In 2002, in the wake of the Enron and WorldCom scandals, the U.S. government passed the Sarbanes-Oxley Act, designed to hold public companies to far stricter accounting standards and act as a safeguard against corporate fraud. Among other things, it required independent auditing of a company’s finances. On the flip side, “Sarbox” also became a billing bonanza for auditors and an expensive headache for CFOs and CEOs.
But things have changed: in July 2007, the U.S. Securities and Exchange Commission relaxed Sarbox requirements. The new guidelines allow auditors to focus on areas of high financial risk, not every aspect of a company’s finances. Below, we’ll show you how to navigate the new regulations, choose an auditor, and use Sarbox to reduce redundancies and cut costs. And our article “
- From $1.38 million to $11.2 million in external auditing fees, depending on company size. (See “Nitty Gritty,” below.) A first-time Sarbanes audit for a pre-IPO company runs double what it will cost in subsequent years.
- About three months to prepare and at least a month (and possibly much longer) for an external audit.
- External Auditor: You’ll need to hire a CPA firm to audit and certify your financial statements and controls. See Step 3 for how to pick the right auditor.
- Internal Auditor: Company finance employees should independently audit financials prior to an external audit so that honest mistakes (or fraud) can be uncovered and expenses curtailed.
- Top Management Attention: Your CEO, CFO, and CIO need to make auditing and compliance a priority if you want to drive down the expense of an outside audit.
- Software Upgrades: Check with your software vendors (Oracle, for instance) to see if you’ll need any upgrades as you shift focus to adding security controls in your existing computing infrastructure.
Create a Controls-Friendly Culture From the Top
GOAL: Lay the groundwork for a smooth audit process.
Ownership of Sarbox compliance should rest with managers who have access to financial controls and the clout to do something about them. “Although internal auditors make recommendations to management, they are not the ones who put policies and processes into place,” says Dominique Vincenti, chief advocacy officer for the Institute of Internal Auditors, a professional trade group.
It’s also cheaper and easier if managers build controls into their day-to-day activities. For example, instituting a regular policy of changing the passwords to financial systems generally costs less than tracing hundreds of possibly unauthorized accesses after a breach. “Top management should make it completely clear that attention to financial controls is a key element of each group’s operational mandate,” says J.R. Reagan, vice president and managing director of Global Risk Compliance at BearingPoint. Corporate mission statements, organizational mandates, and individual managers’ goals should all make financial controls an absolute requirement. Performance metrics for operational managers should include how well they implement any changes that internal auditors suggest. These steps also protect the reputation of your executives. “If it’s clear that a company truly values financial controls, the external auditors will be far less likely to call your corporate governance into question,” says Sanjay Narain, a principal with Ernst & Young.
The Legalese
The Sarbox Lexicon
Sarbox: The Sarbanes-Oxley Act of 2002, formally known as the Public Company Accounting Reform and Investor Protection Act. It created a policing oversight board and banned auditors from doing other kinds of business with clients, such as IT consulting. Sarbox mandated that CEOs and CFOs certify and sign quarterly and annual SEC filings, and it required detailed reporting of stock and off-balance-sheet transactions. The law also imposed stricter internal auditing controls and harsher criminal penalties for fraud.
AICPA: American Institute of Certified Public Accountants. The largest professional organization of CPAs in the United States.
PCAOB: The Public Company Accounting Oversight Board. Created by Sarbox, it registers auditors, defines compliance, and polices conduct.
Section 404: The Sarbox regulation that requires management and external auditors to report on the adequacy of a company’s internal controls over its financial reporting. Implementing this can double audit expenses for small to medium-sized firms.
Standard 2: The original guidance from the SEC about how external auditors should approach Section 404. This standard suggested a detailed checklist approach for auditing every financial account, regardless of its relative importance to the overall business.
Standard 5: The new SEC guidance, announced in July 2007, about how external auditors should approach Section 404. It narrows the focus of external audits to high-risk areas of a business and broadly applies to all public companies, although small-cap companies (firms with $75 million or less in market capitalization) generally face less Sarbox scrutiny.
Evaluate Your Business and Focus on Areas of High Risk
GOAL: Reduce the cost of setting up controls.
A risk evaluation of a company’s operation determines which accounts deserve serious auditing attention and which do not. After reviewing operations with the company’s internal auditor, management can implement the level of control appropriate for each area of the business.
For example, a VP of manufacturing might do a risk assessment and determine that accounts receivable for raw materials is high risk (because of the high dollar value), the online ordering system for office supplies is medium risk (because everyone has access to it), and in-plant inventory is low risk (because products are shipped within an hour of being manufactured).
