Sarbox Run Amok

Think Sarbanes-Oxley has been a drain on resources? Well, you ain’t seen nothing yet.

April 1 2005 by Chief Executive


 

Pitney Bowes CEO Michael J. Critelli knew the only way to approach Sarbanes-Oxley was fast, hard and relentlessly. But even foresight and planning didn’t anticipate the need for greater business process centralization, more information technology outsourcing, and more time spent resolving the Sarbox problems of less prepared business partners. “There are things you do because of your processes, and there are things you do because someone else has a Sarbanes-Oxley issue,” Critelli says.

It’s turning out that the more obvious demands imposed by Sarbanes-Oxley in financial accounting - the expense, the time investment, the extra audits - are just the tip of the iceberg. The mandated mix of “proper” business controls and personal liability is causing a chain reaction affecting boards, organizational structures, relationships with professional advisors and daily efficiencies of all public companies, and many private ones, though they are technically unaffected.

The results are affecting the way companies hire, structure their organizations, work with attorneys and accounting firms, and even choose major software systems. They’re also driving higher than anticipated spending in unexpected areas. To continue to take credit card payments, for example, Pitney Bowes suddenly had to invest even more into electronic security, on top of what it had already spent, because the card vendors were demanding that the company meet their own Sarbox audit requirements. As frustrating as it is, ultimately, CEOs may have few options but to grit their teeth and find ways to make the Sarbox investment pay off, one way or another.

Subtleties To Watch
  • Segregation of Duties: Departments that could affect transactions and the reliability of financial reporting could be candidates for firewalls - i.e., IT staff, shipping and receiving, etc. Employees whose responsibilities change should immediately lose old system clearances to avoid unanticipated “integration” of duties or access.
  • Organizational Chart: Through acquisition, reorganization, turnover or mistakes, employees can fall outside an organizational chart - a red flag because there might be no control or conflicting control over a person’s activities.
  • Personnel Qualifications: Controls could require a company to revisit qualifications to ensure that an employee remains matched to a job description as it changes over time. Waivers require documentation.
  • Whistle-Blowing: Companies must be ready to protect whistle-blowers from discharge, demotion, harassment or discrimination - even if the employee turns out to be wrong. This extends to subcontractors and agents.
  • Board Responsibilities: Companies may want to reconsider charters and responsibilities of various board committees - i.e., issues of strategic risk formerly under the audit committee might be better addressed by the board as a whole.
  • Avoid a Checklist Mentality: A typical approach to regulation is to create procedural and operational checklists. That can actually inhibit full compliance if employees think that anything not on the list must be permissible. All employees, as well as officers, must be trained to balance a specific list with the principles underlying Sarbanes-Oxley.

To be fair, some of the changes forced by Sarbanes-Oxley should have happened years ago. Segregation of duties is one example. No experienced manager would allow one person to issue purchase orders, enter new vendors and cut checks. Yet relatively few companies had applied the same logic to other functions such as IT, where a programmer might write, debug and maintain code for critical financial systems, giving that one person the opportunity to install electronic back doors for fraud.

The law has usefully forced dozens of other issues. But, as Booz Allen Hamilton principal Jim Newfrock points out, “Auditors are moving from fundamentally asking, ‘Do you have risk control around transaction activity?’ to a more nebulous ‘How good is the overall control environment?’”

The result has been scope creep, and outside audit firms are sometimes becoming draconian in their interpretations of the question. In author Bob MacDonald’s forthcoming book Cheat to Win: The Honest Way to Break all the Dishonest Rules, a former insurance industry CEO sat on the board of a company that had a whistle-blower complaint. An internal investigation, reviewed by both the audit committee and outside auditors, found no wrongdoing and the employee who complained was satisfied by the new information. But the auditors still insisted that management hire business forensic investigators and lawyers to the tune of several million dollars. “Their leverage was if you don’t do this, we won’t sign off on the end of year statement,” MacDonald says. “[Sarbanes-Oxley] is creating this chasm between the various professional disciplines charged with governance and financial controls. Instead of working with each other, they are going at each other.”

The reason is clear. CEOs, CFOs and boards all face financial and even criminal penalties, while the Public Company Accounting Oversight Board (PCAOB), created by Sarbox, has authority to punish accounting firms. Given the vague nature of the statute’s language - “an adequate internal control structure” - it was a good bet that professionals would seek to cover their posteriors. “Sarbanes-Oxley is so draconian in its threatened impact, I have seen people adopt the mentality of ‘every man for himself,’” MacDonald says.

Accountants as Regulators

The very nature of the term “auditor” has changed. “What it’s done is it’s made your outside accountants regulators,” says Anthony Abbate, president and CEO of Saddle Brook, N.J.-based Interchange Bank and an outgoing member of the Federal Reserve Board. In the past, he or his CFO could ask an auditor for an opinion on some plan. Now, he says, “they don’t even want to hear about what you’re doing. If they say, ‘Yes, you can do it,’ or they remain silent, they become complicit and subject to their own regulatory body. So you’re basically flying on your own.”

