Since its enactment in 2002, the Sarbanes-Oxley Act has been impressing observers with its sweep. From banning executive loans and auditor conflicts of interest, to setting up financial sign-offs by top executives, to governing audit committees and whistle-blowers, Sarbox cuts a wide swath through Corporate America.
In the first few years of compliance with the act, many finance chiefs seemed too busy to step back and analyze it. Now, however, most sizable companies have ample experience with the toughest parts of Sarbox: certification under Section 404 (governing internal controls over financial reporting) and Section 302 (governing sign-offs of financials by senior executives). With the hectic pace abating somewhat, some CFOs are willing to sound off on Sarbox’s shortcomings. And one of the biggest problems many have with the act is its very sweep.
Pressed by risk-averse auditors and stringent regulators, finance executives say they’ve been awash in a vast sea of details, with little ability to set priorities about what to focus on in their compliance efforts. Taking their inspiration from enterprise risk management (ERM) — a “holistic” approach in which a corporation’s entire array of threats is managed together — many finance chiefs favor a “risk-based” strategy of Sarbox adherence.
Instead of pursuing a checklist approach that calls for managers to put the same level of effort into mitigating each risk, the strategy would enable executives to channel corporate energies into the most serious problems. Complying with the act is a “broad and tedious” endeavor, drawing executives into excessive documentation of company processes, says Rich Goudis, the CFO of Herbalife, a Los Angeles-based weight management company.
By contrast, corporations should be able to proceed on the basis of “risk-based assessments,” according to Goudis. That would enable them to place a high priority on preventing financial misstatements, for example, and a low one on less pressing threats, he says.
The major flashpoint of the argument is the way that auditors attack Section 404. Some finance chiefs feel that the Public Company Accounting Oversight Board (PCAOB) has taken a heavy-handed approach to Auditing Standard No. 2, which instructs auditors on how to check their clients’ internal-control reviews.
As a result of AS2, accountants test and retest their clients’ internal controls to make sure their sign-offs are beyond question. For their part, CFOs contend that foreknowledge of independent-auditor nit-picking forces their companies into indiscriminate documentation of internal controls.
Not that auditors would have much reason to cut down on their work even if the rules were less demanding. They have “no financial incentive” to do less testing, says Robert Daleo, CFO of The Thomson Group. To an accountant, not doing an extra test would mean less fee money, he notes.
There are signs, however, that the PCAOB is moving towards a more flexible way of regulating auditor attestations. In a November 30, 2005, report on the initial implementation of AS2, the board criticized auditors who “did not alter the nature, timing, and extent of their testing to reflect the level of risk.”