Living with an 800-Pound Law
from
May/June 2004
by Rob Norton
Back when the Sarbanes-Oxley Act was signed into law in 2002, most board members predicted, all too presciently, that it would seriously complicate their jobs. But another widespread prediction—that the new law would do little good and might cause lots of harm—appears to have been wrong. As we approach Sarbanes-Oxley’s second birthday, the majority of directors are concluding that the good outweighs the bad. According to a recent survey of 153 directors by Corporate Board Member, more than 60% think the effect of the law has been positive for their companies, and nearly 70% see it as positive for their boards.
“I’m a guy who was very skeptical at the outset,” says Bernard G. Rethore, chairman emeritus of Flowserve Corp. in Irving, Texas, and a board member of Belden Inc., Dover Corp., Maytag Corp., and Walter Industries. “But with a year of hindsight, I’ve got to say that Sarbox looks better than I thought.” J. Michael Cook, retired chairman and CEO emeritus of Deloitte & Touche and a director of Comcast, Dow Chemical, Fidelity, International Flavors & Fragrances, and Northrop Grumman, agrees. “Overall,” he says, “you have to say it has had a good effect. Sarbanes-Oxley got people focused on financial reporting and quality, and concerned with the consequences of not getting it right.”
What individual directors think about the new law can be seen on the following pages. Most say they’ve been able to implement the majority of Sarbanes-Oxley’s provisions on governance, financial reporting, and board independence with reasonable smoothness. But even those who largely approve of the law’s effects agree that it’s creating problems. Their biggest single concern is the provision governing internal auditing, known as Section 404 and scheduled to go into effect this year, which is proving far more burdensome and expensive than had been generally expected. Many are uneasy about the costs of Sarbanes-Oxley compliance, which continue to mount. Many are also concerned about the law’s unintended consequences. Particularly worrisome is its effect on small and midsize companies, which complain, with some justification, that they are overwhelmed by the complexity and costs of a law designed with big corporations in mind. A large number of board members would like to see some changes made in Sarbanes-Oxley, but few are confident that any will be forthcoming, at least in the near future.
Most companies have already complied with the bulk of Sarbanes-Oxley’s requirements, including new rules for board independence, executive certification of quarterly and annual reports, stricter standards for external-auditor independence, tighter time frames for filing 10-Q’s and 10-K’s, pre-approval by the audit committee of audit and various non-audit services, and greater disclosure of off-balance-sheet arrangements.
The majority of companies have come to terms with the requirement for a “financial expert” on the audit committee, initially one of the more draconian features of Sarbanes-Oxley. As the law was originally written, many experts interpreted it to mean that only a former CFO or auditor would qualify for the committee, which would have made filling the seats a real challenge. But then the Securities and Exchange Commission stepped in, redefining the required qualifications so that others with relevant experience can also serve as audit committee “experts.” Even so, some board members still think the definition is too restrictive.
A lot of the other Sarbanes-Oxley requirements that seemed vague have been clarified by the SEC’s rulemaking. One provision still unresolved is Section 307, which deals with the responsibilities of in-house and outside lawyers. Attorneys have complained that the legislation, which requires in-house lawyers to report potential problems up the chain of command, would destroy the client-attorney relationship. The interpretation of the rule, and the fate of an amendment proposed by the SEC, remain uncertain. The SEC has delayed publication of a final rule.
Directors also say there is still uncertainty about the so-called whistleblower provisions: Should complaints ultimately go to the chief counsel, the chief internal auditor, or the audit committee chair? Another provision that continues to cause uncertainty is Sarbanes-Oxley’s blanket ban on loans to top executives. Because the SEC has failed to provide clarification, many companies are abstaining from routine transactions such as loans from 401(k) programs, relocation loans, and broker-assisted exercises of stock options, even though it seems unlikely that those are the kinds of transactions the law intended to prohibit.
