By Elizabeth Wasserman

Expert Voices: The Letter and the Spirit

Most large public companies now have until Nov. 15 to meet one of the most onerous provisions of the Sarbanes-Oxley Act—the requirement that they document their internal financial controls and then get an outside auditor to attest to the reliability of those controls. But what happens once that deadline for compliance passes? How will the Securities and Exchange Commission police Sarbanes-Oxley? Who will be the enforcers?

To answer these questions, technology journalist Elizabeth Wasserman interviewed two experts, one with experience in government, and the other with a background advising public companies on how to comply with accounting regulations. Laura Unger, an SEC commissioner from 1997 to 2002 and the acting head of the SEC from February to August 2001, is now a private consultant on financial services and technology to such companies as JP Morgan Chase & Co. Scott Green, head of audit and compliance at Weil, Gotshal & Manges LLP, is a CPA and author of Manager's Guide to the Sarbanes-Oxley Act: Improving Internal Controls to Prevent Fraud, published in February by John Wiley & Sons Inc.

Laura Unger, Former SEC Commissioner

A Culture of Compliance

CIO Insight: How will Sarbanes-Oxley be enforced?

Unger: The point of Section 404 is to make sure a company manages, in a sufficient way, to gather material information at the company level and ensure the integrity of that information before it reaches the marketplace. To the extent that company officials or an outside auditor determine that a company's internal controls are not adequate, that information would be provided in the company's public SEC filings. The staff of the SEC's Division of Corporation Finance, who review SEC filings, will work with the Division of Enforcement to make sure that management undertakes whatever is necessary to cure any deficiencies.

The public filings will also allow shareholders to get information about how their companies are gathering the information that's being reported to the marketplace. A lot of times the commission gets referrals from the public. So you, as a shareholder of a company, could read in the public filings that a year ago a company said it would fix its internal control structure by instituting a code of conduct for employees, forming a disclosure committee, etc. But this company hadn't done anything about it. That would raise issues for the commission.

So we're not going to see a unit within the SEC going out and looking for violators?

They can't go inspect. They can review the filings.

Should we read anything into the fact that the deadline for compliance with Section 404 has twice been pushed back by the SEC?

I think that companies are finding it incredibly hard to meet the requirements of Section 404. It's not necessarily because of mismanagement, but because it's a very broad and onerous provision.

So they've gotten feedback from companies saying they're not yet ready?

They want to know what the section means and how they're supposed to determine what "adequate" controls are.

What does it mean to be ready for Sarbanes-Oxley?

From what I've heard anecdotally, it's a huge cost burden for even the most well-run companies. The problem is that "internal controls" is not a well-defined term. People are still grappling with what it means. As with the certification of financial statements, management is concerned about their potential liability if they sign off on something they could be wrong about, so they want to make sure they get it right. When you layer on top of that the auditors' attestation to the internal controls, and the amount of scrutiny auditors have received in the whole two-year period of Enron, WorldCom and Sarbanes-Oxley, I think they are very skittish about certifying that the internal controls are adequate when they don't exactly know what it means. They are still looking for guidance on that.

Are these companies getting the guidance they need?

I'm not sure it's possible for the SEC to give broad-based guidance on what good internal controls are. Each company is so different in terms of operations. They should give guidance on where companies should be looking and how they can develop a process. Even if the SEC can give broad-based guidance, ultimately the CEO and auditor are going to have to go with an interpretation of that guidance they feel comfortable with. That has a lot to do with this being a new provision. It's also a function of the environment we're in right now—the anti-corporate-scandal environment. Nobody wants to be the test case.

What does the term "adequate financial controls" mean to you?

Adequate financial controls means that the company is getting all the information to the auditors that they need to prepare the financial statements, and that there's a good dialogue between the company and the auditors, and the auditors and the board. Look at the situation at Computer Associates. Did management have sufficient internal controls to make sure the sales people weren't backdating the customer sales agreements to make the numbers for the quarter? What were the adequate financial controls to make sure the numbers that got to the auditors were accurate?

Is there such a thing as minimum compliance?

Minimum compliance would be following the letter of Sarbanes-Oxley. Yet I think you have to read between the lines of the language of that. You have to look beyond the plain meaning of the act and keep in mind its goals—to promote accountability, independence and credibility in the marketplace. That means don't just do the bare minimum. Broker-dealers now realize they have to keep e-mails. That doesn't mean just taking all the e-mails and throwing them into a box. It means realizing they should have a system to make sure e-mails are easily retrievable if they are requested by the SEC, or by any other regulatory body.

Several SEC officials have said in speeches that companies also need to have a "culture of compliance." What does that mean?

You have to promote the right attitude and the right culture in corporate America. The right attitude is not to fleece the investors. It's to maximize the return to investors and promote transparency and credibility and promote accountability. I think we've seen over the last couple of years how important the right culture and the right attitude toward strong corporate governance are for a company, and how devastating it is if you don't have that. In fact, the head of the SEC's inspection office has said they are going to start inspecting broker-dealers and investment-advisory firms for cultures of compliance. Firms that have a strong culture of compliance are going to be inspected less frequently than firms that have a weaker culture of compliance. That's a whole new way of looking at regulation and inspection and enforcement. The SEC has the authority to regulate the conduct of broker-dealers and investment advisors. But that should also translate to what they want to see in the rest of corporate America.

