File this one under “B” for best-laid plans.
In March 2005, external auditors from PricewaterhouseCoopers began arriving at the Louisville headquarters of lighting fixture and controls maker Genlyte Group Inc. The engagement partners were there to review Genlyte’s inaugural round of internal-controls attestation. These annual love fests , stipulated by Section 404 of the Sarbanes-Oxley Act, require external auditors to thoroughly test the adequacy of clients’ key controls over financial reporting.
Genlyte CFO Bill Ferko recalls that his internal audit staff and PwC had already gone several rounds with 404. In a yearlong run-up to the meeting, Genlyte’s internal audit staff had carefully documented critical business processes, identified deficiencies, and put controls in place. Given the prep work, Ferko felt reasonably confident the company’s internal controls would pass muster.
But when the engagement partners from PwC began sifting through the paperwork, Ferko was taken aback. The auditors uncovered several deficiencies in the financial controls at Genlyte, including material weaknesses in three of the company’s financial-statement accounts. The failing grade meant the $1.2 billion (in revenues) Genlyte had to disclose the problems to the Securities and Exchange Commission. In the aftermath, the company’s share price fell 9 percent. Recalls Ferko: “The Sarbox standards of evidence were more rigorous than we’d expected.”
Since that unpleasantness last year, Ferko’s finance staff has worked hard to remediate the exposed deficiencies. This time, though, Genlyte management is taking no chances. Last fall, the company hired its former independent auditor, Ernst & Young, to conduct a preaudit ahead of the final audit by PwC. “We’ve got internal auditors, external auditors, and consulting auditors,” notes Ferko. “There are auditors all over the place here now.”
It’s becoming a familiar scene. With corporate reputations — as well as their own — on the line, finance managers are increasingly relying on outside advisers to help with internal controls. Typically, the third-party consultants come from the Big Four accountancies, second-tier firms like BDO Seidman and Grant Thornton, or business-process specialists such as Protiviti Inc. or Paisley Consulting. And there appears to be no shortage of work, either. In a survey of public-company executives conducted by CFO magazine earlier this year (see “A Band of Outsiders” at the end of this article), nearly 60 percent of managers said they had hired third-party consultants to help with Section 404 certification.
This consulting jag is being spurred, in part, by the sheer amount of work involved in documenting and testing scores of internal corporate controls. Mostly, though, finance chiefs say they’re bringing in outside auditors because they can’t get answers from their external auditors, who appear spooked by Sarbox’s tough auditor-independence provision. At industrial products maker SPX Corp., management hired PwC because independent auditor Deloitte & Touche “will not give us any advice at all,” claims Dan Ladenberger, former CFO and current division head at the Charlotte, North Carolina–based manufacturer.
So, SPX managers consult with PwC, which has helped the company document workflows related to 404 compliance. The manufacturer’s other two dozen or so business units also retained additional third-party auditing consultants for advice on processes and documentation. Ladenberger, echoing a growing legion of frustrated corporate managers, says the third-party advisers fill a void created by the “nearly draconian” stance adopted by the company’s external auditors. “We need to express ourselves frankly,” he complains. “And we need to be able to ask [important] questions without risking scrutiny and skepticism.”