What You Don't Know about Sarbanes-Oxley
Snares, pitfalls, and trapdoors: Sarbanes-Oxley
is full of surprises. These five top the list.
If all goes well,
FirstEnergy Corporation just might dodge a major financial
reporting bullet. All management needs to do is meet its planned
June 1 deadline for overhauling the company's computer system.
That's because the
Securities and Exchange Commission isn't likely to have gotten
around to defining "internal controls" under Section 404
of the Sarbanes-Oxley Act by then.
If the SEC comes
out with a definition before FirstEnergy's conversion, the electric
utility holding company would find itself under a crushing
reporting burden. To comply with the section, FirstEnergy — and
every other public corporation — must include an annual assessment
of its "internal control structure and procedures for financial
reporting" in its annual report.
The issue is: How
broadly do you define financial controls? For instance, when
FirstEnergy switches its ERP software from Oracle to SAP in the
next few months, the change will affect a bevy of functions,
including supply-chain management, human resources, work-order
management, and general ledger. David Richards, the company's
director of internal auditing, says some of those functions — like
general ledger — are clearly within the financial purview. Others,
like work-order management, might not be.
Right now, it's up
for grabs whether the SEC would require only information about
FirstEnergy's finance function in the company's internal controls
report. It's possible government regulators might want the company
to cast its net over operations as well in the report. Richards
says some auditors are expecting the commission to lay out broad
requirements for internal controls reports. "They're talking
about the whole enchilada," he says.
Lucky for First
Energy that it's likely to avoid the possibility of such a
definitional nightmare. Even luckier for the company: By coming in
on deadline, the company can sidestep documentation of its internal
controls under both Oracle and SAP. Such documenting would involve
a massive boost in record-keeping, the internal auditor thinks.
Many companies won't be so fortunate, however.
Now that the dust has settled on some of the more obvious tidbits
of Sarbanes-Oxley (the requirement that CFOs and chief executive
officers certify company financials, for example), a slew of
disclosure concerns is emerging to trouble the sleep of finance
chiefs.
Like the
internal-controls provision, parts of Sarbanes-Oxley — and the
SEC's implementation of rules related to the act — threaten to
spread far beyond finance and accounting, spilling over into
operations reporting as well. For instance, a pending commission
requirement would force companies to disclose a burgeoning menu of
material events in just two days.
The real-time rule
would put "pressure on the operational side of the
business," says Rick Fumo, a senior vice president with Parson
Consulting, a financial management advisory firm.
One for-instance:
If a company truck delivering toxic chemicals springs a leak,
operations employees might have to speed that news up the chain of
command to the comptroller so that an 8-K form could be filed. To
grease the wheels, companies will need to tool up their reporting
software and train line managers to communicate faster, Fumo says.
The act also has
surprises in unexpected areas, things like compensation, executive
relocation, and overseas operations. And contrary to popular
belief, private companies aren't entirely immune to the provisions
of Sarbox, as some finance managers have come to refer to the law.
Indeed, if you thought the provisions of
Sarbanes-Oxley only concerned corporate finance, independent
auditing, and equity research, you've missed the fine print. Sarbox
also covers such disparate corporate functions as information
technology, human resources, compensation, and environmental
compliance.
Why? Because these
areas — and a host of others — affect company financials.
In fact, after the
SEC gets finished implementing the provisions of the bill,
Sarbanes-Oxley might be a whole lot more far-ranging than its
proper title suggests. That moniker? "Public Company
Accounting Reform and Investor Protection Act."
Here, then are five
of the more nettlesome — and less publicized — edicts of the
Sarbanes-Oxley Act of 2002.
1. Material
changes must be reported at lightspeed.
Most CFOs are aware that they now must provide the SEC with an 8-K
form within five business days if their company issues an earnings
release.
They also know that
if they follow up an earnings release by dishing up important new
details in a conference call, they might need to issue another 8-K.
Such requirements
could make it "difficult to have open discussions," says
Brian Jarzynski, CFO of Comshare Inc. It could also make it harder
for finance chiefs "to get people listening" by holding
out some of the good stuff for the conference call.