Will the SEC bring a few high-profile cases to set an example?

The commission, if they find an egregious violation, will bring a case expeditiously. But I would not expect the commission to seize on a company that tried to comply with the requirements but somehow got it wrong, just in order to make an example of it. I don't think they're going to randomly pick on people. I think the commission is very sensitive to the number of regulatory and compliance burdens Sarbanes-Oxley has imposed.

Scott Green, Head of Audit & Compliance, Weil, Gotshal & Manges LLP

Good-Faith Compliance

CIO Insight: What will enforcement of Sarbanes-Oxley look like?

Green: The first line of enforcement lies in the role of the outside auditors, the external accountants. The new Public Company Accounting Oversight Board has set out new standards, and they will evaluate those standards and, where appropriate, take action through investigations and enforcement recommendations. That regulatory oversight previously had been performed by self-policing within the auditing profession.

Then we have the SEC, which has the ultimate authority and oversight. They will continue, as they have in the past, to take action against companies they believe are not meeting the spirit of the financial reporting requirements. They have a broad mandate. In the past, the SEC has reviewed financial statements issued by companies. Where they had a problem, they raised issues. I think they will continue to do that.

What whistle-blowers provide is also important. If a whistle-blower does contact the SEC, and the complaint is credible, I suspect the SEC will launch an investigation. Will they continually have people out in these companies, continually evaluating them? It's doubtful.

Do you expect that in the next few years there will be some high-profile enforcement actions to send the message that this act has teeth?

To the extent that there's real criminal activity, yes. Having said that, I do think corporate America is doing everything it can to comply with the letter and the spirit of Sarbanes-Oxley. If we enter a quiet period in the next couple of years after this, I would view that as a good thing, not necessarily lax enforcement or oversight.

Why did the SEC twice push back the deadline for Section 404?

Section 404 compliance has turned out to be a bigger job than most people originally envisioned. Companies are working hard to comply, and it's my opinion that the SEC recognized that companies are trying hard to do the right thing here, and that they need more time to do it. And with the PCAOB just putting out the auditing standards, it gives more people time to react.

What does it mean to be ready for Sarbanes-Oxley?

It means that you're able to prove to your auditors—because they are going to attest to your assertions—that you have a strong system of internal controls that can reasonably ensure the reliability of your financial reporting. People have to be prepared to provide their documentation to support their internal control structure. You have to be able to prove that you regularly test your internal control structure and that you believe it's operational. In the past, many of these controls may have been present but may have been informal. In other words, they weren't thoroughly documented, or the results were just communicated verbally—they weren't necessarily put in report form and sent periodically to management for review and sign-off.

How can information technology help companies comply?

Technology can play a key role in strengthening the internal controls structure. Automated preventive controls tend to be the strongest controls and manual detective controls the least strong. Wherever you can implement a technological solution that will prevent an event that you don't want to occur, that's best. Technology can also help monitor that control structure by automating key-performance-indicator reporting to senior management. If we can automate that reporting to senior management regularly and, more important, flag whenever there's an exception, that can add greatly to the control structure. Finally, you use technology to maintain documents. There are systems out there you can buy to help bring this all together so you know you have some type of documentation that addresses every significant control. That can be helpful, especially for large companies with far-flung operations.

Should companies just try to meet the minimum requirements?

It's certainly good business to take it further, as long as there's a cost benefit. You're trying to manage risk. You need to evaluate the downside and put in cost-effective controls. At the end of the day, if a control risk could severely hamper the corporation, you may want more than one point of control. You may want several points around that risk. Even the simplest businesses will have certain risks that they want to have a belt-and-suspenders approach to.

Do you anticipate any unintended consequences of the act?

I am concerned about how small and medium-size companies will be able to comply. It's not clear to me what is expected of them at this point. Basically, the PCAOB has referred back to the COSO Framework, the Committee of Sponsoring Organizations. They put out a framework in 1992 that recognizes that smaller companies may not have the same level of control as bigger companies, either due to their size or lack of resources.

Rather than have perfect segregation of duties across the organization, you will have the CEO or CFO or a small management team that is able to provide effective oversight that basically eliminates the need for a particular control. By oversight, they know that no fraud is occurring, that the checks that are clearing are properly authorized—those sorts of things. They see it all as it crosses their desks. But as an organization grows, obviously this is no longer effective because the managers can't keep their hands on everything. That's when you need to start implementing formal controls and formal segregation of duty and system-access restrictions and such. It's not clear to me how the auditors will see where the bright line is that says, "now you need to implement formal controls."

Elizabeth Wasserman is a Washington, D.C.-based writer. Formerly, she was Washington Bureau Chief for The Industry Standard.

This article was originally published on 05-01-2004