia town of Floyd, to pay $108,000 in legal fees to Welch's lawyer.
An attorney for Cardinal, Laura Effel, said Tuesday that the bank's board was determined to appeal the ruling.
"I think this decision by the administrative law judge is so flawed and so disturbing that the board is not interested in resolving this case in a way that would permit this decision to stand," Effel said.
The bank plans to file an appeal with a labor department Administrative Review Board over the next week.
If that board decides not to take up the case, then the bank will consider whether to appeal it to a federal court, she said.
Welch, who now lives near Huddleston, Va., said Tuesday he was encouraged by the ruling.
The ruling of reinstatement, while difficult, answers prayers for a clear-cut resolution in the case, he said.
"If the door is open at Cardinal Bankshares, I've got to keep up my end of the bargain and walk through that door," he said.
posted by Brian Moran @ 8:57 AM
Tuesday, February 22, 2005
SOX Catch-22: Certifying Controls Later Found Weak
Companies that previously certified "disclosure controls and procedures" under Section 302 of Sarbanes-Oxley may find themselves this year in the uncomfortable position of having internal control audits under Section 404 reveal material weaknesses?with regulators wondering why those flaws weren't reported earlier.
The SEC's final rule implementing Section 302 of SOX requires company management to present "conclusions about the effectiveness of the [company's] disclosure controls and procedures based on the required evaluation." Under Section 404, management must disclose any material weaknesses in internal controls and will be unable to conclude that the company's internal control over financial reporting is effective if there are one or more material weaknesses.
Stephen Poss, head of the securities group at the Boston law firm Goodwin Procter, told Compliance Week that the 302/404 dynamics present a possible "Catch-22" for companies. "The SEC has made it abundantly clear that disclosure controls and procedures include many elements of internal controls over financial reports," Poss said. "To the extent that CEOs and CFOs have been making certifications, those certifications subsume some statement about the effectiveness of internal controls."
When 404 reports are issued, many companies are going to be facing conclusions that their internal controls were ineffective. Though the exact number of companies that might face such an "adverse opinion" is not known, estimates have ranged from 10 percent to 20 percent of public companies. If that's the case, it is likely that many companies that fail the 404 test might have indicated in their 302 certifications that their controls were effective. "If internal controls are not effective, how is it that you signed off on the financials when they included some element of [internal controls]," Poss asks.
William Tolbert Jr., a former associate director of the SEC?s Division of Corporation Finance, told Compliance Week that companies ?have an absolute reason? to be concerned. "It's not a situation to be ignored," said Tolbert, now a partner in the Washington office of Jenner & Block. Tolbert predicts that the Commission will indeed be checking whether companies certified disclosure controls and procedures that were later found to be ineffective. "The SEC is not going to be terribly sympathetic if you've already certified," he says.
posted by Brian Moran @ 9:55 AM
Monday, February 21, 2005
Companies Pushing For Lower Audit Fees for 2005
AccountingWEB.com - Feb-21-2005 - U.S. public companies are looking for a price break from their auditors this year.
The internal control requirements of the Sarbanes-Oxley Act forced many companies to spend more than twice what they budgeted last year, so they're looking to pay far less this year, according to a study given to Reuters by CFO Executive Board, a division of Washington research group Corporate Executive Board Co.
Section 404 of SOX requires that the companies' external auditors produce details of their internal controls and how those controls will combat fraud by next month. At the beginning of last year, the study said that most companies figured the cost of Section 404 would amount to between 20 percent and 60 percent of what they normally paid in annual audit fees, but the real figure was between 60 percent and 120 percent.
Executives say that auditors were charging by the hour last year instead of by the job, a practice they attributed to some of the additional cost. AMR Research says U.S. corporations will spend more than $11 billion between 2004 and 2005 on Section 404.
The study said companies are now seeking to keep their fees this year at between 20 percent and 80 percent of annual audit fees. "CFOs are hoping to reduce their SOX costs in year two by capitalizing on any sort of efficiencies to be gained in the documentation and testing process, or perhaps even a reduction in their overall scope of testing," said Kurt Reisenberg, managing director of the CFO Executive Board.
Overburdened small companies have told the Securities and Exchange Commission that complying with Section 404 has been too time-consuming and expensive. The SEC has scheduled a conference on the issue in April.
posted by Brian Moran @ 10:06 AM
Friday, February 18, 2005
U.S. Public Companies Changing Audit Firms at Record Pace
The Sarbanes-Oxley Act of 2002 did not require public companies to regularly change audit firms, but it seems many of them are doing so anyway.
The Wall Street Journal reported on a study released Wednesday by proxy-advisory firm Glass Lewis & Co. that showed more than 1,600 public companies left their audit firm last year, which represents a 78 percent increase over 2003.
Over the two-year period, 2,514 companies switched audit firms, which is nearly a quarter of all U.S. public companies, according to a database of public companies.
Smaller accounting and auditing companies are reaping the benefits of the revolving auditors and the Big Four firms are feeling the pinch. Second-tier firms gained a total of 117 new clients last year while the Big Four-Deloitte & Touche LLP, Ernst & Young LLP, KPMG LLP and PricewaterhouseCoopers LLP-had a net loss of 400 clients, the Journal reported.
BDO Seidman LLP gained the most new clients-109-and Ernst & Young lost the most clients with 200 dropping the firm last year, the Journal reported.
Smaller public companies were more likely to change auditors. Among the smaller firms that made a switch, 85 percent of them posted $100 million or less in revenue last year, the report said.
Companies switching auditors listed a number of reasons for the change, including auditors getting out of the business due to the new regulatory environment, corporate mergers and a better deal at the new firm, the Journal reported.
Since Sarbanes-Oxley was enacted in 2002, there has been significant debate about whether mandatory auditor rotation is necessary to protect investors. The law requires audit partners to rotate away from clients every five years. This week's report indicates that audit committees are taking it upon themselves to shake things up with their audit firms, even though the law does not require them to.
The increased changes are "inconsistent with the arguments put forth in the past by the accounting firms, that changing auditors reduced audit quality," research analyst Jason Williams said in the report.
posted by Brian Moran @ 10:18 AM
Corporate Governance in the Age of Eliot Spitzer
By Theodore F. di Stefano
Part of the ECT News Network
02/18/05 5:00 AM PT
If you are an active participant in the corporate affairs of the company for which you sit on the board, you have very little to worry about when it comes to SEC actions, or even class action lawuits. Just keep in mind that directors are custodians of the stockholders' money. They are serving to protect the stockholders, not to protect management.
