Hardly Ready for Sarbanes-Oxley

It's crunch time for U.S. companies to vouch that their internal controls meet the new higher standard. Many won't make it

By Amey Stone

Inside the sleek office towers of Corporate America, far from the façade that most businesses present to outsiders, publicly traded companies are racing against the clock. Their task: To comply with some of the most far-reaching federal regulatory changes they've ever faced -- and to do so before yearend. Many execs find their stomachs churning.

Section 404 of the Sarbanes-Oxley Act, which passed in July, 2002, in the wake of major corporate scandals, requires that management of any large public company that ends its fiscal year on Nov. 15, 2004, or later, assess its internal controls over financial reporting. These are the nitty gritty of procedures that govern actions such as issuing checks and recording sales. Then, companies must hire independent auditors to "attest" to the accuracy of management's report. Both management's and auditors' assessment must make it into the annual report for 2004.

"It's a fire drill," says John Hagerty, an analyst at AMR Research in Boston. Companies have spent much of the last 18 months racing to comply with the 404 deadline, which has already been extended twice. The Securities & Exchange Commission has indicated the deadline is unlikely to be pushed back again (see BW Online, 9/20/04, "Coping with the Compliance Crunch").

"CUEING UP A STORY."

  Even with the deadline delayed twice, many companies likely will be forced to admit to deficiencies in their internal controls -- mainly because they don't have time to fix all the problems that are cropping up before the end of their fiscal years. Auditors estimate that they'll report shortcomings at 10% to 20% of public companies.

"There are some problems," says Lynn Edelson, a partner at accounting firm PricewaterhouseCoopers. "Do I think it's massive? No, I don't. But there will definitely be some companies that get an adverse opinion on their internal-control environment." Edelson notes that timetables for getting the job done are slipping, and these issues are "causing some concern at the board level."

Already this year, more than 300 companies have admitted in SEC filings to some weaknesses in their internal controls, according to newsletter Compliance Week, which tracks such disclosures. In August alone, 96 outfits reported problems -- and the monthly number has been rising steadily all year. "It appears that companies are cueing up a story," perhaps in anticipation that they'll need to report internal-control deficiencies in their annual reports, says Scott Cohen, editor of Compliance Week, who notes that recent disclosures include detailed plans to fix the problems that are uncovered. "The market hates surprises, and companies are trying to avoid surprises."

FIRST-YEAR MERCY.

  At stake is the company's market value, reputation with investors and regulators, and possible exposure to lawsuits. Although Hagerty doesn't expect companies to actually miss the SEC's filing deadline, if they report weaknesses, essentially they'll be signaling the public that their financial statements may be inaccurate. Then, if the stock price goes down because of financial error, plaintiffs can argue that a company should have had stronger internal controls in place.

If companies miss the deadline altogether -- perhaps because they didn't give auditors enough time to complete their testing -- technically they would be noncompliant with SEC rules. Given the possible repercussions, SEC officials promise some leniency this first year as deficiencies crop up.

Why are companies finding complying with Section 404 so difficult? Partly because they're at a stage in the process where their own internal testing, as well as their auditors' testing (which comes after they've officially asserted that controls are in order), is turning up more problems than expected. A survey of large multinational companies released in late July by PricewaterhouseCoopers found that 79% said they still had to make improvements to processes -- including financial reporting, auditing, computer controls, and security controls -- to comply with Section 404.

"SMALL IMPERFECTIONS."

  In their defense, companies complain that the scope of the requirements has widened since Sarbanes-Oxley first passed, and that guidelines for auditors, which were issued only last March, are more demanding than they expected. Initially, companies thought they had to improve controls only in finance departments. Now they're finding they must beef up controls in operations and info-tech departments as well, explains Hagerty.

"We're looking at everything from payroll to accounts receivable," says Dan Churay, general counsel of trucking company Yellow Roadway (YELL ). "Auditors are being very conservative, which is forcing people to remediate very small imperfections that might never have been a problem. These aren't the sorts of things the law was intended to grab at."

Time is already running out for fixing problems. For some checks performed at the end of the month, auditors require that any fixes be in place for two months. For companies on a calendar year, "that leaves them until Nov. 30 to fix a problem they find now," says Tim Welu, chief executive of Paisley Consulting in Cakto, Minn.

Video Q&A: Compliance Rush

Paisley Consulting CEO Tim Welu on why many companies will be late meeting the new Sarbanes-Oxley rules

SECURITY SNAFUS.

