Living With Sarbanes-Oxley

How companies are coping in the new era of corporate governance

By DIYA GULLAPALLI
Staff Reporter of THE WALL STREET JOURNAL
October 17, 2005; Page R1

When the strict new corporate-governance law was enacted in 2002, companies struggled to meet shifting demands and deadlines -- and battled their auditors over how to interpret the requirements. But now companies have started to find their footing. And they're taking the lessons they've learned and codifying them into company policy.

These new strategies cover a host of areas. Companies are streamlining their internal audit procedures. They're coming up with better ways to train employees in compliance, as well as spreading the workload more evenly to avoid employee burnout. Most important, they're learning to make peace with their auditors.

All the hardship may be paying off: Companies and auditors seem to be coming out of these tough times with a rigorous new accounting discipline. For instance, a July study by New York University found 227 restatements in the first two quarters of this year, compared with 282 in all of 2004. The trend could suggest that auditors and companies were extra careful in hewing to accounting rules.

Of course, the new guidelines also proved to be costly for companies -- and lucrative for auditors. A University of Nebraska study in June found that average audit fees almost doubled in 2004 for a sample of Fortune 1000 companies.

THE IMPACT ON SMALL FIRMS

PODCAST: Journal reporter Diya Gullapalli discusses Sarbanes-Oxley's impact on small business and why it has become a controversial issue. Plus, what investors can do to cope with delayed compliance deadlines for small businesses.

Another study, from law firm Foley & Lardner LLP, found that audit fees increased 61% on average last year for a wide sampling of companies in three Standard & Poor's Corp. stock indexes, including the S&P 500. This year, according to AMR Research, a technology-research outfit in Boston, U.S. public companies will spend a total of $6.1 billion complying with Sarbanes-Oxley rules, a figure that includes everything from staffing to consultant fees to technology.

The centerpiece of Sarbanes-Oxley is internal controls: the checks and balances that make sure public companies record assets, liabilities and other items accurately on financial statements. Under Sarbanes-Oxley, companies must make sure their controls are sound, then have an auditor sign off on them.

One of the biggest problems companies had with compliance last year was the constant creation of new rules and standards by regulators who were still in the midst of translating the legislation into regulations. Section 404 of Sarbanes-Oxley, which lays out internal-control rules, is only two paragraphs long; it simply states that company management and auditors must certify the soundness of internal controls in annual reports. The newly created Public Company Accounting Oversight Board was assigned to help write up specific guidelines -- which meant companies had to start assessing their controls while the rules were still being created.

And companies couldn't turn to their auditors for guidance. Under the regulators' guidelines, auditors can't help companies design or implement their controls, because the auditors must eventually sign off on the companies' work. Helping the companies might compromise the auditors' role as independent observers. Some auditors, wary of violating rules, went even further and refused to offer advice on a host of other complex accounting matters -- making things even more confusing for companies.

The result: escalating tension. Foley & Lardner's report, for example, quotes corporate executives as saying that internal-control reporting "created an adverse relationship with auditors," in part because executives felt like they were paying auditors for advice and then not getting it. The rising price tag seemed to make things worse: One boss cited in the report said that auditors' higher fees meant the auditors "now drive a Mercedes instead of a Buick."

So, what have companies learned over the past few years? Dow Chemical Co. offers some clues. Dow makes more than 3,500 products, ranging from Styrofoam to farm fungicides, which meant surveying about 30,000 different internal systems. The targets were as large as company computer networks -- and as small as making sure sales contracts for customers in Mexico City were properly authorized.

Last year, the Midland, Mich., company spent more than 100,000 man-hours getting its controls in order -- a job that cost more than $12 million and frequently put Dow's compliance officers at odds with auditors.

Dow started its compliance efforts in mid-2003 by scrutinizing access to computer systems. It then went on to examine inventory-counting procedures at big warehouses and management's ability to question large accounting expenses, as well as profit targets in top offices. Targets that were too high could create pressure for managers to cook the books.

More than 20 Deloitte & Touche LLP auditors sat one floor below Dow's finance staff at the company's Michigan headquarters, crunching numbers to include in financial statements. But because of the independence rules, the auditors couldn't help Dow as it labored through some of the control work.

On several occasions, Deloitte held meetings of its partners and returned to Dow with new interpretations of what the firm could help with, says Frank Brod, Dow's controller. The auditors became increasingly reluctant to offer advice on mergers, joint ventures and other complicated accounting, he says.

This led to "much more tension with the auditor in 2004 than there had been in previous years," says Mr. Brod.