Complying with Sarbanes-Oxley has certainly added to board members’ workload, especially if they’re on audit committees. But the law has also strengthened their hand. “There were a number of boards where it was not the habit for the directors to meet in executive session without the CEO present,” says Joseph L. Bower, a professor of business administration at Harvard Business School and a board member at Anika Therapeutics, Brown Shoe Co., Loews Corp., and Sonesta International. “My impression—an anecdotal one—is that people are pleasantly surprised by the contribution these sessions make. It gives the board members an opportunity to surface things that are on their minds and find a way of expressing them that can be very helpful to the CEO.” Says Robert Mittelstaedt Jr., vice dean of the Wharton School and a director at Innovative Solutions & Support Inc. and Laboratory Corp. of America: “It has tremendously empowered boards, much to the chagrin of the CEO in some cases, and absolutely changed the tone in the boardroom. You now regularly hear board members saying, ‘Look, guys, we have a legal responsibility here that we can’t shirk.’ People are not afraid to be inquisitive, and confrontational if necessary.”
The provision in Sarbanes-Oxley that’s causing the most trouble is Section 404, which requires CEOs and CFOs to assess the adequacy of their companies’ internal controls. This simply stated goal turns out to require a vast amount of work, so much so that some managers have likened it to earlier efforts to get ready for Y2K. To comply, companies have to inventory internal controls and assess their adequacy, document the whole exercise and any steps taken to remedy deficiencies, and then wrap up the entire process in a formal report. In many cases, this is leading them to do massive overhauls of their information-technology systems, often at huge expense (see the following story).
“As managements and boards have gotten their arms around this in the past several months, they are understanding how broadly internal controls reach and how far they need to go,” says Richard M. Steinberg, principal of Steinberg Governance Advisors in Westport, Connecticut, and formerly corporate governance leader at PricewaterhouseCoopers. While managers may have thought that only their companies’ detailed control procedures were at issue, he says, they are finding that they must also look at the broader control environment. This involves monitoring management, internal audit, and information systems and includes the procedures managers use to make the estimates and judgments that go into financial statements. “That’s all part of the internal-control system,” says Steinberg.
Companies have been significantly expanding their conception of what 404 compliance entails in recent months. During most of 2003, according to AMR Research, a Boston analysis firm, more than half of some 70 companies surveyed thought that complying with 404 would involve only financial processes. But by the year’s end, AMR reports, nearly 80% had concluded that they’d need to include finance, operations, and IT processes as well.
Many managers and directors consider Section 404 regulatory overkill and feel that the SEC made things even more burdensome when it wrote the enabling regulations. Perhaps realizing this, the commission extended its original deadlines for compliance with Section 404. Companies with market capitalization of more than $75 million now have until November 15, 2004. Smaller companies and foreign outfits have until July 15, 2005.
Some board members say they’ve had unofficial discussions with lawmakers about revisiting Sarbanes-Oxley to relax Section 404, and some lobbying groups, notably the Business Roundtable, have been pushing for adjustments. But few directors think it’s likely that any change will come soon. Says Wharton’s Robert Mittelstaedt: “Truth is, there’s been too much damage to people from Enron and other situations for the average person in the street to understand why you should back off.” Richard Steinberg agrees, and notes that the SEC favored more stringent requirements concerning internal controls for decades.
Even the seemingly onerous provisions of Section 404 may not seem so bad once companies have survived the initial shock. Says consultant Barbara T. Alexander, a board member at Burlington Resources, Centex, and Harrah’s Entertainment: “It’s a clear headache, but it’s not radically dissimilar to many requirements that were put in banking a decade ago. And bankers tell me that while those were painful in the first year, they were not so later. It’s largely a one-time cost, and the best companies I know are using this as an opportunity not just to document current controls but also to ask whether they can use them to augment what they have.”
A number of board members still aren’t sure just how much attention the audit committee needs to expend on compliance with Section 404. “It’s a new issue this year,” says retired Deloitte & Touche chairman Michael Cook. “I would be interested to know the opinion of the regulators with respect to audit committee involvement in 404 compliance.”
