File this one under "B" for best-laid plans.
In March 2005, external auditors from PricewaterhouseCoopers began arriving at the Louisville headquarters of lighting fixture and controls maker Genlyte Group Inc. The engagement partners were there to review Genlyte's inaugural round of internal-controls attestation. These annual love fests, stipulated by Section 404 of the Sarbanes-Oxley Act, require external auditors to thoroughly test the adequacy of clients' key controls over financial reporting.
Genlyte CFO Bill Ferko recalls that his internal audit staff and PwC had already gone several rounds with 404. In a yearlong run-up to the meeting, Genlyte's internal audit staff had carefully documented critical business processes, identified deficiencies, and put controls in place. Given the prep work, Ferko felt reasonably confident the company's internal controls would pass muster.
But when the engagement partners from PwC began sifting through the paperwork, Ferko was taken aback. The auditors uncovered several deficiencies in the financial controls at Genlyte, including material weaknesses in three of the company's financial-statement accounts. The failing grade meant the $1.2 billion (in revenues) Genlyte had to disclose the problems to the Securities and Exchange Commission. In the aftermath, the company's share price fell 9 percent. Recalls Ferko: "The Sarbox standards of evidence were more rigorous than we'd expected."
Since that unpleasantness last year, Ferko's finance staff has worked hard to remediate the exposed deficiencies. This time, though, Genlyte management is taking no chances. Last fall, the company hired its former independent auditor, Ernst & Young, to conduct a preaudit ahead of the final audit by PwC. "We've got internal auditors, external auditors, and consulting auditors," notes Ferko. "There are auditors all over the place here now."
It's becoming a familiar scene. With corporate reputations — as well as their own — on the line, finance managers are increasingly relying on outside advisers to help with internal controls. Typically, the third-party consultants come from the Big Four accountancies, second-tier firms like BDO Seidman and Grant Thornton, or business-process specialists such as Protiviti Inc. or Paisley Consulting. And there appears to be no shortage of work, either. In a survey of public-company executives conducted by CFO magazine earlier this year (see "A Band of Outsiders" at the end of this article), nearly 60 percent of managers said they had hired third-party consultants to help with Section 404 certification.
This consulting jag is being spurred, in part, by the sheer amount of work involved in documenting and testing scores of internal corporate controls. Mostly, though, finance chiefs say they're bringing in outside auditors because they can't get answers from their external auditors, who appear spooked by Sarbox's tough auditor-independence provision. At industrial products maker SPX Corp., management hired PwC because independent auditor Deloitte & Touche "will not give us any advice at all," claims Dan Ladenberger, former CFO and current division head at the Charlotte, North Carolina–based manufacturer.
So, SPX managers consult with PwC, which has helped the company document workflows related to 404 compliance. The manufacturer's other two dozen or so business units also retained additional third-party auditing consultants for advice on processes and documentation. Ladenberger, echoing a growing legion of frustrated corporate managers, says the third-party advisers fill a void created by the "nearly draconian" stance adopted by the company's external auditors. "We need to express ourselves frankly," he complains. "And we need to be able to ask [important] questions without risking scrutiny and skepticism."
These days, asking external auditors any compliance question can be a big mistake. At best, queries generate vague responses; at worst, they're taken as signs of incompetence.
One CFO at a U.S. wholesaler reports that any accounting inquiry directed to the company's engagement partners is handled delicately. Before broaching a topic with the external auditor, the finance chief says his staff researches the topic, then carefully talks to the line partners. "We say things like, 'We're starting to think about this issue and are working through it and haven't quite completed it yet, but this is our direction,'" he notes. "The firm then says, 'That's interesting, but you may want to consider this particular FASB staff bulletin when you complete your analysis.'"
The pretense is not lost on this veteran finance executive. "It's theatre, a bit of Kabuki," he acknowledges. "You don't want to create the impression that you don't know what you're doing. Do that and you'll get a material weakness."
A material weakness can exact a dear price on capitalization and careers. As CFO reported last fall (see "The 411 on 404," September), publicly held businesses that reported material weaknesses saw, on average, a 4 percent drop in their share price. Moreover, an earlier survey found that 60 percent of finance chiefs at companies reporting material weaknesses were replaced within six months.
