FEELING THE PAIN
Are the benefits of Sarbanes-Oxley worth the cost?
By Tim Reason

Bob Ross used to love his job as controller of clothing and housewares retailer Urban Outfitters. Today, he says, “I have no passion for this at all. If something doesn’t change soon, I’ll have to throw in the towel.”

Ross says he now spends his days “documenting countless procedures and processes, which to most employees of this company are second nature.” Section 404 of the Sarbanes-Oxley Act, which requires companies to document their controls, cost his company at least a penny per share in 2004, and turned his job into “a struggle to explain common sense,” he says. “I implore our lawmakers to repeal the internal-control requirements of 404,” wrote Ross in a recent, heartfelt comment letter sent to the US Securities and Exchange Commission (SEC).

Wrong crowd, right address. If companies get any relief from 404, it will come not from Capitol Hill, but from the SEC. Last month saw a veritable orgy of regulatory navel gazing – including an oversight hearing by US Representative Michael G Oxley’s Financial Services Committee on April 21. But the main event was an SEC roundtable in which businesses vented their frustration with 404. (Ross, ironically, couldn’t make it, because he was putting in 18-hour days to prepare his company’s 10-K). Any changes to 404 rules that result will depend heavily on SEC chairman William H Donaldson and, to a lesser extent, his counterpart at the Public Company Accounting Oversight Board (PCAOB), William McDonough.

Strong Supporters?

Chalk up this concentration of power in part to the government’s unified front just as the first big wave of 404 certifications began rolling in. The normally business-friendly White House has been noticeably silent on the issue. And Oxley and Senator Paul Sarbanes shut down any suggestion of legislative changes during a joint appearance at Georgetown University on March 10. “Most CFOs I talk to can quote [the Act’s] cost down to the dollar,” said Oxley. “Actually, they’ll quote it down to the dime.” But, he argued, that cost “is an investment in the strength of the United States capital markets.”

“The voices calling for a rollback of portions of Sarbanes-Oxley, citing Section 404 as the poster child for overregulation, are shortsighted,” Donaldson wrote in a Wall Street Journal op-ed piece on March 29. On the facing page, Oxley himself also took issue with “the pro-business voices now loudly calling for rollback.”

But exactly whose voices are these? Certainly, Ross begged for a repeal of 404 in his comment letter. And a survey released March 22 by executive search firm Christian & Timbers claims a third of 186 executives at Fortune 1,000 companies favor repeal of Sarbox.

Yet, in the week before Donaldson’s and Oxley’s comments appeared in the Journal, not a single major business or finance association contacted by CFO, CFO Asia’s sister publication in the US, would admit to any legislative effort to repeal or even change the act. Quite the contrary, most were quick to describe themselves as strong supporters. “We were one of the few business groups to support the Act,” says Financial Executives International (FEI) president and CEO Colleen Cunningham. “[Sarbox] itself doesn’t require any change.”

“The Business Roundtable supported [the Act],” echoes Thomas J Lehner, director of public policy. “There is no desire to open up the legislative process.”

Observers who point to the Financial Services Roundtable as aggressively supporting a rollback are mistaken, says president Steve Bartlett. “We supported the Act’s creation, and we support it today.”

Maybe Donaldson’s and Oxley’s references were aimed primarily at US Chamber of Commerce president and CEO Thomas J Donohue, who publicly fulminated about both 404 and the SEC’s aggressive enforcement practices earlier in the month. “The pendulum has swung too far,” intoned Donohue – ten times – while speaking about 404 to the Securities Industry Association on March 3.

Wishing Carefully

Yet, even Donohue professed the Chamber’s support for “many provisions” of Sarbox, and stopped short of calling for repeal, even of 404.

What’s this? Has the business lobby rolled over? After all, it found plenty to complain about in the past two months. According to a March survey of 106 large-company CEOs who belong to the Business Roundtable, nearly half said Sarbox and other new compliance requirements would cost in excess of US$10 million annually. An FEI survey the same month of 217 public companies with average revenues of US$5 billion pegged the average 404-compliance cost alone at US$4.36 million. Almost all – 94 percent – said the cost of compliance exceeded the benefits.

Investors don’t necessarily agree. “Obviously, to the extent 404 impacts earnings negatively, it’s a concern,” says Cynthia L Richson, corporate governance officer for the US$64.5 billion Ohio Public Employees Retirement System (OPERS). “On the other hand, who is measuring the cost of corruption and accounting scandals we’ve been through? Some cite that as contributing to a US$7 trillion, even as high as US$9 trillion, collapse in the capital markets.”

Indeed, observes McDonough, “the reason this legislation is so tough is because the American people rose in fury. They believed corporate leadership in America had let them down, which I believe [is true].” Sarbox, he points out, passed the Senate unanimously, and missed unanimous House passage by just three votes.

It is those numbers that best explain the muted response of business groups and individual company executives. There is, however, a massive effort under way to convince rule makers that their interpretation of Section 404 has gone far beyond what is needed to restore investor confidence.

Litany of Complaints

So exactly what changes would the business world like to see from the SEC, the PCAOB, and auditors? Perhaps the top complaint about 404 is that auditors must opine on management’s own assessment of internal controls. Since auditors already issue their own opinion about internal controls, that second auditor’s opinion is widely considered by business to be a duplicative and unnecessarily costly addition.