IBM Workplace Services Express provides an integrated portal, making it easy for people to work together with customizable work spaces. See the four-minute demo: Boost Productivity and Improve Collaboration. Easily and Affordably.
These appear to be trying times for officers and directors of publicly held companies. But, are they really? Many people involved on the management and directorate level with public companies are quite leery nowadays. But, should those of us involved with corporate boards and corporate governance be afraid, or just cautious? In my opinion, there is no real need for concern.
Let me explain. I know that the Enron debacle was followed by continuing news of corporate malfeasance. It seemed that almost every day, we learned of more disturbing news about corporate shenanigans.
In a previous article, Serving on a Board After SOX: Opportunities and Perils, I talked about the responsibilities of board members and how they can keep themselves out of trouble by being proactive.
Did You Know the Name Eliot Spitzer Before Enron?
This article will revisit, to some extent, the principles that I put forth which show how a well-meaning director can serve with dignity and effectiveness without being intimidated by untoward and unexpected negative consequences emanating from board service. But first, let's take a close look at Eliot Spitzer's legacy.
If you really think about it, you didn't know who Spitzer (the attorney general of New York) was until a very short time ago. He rose to prominence on the wave of corporate scandals and appeared to be setting a new standard for corporate probity and governance.
Before Enron and people like Spitzer, board members had pretty much free rein to run their companies as they saw fit. Frankly, there was very little accountability. The only time that something hit the newspapers was when the actions of the board were so egregious that people had to sit up and take notice.
What he did, in my opinion, was to help raise the bar for directors and officers and make them more aware of the consequences of intentionally negligent and reckless service.
He was in the right place at the right time. And, from what I've been reading, he'll leverage his new-found fame into a yet more prominent political career. Who can blame him?
Most of the criticism leveled at these high-profile cases was more than justified. The fallout will continue until all of the lawsuits are settled and all of the malefactors are dealt with.
Good Return, Passive Investors
The fact is that the vast majority of investors are more focused on the current value of their stockholdings than on what is going on within the executive suite. In a sense, you can't blame them for this.
They expect the SEC and the company auditors to expose wrongdoing and reckless behavior. The truth of the matter is that the SEC cannot closely monitor all of the publicly held companies. It's an impossible task.
Nor can we expect the company auditors to aggressively monitor and criticize their clients. If they're too aggressive, they lose the client to a more pliable auditing firm.
One major contribution of Eliot Spitzer is that he made directors and officers more aware of what will happen if they ignore ethical corporate governance. This alone, in my opinion, does a great deal to advance good corporate behavior.
Safeguarding Stockholders' Investments
Even though most stockholders are more concerned with the market value of their stock than with corporate governance, they've got to become more active in assuring themselves that affairs are being properly run by those responsible.
How can they do this? Well, they've got to read the material that is sent to them by the company in which they hold stock. They have got to take the time and do at least some perfunctory due diligence.
If they are either confused or appalled by what they see, they have several choices, including: call the investor relations line of the company; and report any apparent malfeasance to the SEC (be sure to make the company officials aware of the fact that you have done so).
Shareholders are asked to vote when they receive the annual packet from the company in which they have invested. They must realize the importance of their vote. We have to think of the responsibility of the shareholder as being quite similar to the responsibility of the voting public. It is, in a sense, the same responsibility that is put on each citizen: be aware of the issues and be sure to vote.
What Should the Director or Officer Do?
Anyone involved in corporate governance must take a proactive role in "running" the business. For directors, this means perfect attendance at board meetings, as well as vocal participation at those meetings. It's OK to be a gadfly, an irritant.
My feeling is that any director who is actively engaged in the ethical monitoring of the overall operations of the company for which he/she serves has very little to worry about when it comes to SEC actions or Sarbanes-Oxley. (Please see my article, Sarbanes-Oxley: Avoiding Its Pitfalls.)
In order for a director to become liable for the mismanagement of a company, the director must be either actively involved in such mismanagement, or close one's eyes to it.
If you are an active participant in the corporate affairs of the company for which you sit on the board, you have very little to worry about when it comes to SEC actions, or even class action lawuits. Just keep in mind that directors are custodians of the stockholders' money. They are serving to protect the stockholders, not to protect management.
The same can be said of corporate officers. They are merely custodians of the corporation that is owned collectively by the stockholders. Therefore, they must act as caretakers and guardians.
Officers should also keep in mind that their compensation, including bonuses, should be the total salary that the board has approved for them. They must not take advantage of perks as a supplement to their salaries.
Nepotism should also be roundly avoided. If an executive has a relative on the payroll, that person had better be performing real services and be compensated according to the "market value" of the services and not by some arbitrary standard.
By keeping in mind the caveats I've addressed for both the directors and the officers of a company, you should not have to be unduly concerned about the "Eliot Spitzers" of this world.
posted by Brian Moran @ 10:06 AM
Thursday, February 17, 2005
Scrushy, Ebbers, Tyco Trials Show Investors `Cry for Scalps'
Feb. 16 (Bloomberg) -- In 1992, Ollie Dean Couch, chief executive officer of Texas lender Couch Mortgage Co., was convicted of 16 counts of fraud and making false statements involving $45 million in home loans. He got a year in prison.
Now, former HealthSouth Corp. CEO Richard Scrushy, whose trial began last month, faces as many as 450 years behind bars on 58 charges, including fraud and money laundering. ``I wouldn't want to be a CEO in today's environment,'' says Joel Androphy, who was Couch's lawyer.
Scrushy is the first CEO tried under the Sarbanes-Oxley Act, passed by Congress in July 2002, which increased white-collar criminal fines and prison time as much as 10-fold. He leads an unprecedented parade this year of half a dozen CEOs and other top executives on trial, as the three largest U.S. stock exchanges still struggle to recover from the record $7.5 trillion decline in market value from March 2000 through September 2002.
``The aftermath of the bubble created so much pain for everybody that there was a hue and cry for scalps,'' says Steve Hoedt, 33, who manages 1.6 million Tyco International Ltd. shares at Cleveland-based National City Corp.
On trial are Scrushy, former WorldCom Inc. CEO Bernard Ebbers, and former Tyco CEO Dennis Kozlowski and his chief financial officer, Mark Swartz. They may be joined this year by former Enron Corp. Chairman Kenneth Lay. All are likely to face longer prison terms than executives in savings-and-loan and insider-trading scandals of the 1980s and 1990s, making investors such as Cecil Duke more secure in owning stocks.
``Instead of being slapped on the wrist, they need to serve some time in prison,'' says Duke, 69, a retired junior high- school football coach in Pleasant Grove, Alabama, who owns 5,900 HealthSouth shares. He is among investors suing the company in a federal securities-fraud case. ``This was going on for years before it boiled over. Now they're cleaning up their act.''