The costs of complying with Section 404 may be the biggest factor driving the surge in what companies are spending to carry out the provisions of Sarbanes-Oxley. According to AMR Research, the total tab in 2004 will be about $5.5 billion. Where’s the money coming from? A recent survey of 75 publicly traded companies by Gartner Inc., a Stamford, Connecticut, research firm, gives an indication. The respondents said they were offsetting increased compliance costs by making cuts in areas like external consulting (cited by 53%), enterprise resource planning (36%), and merger-and-acquisition activity (32%). Gartner reported that as of last September a majority of the companies said they did not have an official budget for Sarbanes-Oxley compliance and seemed to be spending in an ad hoc fashion.
Compliance has had broad impact and mixed benefits. “I think the law has served a useful purpose,” says Thomas D. Clark Jr., a professor at Louisiana State University’s E.J. Ourso College of Business Administration and a board member at Dynegy. “But if this goes too far, you begin to make U.S. businesses less globally competitive because of the increased costs of reporting and structure.”
Small-cap and midcap companies have been hit hard by Sarbanes-Oxley. Those surveyed by Foley & Lardner, a national law firm headquartered in Milwaukee, estimated that the costs of being a public company will rise more than 90% because of the new law and other governance reforms. Responding to detailed questionnaires, senior managers at 32 companies with revenues of less than $1 billion said they’re expecting compliance to cost their companies dearly. They look for increases of 105% in accounting expenditures, 98% in board compensation, 94% in directors’ and officers’ insurance, and 90% in legal services.
The burden Sarbanes-Oxley puts on smaller companies has had a number of unintended consequences. Among them: a sharp uptick in the number of public companies announcing privatization plans. In the 16 months following the law’s enactment, the number of companies going private rose 30% over that in the previous 16 months, from 92 to 120, according to the Chicago-based accounting firm Grant Thornton International. Many market observers also think Sarbanes-Oxley will chill initial public offerings and could lead to a slowdown of mergers and acquisitions. “A lot more due diligence is going to be needed,” says Barbara Alexander. “Given the Section 404 requirement, for instance, a company looking to make an acquisition this year will not only need to make sure the acquisition has good internal controls—which you would do in the normal course of due diligence—but will also need to make sure it can document them and test them so that it satisfies its own auditors.”
A more significant unintended consequence of Sarbanes-Oxley, many board members feel, is that it may institutionalize a checklist mentality. “Now that we’ve got most of the regulations in place, what you’ve got is a real rules-based system, a lot of specific requirements being applied in an area that doesn’t necessarily lend itself to objective standards,” says Morgan Burns, an attorney at Faegre & Benson in Minneapolis. “Sometimes you’re better off just stepping back and asking, ‘Does this smell right? Are we doing the right thing here?’ than relying on standards and tests.” Says former Flowserve chairman Bernard Rethore: “The danger is that too much of a focus on checklists can obfuscate the more important things. You want a board that can step away and look at the enterprise as a whole, and ask the important questions: ‘Do we have a strategy that makes sense, and are we executing it well?’ and ‘Is the CEO doing his job?’ That’s where board members really add value.”
The single most interesting question about Sarbanes-Oxley’s effects is whether the law produces what was its primary intended consequence: the elimination of the kinds of massive companywide abuses that rocked U.S. business in 2001 and 2002—the Enrons, Global Crossings, Tyco Internationals, and WorldComs. For many board members and others, the jury remains out. Says Paul Lapides, who heads the corporate governance center at Kennesaw State University and sits on the board of Sun Communities: “I think Sarbanes-Oxley has been good for shareholders, good for companies, and good for governance, and that the costs, in the larger scheme of things, are insignificant. But if it doesn’t stop bad people from doing bad things, then its primary purpose won’t have worked.”
That verdict won’t be rendered for several years at least, and by then U.S. companies will have had to learn to live with Sarbanes-Oxley, warts and all. In the meantime, the path toward better governance could be smoothed significantly if SEC rulemakers supplied even more clarity and if Congress could ease some of the requirements smaller companies face.
