One result could well be a dramatic change in the nature of the CFO job. Finance chiefs will likely have to dig much deeper into how their companies disclose their operations, says Meshulam, a former assistant chief litigation counsel with the SEC’s enforcement division. “That’s not a quarterly and annual involvement, with episodic 8-Ks,” she adds, ” but a steady stream — [or] a daily onslaught.”
Finance chief will need reinforcements to cope with the flood of required filings. One solution: Hire a full-time disclosure-controls supervisor or manager with a direct report to the CFO or another top executive, says Kevin Lesinski, a partner with Seyfarth Shaw in Boston. Can a boom in Chief Disclosure Control Officers (CDCOs) be far behind?
2. “Internal Controls” could mean much more than getting the numbers right.
On the face of it, Sarbox seems to refer only to finance when it talks about the need for management to report on and assess internal company controls.
The SEC has made statements suggesting it agrees with such limits. In a proposed rule it published in October, the commission provided an unremarkable definition of financial controls. Essentially, the regulatory agency said such controls are there to ensure that transactions are properly authorized, recorded, and reported, and that assets are safeguarded against improper use.
Nevertheless, the SEC remains vague about defining what “internal controls” will mean under Sarbox 404. Remember, since the findings of the private-sector initiative known as COSO (Committee of Sponsoring Organizations) were issued in 1992, the term has included operations and regulatory compliance, as well as finance.
A broad definition could have CFOs brooding over regulatory matters that are a far cry from what’s normally considered finance. FirstEnergy, for instance, is currently fighting Environmental Protection Agency charges that one of its plants is in violation of the Clean Air Act. But if the company is found to be out of compliance with the law, it faces heavy fines. Says Richards: “That’s an operating issue that can sure have financial ramifications if we were wrong.”
Further complicating matters is another feature of Sarbox 404: Auditors must attest to and report on management’s assessment of internal controls. “That will lever [compliance] up into something that’s going to cost a lot more time and expense,” says Steve Clark, a partner with Chapman and Cutler, a Chicago-based financial services law firm.
One problem, for sure, is that auditors will have to piece together new procedures to assess client controls programs. That will make it tough for quantitative-minded accountants to gauge performance evaluations and other soft information provided in management reports, Clark thinks.
3. Sarbox doesn’t stop at the shoreline.
Laws governing exports and imports and foreign-based bribes and money laundering don’t seem to have much to do with the domestically focused act.
But the onus that Sarbanes-Oxley puts on audit committees and independent auditors to ferret out wrongdoing is spurring a closer look at global operations, says Sturgis Sobin, a partner and director of the International Trade Regulatory Practice for Miller & Chevalier in Washington.