Other investors who see a silver lining in the trials include Kevin Bannon, chief investment officer at New York-based Bank of New York Co., which manages $102 billion. He says the trials may build confidence.
``We went through the discovery of the scandals, the government getting involved and cleaning up a lot of governance issues,'' says Bannon, 52. `I think it's mostly behind us.''
Indictments were a buying opportunity to Ian Fields, who manages health-care investments at New York-based Exis Capital Management Inc., which bought 600,000 HealthSouth shares after Scrushy, 52, was indicted Nov. 4, 2003, and sold the stake as of Dec. 31, 2004. The shares had risen to $6.28 on Dec. 31, from a low of 8 cents on March 28, 2003. Fields sums up the negative effects of trials on his strategy in two words: ``No impact.''
More than 60 CEOs or presidents have been charged under federal law with corporate fraud in the past three years, according to the U.S. Justice Department. Among the executives charged since 2002 are former Adelphia Communications Corp. Chairman John Rigas, housewares-company founder Martha Stewart, and ImClone Systems Inc. founder Sam Waksal.
The simultaneous trials of CEOs are unprecedented in U.S. history, says Lawrence Mitchell, a law professor at George Washington University in Washington.
Those on trial may be victims of their own success, says Mitchell, 48. Until CEOs turned into celebrities after the Standard & Poor's 500 Index quadrupled in value in the 1990s, regulators were more likely to fine corporations accused of white- collar crimes, instead of seeking criminal convictions of individuals.
When Boeing Co. in 1982 faced 40 counts of covering up payments it had made to sell airplanes overseas, for instance, the company entered a guilty plea in federal court in the District of Columbia and paid $450,000 in fines.
After Chicago-based Boeing said in November 2003 it dangled a job before a U.S. Air Force official awarding a $23 billion contract, Congress killed the deal, CEO Phil Condit quit and federal prosecutors won guilty pleas from the two people involved: Darleen Druyun, a former Air Force acquisitions official; and former Boeing CFO Michael Sears.
Druyun is serving a nine-month sentence for violating federal conflict-of-interest laws. Sears is scheduled for sentencing this month. Condit wasn't charged.
New York Attorney General Eliot Spitzer, who is running for governor in 2006, has focused public attention on corporate fraud, says Robert McGuire, a former New York police commissioner.
In October, Spitzer all but demanded the ouster of Jeffrey Greenberg, CEO of Marsh & McLennan Cos., after filing a complaint accusing the world's largest insurance brokerage of rigging bids and taking kickbacks from insurers.
Greenberg quit 11 days after Spitzer filed suit, saying at a press conference that Marsh should ``look long and hard'' at its management. New York-based Marsh & McLennan last month agreed to pay an $850 million fine to settle the case. Greenberg hasn't been charged. A former Marsh & McLennan managing director and two employees from New York-based American International Group Inc. pleaded guilty to Spitzer's charges of rigging bids.
``He has used all of the levers of his office to move into areas that really hadn't been investigated before,'' says McGuire, 68, now an independent attorney.
The result has been a competition among regulators that didn't exist in the 1990s, says Alan Bromberg, a securities law professor at Southern Methodist University in Dallas.
The SEC has responded with higher fines and more enforcement actions against individual directors. In 2003, for instance, WorldCom agreed to pay a record $750 million fine to settle fraud allegations. Just a year earlier, Stamford, Connecticut-based Xerox Corp.'s $10 million fine for inflating revenue had been the commission's largest.
The Sarbanes-Oxley Act strengthened the SEC's hand. The law allows the SEC to place fines in a fund to benefit the victims of corporate fraud -- shareholders, rather than the U.S. Treasury -- increasing the commission's incentive to seek large penalties that would help investors. By September 2004, the SEC had imposed 15 fines of more than $50 million, dwarfing the Xerox record, according to the SEC's Web site.
Until the law was passed, the commission had to show that officers or accountants were ``substantially unfit'' before seeking to bar them from serving on corporate boards. The law lowered that standard to ``unfit.''
In the fiscal year ended Sept. 30, 2004, the SEC sought to bar 161 officers and directors, quadruple the 38 in fiscal 2000. Among those who have accepted lifetime bans are former Xerox Chief Financial Officer Barry Romeril and former Tyco director Frank Walsh.
Under Chairman William Donaldson, the SEC has a $913 million budget in the fiscal year that ends Sept. 30, more than double the $438 million in the 2002 fiscal year. The agency has hired almost 1,000 new attorneys, accountants and compliance officials since 2002.
Congress passed the Sarbanes-Oxley Act a year after the collapse of Enron, which hid debt in off-the-books partnerships capitalized by its shares. When the shares fell, Enron had to reduce profit by $586 million and seek bankruptcy protection.
The law boosted the penalty for both wire and mail fraud to 20 years from five years. The penalty for knowingly making a false statement in a financial report rose to 20 years in prison and a $5 million fine, from 10 years and a $1 million fine. Corporations that file false statements can be fined as much as $25 million, up from $2.5 million. The law requires CEOs and CFOs to certify financial statements quarterly.
Threat of Incarceration
In the biggest executive settlement related to Enron, former CFO Andrew Fastow, 43, pleaded guilty to fraud charges in January 2004 and agreed to serve 10 years in prison and to forfeit $29 million in assets. He agreed to pay $23 million to settle SEC civil claims over hiding the debt.
Sarbanes-Oxley followed decades of tougher sentences. In 1984, more than half of all white-collar crime convictions resulted in probation, according to the U.S. Sentencing Commission. By 2002, more than 60 percent led to prison sentences.
The threat of incarceration has encouraged more defendants to fight cases rather than seek plea bargains, contributing to the increase in trials, says Androphy, a partner at the Houston- based law firm Berg & Androphy.
Fraud, the focus of the tougher sentencing regulations, is the most prevalent charge at the CEO trials this year. Ebbers, 63, is on trial in New York federal court on charges of leading accounting fraud. He faces one count each of securities fraud and conspiracy and seven counts of making false filings to the SEC. If convicted, he faces a maximum of 25 years in prison.
Former Enron CEO Jeffrey Skilling, 51, may receive a prison term of as long as 325 years if convicted on 35 charges of fraud, conspiracy and insider trading at the Houston-based company. His one-time chief accounting officer, Richard Causey, 45, could get 265 years on 31 counts. Lay, 62, faces seven charges of fraud and conspiracy. All have asked for their trials, in Houston federal court, to begin this year.
