A TOUGH ACT TO FOLLOW
What CFOs really think about Sarbox – and how they’d fix the *!#& thing.
By David M Katz

Last November, a small group of Unica’s senior executives, lawyers, and auditors gathered over dinner to celebrate the launch of the company’s initial public offering. Overall, they were pleased; the August IPO of the US enterprise marketing management software provider had raised more than US$55m in a tough market. But over drinks, the group began to engage in some good-natured bantering about the events of the previous year.

The road to the IPO had been challenging. Unica’s managers had raced through a road show in 12 cities in two weeks. Getting material ready for the filing registration process with the US Securities and Exchange Commission (SEC) had been almost as exhausting. The reason: Rick Darer, the company’s CFO at the time, says auditors had grown unwilling to draft disclosures responding to SEC comment letters in the run-up to the offering. Darer (who left the company earlier this year) thinks the auditors wanted to make sure the issuer – not the auditors – took responsibility for all disclosures, even though the audit firm signed off on the final prospectus.

Such wariness did not go unnoticed. At the dinner party, someone asked what kind of gift would best symbolize the accountants’ work on the project? Without hesitation, Darer piped up: “a set of invisible-ink pens.”

Grousing about external auditors is nothing new. Since the passage of the Public Company Accounting Reform and Investor Protection Act (aka, the Sarbanes-Oxley Act) nearly four years ago, finance managers have done a whole lot of complaining about their suddenly soured relationship with engagement partners. They have also grumbled about the massive amount of work needed to comply with Sarbanes-Oxley. And they have questioned whether the law will prevent another Enron or another WorldCom.

It appears those complaints are not going away, either. According to a poll of 237 finance executives conducted in early January by CFO magazine, CFO Asia’s sister publication in the US, widespread dissatisfaction with Sarbox has led to a real desire to change the law. A fair number of surveyed executives would be pleased if several parts of the act were jettisoned. Even those who said they believe Sarbox is beneficial would revise the statute in some fashion. And while 19% of the respondents said they’re happy with the law as it stands, Don Barger, the CFO of YRC Worldwide, is more typical of how finance executives view Sarbox. “There have been benefits,” says the finance chief at the US trucking company. “But the cost is not worth the benefit.”

Control Freaks

The costs are indeed substantial. AMR Research estimates that, by year-end, US businesses will have spent US$20 bn on Sarbox compliance since the law was enacted. On average, AMR estimates that companies are laying out about US$1m on Sarbox compliance for every US$1 bn in revenues.

CFO’s survey shows an even greater hit to income. Finance managers at companies with annual revenues of US$500m or more indicated that Sarbox compliance had taken an average yearly earnings bite of more than 2%. Smaller companies were worse off. Respondents at businesses with sales of under US$500m said Sarbox compliance was devouring 4.5% of their earnings each year.

Much of that spending appears to be going for increased manpower – things like added internal auditors and extra accountants. Many of those employees are being used to document, test, and certify internal controls, as mandated by Sections 404 and 302 of Sarbox. The latter requires CEOs and CFOs to certify, based on their “knowledge”, the accuracy of all annual and quarterly reports, as well as the adequacy of internal controls over financial reports. Section 906 establishes criminal penalties for violators, with prison sentences running up to 20 years.

“Nobody wants to take on any more legal liability,” says Eric Bur, CFO of NIC, a government website builder in the US. Not surprisingly, more than half the respondents think the certification threshold should be lowered from “knowledge” to “best of knowledge and belief”. About one in four would like to see the quarterly certification limited solely to changes in disclosure controls and procedures.

Those results suggest finance executives have real questions about the value of identifying and monitoring hundreds, if not thousands, of internal controls. Even regulators have commented on the massive documenting. In a speech in December, SEC commissioner Paul Atkins noted that “people seem to be driven by the impulse to document virtually every process in an effort to be thorough and to avoid being second-guessed by regulators and litigators.”

Without a doubt, Section 404 wins as the most hated provision of Sarbox. Nearly three-quarters of those surveyed want to see it revised or repealed. Respondents at some smaller companies don’t think there’s any fixing it: 20% want the provision ditched entirely. Only 5% of all respondents believe Section 404 should be left as is.

Offered choices on how to fix 404, about 70% say they would like to see regulators raise the bar for “material deficiency”. Close to half want the attestation of internal controls performed once every three years, rather than annually

Many CFOs say they would like auditors to take a more sensible approach to testing. Rich Goudis, CFO of Herbalife International of America, a weight-management company, wants auditors to abandon the checklist approach that forces clients to put the same level of effort into mending each risk. Instead, public filers should be able to proceed on the basis of “risk-based assessments”.

The argument’s major flashpoint is the way auditors attack 404. Some finance chiefs feel that the Public Company Accounting Oversight Board (PCAOB) has taken a heavy-handed approach to Auditing Standard No 2 (AS2), which instructs engagement partners on how to check their clients’ internal-controls reviews. As a result, CFOs say auditors test and retest internal controls. Finance managers contend the prospect of auditor nit-picking forces clients into indiscriminate documentation of internal controls.

The PCAOB appears to be aware of the situation. In a November 2005 report, the board criticized auditors who “did not alter the nature, timing, and extent of their testing to reflect the level of risk.” By taking a one-size-fits-all approach to their testing, accountants apparently ignored the risk profiles of individual companies. “As a result, some auditors appeared to have expended more effort than was necessary in lower-risk areas,” the board stated, noting that “in some cases, a higher-risk area should have received more audit attention than it did.”