In this case, the VP and the internal auditors would determine which controls are adequate and which need further work. Changes might be required to the company’s product data management software, for example, in order to ensure that payments for raw materials exactly match shipments.
Technically Speaking
Software to the Rescue?
Software plays a key role in every aspect of Sarbox compliance. Unfortunately, few (if any) companies have the kind of completely integrated computer system that makes it possible to automate the audit. A recent IDC survey of 685 companies revealed that 92 percent use offline data to calculate quarterly revenue reports, which requires a manual check by the finance staff.
A number of software vendors — such as Cokato, Minnesota-based Paisley — have emerged with solutions that patch Sarbox-compliant controls into existing software. But such programs can’t do much more than create a framework that helps users understand what controls need to be added, according to Tom Eid, vice president of software applications at the Gartner Group. “You can’t buy compliance off the shelf,” he says. “It’s not something that can be shrink-wrapped.”
Select the Right External Auditor
GOAL: Find the best fit for your company, and reduce the cost of external auditing.
If your company has executed the first two steps, the actual external audit should go smoothly — provided you hire an external auditor with the right attitude.
Two types of auditors are dangerous: the one that is motivated — implicitly or explicitly — by running up his or her fees, and the auditor with a “gotcha” personality that revels in finding an error your internal guys missed. Avoid these negative types by getting a recommendation from a peer or colleague you trust. “You want auditors who think of themselves as partners in ensuring accurate, compliant financial statements rather than policemen looking only for rules violations,” says Toby Lucich of insidesarbanesoxley.com, an online clearinghouse on Sarbox issues.
Remember that the auditor is taking a risk by agreeing to audit your firm. The mighty Arthur Andersen fell as a direct result of Enron, and CPA firms have not forgotten about the inherent risks associated with their work. Get your CPA on board and keep him or her working for you by involving operational managers in every step of the audit process. “External auditors look for confidence and competence in the companies that they audit,” says Thomas Connors, a partner at auditing firm Deloitte Touche Tohmatsu. “A top-down approach, with management committed to making sure the audit goes smoothly, is the best way to make sure that companies get the most value from the process.”
Checklist
External Auditor Quick-Pick Checklist
We asked Daniel Schroeder, officer of Technology Risk Services at auditing firm Amper, Politziner and Mattia, what to look for in an external auditor. Here are his five must-haves:
- Qualification. Are they registered with the PCAOB? Don’t laugh. The SEC recently charged 69 accounting firms with violations of this requirement, essentially invalidating their clients’ audits.
- Experience. Have they conducted comparable audits in your industry, with companies about your size, in the past? Choose a team right for you over a big-name CPA firm.
- Track Record. Were those audits cost effective for the client? Get on the phone and check references.
- Knowledge. Do they understand your business and industry?
- Pragmatism. Can they look at risks realistically and in context? Do they have the maturity to make judgment calls about when to dig deep and when to shrug and move on?
Eliminate Redundancies and Streamline the Audit Process
GOAL: Reduce the ongoing cost of compliance while creating a competitive advantage.
“It’s not at all uncommon for companies to discover that, in response to previous government mandates, they’ve put multiple controls in place that overlap or reproduce the same effect,” says BearingPoint’s Reagan. “Eliminating such controls not only costs less operationally but makes a company easier to audit, because the auditor doesn’t need to check extra controls.”
Management’s focus on risk areas also allows a company to reexamine its financial strategy to make it more efficient. For example, a retail manufacturer might determine that the bulk of the financial risk comes from its factory outlet, which provides a clearinghouse function that could be outsourced. It might make sense in this case to close the outlet, eliminating both the risk and the need to audit that risk.
The goal of Sarbox should be to create a company that runs better, not just a company that complies with regulations, says Deloitte’s Connors. “This is the first time that the government has ever mandated that companies take the entire idea of quality control seriously,” he says. “Ultimately, achieving Sarbanes compliance should be viewed as similar to achieving Six Sigma or TQM — an effort that is as useful and positive for the company as it is for the investors.”
Nitty Gritty
How Much Will It Cost?
The average fee paid to external auditors since the introduction of Sarbox:

| Index | 2001 | 2005 | Increase |
|---|---|---|---|
| S&P Small-Cap | $342,000 | $1,342,000 | 292% |
| S&P Mid-Cap | $650,000 | $2,240,000 | 245% |
| S&P 500 | $3,200,000 | $8,400,000 | 163% |

Source: “The Cost of Being Public in the Era of Sarbanes-Oxley,” Foley & Lardner LLP, a business law firm