Most large public companies now have until Nov. 15 to meet one of the most onerous provisions of the Sarbanes-Oxley Actthe requirement that they document their internal financial controls and then get an outside auditor to attest to the reliability of those controls. But what happens once that deadline for compliance passes? How will the Securities and Exchange Commission police Sarbanes-Oxley? Who will be the enforcers?
To answer these questions, technology journalist Elizabeth Wasserman interviewed two experts, one with experience in government, and the other with a background advising public companies on how to comply with accounting regulations. Laura Unger, an SEC commissioner from 1997 to 2002 and the acting head of the SEC from February to August 2001, is now a private consultant on financial services and technology to such companies as JP Morgan Chase & Co. Scott Green, head of audit and compliance at Weil, Gotshal & Manges LLP, is a CPA and author of Manager's Guide to the Sarbanes-Oxley Act: Improving Internal Controls to Prevent Fraud, published in February by John Wiley & Sons Inc.
Laura Unger Former SEC Commissioner
A Culture of Compliance
CIO Insight: How will Sarbanes-Oxley be enforced?
Unger: The point of Section 404 is to make sure a company manages, in a sufficient way, to gather material information at the company level and ensure the integrity of that information before it reaches the marketplace. To the extent that company officials or an outside auditor determine that a company's internal controls are not adequate, that information would be provided in the company's public SEC filings. The staff of the SEC's Division of Corporation Finance, who review SEC filings, will work with the Division of Enforcement to make sure that management undertakes whatever is necessary to cure any deficiencies.
The public filings will also allow shareholders to get information about how their companies are gathering the information that's being reported to the marketplace. A lot of times the commission gets referrals from the public. So you, as a shareholder of a company, could read in the public filings that a year ago a company said it would fix its internal control structure by instituting a code of conduct for employees, forming a disclosure committee, etc. But this company hadn't done anything about it. That would raise issues for the commission.
So we're not going to see a unit within the SEC going out and looking for violators?
They can't go inspect. They can review the filings.
Should we read anything into the fact that the deadline for compliance with Section 404 has twice been pushed back by the SEC?
I think that companies are finding it incredibly hard to meet the requirements of Section 404. It's not necessarily because of mismanagement, but because it's a very broad and onerous provision.
So they've gotten feedback from companies saying they're not yet ready?
They want to know what the section means and how they're supposed to determine what "adequate" controls are.
What does it mean to be ready for Sarbanes-Oxley?
From what I've heard anecdotally, it's a huge cost burden for even the most well-run companies. The problem is that "internal controls" is not a well-defined term. People are still grappling with what it means. As with the certification of financial statements, management is concerned about their potential liability if they sign off on something they could be wrong about, so they want to make sure they get it right. When you layer on top of that the auditors' attestation to the internal controls, and the amount of scrutiny auditors have received in the whole two-year period of Enron, WorldCom and Sarbanes-Oxley, I think they are very skittish about certifying that the internal controls are adequate when they don't exactly know what it means. They are still looking for guidance on that.
Are these companies getting the guidance they need?
I'm not sure it's possible for the SEC to give broad-based guidance on what good internal controls are. Each company is so different in terms of operations. They should give guidance on where companies should be looking and how they can develop a process. Even if the SEC can give broad-based guidance, ultimately the CEO and auditor are going to have to go with an interpretation of that guidance they feel comfortable with. That has a lot to do with this being a new provision. It's also a function of the environment we're in right nowthe anti-corporate-scandal environment. Nobody wants to be the test case.
What does the term "adequate financial controls" mean to you?
Adequate financial controls means that the company is getting all the information to the auditors that they need to prepare the financial statements, and that there's a good dialogue between the company and the auditors, and the auditors and the board. Look at the situation at Computer Associates. Did management have sufficient internal controls to make sure the sales people weren't backdating the customer sales agreements to make the numbers for the quarter? What were the adequate financial controls to make sure the numbers that got to the auditors were accurate?
Is there such a thing as minimum compliance?
Minimum compliance would be following the letter of Sarbanes-Oxley. Yet I think you have to read between the lines of the language of that. You have to look beyond the plain meaning of the act and keep in mind its goalsto promote accountability, independence and credibility in the marketplace. That means don't just do the bare minimum. Broker-dealers now realize they have to keep e-mails. That doesn't mean just taking all the e-mails and throwing them into a box. It means realizing they should have a system to make sure e-mails are easily retrievable if they are requested by the SEC, or by any other regulatory body.
Several SEC officials have said in speeches that companies also need to have a "culture of compliance." What does that mean?
You have to promote the right attitude and the right culture in corporate America. The right attitude is not to fleece the investors. It's to maximize the return to investors and promote transparency and credibility and promote accountability. I think we've seen over the last couple of years how important the right culture and the right attitude toward strong corporate governance are for a company, and how devastating it is if you don't have that. In fact, the head of the SEC's inspection office has said they are going to start inspecting broker-dealers and investment-advisory firms for cultures of compliance. Firms that have a strong culture of compliance are going to be inspected less frequently than firms that have a weaker culture of compliance. That's a whole new way of looking at regulation and inspection and enforcement. The SEC has the authority to regulate the conduct of broker-dealers and investment advisors. But that should also translate to what they want to see in the rest of corporate America.
Will the SEC bring a few high- profile cases to set an example?
The commission, if they find an egregious violation, will bring a case expeditiously. But I would not expect the commission to seize on a company that tried to comply with the requirements but somehow got it wrong, just in order to make an example of it. I don't think they're going to randomly pick on people. I think the commission is very sensitive to the number of regulatory and compliance burdens Sarbanes-Oxley has imposed.