  Some companies may already have run out of time. If their auditor is requiring that a control work without a hiccup for two quarters in a row and it fails in September, the company may not get a clean report for 2004 even if the control is fixed by December. "I don't think we have any issues, but that's the sort of thing that creates anxiety," says Churay.

Even worse, "these are not always easy fixes," says PricewaterhouseCoopers' Edelson. Consider security clearance as one small area needing a fixup. Let's say an employee gets moved from one department to another. Ideally, the company would revoke all the security clearances for that employee for her old job. A cornerstone of internal-controls policy is that certain duties have to be segregated (so, for example, the same person can't both unload inventory and access inventory computer records, which would make it easy for the employee to cover tracks if he or she stole from the company).

The problem: Auditors are finding that companies have to go back and revise rules for many procedures. "Companies move people, and they aren't very good about going back and cleaning up their access rules," says Edelson.

For a huge multinational with thousands of employees, that job alone is daunting. Repeat that level of fix across hundreds of different internal-control processes and you get a sense of the overall challenge. By Amey Stone

"LOST IN THE FOREST."

  Are companies sounding the alarm? Not yet, most experts say. "I believe there is probably less panic than probably is justified," says Barry Lurie, a partner in IT consulting firm Unisys' (UIS ) Global Infrastructure Services business. "I've talked to a number of clients who aren't sure how far they need to go," he says. "They sort of think they have it covered."

But he says another group is finding the process a quagmire. "They're saying, 'Now that we're into it, we're lost in the forest and can't find the path.'"

Companies that are running behind are scrambling for help. In many cases, neither experienced auditors nor software tools are available. Consultants and software companies say they field daily calls asking for compliance help but often have to refer callers back to accounting firms that already have all the work they can handle. "There's a real shortage of resources that really understand how to do this work," says Edelson.

SAPPING TIME.

  Even companies that are on track with Section 404 aren't happy about it. Cost is a primary concern. A rough estimate used by Hagerty is that companies will spend $1 million on meeting the regs for every $1 billion in revenues. Trade association Financial Executives International found in August that the cost of compliance has exceeded budgeted plans by 62% on average, with a company that has revenues of $2.5 billion typically spending around $3.1 million.

PSS World Medical (PSSI ), which markets and distributes medical products, estimates it will spend $1.5 million to comply and so far has found no material or significant weaknesses in controls. "In my view, we had reasonably sound internal controls before," says David Bronson, chief financial officer. "I have a hard time finding a return on that investment."

He estimates it's taking 20% of his time as CFO, in addition to weekly meetings involving most of senior management. Moreover, the company's fiscal year doesn't end until next Mar. 31. PSS is "reasonably on time," he says.

NEGLECTED PROBLEMS.

  Churay points not only to the cost of compliance but also to the time and effort, which diverts management's attention from work that would do more to help build the business. Yellow Roadway was formed from a merger last December. "There could have been upsides [from the merger] that will be more difficult to realize because of resources that have been deployed on this project," he says.

Companies also may have other compliance-related risks that are going unchecked because of so much emphasis on internal controls, worries Anthony Miller, an executive vice-president at LRN, which provides software for compliance and ethics-related training. "With all the focus and resources are being spent on the Nov. 15 deadline, there's a real risk of significant exposures in other areas," he believes.

Many economists maintain that the massive attention to complying with these regulations is a drag on economic growth. An Aug. 16 analysis from Moody's Investors Service noted, "Time spent complying with compliance requirements is time lost to product development and revenue enhancement." The software sector has been particularly hard hit. In a survey Hagerty conducted in September, 30% of companies said they had delayed software purchases due to Section 404, a finding that surprised him.

LONG AND PAINFUL ROAD.

  Next year, this effort should go much better. Software companies are racing to design better tools that will aid compliance with Sarbanes-Oxley while also generating benefits from having stronger controls in place. "This started out as a process problem, and IT didn't get to the table until late in the game, which is unfortunate," says Lurie.

Ultimately, strengthened internal financial controls will be healthier for Corporate America. "You want to have a mechanism in place for preventing abuses like Enron from occurring again," says Selva Ozelli, an international tax expert with research firm RIA-Thomson. "You don't want people to lose faith in the market-based economy because of a few corporate scandals."

That's certainly a worthy goal. But for now, companies are more focused on the minutiae of their internal-control processes, and many of them are hating every minute of the ordeal. While the race is on, the rush to meet the Section 404 deadline is likely to eclipse most everything else. Maalox, anyone?

Stone is a senior writer at BusinessWeek Online in New York

Before it's here, it's on the Bloomberg Terminal. LEARN MORE