The confusion became disruptive. In one case, Deloitte spent three months reviewing and testing controls at one of Dow's offices in Singapore -- before Dow was done testing the same controls, according to Mr. Brod.

A Deloitte spokesman declined to comment, saying the firm doesn't discuss individual client issues.

But compliance is getting easier for Dow and its peers. One of the biggest reasons: Regulators appear to be finished churning out new rules, meaning companies and auditors finally have fixed standards to work toward. And earlier this year, regulators clarified the type of help auditors can offer with control reporting, making it clear that for the most part, auditors are prohibited from helping companies design their controls or do other work that violates their independence. But they encouraged auditors to help companies as much as possible in other matters.

"Things seem to be going smoother this year," says Mr. Brod. Dow and Deloitte "agreed to a plan and are trying to stay with it."

Mr. Brod now meets with the lead Deloitte audit partner at least every other day to check in on Sarbanes-Oxley compliance and other work, and Dow's Sarbanes-Oxley team has a progress meeting with the auditors every two weeks. Mr. Brod says both sides come to the meetings more prepared, and Deloitte is more confident in the rules and can quickly answer questions.

Moreover, Dow has streamlined the communications with Deloitte. Dow has identified about a dozen senior managers who are responsible for coordinating with the Deloitte auditors, rather than letting anyone in the 1,600-person finance division contact them. Previously, the auditors couldn't keep track of all the requests for help across the company.

To avert future mix-ups like the one in Singapore, Dow created a plan earlier this year to more clearly divvy up the work between the company and its auditors for the next round of Sarbanes-Oxley reporting.

Just as important as smoothing things over with Deloitte, Dow found ways to streamline its internal testing. For example, Dow learned to focus on the most important controls rather than try to test everything with the same level of detail. So it now conducts thorough inventory counts for its top-selling chemicals and plastics products, and uses sample counts for other products.

Dow also developed a Web-based tool to examine accounting entries at offices world-wide, so internal compliance officials could access the information online rather than manually.

In addition, the company has decided to distribute its compliance workload more evenly so that the burden doesn't rest on just a few shoulders: Dow trained about 300 executives in compliance last year, and will make its Web-based Sarbanes-Oxley training available to 15,000 employees this year.

The company has also begun discussing internal controls very candidly in the public arena. For instance, Mr. Brod participated in a financial-reporting conference last November for Financial Executives International, a professional group for financial chiefs, and in a Securities and Exchange Commission roundtable on internal-control reporting in April. Last month, another Dow executive spoke at a Sarbanes-Oxley conference in Baltimore, organized by the Institute for Financial Excellence, another group for financial executives.

These moves have helped the company develop a reputation for transparency and activism in compliance. By speaking publicly, Mr. Brod and other Dow executives say, they also have solidified their relationships with key regulators at the SEC and the accounting-oversight board, and positioned the company as a role model of sorts for blue-chip peers.

Many companies are learning similar lessons, and developing Sarbanes-Oxley strategies of their own. Some companies are empowering their general counsels to take the workload off risk, compliance and ethics officers, says Scott S. Cohen, editor and publisher of Compliance Week, a Boston-based newsletter that tracks internal-control issues.

Other firms are trying to make Sarbanes-Oxley work attractive to employees by making compliance-related positions into coveted leadership slots. This involves everything from giving dedicated Sarbanes-Oxley staff members more consideration for senior roles to small, lighthearted gestures that aim to make documenting work seem less cumbersome and tedious.

Arrow Electronics Inc. in Melville, N.Y., has named about 15 finance staffers "Sarbanes-Oxley champions," signaling they are dedicated almost exclusively to examining internal controls. Earlier this year, the company held a "Did Well, Do Better" meeting in Paris for the champions and senior management to review how the strategy worked in 2004. PSS World Medical Inc. in Jacksonville, Fla., handed out light-green golf shirts with "Sarbanes Oxley" etched on the front to 50 or so employees this year.

Still, many companies are still struggling to find their footing with Sarbanes-Oxley. Many small businesses in particular say their employees are overwhelmed trying to juggle compliance work with day-to-day jobs. Some small public companies are going private, citing the burden of Sarbanes-Oxley control reporting.

Vermont Teddy Bear Co.'s board voted unanimously to go private earlier this year, largely because of Sarbanes-Oxley. "As a private company, Vermont Teddy Bear will no longer face the challenges of a small company trying to comply with increasingly complex and costly public company requirements," said Elisabeth B. Robert, the company's chief executive, in a May statement, referring to the Rule 404 work mandated by Sarbanes-Oxley.