Partners at large accounting firms have no doubt seen the numbers. The Big Four and second-tier accountancies have been quick to cash in on rising corporate fears over 404 compliance. By law, independent auditors cannot offer internal-controls consulting to audit clients. To steer clear of the prohibition, some audit firms have set up captive subsidiaries. Chicago-based BDO Seidman, for instance, started Bridgemark, a service that advises clients on initial 404 implementation and follow-up maintenance.
Bridgemark's M.O. is typical of most third-party audit consultants. Jay Howell, associate director of assurance at BDO Seidman in San Francisco, says the subsidiary generally contracts with companies that are short on internal audit staff or compliance know-how. In the first year of an engagement, the firm's consultants usually work on assessing the design of controls and then testing their operating effectiveness — what Howell terms "large-bandwidth, body-shop things."
That was the case at Fireman's Fund Insurance Co. (2004 revenues: $5 billion), which brought in outside 404 help in 2004. Jill Paterson, who was Fireman's controller at the time, says she didn't feel she had enough expertise to manage the company's Sarbox project by herself. Paterson says the outside firm (which she declined to name) waded through a raft of internal controls, pointing out trouble spots. One of the biggest: the third-party adviser found that the insurer had three different processes for the same claims function. Recalls Paterson: "They pointed out areas where it was painfully clear we had problems."
Second-year engagements, though, tend to be scaled-down affairs. Trent Gazzaway, managing partner of corporate governance for Grant Thornton, says the firm's consultants often revisit what they did the previous year. In most cases, they're looking for ways to streamline functions. Says Gazzaway: "Our role is to make Sarbox processes a part of a client's everyday life, as opposed to a one-off project."
At The PMI Group Inc., management at the mortgage insurance carrier used the same Big Four firm in its initial year of Section 404 compliance and the follow-up. Don Lofe, CFO at the Walnut Creek, California-based company, points out that the preliminary whack at 404 was mostly about preparing a narrative and testing plans. In the follow-up the next year, he says, "we did use some external support in certain areas where we felt we needed expertise, such as in IT."
That's not unusual: nearly 40 percent of the executives polled by CFO indicated they had hired third-party advisers for IT consulting services once routinely handled by external auditors.
Third-party advisers are only too happy to get the gigs. Landing an internal-controls consulting contract presents a sizable business opportunity for accounting firms, particularly midmarket players. "We're looking for a foot in the door to a longer-term relationship," acknowledges BDO Seidman's Howell. "If a client wanted to switch auditors — and it was comfortable with us — we'd be in a position to bid for those services."
The irony of this situation is obvious to observers of the accounting industry. Prior to the recent spate of corporate financial scandals, accounting firms regularly used their audit services to help cross-sell more-profitable consulting services; now, accounting firms are using their consulting services to land auditing contracts, which, post-Sarbox, have become more lucrative.
Engagement partners no doubt have mixed feelings about the appearance of third-party advisers. Although the SEC and the Public Company Accounting Oversight Board (PCAOB) have encouraged independent auditors to rely more on the documenting and testing performed by clients, such an approach cuts down on billable hours.
The PCAOB has also suggested that external auditors hold more 404 discussions with clients before the attestation phase. That sort of collaboration raises concerns about auditor independence — a huge worry for executives still reeling from the demise of Arthur Andersen. "I'm not sure individual partners at the Big Four are quite on board yet with the PCAOB's position," surmises one finance chief. "They're still interpreting earlier statements that they should not be providing consulting advice."
In fact, some corporate managers claim external auditors prefer it when internal-controls tests are conducted by somebody other than their clients. Joanne M. Berkowitz, PMI chief enterprise officer and overseer of the company's Sarbox efforts, says independent auditors "seem to be giving management testing more reliance if...the company performs it independent of the business units." Other executives have discovered the same thing. "Our auditors didn't want us testing our own controls," says David Black, controller at BWX Technologies Inc., a subsidiary of McDermott International Inc. "The auditors liked a third-party, independent source doing controls. They could rely on that."
Clients, too, are coming to rely on third-party sources — in some cases, for more than just controls work. According to the CFO poll, 28 percent of the respondents said they now use third-party consultants for advice on internal audit. One in 10 solicit outside opinions on accounting standards — advice formerly rendered by external auditors.
SPX's Ladenberger points out that the law says a public issuer must take a position on the facts in both balance sheet and income statement — and then have it audited. "If the external auditor came in and took a different view on a transaction, we would have an audit adjustment and there would be a deficiency under Sarbox for not getting it right," he says. "Having PwC in the room gives me more assurance to present the case to Deloitte & Touche."
