Bill Teuber prickles a bit at the notion that the landmark Sarbanes-Oxley legislation has forced major reforms within EMC Corp. "I think about internal controls all the time; I didn't need the law to get me to think about them," says the CFO of the $5.4 billion information-storage giant. For the past decade, Hopkinton, Massachusetts-based EMC has carefully tracked its financial results with monthly closes and updated forecasts, says Teuber. In the same spirit, his regional controllers have been attesting to their compliance with EMC's procedures since mid-2001 — before Enron imploded. Teuber has also been thinking about financial transparency since being promoted to CFO in 1998, breaking down revenue streams by product classes rather than broad categories, and disclosing the quarterly earnings impact of stock options as early as July 2002.
Yet by the end of the year, EMC will have spent more than $1 million and thousands of man-hours complying with two of the main statutes in the Sarbanes-Oxley Act of 2002 — Section 404, related to internal controls; and Section 302, mandating CEO and CFO certifications of quarterly financial statements. Teuber won't even speculate on the price tag for full compliance, except to say "it's not insignificant." Moreover, he doesn't expect that burden to lift, thanks to ongoing testing and disclosure requirements. "Even maintenance mode will require a sizable effort," he says.
Like Teuber, CFOs across America say they are spending more time and money trying to shoehorn existing practices into legally acceptable formats. Forty-eight percent of companies will spend at least $500,000 on Sarbanes-Oxley compliance, according to finance executives who participated in a recent CFO magazine survey. Unlike Teuber, however — who sees the increased internal-controls documentation as "a chance to get best-of-breed solutions in our sales offices across 50-plus countries" — other CFOs (nearly 40 percent) see the increased burden as having "very little" or "no effect" on their current processes. Moreover, only 30 percent believe the benefits outweigh the costs.
In fact, many CFOs, such as Borland Software Corp.'s Ken Hahn, who expects to spend $3 million on compliance — including having some 25 percent of Borland's employees sign papers "saying they're not doing anything wrong" — see Sarbanes-Oxley as nothing more than "an efficiency tax." Stephen P. Bishop, CFO of Berkshire Hathawayowned NetJets Inc., speaks for many when he says the "documenting and papering" of internal controls for Section 404 compliance will result in little "value-add." And E. Follin Smith, CFO of $4.7 billion Constellation Energy Group, goes so far as to say the law could eventually make the "fear of personal liability so great that managers are afraid to take risks on innovation."
Indeed, many finance executives believe that in seeking to curb the freewheeling ways of the likes of Enron, Tyco International, and WorldCom, Congress has committed some excesses of its own. Part of the problem, of course, was the haste with which the law was written. "If Congress had given the [Securities and Exchange Commission] more time to promulgate the regulations and the SEC had given companies more time to comply, costs would have been lower," says Goodwin Procter LLP partner Steve Poss. Instead, by rapidly legislating a whole set of processes, the law has become a windfall for auditors and lawyers and a time drain on overburdened finance departments. Moreover, the liability implications have "put people so on edge that they're looking over their shoulders all the time to see whether they're perceived as doing the right thing, not whether they are doing the right thing," says LCC International senior vice president and CFO Graham Perkins. "I don't think the legislators really understood all of the adverse consequences."
Perception Versus Reality
It's hard to know exactly what Congress expected, since it did not assess any costs when it passed the law. That's not unusual, since "there's no formal process for Congress to calculate benefits or costs of legislation," says Thomas McCool, head of financial markets and community investment at the General Accounting Office. "Sometimes they try to get indications from various parties, but when it's something prospective like this, [costs] would be very hard to tell."
The SEC, though, is required to estimate the burdens associated with its information requests under the Paperwork Reduction Act of 1995, and so has offered some guesses at future costs in piecemeal fashion. Such guesstimates have been chronically low. For one thing, they are typically limited to disclosure activities, and don't attempt to quantify costs like software purchases, audit-fee increases, or management and staffing requirements. The agency also tends to lowball the number and costs of hours of external help involved. "Most professionals look at these estimates and laugh," says Poss.
Reg FD compliance, for example, was projected to add a maximum $49.5 million to total annual disclosure costs when the rule was passed in August 2000, but actually cost somewhere between $250 million and $450 million, according to a Securities Industry Association (SIA) study in May 2001. That divergence was in large part based on the SEC's assumption that hourly legal fees were $85 to $175, compared with the $450 to $550 the SIA reported.