Robert Daleo, CFO of US information services provider The Thomson Corporation, believes the PCAOB should spell out “where the real pain points of cost and errors are.” He notes, for example, that the board has stated that external auditors may rely on the work of internal auditors and others. But Daleo maintains that the board should say that auditors must rely on the work of others. By taking discretion out of auditors’ hands, he argues, the board would also relieve engagement partners of the temptation to test everything.

You Make the Call

Other finance managers echo that sentiment. Six out of ten survey respondents said an auditor should be allowed to rely on the work of a client’s internal-audit staff. And close to half indicated they would alter AS2 to allow for greater input from independent auditors before the attestation phase. Says Donna de Winter, CFO of US-based Geac Computer: “We have to get to a practical position where [auditors] can provide you with advice without losing independence on all the numbers you represent.”

That’s not likely to happen soon. Robert Kueppers, deputy chief executive of Deloitte & Touche USA, counsels engagement partners to work with clients on technical issues but to stop just shy of providing them with the answers. The principle is simple, Kueppers says: while there should be “a robust discussion of the alternatives,” clients must arrive at their own conclusions.

The concept is spelled out in Section 103, and Section 201, which limits the types of services an external auditor can provide. That provision was intended, in part, to eliminate the type of clubbiness that led to problems at Enron and WorldCom, et al. But finance managers say external auditors even shy away from offering advice on topics that aren’t restricted by Sarbox, things like mergers and acquisitions and tax issues.

In practice, many finance executives miss their auditors’ advice. Two years ago, David Koeninger, CFO of Radiation Therapy Services in the US, sought information from his company’s auditor about how to calculate and report the sales of a minority interest in a business. To his surprise, Koeninger says he found the accountant suddenly tongue-tied. “Make your decision,” said the auditor, “and we’ll tell you whether it’s right or wrong.”

Koeninger would like a more collaborative relationship. Independent auditors should be allowed to review a company’s work and offer their observations, he says, rather than providing only a certified opinion. If you just “require them to attest to completeness and accuracy,” the CFO adds, “you don’t get your money’s worth.”

What’s more, failure to get an external auditor’s imprimatur on internal controls can prove disastrous for a company’s shareholders. In mid-January, management at Take-Two Interactive Software announced that the company’s external auditor was going to issue an adverse opinion on the game maker’s internal controls. Within days of the announcement, the share price of the maker of “Grand Theft Auto” dropped more than 20% – from around US$19 to less than US$15 – and has not made up much ground since.

Finance chiefs say the auditor-rotation provisions of the law are also causing unexpected problems. The requirement, detailed in Section 203, makes it illegal for a firm’s lead audit partner to service an account for more than five consecutive fiscal years.

Before Sarbox, lead partners typically worked on one account for seven or eight years. Apparently, a lot of finance chiefs would prefer to go back to the old arrangement: over a third of the polled executives indicated they would like to see Section 203 ditched or the rotation requirement eased (to every ten years, for example). And a large chunk of respondents – 64% – would oppose limiting the number of years an audit firm could work with a client.

The reason? Changing audit partners (or audit firms) can be a messy, costly business. Bringing in a new firm means paying the old firm for the use of the previous two years’ audited numbers. And switch-overs can disrupt smooth-running relationships, actually leading to – not reducing – errors. Says Bob Davis, CFO of US-based Computer Associates International: “A lot of audit failures happen when a new audit partner comes on an account.”

All Curriculum, No Vitae

It will also take some time before auditors absorb all the guidance coming from the PCAOB and the SEC. In the interim, finance executives say the lack of auditor input, along with the evaluation of internal controls every three months, has placed a heavy burden on corporate finance departments. Fully 75% of the respondents said that complying with Sarbanes-Oxley has substantially boosted their workloads, with about half noting that Sarbox compliance has made their jobs less satisfying. Nearly one out of four controllers indicated the added load has made them consider a career outside of finance. That’s worrisome, considering that competent controllers are seen as key players in the battle against accounting fraud.

While damning, such responses do not mean finance executives see no good coming from Sarbox. Almost a third of the respondents indicated that Sarbanes-Oxley compliance has actually been good for their careers. At Pitney Bowes, Steven Green was promoted from finance chief of global mailing (the US office technology company’s largest business unit) to corporate chief accounting officer. “I think most CAOs are happy to have Sarbanes,” he says. “It gives them a greater degree of comfort regarding processes and controls.”

Compliance with Sarbox has also led Pitney Bowes management to rethink some of its business processes. CFO Bruce Nolop reports that 404 documentation accelerated the company’s plans to bring all of its accounts-payable and accounts-receivable operations under one roof, for a reported savings of more than US$500,000. Adds Green: “When you have the head of a business thinking about controls in addition to making money, that’s clearly a positive.”

As for Darer, he thinks Sarbox has restored much-needed credibility to the numbers companies produce. That, in turn, has made potential shareholders more willing to invest in companies that go public. Says the onetime Unica CFO: “They know [the companies] have to be at a certain standard of governance.”

Time will tell if their faith in that standard is well placed.

David Katz is deputy editor of CFO.com. survey conceived by research editor don durfee.