While the costs of complying with Sarbanes-Oxley have been well-documented, new research from The Hackett Group casts them in a particularly dark light: for the first time in 13 years, the cost of finance (measured as a percent of revenue) has gone up, not down. Although finance departments have successfully reduced the cost of routine tasks for years, Sarbox has required spending that is anything but routine. Such expenses jumped 18 percent between 2003 and 2005, after having declined by an average of 33.6 percent since Hackett first began measuring them in 1992.
Whether this is a mere blip or a sign of what's to come may vary by company. For the most part, "We're probably seeing the peak in terms of compliance costs," says Mark Krueger, managing director of Hackett's finance practice. As companies rushed to comply, expenses ballooned: audits, consulting fees, escalating salaries — the past two years have had it all.
The experience of Ramtron International Corp., a fabless semiconductor company based in Colorado Springs, Colo., is typical. The company became an accelerated filer in July 2004 when it passed $75 million in market capitalization. "We hadn't done much work at all to prepare for Sarbanes-Oxley," says CFO Eric Balzer. Ramtron ultimately spent $100,000 on its audit and an additional $180,000 on Sarbox testing, as well as $300,000 on in-house and contract resources to prepare for Sarbox compliance. And Balzer bolstered his staff with interns. "We were scrambling like crazy," he says. A new Accenture study finds that about half of the CFOs it surveyed at large ($1 billion-plus) companies have hired additional staff to meet Sarbox requirements, and 42 percent plan to hire even more.
Balzer expects his total Sarbox costs to drop by 50 percent next year, in part because he has just retooled all of Ramtron's processes, carefully charted its controls, and installed new accounting software. But not everyone will fare as well.
"There are companies that spent an awful lot of money in 2004 and early 2005 getting ready for Sarbox Section 404," says Tom Hartman, a partner at Foley & Lardner LLP who directed the law firm's study of Sarbox costs. "A second group kind of bulled its way through 404. If those companies bull their way through again this year, their costs may stay the same." But if they invest in updating their systems, their costs will likely go up, says Hartman.
At Kensey Nash Corp., a medical-device maker based in Exton, Pa., the final tab for the company's 2005 audit came to more than twice what auditors Deloitte & Touche had initially estimated, says CFO Wendy F. DiCicco. And for next year, the company has been informed the tab will drop only 12 percent, even though the company received a clean opinion. DiCicco says she's also looking to hire another finance staffer to help handle Sarbox duties. If finance spending is to resume its downward trend, CFOs may have to bring renewed managerial savvy to bear. — Kate O'Sullivan
[Chart: How affected will you be by Sarbox over the next 1-3 years? Response categories include "Not very much" and "Not at all."]
Source: Accenture survey of 150 finance managers at large ($1 billion+) U.S. companies.
Too Many Indians, Not Enough Chief
Call it the curse of competence. CFOs have proven so adept at juggling an astonishing array of duties — from treasury to purchasing and planning — that their bosses have happily piled on more. According to Washington, D.C.-based CFO Executive Board, a typical CFO now has seven direct reports, and some have a dozen or more.
This comes at a cost. Every hour spent discussing wireless networks with a CIO or tuition-reimbursement policies with an HR executive is an hour not spent on more strategic matters. "If you are making decisions on IT, procurement, or HR, you have to ask what the bottom-line impact is compared with a decision of operational or financial importance," says Kurt Reisenberg, executive director of the CFO Executive Board. The organization's research shows that CFOs with fewer direct reports stay in their jobs longer and help achieve higher shareholder returns.
A recent CFO magazine survey found that 43 percent of finance executives with responsibility for IT see it as a distraction from their core financial duties. And some of those without these reports would like to keep it that way. "I don't have legal, IT, or purchasing reporting to me, and I think that's the right answer," says Eric C. Olsen, CFO of Lafarge North America. "There are too many crucial issues specific to finance that I need to spend my time on."