Indeed, in some ways it appears that clients are seeking a relationship akin to the one they once had with their auditor of record: someone who is familiar with their business and has the ability to offer advice on new or emerging issues. Says BDO Seidman's Howell: "They come to us and say, 'Is this a real issue, or are we just being jerked around?' And we give them an answer."
Answers don't come cheap. As with all audit work, billable hours for outside accounting advisers can add up. Ladenberger says his business unit alone spent around $250,000 on third-party auditing fees last year.
Businesses with large cross-border operations can pay even more. A. Schulman Inc., a plastic-compound manufacturer based in Akron, spent nearly $6 million in third-party audit consulting fees in 2005. Management at the $1.4 billion (in revenues) company had little choice: Schulman is a far-flung operation, with 65 percent of its businesses located outside the United States. As CFO Robert A. Stefanko points out, those international units are subject to Section 404 requirements.
"Every country we're in has different languages and a need for someone who speaks the local language," he explains. "We just don't have enough people in-house to do the management testing, so we hired a Big Four firm to do it for us."
Of course, some finance chiefs balk at seven-figure consulting bills. David Adante, CFO of landscaping specialist The Davey Tree Expert Co., says the company has a board member who works at another business that "spent a fortune" on 404 consulting services. Having just completed its own sizable SAP software upgrade, management at the $432 million (in revenues) Davey Tree wasn't sure it needed "to bring in people to run down every control in each of our subsidiaries," explains Adante. Ultimately, the company decided not to hire outside help for Section 404.
Other finance executives believe it's too costly not to bring in a third-party audit adviser. "Yeah, we spent a lot of money," concedes Schulman's Stefanko. But he points out that the company's external auditor found no significant deficiencies or material weaknesses in the company's internal controls — no small thing. In fact, Schulman intends to hire the same Big Four firm next year, at half the price. "We still plan on bringing in an outside accountant for management and attestation," explains Stefanko. "We don't want to take any chances."
Back at Genlyte, Ferko knows the feeling. He says he plans on using third-party consultants for the foreseeable future.
Russ Banham is a contributing editor of CFO.
So, What Does 200 Grand Get You?
Most third-party audit advisory work is going to Big Four and national accounting firms, but smaller shops are also landing plenty of engagements. Protiviti Inc. and Paisley Consulting top the list, and a bevy of boutiques offer compliance-aimed services. Usually, these advisers specialize in technology or internal audit — sometimes both.
Paisley and Protiviti, for instance, are IT-oriented consulting firms with roots in the accounting industry. Fees for the hybrid services provided by the two firms vary, depending on things like client size, services rendered, and the length of an engagement. Generally, the all-in bill for an internal-controls engagement ranges from $200,000 to more than $1 million.
So what does that get a client? Protiviti's recent internal-controls engagement with Pioneer Cos. is typical. Pioneer, a $516 million (in revenues) manufacturer of chlor-alkali solutions, had an extensive amount of documenting to do. Grant Farris, Protiviti associate director, says the firm's engagement team started by looking at Pioneer's financial statements. From there, the team examined the general ledger accounts to isolate the processes and transactions significant to Pioneer's financial statement.
The advisers then ranked the financial reporting risks at Pioneer, developing maps for each process and subprocess. The team eventually developed risk and control matrices that identified the risks and the corresponding controls for each process. Protiviti also worked to ensure that all controls at the company were operating as designed, pointing out any safeguards that were insufficient or nonexistent. The consultancy also internally evaluated those controls and documented the testing, eventually handing the paperwork over to Pioneer's external auditors prior to attestation.
Altogether, Farris says Protiviti documented 185 processes at Pioneer and evaluated 260 controls for the company. The firm also conducted 675 tests to ensure that those controls were actually working. "While the entire project cost in excess of $5 million," says Gary Pittman, Pioneer's vice president and CFO, "the good news is we fully expect to be in compliance."
That's the problem for third-party internal-controls advisers. If they do their work well, they can find themselves with a lot less work to do. El Segundo, California-based International Rectifier, for example, hired Protiviti to validate the company's internal controls before its June 2005 initial attestation. The maker of power management technology passed the exam with little trouble. Now, says executive vice president and CFO Michael P. McGee, Protiviti is helping International Rectifier bring the whole validating process back in-house. Notes McGee: "Ultimately, we want the owners of a business process to do the testing themselves." — R.B.