In their retrial in New York state court, Kozlowski, 58, and Swartz, 44, are accused of taking $150 million in unauthorized bonuses. The two men face 31 counts of stock fraud, falsifying business records, grand larceny and conspiracy. The most serious charge carries a 25-year prison term.
John Rigas, founder of Greenwood Village, Colorado-based Adelphia, and his son Timothy Rigas were convicted of conspiracy and fraud in July for looting $3.2 billion from Adelphia and lying about its finances before the bankruptcy filing. John and Timothy Rigas both appealed their convictions. Another son, Michael Rigas, faces retrial on fraud charges after a jury was deadlocked on whether to convict him.
Martha Stewart Living
Scrutiny of Stewart, 63, wouldn't have been so intense a decade ago, says Christopher Bebel, who was an attorney in the SEC's Division of Enforcement in the 1980s and an assistant U.S. attorney in the 1990s.
Stewart, founder of New York-based Martha Stewart Living Omnimedia Inc., is serving a five-month sentence in a West Virginia prison for lying to government investigators about her trading of ImClone stock. She will complete her prison time next month. Stewart has appealed.
Waksal, 57, who tried to sell the stock after learning that regulators were about to reject a new cancer drug, pleaded guilty to insider trading and began serving a seven-year term in July 2003.
While the parade of trials has given such companies as HealthSouth and Tyco negative attention, it hasn't hurt some of those shares. Bermuda-based Tyco, the world's biggest provider of security systems, rose 90 percent to $33.90 on Feb. 14 from Kozlowski's indictment on Sept. 12, 2002.
Among the biggest beneficiaries was Bill Miller, the only fund manager to beat the S&P 500 Index 14 years running. Miller's Baltimore-based Legg Mason Value Trust started adding Tyco shares that year and owned 34 million as of Sept. 30, his second-biggest holding. Miller declined to comment.
Shares of HealthSouth, a Birmingham, Alabama-based hospital operator, rose 12 percent to $5.70 on Feb. 14 from Sept. 29, when prosecutors said Scrushy, who founded the company as AmCare in 1984, had charges of perjury and obstruction of justice added to fraud in fabricating profit to meet earnings estimates. The board placed Scrushy on administrative leave on March 20, 2003.
Enron, by contrast, has been in bankruptcy while more than 20 former executives have been under indictment, according to the Justice Department. Enron shares were delisted by the New York Stock Exchange on Jan. 15, 2002.
WorldCom filed for Chapter 11 bankruptcy protection in 2002. After winning court approval to exit bankruptcy in October 2003, the company listed new shares that began trading at $26.70. On Feb. 14 this year, they closed at $19.93.
The company officially exited bankruptcy in April 2004 as Ashburn, Virginia-based MCI Inc. Under Ebbers, the company had been based in Clinton, Mississippi. Verizon Communications Inc. said on Feb. 14 it agreed to buy MCI for $6.7 billion.
Even in this environment, prosecutors may still lose, says Charles Elson, head of the Center for Corporate Governance at the University of Delaware.
Kozlowski and Swartz's six-month trial ended in a mistrial in April. That month, federal jurors in Denver refused to convict four Qwest Communications International Inc. executives charged in connection with improper booking of a $33 million transaction.
Androphy, the lawyer who represented Couch, says public anger after the stock-market decline fueled a government emphasis on securities fraud. He said his client, who died in 1998, could have been sentenced to 10 years in prison under the new laws.
``Right now, you can rob a bank and be OK,'' says Androphy, the author of a textbook called ``White Collar Crime'' (Shepards/McGraw-Hill, 1992). ``We're in a securities fraud, white-collar stage right now. It will pass.''
posted by Brian Moran @ 5:28 PM
Wednesday, February 16, 2005
DEATH, TAXES & SARBANES -- OXLEY? Executives may be frustrated with the law's burdens, but corporate reform is here to stay
Nearly three years ago, Congress set out to clean up the way companies do business after accounting and governance scandals rocked investor confidence and damaged the reputation of companies large and small. Now, as the final stages of reform mandated by the Sarbanes-Oxley Act 2002 go into effect, much of Corporate America is in an uproar. CEOs and CFOs complain they're burdened with huge implementation costs as armies of nitpicky auditors check every corner of their operations. ``Common sense is gone,'' says Wisconsin Energy Corp. controller Stephen P. Dickson, voicing an increasingly common gripe. ``You have to document everything.''
True enough, it hasn't been the easiest year for CFOs and their staffs. And there's no denying that the costs of implementing Sarbanes-Oxley are high -- upwards of $35 million on average for large companies this year alone. Complicating matters, the promised benefits of the reform movement are hard to spot and difficult to quantify: frauds that never happened, or the boost to investor confidence that has helped bring life back to U.S. markets.
WORTH THE TROUBLE
Fears have thus taken hold that a backlash is under way. Clearly, executive complaints are reaching Washington: The U.S. Chamber of Commerce has targeted Securities & Exchange Commission Chairman William H. Donaldson and is compiling a dossier of examples of what it calls regulatory or enforcement overreach. And concern that the Administration's appetite for reform -- or support for Donaldson -- could wane in the second term were stoked in mid-December when Treasury Secretary John W. Snow called for more ``balance'' in regulation. Yet despite the grumbling, there's increasing evidence that reform has been well worth the trouble. Already, intense scrutiny of accounting methods and internal controls has unearthed lingering problems in the way companies operate. And fixing weak financial controls has nipped a lot of accounting problems in the bud. ``You know the CEOs and CFOs are doing much more due diligence inside their companies,'' says Neri Bukspan, chief accountant for Standard & Poor's, the credit-rating service. Perhaps most important, the reforms have helped renew investor confidence in companies' reports -- a payoff that will grow in time. Says Donaldson: ``The benefit will come in the long haul, with greater credibility in the marketplace and higher stock price multiples.''
What's more, there's little chance that the SEC will be reined in. Following Fannie Mae's $9 billion restatement and continued controversy over megamillion-dollar parachutes it handed ousted top execs, corporate scandal is still too fresh to allow politicians to backtrack. The White House made it clear on Dec. 16 that the President ``appreciates'' the job Donaldson is doing to crack down on corporate wrongdoers. Snow has affirmed his support for Sarbanes-Oxley and Donaldson -- although he still thinks regulators and prosecutors need to better coordinate their rulemaking and probes. ``The system may have become too prosecutorial,'' Snow told BusinessWeek on Jan. 4.
Nevertheless, the complaints, which have been growing through the fall, will probably intensify in coming weeks due to widespread frustration with a single feature of Sarbanes-Oxley, Section 404. It requires that corporate executives and their auditors document, and certify to investors, that their internal financial controls work properly. It is biting hardest now because the first deadlines for completing the work begin taking effect next month for large-cap companies.