Other small firms are staying public, but are learning that they need outside help to document their internal controls. And that assistance can come at a steep price. Rock of Ages Corp., a Graniteville, Vt., maker of granite tombstones, has $41 million in market capitalization and a seven-person finance team. Early last year, the team began reading up on Sarbanes-Oxley rules and guidance and went through the company's financial statements to identify big line items that would need the most control testing. These included pension-plan figures, bank debts and customer deposits.

"Maybe it was our Yankee heritage, but we thought we could do it all ourselves," without an independent adviser, says Douglas Goldsmith, chief financial officer at Rock of Ages.

Mr. Goldsmith recalls the meeting to present this so-called risk analysis to their auditors at KPMG LLP. He says the auditors looked across the table at him with stone-faced expressions and said they couldn't help document and test certain items -- because of how they interpreted the same federal rules that barred Deloitte from helping Dow. "The blank stares from our auditors certainly didn't help," Mr. Goldsmith says.

When KPMG voiced concern over the company's ability to properly document controls given its small staff, Rock of Ages hired a consultant: Project Control Co. in Nashua, N.H. Project Control soon created a calendar and began helping the company review its 200 controls. Rock of Ages paid the consultant about $200,000 for the work -- in addition to $400,000 it paid KPMG for audit work that included some initial control review last year.

A KPMG spokesman declined to comment on Rock of Ages, saying the firm doesn't discuss client matters.

Rock of Ages -- and other small firms -- got a temporary break last month. The SEC announced that U.S. public companies with less than $75 million in market capitalization didn't have to deliver internal-control reports until mid-2007, a move intended to help small companies that were struggling to make the deadline. (Most large public companies had to begin complying late last year.)

The delay meant Rock of Ages' finance staff could slow its control work and return to other issues, like improving the company's sales force and 85 stores. Mr. Goldsmith transitioned to running the quarry business, a move Rock of Ages had postponed partly because of the compliance work. The company also continued integrating some stores it had acquired from competitors a few years ago. Rock of Ages also recently replaced KPMG with Grant Thornton LLP, in part in the hopes that a smaller auditor could offer more customized attention.

"We're always hoping and praying for more delays" from the SEC, says Mr. Goldsmith. "But we're absolutely moving forward as if we must meet whatever the latest deadline is."

For some troubled companies, Sarbanes-Oxley has become yet another steep obstacle to overcome as they clean house. Last year, Computer Associates International Inc., of Islandia, N.Y., restated some $2.2 billion in revenue for 2001 and 2002, and several executives resigned and pleaded guilty to fraud. As part of a deferred-prosecution agreement reached with federal prosecutors, Computer Associates was required to work with an independent examiner, hire a compliance officer and improve its record-management program, among other things.

In January, Patrick Gnazzo joined the company as chief compliance officer from United Technologies Corp., where he had worked in a similar role for 10 years. Mr. Gnazzo's first step was to interview staff across the company and read up on Computer Associates' products and internal systems. Given its recent experience, the company focused hardest on internal controls to prevent fraud, carefully examining which senior managers had access to which databases and financial accounts and adding extra layers of computer security to the most sensitive items.

The company developed so-called fraud schemes that mapped out scenarios for potential wrongdoing, and put in extra protection to guard against signature forgeries and doctored or missing financial documents. Computer Associates sometimes went through several iterations of each control before signing off. The company also improved its independent whistle-blower hot line, ensuring that top executives received emails or calls about sensitive allegations within 24 hours.

In May the company announced that it would be restating financial statements for 2000 to 2004 to adjust for incorrect accounting for certain software licenses.

Separately, Computer Associates identified a material weakness in the company's internal controls, which its auditor KPMG confirmed. Computer Associates also found that its European region was overlooking conflicts of interest and "overriding Human Resources' procedures and attempts to frustrate and discourage the reporting and investigation of improper conduct," according to the company's latest annual report.

The company is putting in measures to remedy its recent weaknesses. It is appointing several new executives in its foreign offices, and will require its financial-reporting department to review credits related to software contracts on a quarterly basis. It will also have internal auditors and management check the accounting department's entries, and maintain more detailed schedules of the contracts.

Mr. Gnazzo says he has learned that his company can't go from scandal-ridden to completely clean in just a year. He continues to set a high bar for Computer Associates' compliance, and insists that a "world-class" system of controls is within the company's reach.

In fact, Mr. Gnazzo sees it as something of a personal challenge to create a compliance program essentially from scratch. After working with an established compliance program at United Technologies for so long, "the opportunity to do it all over again keeps a 59-year-old young," says Mr. Gnazzo.

--Ms. Gullapalli is a staff reporter in The Wall Street Journal's New York bureau.