Still, that
five-day 8-k isn't expected to produce all that many ripples.
What might spawn
bigger waves is the realization that companies will have to issue
8-Ks in real time when something big and unexpected happens. Under
Section 409 of Sarbox, companies must report material changes in
the financial or operating condition of the company "on a
rapid and current basis."
How rapid is rapid?
In a footnote to a rule on non-GAAP financial reporting issued in
January, the SEC said it plans to tackle that issue in the near
future. Last June, the commission made it clear that it meant those
8-Ks to be filed in two business days. That's a big change from the
five business days the commission now requires to report material
changes — and the 15 calendar days it asks for others.
What's more, the
topics deemed worthy of an 8-K filing would vastly expand.
Currently, companies must file when they undergo nine specific
events, including a change in control, a significant acquisition,
or a bankruptcy.
To that, the SEC is
proposing to add a whopping 11 triggering events. Among them:
ending (or merely reducing) a significant business relationship
with a customer; large write-offs and restructuring charges;
material impairments; and a change in a rating agency's decision.
Because the SEC's policy was proposed before the
passage of Sarbanes-Oxley and the ensuing brouhaha surrounding it,
however, finance chiefs are only just now waking up to the implications
of "a whole new disclosure regime," says Deborah
Meshulam, a partner with Piper Rudnick in Washington.
One result could
well be a dramatic change in the nature of the CFO job. Finance
chiefs will likely have to dig much deeper into how their companies
disclose their operations, says Meshulam, a former assistant chief
litigation counsel with the SEC's enforcement division.
"That's not a quarterly and annual involvement, with episodic
8-Ks," she adds, " but a steady stream — [or] a daily
onslaught."
Finance chief will
need reinforcements to cope with the flood of required filings. One
solution: Hire a full-time disclosure-controls supervisor or
manager with a direct report to the CFO or another top executive,
says Kevin Lesinski, a partner with Seyfarth Shaw in Boston. Can a
boom in Chief Disclosure Control Officers (CDCOs) be far behind?
2.
"Internal Controls" could mean much more than getting the
numbers right.
On the face of it, Sarbox seems to refer only to finance when it
talks about the need for management to report on and assess
internal company controls.
The SEC has made
statements suggesting it agrees with such limits. In a proposed
rule it published in October, the commission provided an
unremarkable definition of financial controls. Essentially, the
regulatory agency said such controls are there to ensure that
transactions are properly authorized, recorded, and reported, and
that assets are safeguarded against improper use.
Nevertheless, the
SEC remains vague about defining what "internal controls"
will mean under Sarbox 404. Remember, since the findings of the
private-sector initiative known as COSO (Committee of Sponsoring
Organizations) were issued in 1992, the term has included
operations and regulatory compliance, as well as finance.
A broad definition
could have CFOs brooding over regulatory matters that are a far cry
from what's normally considered finance. FirstEnergy, for instance,
is currently fighting Environmental Protection Agency charges that
one of its plants is in violation of the Clean Air Act. But if the
company is found to be out of compliance with the law, it faces
heavy fines. Says Richards: "That's an operating issue that
can sure have financial ramifications if we were wrong."
Further
complicating matters is another feature of Sarbox 404: Auditors
must attest to and report on management's assessment of internal
controls. "That will lever [compliance] up into something
that's going to cost a lot more time and expense," says Steve
Clark, a partner with Chapman and Cutler, a Chicago-based financial
services law firm.
One problem, for
sure, is that auditors will have to piece together new procedures
to assess client controls programs. That will make it tough for
quantitative-minded accountants to gauge performance evaluations
and other soft information provided in management reports, Clark
thinks.
3. Sarbox
doesn't stop at the shoreline.
Laws governing exports and imports and foreign-based bribes and money
laundering don't seem to have much to do with the domestically
focused act.
But the onus that
Sarbanes-Oxley puts on audit committees and independent auditors to
ferret out wrongdoing is spurring a closer look at global
operations, says Sturgis Sobin, a partner and director of the
International Trade Regulatory Practice for Miller & Chevalier
in Washington.