The law requires, for example, proof that someone is cross-checking the numbers that make up earnings, such as the value of inventory and receivables. Seems reasonable enough, but execs grouse that auditors are applying the law in mind-numbing detail. ``It requires an army of people to do the paperwork,'' says William D. Zollars, chairman and CEO of Yellow Roadway Corp., the nation's largest trucking firm. Zollars dispatched some 200 Yellow employees to the task last quarter and paid about $9 million to accountants for their work -- or some 3% of annual profits for 2004.
Costs vary across companies, depending mostly on their complexity, auditors say. A survey of board members conducted by RHR International for Directorship magazine found that big companies with $4 billion or more in revenues are spending an average of $35 million to comply with the act. Another survey by Financial Executives International found $3.1 million in added costs for companies with average revenues of $2.5 billion.
Those numbers are grist for lobbyists in Washington. The U.S. Chamber of Commerce is collecting such evidence to take to Congress. The group's top priority this year is a ``push back'' for changes in Sarbanes-Oxley, says David T. Hirschmann, senior vice-president of the Chamber. He'll probably have plenty of ammunition. Mario J. Gabelli, CEO of Gabelli Asset Management, says he put off hiring 12 security analysts in order to pay for complying with Section 404. ``It has been a major drag on the economy,'' Gabelli says. But small public companies may have the best argument, since they have fewer revenues to offset basic compliance costs. ``This is a regressive tax against small business,'' says venture capitalist Gary J. Morgenthaler of Menlo Park (Calif.)-based Morgenthaler Ventures.
While accountants predicted that the internal controls section of Sarbanes-Oxley would be a burden, few people expected there to be this much grief. After all, Section 404 restates what was already required in other federal laws and regulations. Since the late '70s, the Foreign Corrupt Practices Act has required companies to have internal controls, and auditors have long been expected to test them before signing off on financial statements.
Sarbanes-Oxley only adds the requirement that execs and auditors certify the controls work. Lawmakers did that to ensure that top managers were held accountable for problems and to make it easier to prosecute cheaters. ``The fact that companies are having difficulty complying, after controls have been in federal law for 25 years, doesn't speak well for the quality of their controls,'' says one high-ranking regulator.
That may be an understatement. In November, 119 companies publicly reported finding weaknesses or deficiencies in their internal controls, up from 11 in the same month a year before, according to industry newsletter Compliance Week. Many problems involved closing books, reconciling accounts, or dealing with inventory. SunTrust Banks Inc. said in November that it had fired three officers after discovering errors in how it calculates allowances for losses in loan portfolios. Visteon Corp., a car-parts supplier, said it found problems recording and managing accounts receivable from its major customer, Ford Motor Co. It's now fixing those problems. ``We are finding that the focus on internal controls is uncovering problems at the best of companies,'' says Samuel A. DiPiazza Jr., CEO of auditor PricewaterhouseCoopers International Ltd.
Many businesses are discovering other benefits. General Electric Co., which spent about $30 million on the work last year, ``had good controls before this, but it has added more rigor,'' says CFO Keith S. Sherin. ``It certainly gives [CEO Jeffrey R. Immelt] and me more confidence when we're signing off on the results.'' United Technologies Corp. used the work to standardize checks on bookkeeping in its disparate businesses around the world. ``We had a fair degree of latitude in how people document things. We've tightened that up,'' says Jay Haberland, UTC's vice-president for business controls.
The biggest advantage of all, though, may be the greater confidence investors have in financial results. ``The auditors are doing better audits and charging for that. More questions are being asked by everyone,'' says Donald T. Nicolaisen, the SEC's chief accountant. That's why fine-tuning the regs, rather than any kind of rollback, is what's likely this year. Regulators are encouraging auditors to focus on critical issues that pose the biggest risks rather than sweating the little stuff that wastes time and resources -- and drives managers nuts. And come the spring, they have promised to review the complaints and determine whether the procedures can be improved.
Some officials say it could take three years for companies, auditors, and regulators to apply the law efficiently. That may seem like a long march for many executives. Yet in the long run, it will be a small price to pay for more smoothly running organizations and renewed investor confidence.
Sarbanes-Oxley: An Assessment
MEETING THE COSTS
Big companies are spending some $35 million on average to comply with auditing-disclosure requirements. As they become accustomed to the new regs, however, costs should drop sharply.
GETTING THE JOB DONE
Compliance is hugely time-consuming; complaints about redundant paperwork and nitpicky auditors abound. But the workload should ease with experience and more practical assessments by auditors.
Despite the complaints, hundreds of companies say they have uncovered festering accounting problems while implementing the regs. Others have found redundant administrative spending.
EASING THE BURDEN
The difficulties and cost of implementing Sarbanes-Oxley can be particularly heavy for smaller businesses. But the SEC is giving them extra time to comply -- and will review other complaints in the spring.
posted by Brian Moran @ 8:53 AM
Tuesday, February 15, 2005
SOX: Measuring the Costs and Searching for Tangible Benefits
By Patrick Taylor
After spending millions in 2004 to comply with the first phase of Sarbanes-Oxley (SOX), compliance officers and financial executives should evaluate their return on compliance. While the tangible benefits may be difficult to value today, most financial executives (57%) describe their company's SOX compliance as a good investment for stockholders, and 70% say they have stronger internal controls after complying with the law, according to the 2004 Oversight Systems Financial Executive Report On Sarbanes-Oxley Compliance.
About the Report
Through a combination of an invitation-only online survey and survey intercepts, 222 corporate financial leaders from across the U.S. participated in this study. Titles of those surveyed included CFO, controller, treasurer, vice president and director. Of the sample, 25% were in companies with more than $5 billion in annual revenues, 23% with revenues from $1 billion to $5 billion, 22% between $251 million and $999 million, and 30% with revenues of $250 million or less.
While still cataloguing the costs and difficulty of compliance, executives can identify the benefits they've achieved through their compliance efforts. The Sarbanes-Oxley legislation is far from perfect, but the survey shows that the law -- despite its costs and burdens -- has achieved at least one of its intended goals: to strengthen internal controls.
According to the survey, 16% of executives say their controls were already documented and sufficient for SOX compliance, 24% say their controls were in place but now have been fully documented, 18% say they've implemented more manual controls, 8% say they've implemented more systems-based controls, and 33% say they've implemented more manual and systems-based controls.
