Sarbanes-Oxley: two years on

Perhaps the most vital corporate governance legislation in recent years, Jon Rowden looks at the Sarbanes-Oxley Act, which, now two years old, continues to place ever greater responsibilities on America Inc

Following the collapse of some high-profile companies in the United States, the Sarbanes-Oxley Act of July 2002 introduced new rules covering many of the areas of corporate governance which were perceived to have failed. In broad terms, the Act addresses the responsibilities of directors and the relationship between auditors and their clients. New disclosures to help investors understand the financial position and governance arrangements were also introduced. The audit profession has now become an independently regulated business following the creation of the Public Company Accounting Oversight Board (PCAOB).

In addition, criminal penalties of up to 20 years in jail were introduced for certain corporate misdemeanours; for instance, the shredding of documents after a regulatory investigation has commenced. Television coverage of finance executives in handcuffs have been noted by the global financial community.

In overview, the Act is intended to protect US citizens who are shareholders. In the global economy this means that the new rules apply to companies who offer their shares or bonds on the US market and are registered with the Securities and Exchange Commission (SEC). These foreign registrant companies have each submitted themselves to US law.

Two years on, where do things now stand?

Most of the new rules have been put into operation and registrant companies are bedding down the procedures necessary to comply. One particular rule however has taken rather longer and is yet to come into full operation. That rule is called Section 404.

Section 404 of the Act requires both the CEO and CFO to certify that the controls related to financial reporting are effective. This ensures that senior management take personal responsibility for the financial statements of their company - something that was felt by many to be missing in financial scandals leading up to the Act. In addition to the CEO/CFO certification, the Act requires external auditors to attest to management�s assessment of the financial reporting controls.

The implementation of Section 404 has been a rollercoaster ride with separate tracks for large US companies and companies based outside the US. In October 2002, a rule for companies was drafted by the SEC and issued for comment. This proposal envisaged that all companies would be required to comply by late 2003. Many commentators requested further time to implement the requirement. In May 2003, the SEC finalised their rule, moving the timetable back - US companies would now have to comply by June 2004, with foreign registrants permitted an additional 10 months. Then, in February 2004, the SEC moved to grant a further extension. At the time of writing, US registrant companies will need to comply for years ending after 15 November 2004. For foreign registrant companies the equivalent date is 15 July 2005.

The introduction of a matching Section 404 rule for auditors has been keenly followed, not least by management looking to the audit rule to clarify what they themselves are expected to do. In October 2003 the newly-formed PCAOB issued an exposure draft setting out a proposed rule which went much further than the Act required. Not only were auditors to consider management�s process of assessing financial reporting controls, they would also be required to form a view on whether the controls themselves were effective.

This was a surprise. A repeated scene in the aftermath of high-profile corporate collapses had been former finance executives explaining that they had only made the same accounting decisions as experienced auditors who knew more about accounting than they. Perhaps in response to this, the Sarbanes-Oxley Act specified that only the CEO and CFO were to make a statement about whether financial controls were effective, with auditors required to form a view on how management had made this assessment. The proposed audit rule overturned this and placed auditors in the position of making the same statement as management about the effectiveness of internal controls over financial reporting.

The proposal also made apparent that very detailed documentation, assessment and testing of controls would be expected of both management and auditors if a clean audit opinion were to be achieved. Controls relating to the audit committee and the tone at the top of companies would be covered, but would only account for a small proportion of the overall effort required to comply.

There were 194 responses to the proposed audit rule. A distinct division emerged between those who stated that the cost and effort involved in this requirement would provide an important safeguard for the shareholders, and those who felt that additional effort on individual processes and controls would divert attention away from the tone of corporate governance exercised at the top of companies and would be unnecessarily expensive.

Finalising their rule in March 2004, the PCAOB came down on the side of those who feel that the undoubted costs were worth paying and made relatively few amendments to their proposal, which the SEC has subsequently ratified.

What does this mean for accountants working for companies that are registered with the SEC or their affiliated companies?

The rules require somebody to document existing financial processes and controls, to assess them, test them, fix them where necessary and have external auditors carry out walkthroughs to confirm the processes and controls which the auditors then also test. To be executed properly, Section 404 will need skilled people with plenty of time. Some finance departments and internal audit teams may have spare capacity to absorb this requirement, but many will not, and global recruitment of financial professionals dedicated to Section 404 projects is increasing.

Section 404 will not be a once-off effort; full compliance is required annually and so documentation will need to be updated for systems changes, whilst testing of controls will be done afresh each year. This means Section 404 will have to be embedded in corporate budgets and the career expectations of finance professionals.

Equilibrium

Although the rules are now final, corporate America still appears to be feeling its way towards an equilibrium on Section 404. Recently, Arthur Levitt, a former chairman of the SEC, and Paul Volcker, a former chairman of the Federal Reserve, penned a defence of the new rule in the Wall Street Journal referring to the pain suffered by investors and challenging the memory-span of critics. This reinforced the regulatory view that Section 404 does come with a cost, but for investors that cost is worth paying.

First compliance with Section 404 will happen in early 2005 when US companies with calendar year-ends report their findings. Recent surveys suggest that corporate America has much work to do between now and the first certification. Not every company will achieve a clean controls certification and the reaction of the marketplace and regulators to companies who discover controls problems is hard to predict. Some companies may not even be able to demonstrate that they have carried out an effective process for Section 404 and will perhaps face even sterner censure.

With rules finalised, it might be envisaged that the rollercoaster ride will now smooth out. For that to happen, much time and effort from skilled accountants will be necessary. Some will relish the challenge. Others may not envisage a career of documenting processes, the assessment and testing of controls, then beginning the exercise afresh each year. Their willingness and motivation will be an important factor in the success of the Section 404 rules. Time will tell whether the Section 404 rollercoaster ride is now behind us.

Jon Rowden is a London-based director at PricewaterhouseCoopers responsible for advising clients on the effect of the Sarbanes-Oxley Act. He is also a member of the PCAOB working group set up by the Institute of Chartered Accountants in England & Wales.