The same mistakes plague Sarbanes-Oxley, says Poss. The agency's new assumption is that outside legal fees will run $300 per hour, a figure with which most CFO respondents concur. Poss argues that fees will run higher. "These are not quick consultations, and they're usually with senior partners," whose rates run from $400 to $700 per hour in most big cities, he says.
No doubt, the SEC's biggest miscalculation was its original estimate that Section 404 compliance would require an additional five hours' worth of work per annual and quarterly filing. The figures were too low "by at least a factor of 100" if not more, wrote Cary Klafter, director of corporate affairs for Intel's legal department, in a November letter to the SEC. "We can only hope that the Commission's burden estimates are not used for any substantive governmental purpose, since they are completely incorrect."
While the SEC typically receives few comments on such estimates, this one raised the ire of so many companies that the agency was forced to recalculate — ending up instead with an average 383-hour workload per company, for a total annual price tag of $91,000, not including additional auditors' fees. "We recognize the magnitude of the cost burdens and we are making several accommodations to address commenters' concerns and to ease compliance," the agency said in its final rules on Section 404, released June 5.
Those accommodations included changing the requirement to test internal controls from a quarterly to an annual activity (unless they are materially changed) and extending the compliance deadline from September 30, 2003, to fiscal years ending on or after June 15, 2004, for accelerated filers; all others will have a compliance deadline of April 15, 2005. The delay "was an effort to help reduce the burden in general, and help make sure it was done right," says SEC commissioner Cynthia A. Glassman. "We did not want a system where [companies] were going to have to redo things."
Just doing it the first time, however, will not be a picnic. While the year extension has prevented a lot of what SPSS CFO Edward Hamburg calls "unnecessary thrashing and spending," the rules make little accommodation for companies of different sizes and growth stages. And even the revised cost estimates are considered "low" or "very low" by more than 80 percent of survey respondents. That irks those who believe the SEC should be held to the same standard as the firms it regulates. "In Corporate America, if you make a bad prediction of what cost of sales or revenues are going to be in a future period, you're likely to get grilled by the SEC about why you thought it was reasonable," says Poss. "It would be interesting to see the same standard applied to regulators."
The Usual Beneficiaries
The yearlong respite reduces the need for outside help, and hence the cost. However, it won't change the fact that two constituencies — auditors and lawyers — stand to reap great gains as firms plow ahead. And given the uncertainty over what will get a pass from the SEC, the final tab is a moving target.
EMC has hired Deloitte & Touche to help sift its balance sheet and income statement into 30 processes (like sales and stock-option granting) and 250 subprocesses (like order taking, shipping, and billing), document them, test them, and package them into a central database for future audit purposes. But EMC's external auditor, PricewaterhouseCoopers, is also "part and parcel of the process," according to Teuber, giving informal approval to the firm's compliance strategy and fielding audit-committee questions on how well EMC is doing on compliance compared with other firms. (Companies can't use their external auditors to help them prepare the controls, but can consult with them on compliance strategies.)
Teuber says it's helpful to have two of the Big Four audit firms on the project. "It's all virgin territory," he says, "so you wouldn't want to do this in a vacuum." But those firms will be the ones collecting the bulk of EMC's $1 million compliance payments for 2003, excluding the final attestation fee.
Many of the Section 404 projects, such as documentation, are one-time efforts. But Sarbanes-Oxley is also guaranteeing audit firms a future income stream by requiring them to attest to the soundness of management assessment of internal controls once a year starting with 10-Ks filed on or after June 15, 2004. The final annual tab for that exercise is uncertain. The Public Company Accounting Oversight Board has yet to issue standards regarding how many controls must be tested, in what manner, and according to what criteria, so audit firms appear to be taking their time estimating the fees for attesting to internal controls. But so far, according to a Financial Executives International survey, CFOs expect to see audit fees increase 35 percent on average, and up to 100 percent at some companies.