Nearly three-quarters (74%) say their companies realized a benefit from SOX compliance. When asked to identify the benefits from SOX, the Oversight Systems' survey reports that:
46% say SOX compliance ensures the accountability of individuals involved in financial reports and operations
33% say SOX compliance decreases the risk of financial fraud
31% say they have reduced errors in their financial operations
27% say SOX improvements in the accuracy of financial reports
25% say SOX compliance empowers the board audit committee by providing it with deeper information, and
20% say SOX strengthens investors' views of the company.
Tangible Costs and Perceived Benefits
As for the costs and work required in complying with Sarbanes-Oxley, 54% of financial executives surveyed in the Oversight report say they spent more than originally projected, and 63% describe their SOX compliance as "difficult" or "very difficult."
Many of those surveyed -- 37% -- say SOX increased shareholder value because investors know they operate as an ethical business, and 25% report that SOX boosts shareholder value by building overall confidence in the market. However, 33% say SOX compliance created a cost burden that suppresses stock prices, and 14% feel that SOX decreased their ability to pay out dividends because compliance expenses are a significant drain on earnings. (Respondents could select all that applied).
The negative reaction to SOX is understandable because the hard costs of compliance are easy to quantify - thousands of staff hours for controls documentation, increased audit fees, dozens of new internal auditors on the payroll and the ongoing testing of internal controls. As companies report their earnings, most reference SOX as a primary driver of increased operations costs.
However, the benefits of compliance are much harder to value in hard currency. In reality, preventing financial statement fraud or even preventing a restatement of earnings from an error protects billions of dollars of shareholder value.
The survey also shows other benefits of the law - how financial executives view SOX's effect on their own investments. Forty-four percent say "as an individual investor, SOX disclosures and compliance requirements allow you make better investment decisions or feel more confident in investments in public companies." Interestingly, 11% say they do not purchase stock in public companies, and 45% say SOX has no impact on their investment decisions or investor confidence.
Ongoing Compliance Costs and Controls Testing
Financial executives are more divided on their projected costs of SOX compliance for 2005 and their approach to ongoing compliance with Section 404 of the law that requires testing and reporting on the effectiveness of internal controls. The survey reports that:
26% say year-two compliance costs will total between 50% and 74% of first-year costs;
¥5% say year-two compliance costs will total between 25% and 49% of first-year costs;
17% say year-two compliance costs will total less than 25% of first-year costs;
16% say year-two compliance costs will total about the same as first-year costs;
12% say year-two compliance costs will total between 75% and 99% of first-year costs, and
3% say year-two compliance costs will be more than first-year costs.
The Oversight survey showed wide variation in the frequency of testing and monitoring of internal controls, where 38% say once a quarter, 23% say continuously as transaction are processed, 22% say monthly, 10% say weekly and 7% say daily.
This lack of a consensus on controls testing is most likely a result of the exhaustive work required in the first phase of SOX 404 compliance -- documentation. After spending 2004 to document their controls, executives are just now evaluating how they will address this recurring demand of the law.
However, ongoing costs of SOX compliance remain high because many companies will still rely on manual testing. When asked how they intend to monitor and test their internal controls, the Oversight survey showed that:
51% will run manual tests by independent observers, such as internal auditors or compliance consultants;
48% will rely on a control self-assessment program;
35% will utilize reports and monitoring features within financial applications such as SAP, Oracle, etc.;
34% say Internal auditors will test historical transactions for control violations with audit software; and
25% will implement a technology solution to continuously monitor key controls and transactions. (Participants could check more than one answer.)
Minimum SOX compliance demands at least quarterly testing of controls, and many executives may think they are reducing their ongoing compliance costs by simply shooting for the minimum. To these executives, continuous monitoring may sound expensive. However, technology solutions that continuously monitor the effectiveness of controls can actually reduce the costs of compliance by automating some of the manual work of internal auditors or SOX consultants.
A quarter of those surveyed (25%) say they plan to implement a technology solution to continuously monitor key controls and transactions to maintain SOX 404 compliance. However, we should expect this number to rise in the next 2 years as companies develop their plans for ongoing compliance.
As companies move toward continuous monitoring, the benefits of compliance should also expand. The initial cost saving from automated controls testing should also lead to a secondary savings by identifying and correcting control deficiencies before they become a "material weakness" as determined by external auditors. Essentially, executives can correct a problem when only two or three transactions are affected instead of testing at the end of the quarter when the same problem could cause a few hundred exceptions.
Continuous monitoring of controls for Sarbanes-Oxley compliance can produce other direct benefits from improving financial operations and reducing transaction errors in corporate expenditures, revenue and financial reporting. This concept borrows the idea of Six Sigma to continually strive to improve the business process by measuring and analyzing activity.
Active Audit Committees
While financial executives are divided on ongoing costs and controls testing, most are experiencing increased involvement from their board audit committees. Forty-five percent describe their board audit committee's involvement with SOX compliance as "active," and 19% say "highly active and interested in the details of our efforts."
The survey shows that SOX has compelled audit committee members who have not been as active have increased their involvement. While many are motivated by their own accountability, audit committee members should look to encompass the best practices of corporate governance.
As part of the survey, respondents were also asked to define their feelings toward SOX legislation. Of the group, 52% say Congress had good intentions when it passed SOX, but the costs of compliance were not fully considered. Thirty-eight percent say SOX was Congress's over-reaction to the unethical behavior of a few executives, and 28% say the market requires regulations like SOX to boost investor confidence in the market's integrity. Only 13% say the benefits of SOX outweigh the costs of complying, while 25% say the costs of complying with SOX outweigh the benefits. (Respondents could select all that applied).
With this mindset, it's no surprise that 81% of financial executives say Congress needs to revisit Sarbanes-Oxley. However, when asked about the most demanding sections of the law, an overwhelming majority say that if they were members of Congress, they would include those sections in the law. In regard to Section 302 that requires CFOs and CEOs to sign off on financial reports, 87% say they would include this section. In regard to Section 404 that requires the documentation, monitoring, reporting and attestation of internal controls, 75% say they would include this section. And 85% would include Section 409, which requires the timely disclosure of material changes that affect financial conditions or operations.
Other interesting data points show that 31% of financial executives say that more than 50% of their financial department professionals hold financial certifications (such as CMA, CFM, CIA, CPA, etc.) from an organization with enforceable ethical codes. When asked how many full-time employees are dedicated to SOX compliance, 18% said more than 15, and 37% report that they spend more time with their CEO as a result of SOX compliance.