Not so, counters OPERS’s Richson. “Investors think that extra step is very much an important piece of making sure there are no weaknesses in controls,” she says, noting that investors have not forgotten the way auditors “rubber-stamped” management representations in the past. Indeed, former SEC chief accountant Lynn Turner noted during the roundtable that management at 87 percent of companies announcing material control weaknesses had previously certified the effectiveness of their controls.

All debate aside, the audit opinion on management’s assessment is one of the very few requirements actually spelled out by Congress in the original legislation, making any change highly unlikely.

Beyond that, many of the concerns expressed by CFOs arise from PCAOB Auditing Standard No. 2 (AS2) and the resulting behavior of auditors. As its name implies, AS2 was written for auditors. But with few other sources of guidance, auditing standards have become “‘back-door’ management requirements,” as Alamo Group internal-audit director Dennis M Stevens noted in his comment letter. Regulators have certainly indicated a willingness to consider changes to the standard if necessary. “The board’s interest is not in preserving the very first version of this standard for all eternity,” says PCAOB associate chief auditor Laura Phillips.

“Are things being done that are unnecessary? My guess is yes,” said McDonough at a Harvard Law School panel on regulation on March 7. “It is insane for small companies to have the same internal controls as General Electric.” The SEC roundtable, he says, is an opportunity to learn. “Then we – the SEC and the PCAOB – have to figure out how to do as much as we can administratively.”

But before any changes take place, regulators will have to decide whether the fault lies with AS2, or with the auditors who apply it. Irritation with the auditors’ indiscriminate approach to all controls regardless of risk ran high during the April 13 roundtable, a sentiment compounded by the auditors’ refusal to provide any advice or counsel for fear of violating independence rules. AS2, notes the FEI’s Cunningham, “states throughout the standard that the auditor needs to use judgment. But the auditors were terrified to use judgment.”

Most CFOs would agree. The most mundane and frequently cited example is the emphasis on signing or initialing control documents as proof that a control actually worked. “We believe AS No. 2 properly outlines ... appropriate tests of controls,” Plum Creek Timber CFO William R Brown told the SEC. In practice, however, Brown and others say auditors focus largely on documentation, doling out deficiencies for missing paperwork or initials even if the control in question is working. “Some of it is just silly,” agrees Mike Coke, CFO of AMB Property. “If you have proof the review happened, why do you need to keep a piece of paper?”

“We need to deal with the real possibilities of management override and financial-reporting risk,” argues Computer Sciences (CSC) CFO Leon J Level, who put reducing unnecessary levels of documentation high on his list of recommendations to the SEC. “Making sure every piece of paper is initialed before handing it over to auditors doesn’t change the likelihood that financials are fairly presented.”

The FEI’s Cunningham hopes that a reasonable approach by the PCAOB as it begins to inspect auditors’ work will eliminate such overkill. “It’s the first time the auditors are being regulated, and the inspection process from the PCAOB will drive their behavior.” At the roundtable, McDonough promised “evenhanded” inspections. “It is at least as likely that we will find that the work [auditors] did was excessive as it was inadequate. Now, will we throw someone in jail for an excessive audit? Not likely. However, will we have a very severe conversation with the management of that audit firm? You bet.”

Bright Lines

Another major concern for CFOs is the definitions of “significant deficiency” and “material weakness". There are no specific figures defining a significant deficiency or material weakness in the auditing standard. But CSC’s Level and his staff parsed the accounting world’s definitions of “inconsequential” and “remote” to conclude that auditors would define a significant deficiency as one that had a greater than 5 percent chance of resulting in a misstatement of 1 percent of earnings before taxes. Coke says he arrived at the same conclusion, but adds: “One percent of net income would have been a penny-and-a-half a share, and I think in terms of pennies, so we ended up going with a more conservative threshold.” Either way, Level says the threshold is too low, causing companies and auditors to spend too much time on minor issues. “In a lot of cases, we are looking at deficiencies that are quite unlikely to result in a misstatement,” he says. A less onerous definition of “significant deficiency”, says Level, would do more than any other change to reduce the cost of 404.

But is that likely? When it comes to materiality, let alone a material weakness, the SEC has long eschewed bright-line tests. Moreover, any effort to raise the threshold on internal controls could be seen as weakening 404. Nonetheless, both the SEC and the PCAOB already have responded to certain corporate concerns. On March 2, the SEC announced a one-year extension of the 404 deadline for foreign firms and small companies with a market cap of less than US$75 million. “I have great sympathy for the small- and mid-sized companies that in some cases actually have very good internal controls, but are much less formal than a large, complicated company,” McDonough told CFO in August 2004. And in March the PCAOB proposed a new standard for companies that have fixed a material weakness. If adopted, companies could hire an auditor to attest to the fix immediately, rather than waiting until year-end. That doesn’t change any existing rules, but it does address the corporate need to reassure investors.

But the business community will be out of luck if Donaldson is less receptive to suggestions than it hopes. Not only is he the SEC’s chairman, he’s also the swing vote between the two Republican and two Democratic commissioners. And while McDonough has made sympathetic noises, any changes the PCAOB makes must be approved by the commission.

“I was skeptical that we would even get any movement on this,” says AMB’s Coke. “But I actually am hopeful that they may listen and say let’s do version 2.0.” If not, there’s always Capitol Hill. Says Lehner: “If these [cost] numbers continue to increase, that’s something we would revisit.” Echoes Bartlett of the Financial Services Roundtable: “Our focus for 2005 and 2006 will be on regulatory and implementation changes. When we get closer to completion on that, we can revisit the legislation.”

Tim Reason is a senior writer at CFO in the US.