What exactly audit firms will do to justify such increases is also cause for consternation. At Digene Corp., a Gaithersburg, Maryland, biotech firm, for example, president and CFO Charles M. Fleischman has watched his audit bill with Ernst & Young and other compliance-related fees increase by 72 percent for 2003. He is currently negotiating fees for 2004, which could jump by another 70 percent. And while he insists he has a good relationship with his auditor, Fleischman just wants "to understand what the scope of the work is — and how that matches up against the bill." So, before he authorizes payment for 2004, he is working with his audit committee and E&Y to determine exactly "what they are doing and where they are going to draw the line between assuring quality in financial reporting and just adding costs."
Legal costs are also on the rise, although CFOs say they are not generally as onerous as audit fees. Magma Design Automation Inc. CFO Greg Walker expects to spend an incremental $200,000 to $300,000 for legal work in the next 12 to 18 months, including efforts to monitor compliance, set up a whistle-blower program, and train employees. That's on top of an additional $750,000 in audit and consulting fees. On average, legal fees nearly doubled, to $404,000, between 2002 and 2003, according to an April survey by law firm Foley & Lardner.
Ranking low on the list of costs is software. Forty percent of finance executives say compliance will not affect their IT budgets, while another 25 percent say it will involve minimal IT costs, according to a CFO IT survey. "Tools are often bundled with consulting fees; I don't think [software is] an integral part of the solution," says Kim Roll-Wallace, vice president of consulting for The Johnsson Group Inc. EMC, in fact, uses Excel. "We've found it works quite well in this regard," says chief accounting officer Mark Link, largely because "everyone already knows how to use it."
Multiple Price Tags
Then there are the indirect costs. The requirement to disclose off-balance-sheet structures more clearly has encouraged some companies to bring these structures on the balance sheet and others to collapse them entirely. Financial experts have become hot properties now that companies are required to disclose if they have one on their board. Restrictions on nonaudit work that a company's auditor can perform has left CFOs scrambling for new tax consultants. Meanwhile, the whistle-blower provision has sparked untold numbers of costly internal investigations.
Of course, there's also an opportunity cost associated with compliance activities. In fact, 33 percent of respondents say they've delayed or canceled projects as a result of Sarbanes-Oxley. Internal staff development is the most common casualty. Moreover, executives say the focus on compliance has also left them frazzled, with less time to mull strategic decisions, as compliance efforts absorb more than 10 percent of a CFO's time in roughly 4 out of 10 companies.
One example of the strain: LCC's Perkins says he has made more lengthy and complicated trips, partly to spearhead compliance efforts across operations at more than 10 locations in six countries. "Instead of being a business partner and doing all the positive things you'd like to do, you're doing the negative things, like triple-checking a filing," says Perkins. In fact, he says he might have thought twice about taking his job at the $100 million wireless-services firm last January if he had known how much compliance-related work it would involve. "I did not anticipate when I joined this company that I would become a surrogate for the SEC," he says.
And this is just the beginning. About 35 percent of survey respondents expect annual compliance efforts to absorb at least $500,000 of their revenues and more than 10 percent of their time going forward, thanks in large part to Section 404's mandate for ongoing controls testing and auditor attestation. That's not counting, of course, the price of changing auditors every five years, as Sarbanes-Oxley mandates.
No one should look for additional relief from the SEC. Glassman says she believes changes could be a possibility "if we start hearing that companies are spending a lot of money to comply but there are no apparent benefits, or if we hear there are more efficient ways to accomplish the same objectives." However, there are no formal efforts under way within the government to test cost assumptions, and she says such a study would be hard to design. "It's a very difficult equation. The costs are explicit. There's also some distraction from running the business. But the benefits are very intangible."
Indeed, survey respondents are about evenly split on whether going through the compliance process has yielded internal benefits, such as more-efficient processes or more respect for the finance department. "It's a constant struggle to try to get benefit out of 404 work," says consultant Roll-Wallace. "In any given company, about 50 percent is work that puts in best practices and the other 50 percent is a dog-and-pony show, putting everything into a neat package for the auditors."
There may be some external benefits, however, says Magma's Walker. The legislation has sped up his time frame for reporting improvements at the $75 million company, he says, but to good effect. "I probably do better deals with customers — the earlier you can detect issues, the better you can structure a contract," he says. And there may be spillover effects, says Borland's Hahn, who is hoping to leverage his new director of financial governance as a "process-improvement specialist."