After complying with the first year of Sarbanes-Oxley's demands, many finance and audit departments may be quick to celebrate their accomplishments or -- more likely -- to suffer from extreme burn out. However, financial executives should understand the ongoing requirements for compliance. Instead of repeating the same fire drill exercise for 2004 compliance, companies should look toward investments that derive real business value from the value process. And after spending millions to comply with the law, executives should evaluate their return on compliance. This survey shows that forward-thinking businesses are realizing valuable benefits. While the costs of compliance can squeeze any organization, the best-run companies will make SOX work for their businesses.
posted by Brian Moran @ 3:24 PM
The Compliance Chasm
A central debate in the effort to comply with Sarbanes-Oxley (Sarbox), particularly sections 302 and 404 which govern financial reporting and documentation of internal controls respectively, is whether operational benefits will outweigh the costs. RevenueRecognition.com and International Data Corp. conducted a survey of 220 business leaders in December 2004. The results suggest that while costs are front loaded, there is proportional value once companies get through the full compliance process. However, there are distinct differences between companies that crossed the compliance chasm and rated the effectiveness of major compliance activities equal to or higher than costs and those that did not.
Overall Effectiveness Offsets Overall Cost
In the survey, respondents were asked to rate the cost of six major Sarbanes-Oxley compliance tasks as well the effectiveness of those tasks for improving risk management. As shown in Figure 1 below, the costs and effectiveness ratings were approximately even for activities such as documenting accounting policies, certification and sign off on internal controls, certification of financial statements, and responding to external audit attestation processes. However, there were two exceptions:
1) The cost of documenting internal controls was rated substantially higher than its effectiveness for improving risk management; and
2) The cost of remediation of weaknesses found was rated substantially lower than its effectiveness for improving risk management.
The Compliance Chasm
While the overall cost and effectiveness ratings are equivalent, there is a distinct chasm between companies that rated effectiveness lower than costs and those who rated effectiveness equal to or greater than costs. Figure 2 presents the cost-effectiveness indexes for 79 public companies. There are 43 companies to the left of the green line and 36 companies to the right.
The group that did cross the compliance chasm required only 83% of the effort and achieved more satisfactory results than the second group. This seems to indicate that they had a smaller gap between existing practices and those required by Sarbox. As a result, their human resources were more focused on external auditing activities which represent a much smaller portion of the overall labor cost.
But there is more to the story. Surprisingly, those who crossed the compliance chasm are actually less likely to be planning to keep their existing processes and technology in 2005 than those have not crossed the chasm. The key factor being that they are much more likely to have plans to deploy new technology for key compliance activities in 2005.
Crossing the compliance chasm may be easier for companies that have a culture of continuous improvement and are therefore more prepared and able to manage the enterprise-wide changes required by Sarbox compliance. Not only were these companies more prepared to begin with, they also plan to do more in the future.
The High Cost of Compliance
The survey focused on costs for internal resources and outside consulting from both Big 4 and non-Big 4 audit firms. Total resource requirements to support Sarbox increased in direct proportion to the size of organization based upon revenue. For public enterprises with more than $1 billion in revenue, the average amount of labor spent on compliance activities was more than twelve person-years. Companies in the $200 million to $1 billion revenue range averaged more than six and a half person-years of effort.
Furthermore, the cost of external auditing services increased 52% for public companies. Mid-sized companies with $200 million to $1 billion in revenue reported an 81% average increase.
“Sarbanes-Oxley compliance is a major undertaking,” said Kathleen Wilhide, compliance research director, IDC. “2004 was a baseline year for organizations to understand and execute on Sarbox section 404. Companies will now shift into sustainability mode, looking to optimize Sarbox processes through the use of technology and with an eye towards broader performance and risk management goals. While Sarbox 404 has been costly, the fact that organizations perceive real value in these efforts as they identify and remediate weaknesses is key.”
Where Risk Remains
When asked which financial processes present the most risk of restating financial results, approximately 40% of respondents selected revenue accounting—no other process received more than 15% as illustrated in Figure 3.
It is no surprise therefore to find that 83% of respondents from public companies indicated that in 2005 they plan to deploy or evaluate solutions for revenue accounting, billing, and/or financial consolidation—three areas that have a direct bearing on revenue reporting.
“All revenue related processes are under a high degree of scrutiny as a result of Sarbanes-Oxley,” said Gottfried Sehringer, executive editor of www.RevenueRecognition.com. “Having reliable internal controls in place with an audit trail for key revenue transactions, and the ability to fully document, analyze, report and forecast revenue is crucial to staying in compliance. With the costs of Sarbox compliance so high, it is encouraging to see that companies are seeing real benefits with improved processes and technologies.”
The survey was conducted during December 2004. In all, 220 high-ranking finance officials, including CFOs, controllers and vice presidents of finance, were surveyed.
posted by Brian Moran @ 9:02 AM
Companies Changing Fiscal Year End To Buy 404 Time
In an effort to buy more time under Section 404 of Sarbanes-Oxley, Chordiant Software, Inc. recently announced that its board had voted to change the end of its fiscal year from Dec. 31 to Sept. 30, beginning with FY 2004.
The move means that Chordiant will not have to comply with the Securities and Exchange Commission's disclosure rules relating to internal control over financial reporting until Dec. 15, 2005, seven and one-half months later than compliance would have been mandated if the company stuck to the Dec. 31 year-end date; accelerated filers must comply with Section 404 for their first fiscal year ending on or after Nov. 15, 2004.
Chordiant, which is based in Cupertino, Calif., is not alone in tweaking its fiscal year as a way of stalling Section 404?s impact. A review of SEC filings indicates that at least three additional companies recently moved their fiscal year-end from Dec. 31 to Sept. 30.
One of those companies, GoRemote Internet Communications of Milpitas, Calif., informed the SEC in October 2004 that it was changing the end of its fiscal year to Sept. 30. In doing so, the company cited four reasons for the change, including improving its "ability to obtain and schedule external audit and audit-related support required to ensure ongoing compliance with regulatory requirements."
posted by Brian Moran @ 8:51 AM
Monday, February 14, 2005
SEC considers extending compliance deadline
US regulators are considering giving foreign companies an extra year to comply with rules that require them to test and report on their internal controls against fraud.
The Securities and Exchange Commission staff is examining a delay that would mean foreign companies with US listings would not have to comply with the rules, which are required under section 404 of the Sarbanes-Oxley act, until 2006.
Under the existing timetable, foreign companies with US listings are due to comply with section 404 provisions on internal controls from July. However, SEC commissioners may reach a decision on revised compliance dates for foreign companies by the end of this month.
US public companies are busy preparing annual reports that will provide details on the effectiveness of their internal controls at December 31 2004. They have complained about the costs associated with documenting. The SEC staff is considering a delay in section 404 compliance dates for foreign companies, which would mean many of them would not have to give detailed information about their internal controls until annual reports published in early 2007.
