Since its enactment in 2002, the Sarbanes-Oxley Act has been impressing observers with its sweep. From banning executive loans and auditor conflicts of interest, to setting up financial sign-offs by top executives, to governing audit committees and whistle-blowers, Sarbox cuts a wide swath through Corporate America.
In the first few years of compliance with the act, many finance chiefs seemed too busy to step back and analyze it. Now, however, most sizable companies have ample experience with the toughest parts of Sarbox: certification under Section 404 (governing internal controls over financial reporting) and Section 302 (governing sign-offs of financials by senior executives). With the hectic pace abating somewhat, some CFOs are willing to sound off on Sarbox’s shortcomings. And one of the biggest problems many have with the act is its very sweep.
Pressed by risk-averse auditors and stringent regulators, finance executives say they’ve been awash in a vast sea of details, with little ability to set priorities about what to focus on in their compliance efforts. Taking their inspiration from enterprise risk management (ERM) — a “holistic” approach in which a corporation’s entire array of threats is managed together — many finance chiefs favor a “risk-based” strategy of Sarbox adherence.
Instead of pursuing a checklist approach that calls for managers to put the same level of effort into mending each risk, the strategy would enable executives to channel corporate energies into the most serious problems. Complying with the act is a “broad and tedious” endeavor, drawing executives into excessive documentation of company processes, says Rich Goudis, the CFO of Herbalife, a Los Angeles-based weight management company.
By contrast, corporations should be able to proceed on the basis of “risk-based assessments,” according to Goudis. That would enable them to place a high priority on preventing financial misstatements, for example, and a low one on less pressing threats, he says.
The major flashpoint of the argument is the way that auditors attack Section 404. Some finance chiefs feel that the Public Company Accounting Oversight Board (PCAOB) has taken a heavy-handed approach to Auditing Standard No. 2, which instructs auditors on how to check their clients’ internal-control reviews.
As a result of AS2, accountants test and retest internal-control audits to make sure their sign-offs are beyond question. For their part, CFOs contend that foreknowledge of independent-auditor nit-picking forces their companies into indiscriminate documentation of internal controls.
Not that auditors would have much reason to cut down on their work even if the rules were less demanding. They have “no financial incentive” to do less testing, says Robert Daleo, CFO of The Thomson Group. To an accountant, not doing an extra test would mean less fee money, he notes.
There are signs, however, that the PCAOB is moving towards a more flexible way of regulating auditor attestations. In a November 30, 2005, report on the initial implementation of AS2, the board criticized auditors who “did not alter the nature, timing, and extent of their testing to reflect the level of risk.”
By taking a one-size-fits-all approach to their testing, accountants apparently ignored the risk profiles specific to individual companies. “As a result, some auditors appeared to have expended more effort than was necessary in lower-risk areas,” the board stated, noting that “in some cases, a higher-risk area should have received more attention than it did.”
Now, the PCAOB is telling auditors to customize their internal-control attestations. As they pick up more experience in such audits, the board expects them “to focus on the particular risks” of each client’s control system.
Some think that the board should be even more specific and spell out “where the real pain points of cost and errors are,” in Daleo’s words. For example, the PCAOB has stated that external auditors may rely on the work of internal auditors and others rather than retracing previous steps. Daleo maintains that the board should instead say that auditors must rely on the work of others. By taking discretion out of auditors’ hands, the board would also relieve them of the temptation to test everything.
For some finance chiefs, a risk-based approach means more than just the ability to set priorities; it also helps determine marching orders for a company’s enterprise risk management program. Pitney Bowes, the Stamford, Connecticut-based mail and document-management company, is in the opening stages of an ERM effort that finance chief Bruce Nolop would like to see used as a model for Sarbox compliance.
Rather than focusing on maintaining a set number of mandated procedures, the ERM approach has forced Pitney Bowes executives to regard the company’s risks from “a macro, shareholder-advantage perspective,” Nolop says. Working closely with the audit committee and the entire board of directors, managers began the process by asking employees from many different departments a question: What risks could have a material impact on the company?
The CFO finds it interesting that the biggest risks didn’t end up being financial ones. The most-often-cited threats include impairment of the company’s brand image and breaches of customers’ privacy. Nolop says that executives were already made aware of financial risks through the company’s routine business activities; for example, during efforts to obtain financing for customers, they learned a great deal about the effects of interest-rate fluctuations. Hedging and other mitigation techniques are already in place at the company for such exposures, he says.
In comparison to a “procedural” approach to regulatory compliance, which tends to treat risks as stemming from isolated business units, the ERM approach looks at the ripple effect throughout the entire company and beyond, according to Nolop. Concerning supply-chain risk, for instance, executives first consider what they would do if the company ran out of certain parts, then address how they’d respond if the parts suppliers ran out themselves.
Ironically, ERM can be a less efficient process than simple Sarbox compliance. For Sarbanes-Oxley — as CFOs know all too well — regulators and auditors have provided pages and pages of implementation guidance. On the other hand, says Nolop, an enterprisewide approach to risk “means you flounder a little bit to come up with the best processes and procedures. But in the end,” he adds, “you are able to go where the analysis takes you, and you come up with better understanding.”