As for the SEC's larger goal of improving investor confidence, though, there's little agreement on how that will be achieved. On one hand, "you're more confident that senior people are taking extra care to derive the best possible information," says Robert D. Spremulli, a TIAA-CREF senior analyst. But it's hard to see the direct effects of those sentiments, given the multivariate nature of the market. Indeed, major indices showed varying degrees of improvement on Sarbanes-Oxley's one-year anniversary, with the Nasdaq composite index closing up 30 percent from its year-earlier level, but the New York Stock Exchange, the S&P 500, and the Dow Jones Industrial Average up by only 8, 8, and 6 percent, respectively.
And many still question whether Sarbanes-Oxley is an effective inoculation against future financial frauds. "Just having a good control environment doesn't guarantee that people will act ethically," says Deloitte & Touche enterprisewide risk-service partner Stephen Curry. Enron's trading operations, he points out, were cited as a model for enterprisewide risk management in former Andersen partner James DeLoach's 2000 book on the topic. Those close to the company agree. "What allowed Enron to melt down was its culture, and I don't think Sarbanes-Oxley would have changed that," says Sterling Chemical Inc. controller John Beaver, whose Houston office is across the street from Enron's headquarters.
Even companies touched by scandal are skeptical of Sarbanes-Oxley's healing powers — at any price. Tyco, for example, is spending north of $5 million to comply with the act and generally clean up its image by developing new editions of its controllership guide and ethics manual. Still, "that's not to say that we can document routines and controls and be assured that nothing improper will happen," says corporate-governance head Eric Pillmore. "What we hope is that by doing this, we detect problems earlier."
Across the Board
With the Sarbanes-Oxley act of 2002 raising expectations and liabilities for directors, it's no surprise that board-related costs are rising for most public companies — albeit slowly. To date, only about 14 percent of companies have seen those costs jump by more than 50 percent, according to the CFO survey, while 17 percent have not seen any hikes yet.
Those numbers are likely to increase as more companies confront higher directors' and officers' insurance premiums. Many are also in the process of adding new directors to comply with independence requirements and sweetening the pots for current ones. At its annual meeting in August, for example, Computer Associates International Inc. was seeking shareholder approval to boost the value of its annual directors' compensation from about $95,000 last year to $150,000 this year, and reversing its longtime policy of stock-only payments to allow directors to take up to half of that fee in cash.
"Board members, audit-committee members in particular, have been given a whole host of new duties," says CA corporate-governance head and corporate secretary Robert Lamm. (Audit committees, for example, must now oversee the auditors, preapprove any nonaudit services they provide, and decide how to classify nonaudit services in annual filings.) The fee increases "represent the time involved in additional documentation, for better or worse, and the checking of additional boxes."
A Silver Lining for Some
At this point, many companies are still performing low-tech risk-mapping processes to gauge the impact of Sarbanes-Oxley. But the technology sector has high hopes that soon that will give way to a need for new tools. In fact, First Albany technology strategy analyst Gerard Hallaren expects spending on compliance-related technology to grow by $8 billion to $12 billion in the next year. "We've seen a modest push from Sarbanes-Oxley so far, but I think the real spending will kick in at the end of this year," he says.
Content and document management tools, along with analytics, are likely to be among the first beneficiaries of the law, predicts Hallaren, since "auditors are going to have a hard time auditing lots of individual spreadsheets" in the Excel formats that many companies now use. Data-storage companies are likely to be next in line, as analytical and data-management systems become more voluminous.
EMC Corp., which recently debuted the "compliance edition" of its Centera product, is one of the companies waiting for the windfall. The product codes information with a unique identifier, and can automatically delete documents at the end of their required retention period. "It's more accidental offense than planned," says CFO Bill Teuber, "but any number of regulations out there...require more information to be stored, and clearly our products help in that regard."
|Tough Act to Follow|
In August, CFO Magazine E-mailed a questionnaire on Sarbanes-Oxley compliance to senior financial executives drawn randomly from our circulation list. We received 220 responses; 139 from executives at publicly traded companies. The results below represent a combination of both public and private company responses. Note: Numbers may not add up to 100%, due to rounding.
|Not Adding Up|
How realistic are the following cost assumptions made by the SEC? Note: Numbers may not add up to 100%, due to rounding.