Such companies would report on the effectiveness of their controls at December 31 2006.
European companies with US listings have been leading efforts to delay compliance dates on section 404 because they are focused this year on the change to international accounting standards.
Most European companies have a fiscal year end that mirrors the calendar year. Under the existing SEC timetable, they would have to give information on the effectiveness of internal controls at December 31 2005. William Donaldson, SEC chairman, said he was considering a “meaningful postponement” for foreign companies, which the SEC describes as foreign private issuers.
Donald Nicolaisen, SEC chief accountant, said: “For foreign private issuers with a calendar year end, the staff is considering a delay that would require them to report on their internal controls over financial reporting as of December 31 2006.”
Mr Nicolaisen said he was keen to get the second-year experiences of US companies that are already having to comply with section 404 before foreign private issuers have to report on their internal controls.
posted by Brian Moran @ 9:35 AM
Monday, February 07, 2005
HealthSouth fraud unraveled under SOX
BIRMINGHAM, Ala. - The massive fraud at HealthSouth Corp. began unraveling days after President Bush signed a new law with stiff penalties for false corporate reporting, according to testimony Friday by a former finance chief at the trial of fired CEO Richard Scrushy.
Bill Owens, who served in several top positions at the rehabilitation giant, said then-chief financial officer Weston Smith told him he was quitting on Aug. 5, 2002, rather than sign bogus financial statements under the Sarbanes-Oxley law, enacted less than a week earlier amid a wave of corporate scandals.
"He said he just couldn't sign the certifications and was quitting," said Owens.
Owens said he and Scrushy - the first chief executive tried under the law - tried to come up with a way to keep Smith "on the reservation" and get him to sign the financial reports, which Smith knew were fraudulent.
In a hastily arranged meeting, Owens said he and Scrushy decided to end the fraud and blame the subsequent earnings decline on new Medicare rules. Owens said they also decided to split HealthSouth in two as a "diversion" and to put Smith in the surgical division, where accounts were "clean."
Owens said he laid out the plan during a meeting in Smith's car as Smith drove him around on Interstate 459 for a couple of hours.
"I told (Smith) this gave us a fighting chance, that we could get things fixed and nobody would have to get hurt," said Owens.
The next day, after meeting with Scrushy, Smith agreed to sign the certification and become chief financial officer of the new surgical division, Owens said.
Seven months later, in March 2003, Smith became the first of 15 HealthSouth executives to plead guilty in what prosecutors describe as a scheme to overstate earnings by more than $2.6 billion. Among other things, Smith pleaded guilty to signing false statements under Sarbanes-Oxley on Aug. 14, 2002.
posted by Brian Moran @ 8:36 AM
Friday, February 04, 2005
Europe seeks US deadline extension
European companies are stepping up their efforts to secure more time to comply with the most complex and expensive provisions in the US Sarbanes Oxley legislation on accounting and corporate governance.
The UK's Confederation of British Industry will today send a letter to the Securities and Exchange Commission, the chief US financial regulator, asking for a significant extension to the deadline for non-US companies to comply with the legislation's provisions on internal controls.
If granted by the SEC, it would mean many European companies would not have to implement section 404 of the legislation, which requires controls to guard against fraud, until 2006.
The SEC is currently proposing that non-US companies must comply with section 404 for fiscal years ending after July 15 2005.
But William Donaldson, SEC chairman, said in a speech in London last month that he had asked the regulator's staff to consider “whether to recommend that we delay the effective date of the internal control on financial reporting requirements for non-US companies”.
Digby Jones, CBI director general, is expected to say in a letter to Mr Donaldson that non-US companies should not have to comply with section 404 until their fiscal years ending after December 31 2005.
About 300 European companies file reports with the SEC and will therefore have to comply with section 404.
More than 100 are UK based, and many of the companies have fiscal years ending on December 31.
European companies were pleased by Mr Donaldson's conciliatory speech in London last month, but they are keen to work out a better deal on extra time to comply with section 404 than some US companies recently did.
Large and medium-sized US public companies have to comply with section 404 for fiscal years ending after November 15 2004.
The SEC announced some limited concessions on November 30 when it said it would give some medium-sized companies an additional 45 days to file their reports on internal controls with the regulator.
European companies are already grappling with the European Union's requirements that they switch from national to international accounting standards this year.
The Sarbanes-Oxley provisions were introduced after a string of corporate scandals involving US companies.
Rhian Chilcott, head of the CBI office in Washington, said: “European companies have a uniquely difficult year in 2005, with the switch to international accounting standards.
“For this reason, we would like the SEC to delay implementation of section 404 for foreign companies until after December 31 2005.”
posted by Brian Moran @ 1:04 PM
Tuesday, February 01, 2005
SEC, PCAOB Provide More Answers On Internal Controls
Last week, the Securities and Exchange Commission and the Public Company Accounting Oversight Board provided additional answers to questions about Section 404 of The Sarbanes-Oxley Act.
Both statements, published in the form of "frequently asked questions," addressed the recent extension provided to smaller issuers in meeting internal control requirements. In November 2004, the SEC gave smaller companies an extra 45 days to file management and auditor reports assessing their internal control over financial reporting.
SEC's document focus, in part, on how the delayed filing of internal control reports will impact the securities offering process.
The SEC said in its original order that companies taking the extension would not be considered timely in filing their 10-K, which reduces their standing with the SEC for purposes of selling securities. The Q&As clarify how a company can navigate that 45-day gap between its 10-K filing and its amended 10-K filing to include the internal control reports.
Edwards Paul Edwards, an attorney with McDonald Hopkins in Cleveland and chair of the firm's Securities Law Practice Group, advises companies to pay particular attention to those procedures if they plan an offering during that 45-day delay.
The Q&As also reiterate the purpose of the 45-day extension. "The order allows companies to delay the filing of the internal controls reports, but it does not change the date of the assessment of effectiveness, which still must be as of the end of the company's fiscal year," the SEC says.
That means the SEC is not giving companies extra time to correct any internal control deficiencies that their assessments may reveal. That may be disappointing to companies who must report material weaknesses or deficiencies in their internal controls that they might otherwise have been able to correct in another 45 days.
The Q&As will help companies with the fine details of properly filing reports as a result of SEC's extension, but they do little to relieve the overall compliance burden for smaller companies, according to Edwards. "Nobody has enough people," he said. "It's taking longer than anyone expected, and it's more expensive than anyone expected."
posted by Brian Moran @ 9:06 AM