Many CFOs are looking for ways to lighten their loads. In some cases this means dropping direct reports, but more often it's a matter of hiring someone to help. Adrian Dillon, CFO of Palo Alto, Calif.-based Agilent Technologies, recently hired a senior vice president of finance to oversee treasury, tax, contracts, and the controller function. Prior to that he had 15 direct reports.
"Taking on more reports can be seductive," says Reisenberg. "But if you want to get ahead, shouldering additional administrative duties is the wrong step." — Don Durfee
Thanks to the efforts of a dental-supplies salesman, you may now be able to deduct the cost of an MBA degree. Daniel Allemeier won his case against the IRS in August, arguing that the $15,000-plus he spent on his degree should be tax-deductible because it was a legitimate business expense that expanded his skills. Previously, courts viewed an MBA as either a minimum requirement for a job and thus not tax-deductible, or as a credential that qualifies the holder for a new career or business, in which case ditto on the ixnay.
But Allemeier had been with his employer before earning the degree and stayed with that company afterward, although he did move up the ladder. The ruling caught many experts by surprise, and some say it may pave the way for the tax-deductibility of other degrees, such as those at the undergraduate level. Bill Smith, director of the national tax office at CBIZ Inc., a business-services provider, says that "while the IRS will characterize this decision as a clarification of an existing law, it opens up new possibilities for taxpayers." But specific circumstances will count for a lot, so consult your tax adviser. — Scott Leibs
Steal This Data
New notification laws requiring companies to report data breaches to consumers are surging through state legislatures, adding a new compliance wrinkle for companies still struggling to satisfy the demands of Sarbox, the Health Insurance Portability and Accountability Act, and other regulations.
Some 20 states are implementing statutes similar to a pioneering California privacy law, SB 1386, that requires businesses and public agencies to inform individuals when their names — in combination with either their Social Security or driver's license number, or credit- or debit-card number with personal identification number — have been accessed by an unauthorized person.
And more than a dozen data-theft bills are circulating through Congress, some with more-stringent regulations. At least two, the Identity Theft Protection Act, introduced by Sen. Gordon Smith (R-Oreg.), and Rep. Cliff Stearns's (R-Fla.) Data Accountability and Trust Act, would require the entity to not only notify individuals affected by the breach but also report the breach to the Federal Trade Commission, which has the power to audit a company's security program.
"While lawmakers are responding to the perceived need to protect data," says Donna K. Lewis, counsel at law firm Kilpatrick Stockton LLP, legislation won't necessarily provide the answer. Laws at the federal level will provide consistency when compared to a hodgepodge of state laws, she says, but the real solution lies in a mix of strong technology and adequate internal controls.
Experts warn that the risk liability associated with a data breach will extend beyond potential class-action lawsuits and reporting expenses; brand reputation and consumer trust are also at stake.
Regardless of how the proposed laws play out, it's clear that companies have to do more than encrypt data. "The threat is so huge that mitigating every aspect of the risk is a tough challenge," says Hussain Hasan, managing director of RSM McGladrey Inc.'s technology risk management services group. He recommends that firms consistently remind employees about security policies and procedures, and that managers categorize data so appropriate levels of protection can be applied. — Craig Schneider
A Fringe Benefit on the Fringe
New federal rules governing employer-sponsored retirement plans are scheduled to take effect in January, and the response from large employers has been surprisingly tepid.
Companies will soon be allowed to offer employees the option of contributing to Roth 401(k) plans, which are similar to the popular Roth IRA in that they allow contributions of posttax earnings to a nontaxed retirement fund. But in a survey of more than 450 large companies this past summer, human-resources services firm Hewitt Associates LLC found that only 6 percent said they were "very likely" to offer the Roth option in their benefits packages in 2006, while 25 percent said they were "somewhat likely."
"Many companies are taking a wait-and-see approach," says Lori Lucas, director of participant research at Hewitt. "They will watch the early adopters and see whether people use and value the option."