Sobin offers a
hypothetical: While performing an annual audit of a multinational,
auditors find suspicious payments on the books of the company's
Indonesian subsidiary that have all the earmarks of bribes.
"The liability becomes very real," the lawyer says,
"and the auditors, under pressure of Sarbanes-Oxley, have to
recommend to the corporate client that they undertake a rigorous analysis"
of the situation and disclose the results. The disclosure might
then lead to heavy fines under the Foreign Corrupt Practices Act
(FCPA).
That's a sea change
from the previous way multinationals handled discoveries of
baksheesh. Under FCPA and export/import rules, corporate executives
don't have a duty to disclose questionable practices, Sobin says.
Instead,
international business disclosure regulators tend to employ a
"carrot-and-stick" approach involving incentives for
compliance and penalties for transgressions.
That's spawned a
Clintonesque "ask-but-don't-tell" attitude among
corporate officers. "In the past, because there was no
requirement to make a disclosure, [executives said,] 'Let's just
make sure it doesn't happen again' " and leave it at
that, the lawyer says.
But leaving it at
that is often no longer an option for CFOs, who must now certify
the validity of their financials under Sarbox's Section 302.
That's because the
penalties following such things as an improperly reported import
can be a balance-sheet liability. Fines of 100 percent of the value
of the goods are not uncommon, Sobin says. If, for instance, a
company is illegally importing $50 million of disk drives from a
restricted country, that can amount to a decent chunk of change.
The good news is
that companies can mitigate — or even eliminate — the fines by
fessing up before the customs agents find out. "If you are
first in door to report, they will provide you with leniency,"
the lawyer adds.
4. Executive
mobility just got a whole lot tougher.
Remember the home loans that employers made to company managers,
either to relocate an executive or to lure new talent to a
different part of the country?
Forget about them
for the higher-ups. Under Section 402 of Sarbanes-Oxley,
corporations are barred from making personal loans to officers or
directors.
That creates a
problem for executives who have borrowed from the company to buy a
home and must sell it to relocate. Joe Rich, executive vice
president at Clark/Bardes Consulting, illustrates the problem:
"Let's say you bought a $4 million ranch home in Palo Alto,
and now it's worth $3 million," he posits. "The company
moves you to Boston. Now you're upside-down on that loan, and can't
get a new loan [from the company] in Boston."
Still, the money
can come from elsewhere. To help pay for housing, companies could
offer new officers heftier signing bonuses and existing ones
residence bonuses, according to Rich. Or they might buy executive
housing outright and let officers live in it rent-free. Under
Sarbanes-Oxley, however, the SEC might consider the free housing a
loan, Rich cautions.
The loan
prohibition could also create a whole class of embittered officers
and directors: the folks who borrowed money to invest in company
funds and stock before the equities market went kerflewy. Before
Sarbanes-Oxley, a company could adjust the terms of the loan to
keep an executive happy.
Post-Sarbox, such
adjustments violate the act's ban on arranging for or renewing
loans, Rich notes. Of course, the company could always forgive the
loan. Then again, given today's scandal-ridden environment, maybe
not.
5. Private
companies aren't immune to Sarbox.
The Sarbox loan ban also figures into problems that nonpublic
companies can encounter under the act. Officer loans are common
practice in private companies, particularly in single-owner
outfits, notes Parson Consulting's Rick Fumo.
The owners can continue to bestow largesse as
long as they please — provided they don't want to sell their
holdings to a public company or launch an initial public offering.
If private company owners do want to go public, they would have to
see that the loans are paid back before an initial public offering,
Fumo says. That could amount to a pretty penny for some
officer/borrowers.
The
internal-controls reporting required under Sarbanes-Oxley might
also inhibit private owners not used to doing a whole lot of
documentation from making a public offering.
Public company finance chiefs and their bosses,
for their part, are sure to be probing the governance practices of
private merger targets, says Fumo. "The due-diligence process
will take on another level of significance and detail because
there's a higher price to pay for a mistake," the consultant
says. That, in turn, could leave finance managers at the acquiring
company plenty embarrassed.
© 2007 SOXBox Solutions, Inc. All rights reserved.
|