The concerns don’t end with the accountants. According to Jim Alterbaum, a corporate law partner at the New York firm of Moses & Singer, a board not heeding a lawyer’s caution about the Sarbanes-Oxley ramifications of an action could break the attorney-client privilege, which does not hold in a case of planned illegal activity. “There’s an open question of whether the lawyer has to take things to another level - to a regulator,” he says. Read that as the Securities & Exchange Commission. Tellingly, the American Bar Association’s ethics board has refused to take a position on the issue, a departure from its previously absolute stand on privilege.

The self-protection extends into the companies themselves. A client of Alterbaum’s had acquired a public firm whose outside accounting firm a year earlier had agreed to the CFO’s allocation of the purchase price to such categories as hard assets and good will. But two days before the SEC filings were due, the CFO “looked at the acquisition treatment and he said, ‘I think this is a lousy deal and I want to write it off.’” Over that year, investors had put money into the company based on the acquisition, but the board decided that the CFO was right and the company wrote off the deal. “Maybe if there were no Sarbanes, he would not have been as concerned,” says Alterbaum.

When you consider that there has been no time for case law to settle interpretations of Sarbanes-Oxley, it’s easy to see how many feel the need to take extreme action. “Even a completely harmless error that nobody cares about takes up hundreds and hundreds of hours of the auditors, the CEO, the CFO and the audit committee,” says Keith Crow, a partner in the Chicago office of law firm Kirkland & Ellis.

Stuck in Time Sinks

Even the rank and file has its own share of time sinks. When Interchange Bank deployed a new automated consumer loan system, employees examined each stage of the preventative and protective mechanisms to be sure that no one could manipulate or defraud the institution. Prudent enough. But Sarbanes-Oxley then required that someone compare the old and new systems side by side and document how the change would make things better. “You can never get a competitive advantage under Sarbanes-Oxley because you’re spending all your time validating stuff,” says Abbate. The bank used to move quickly from conception to execution, he says, but no longer.

In fact, Abbate has hired external auditors to do the bank’s quarterly Sarbox updates “because I can’t have my people tied up in that, or else they’ll never meet a customer or make a loan.” The auditor charges $100,000 a year; audit expenses are up 40 percent.

Baltimore-based Wise Metals Group, a major producer of aluminum can stock, is privately held but started to offer public bonds. As a result, it, too, became subject to Sarbanes-Oxley. Chairman and CEO David F. D’Addario increased headcount to cover the additional segregation of duties and work, matching junior people to appropriate tasks. But that had its own problems. “You find there are some clerical errors and mistakes that the older employee catches,” he says. “You almost have to do the work twice to make sure it’s done right.”

Putting young people in such a vital role also puts corporate intellectual property at risk. “They’re going to school on you, and when they leave they take that knowledge,” he says. “The next year they go to work for your competitor and take some of that inside information.”

Intellectual property problems will only increase as time goes on. Advances by competitors, industrial theft or loss of key patents can cause wild shifts in the value of IP, and therefore of the company.

If shareholders claim that such changes should have been reasonably foreseen, the lawsuits could fly. “We’re waiting for somebody, probably on the regulatory side or the shareholder side, to connect two dots,” says Gary Morris, a partner at IP specialty law firm Kenyon & Kenyon in Washington, D.C. “Nobody sees it coming, but when it does arrive, I think it’s going to make a splash.”

Is it any wonder corporate officers are nervous? Those at the top can only verify so much without abandoning their own responsibilities. “There’s no way in heck that the CEO would know [everything],” says Interchange Bank’s Abbate. “The larger and more complex a company becomes, the more difficult it becomes.”

In an attempt to hold people responsible, management is demanding that employees all the way down the line sign off on results. “We have found a whole range of issues and information [our members have] been asked to certify,” says Jim Kaitz, CEO of Bethesda, Md.-based Association for Financial Professionals. “You wouldn’t think someone in finance would typically have to sign off on a company code of conduct.” Those farther down in the organization are unlikely to be covered by insurance, raising serious questions about personal liability.

Public companies also are finding it difficult to recruit board talent, particularly for audit committees, and qualified CFOs. “Just look straightforwardly at the requirements that the SEC proposed to be a financial expert,” says Jim Miller, chairman of CapAnalysis in Washington, D.C., an analytical arm of law firm Howrey Simon Arnold & White. “Alan Greenspan doesn’t qualify.”

A growing number of companies are trying to jump ship by going private, but in the long run that won’t be a solution. If a company wants to leave open the possibility of an acquisition, particularly by a public firm, it will likely have to show Sarbanes-Oxley compliance.

There are silver linings. Pitney Bowes CEO Critelli found that Sarbox could be used as a tool to force changes he wanted to make anyway, such as increasing shared services. “It turned out to be a blessing,” he says. Compliance can drive greater board awareness of strategic risk, and can uncover weaknesses that if improved can make a company more competitive. But as Sarbox keeps wending its way through more corporate processes, it’s increasingly having consequences no legislator could have anticipated.