Some advisers are warning their clients against this new choice with predictions of declining employee enrollment and administrative nightmares. According to James R. Norman Jr., principal of The Pension Group Inc., in Irvine, Calif., most workers will get no significant benefit from a Roth 401(k), and might, in fact, be hurt by it (if they are taxed at a lower rate in retirement than they would have been at the time of their contributions).
Worse, he says, is the possibility that option overload may reduce participation rates, as some employees feel confused by the differences between Roth and traditional 401(k) plans and decide to forgo both.
"We're telling our clients that there is a lot of headache involved and, for most employees, there is no economic gain or increase in contributions," says Norman. On the other hand, he adds, amending their current plans has a cost to employers.
Not all advisers are as unenthusiastic about adding the benefit. In a recent report, Chicago-based Aon Consulting told clients that allowing employees to "better customize" their retirement plans is worth the extra effort. "Even though the option has employee communications and choice challenges," Aon advised, "the advantages...seem to outweigh them." — Rob Garver
Mum Is Not the Word
With Corporate America on a stock-buyback binge — companies in the Standard & Poor's 500 index repurchased $81 billion in stock in the quarter ended June 30, a 92 percent jump from the same period in 2004 — experts are warning companies to be mindful of the nonpublic information they may be harboring. According to a recent report in the Delaware Journal of Corporate Law, corporations that buy back stock from shareholders without disclosing material nonpublic information violate federal securities laws.
Mark Loewenstein, co-author of the report (with William Wang) and a law professor at the University of Colorado, says that while no court case has directly addressed the issue of a public company buying back shares on the open market, several rulings regarding stock deals at closely held companies point to the need to disclose material inside information. In fact, he says, the same rules that apply to insiders making personal transactions apply to issuers that buy back shares from shareholders. In one case, for example, an employee's resignation gave the company the right to buy back his shares at book value at a time when the company was in talks to be acquired for substantially more than book value, a fact that should have been disclosed to the employee.
While a legal precedent may be lacking, the Securities and Exchange Commission has said that, as with potential violations of rules that pertain to trading "on the basis" of inside information, the existence of a written plan governing buybacks can alleviate concerns that material nonpublic information came into play. — Laura DeMars
Fine Time at the SEC
Records were made to be broken. But when the Securities and Exchange Commission levied an unheard-of $10 million fine against Xerox in April 2002, few could have imagined the amounts that other companies would soon be shelling out. Less than four years later, the record fine — now held by WorldCom — stands at $750 million. At least half a dozen other companies, including Royal Dutch/Shell Group, Qwest Communications International, AOL-Time Warner, and Computer Associates International, are also members of the $100 million–plus club.
SEC chairman Christopher Cox, who owes his position in part to the backlash against such fines, told The Wall Street Journal in September that he hopes the SEC can adopt a "framework" that will make penalties more predictable. But is the issue predictability, or size?
Last May, the Government Accountability Office found that the SEC "followed a consistent process" when setting penalties for mutual-fund trading abuses, even though the penalties ranged from $2 million to $140 million. "I don't think there is any unfairness in the commission's processes," says former SEC chairman Harvey Pitt, noting that many factors affect penalties. During his tenure, he explains, Xerox's record fine was levied because "we felt Xerox had been uncooperative." Still, he says, Cox should address any perception that "sanctions are somehow whimsical."
SEC enforcement director Linda Chatman Thomsen says penalties are defined by securities law, based on the number of violations and loss or gain to investors. Critics counter that most penalties are exacted by settlements, and don't conform to the maximums prescribed in the Securities Enforcement Remedies Act of 1990 and other laws. "Many times, the penalties imposed by the SEC are simply a byproduct of negotiation," says ex-SEC enforcement attorney Derek M. Meisner, now with the Boston office of Kirkpatrick & Lockhart Nicholson Graham LLP. The Sarbanes-Oxley Act, which directs penalty proceeds to investors rather than to the U.S. Treasury, may also increase the SEC's inclination to seek large fines, he says.
