What You Don’t Know about Sarbanes-Oxley

Snares, pitfalls, and trapdoors: Sarbanes-Oxley is full of surprises. These five top the list.

If all goes well, FirstEnergy Corporation just might dodge a major financial reporting bullet. All management needs to do is meet its planned June 1 deadline for overhauling the company’s computer system.

That’s because the Securities and Exchange Commission isn’t likely to have gotten around to defining “internal controls” under Section 404 of the Sarbanes-Oxley Act by then.

If the SEC comes out with a definition before FirstEnergy’s conversion, the electric utility holding company would find itself under a crushing reporting burden. To comply with the section, FirstEnergy — and every other public corporation — must include an annual assessment of its “internal control structure and procedures for financial reporting” in its annual report.

The issue is: How broadly do you define financial controls? For instance, when FirstEnergy switches its ERP software from Oracle to SAP in the next few months, the change will affect a bevy of functions, including supply-chain management, human resources, work-order management, and general ledger. David Richards, the company’s director of internal auditing, says some of those functions — like general ledger — are clearly within the financial purview. Others, like work-order management, might not be.

Right now, it’s up for grabs whether the SEC would require only information about FirstEnergy’s finance function in the company’s internal controls report. It’s possible government regulators might want the company to cast its net over operations as well in the report. Richards says some auditors are expecting the commission to lay out broad requirements for internal controls reports. “They’re talking about the whole enchilada,” he says.

Lucky for First Energy that it’s likely to avoid the possibility of such a definitional nightmare. Even luckier for the company: By coming in on deadline, the company can sidestep documentation of its internal controls under both Oracle and SAP. Such documenting would involve a massive boost in record-keeping, the internal auditor thinks.

Many companies won’t be so fortunate, however. Now that the dust has settled on some of the more obvious tidbits of Sarbanes-Oxley (the requirement that CFOs and chief executive officers certify company financials, for example), a slew of disclosure concerns is emerging to trouble the sleep of finance chiefs.

Like the internal-controls provision, parts of Sarbanes-Oxley — and the SEC’s implementation of rules related to the act — threaten to spread far beyond finance and accounting, spilling over into operations reporting as well. For instance, a pending commission requirement would force companies to disclose a burgeoning menu of material events in just two days.

The real-time rule would put “pressure on the operational side of the business,” says Rick Fumo, a senior vice president with Parson Consulting, a financial management advisory firm.

One for-instance: If a company truck delivering toxic chemicals springs a leak, operations employees might have to speed that news up the chain of command to the comptroller so that an 8-K form could be filed. To grease the wheels, companies will need to tool up their reporting software and train line managers to communicate faster, Fumo says.


Your email address will not be published. Required fields are marked *