Developing penalty guidelines beyond those already in place for SEC staff would be difficult, admits Meisner. But Pitt notes that it is the five commissioners who "set the ultimate guidelines for prosecutorial discretion." Commissioners have often split recently over large fines, with the two Republican commissioners worrying that they penalize shareholders already harmed by fraud. Framework or not, Cox is now the tie-breaking vote in those debates. — Tim Reason
Real estate is not the only buyer's market in town: corporate M&A has also moved from a seller's to a buyer's market, according to the fourth annual MAC survey from Nixon Peabody LLP. The law firm examined more than 300 deals and assessed the role of material adverse changes (MAC; sometimes called materially adverse effect, or MAE, clauses). A MAC, broadly speaking, defines the circumstances under which a buyer can scotch a deal, while MAC exceptions set forth terms under which the buyer can't back out due to the given MAC. The firm notes a strong drop in exception clauses, a trend that is strongly indicative of a buyer's market and is a marked change from the same survey last year. There was one notable exception to the decline in exceptions: acts of "war, major hostilities, and terrorism" were mentioned in almost one in five agreements, representing a more than 100 percent increase from 2004. — S.L.
Crime, Punishment, and Relief
It may be safe for everyone at KPMG LLP to exhale.
When the accounting firm announced this past summer that it had reached an agreement with the Department of Justice to defer prosecution of fraud charges connected to its sale of illegal tax shelters, there was concern that the taint of scandal would spur a raft of client defections.
With eight former partners under indictment, a $456 million fine, and the deferral contingent on a set of onerous conditions, KPMG arguably had cause to worry, particularly since some of the rhetoric surrounding the agreement suggested that the firm would be made to serve as an example.
"The actions of the IRS and the DoJ in this case send a powerful message to the promoters, aides, and abettors of abusive tax shelters that they can no longer expect to be let off the hook," said Sen. Carl Levin, the Michigan Democrat who helped push the original investigation. "They are as culpable as the taxpayers who take advantage of the scams, and should be treated no better."
But there has been no rush to the exits since the approval of the settlement on August 29. According to Auditor+Trak, a service of Atlanta-based Strafford Publications Inc., only 19 public companies terminated their auditing relationship with KPMG in the two months following the settlement. (KPMG puts the figure at 18, noting that 2 of the companies were related.) Figures compiled by the Public Accounting Report show that KPMG lost 25 clients in the third quarter, a figure consistent with other members of the Big Four, although it gained fewer new clients than its primary competitors. Experts point out that, post-Enron, there has been increasing fluidity in hiring and firing auditors.
Some observers say there is a certain strength in the lack of numbers. With only four major accounting firms remaining, the loss of one would put many companies in a bind. Already there have been cases in which a client looking to switch auditors had only one other firm to consider because of its nonaudit relationships with some firms. KPMG says it "enjoys strong support from [its] clients...[and] remains thankful for their support now that the matter is behind [the company]." — R.G.
Cut Once, Measure Twice
It's relatively easy to cut certain costs, but far more difficult to keep them cut. So argues McKinsey & Co., which finds that a variety of factors often undo the gains. Simply put, companies make cuts when times are bad but fail to apply continued scrutiny as things improve. The result? "Slippage."
McKinsey looked at 16 common cost-cutting efforts in four categories — finance, IT, HR, and marketing — and determined the likelihood that initial success would erode over time. Here are some highlights:
Risk of Slippage: Unlikely
• Moving from weekly to biweekly payroll
• Automating/centralizing cash-incentives process
• Moving from detailed monthly to quarterly reporting

Risk of Slippage: Likely
• Capturing benefits of ERP launch
• Streamlining marketing-strategy planning process
• Outsourcing employee IT support
• Enforcing IT-purchasing standards

Risk of Slippage: Very Likely
• Eliminating nonstrategic IT initiatives
• Rationalizing temp/contract staff
• Moving to companywide reporting standard, and/or the elimination of customized or redundant reports
• Imposing new travel/expense standards