
CIA Certification – Why Become a Certified Internal Auditor

It occurred to me on the drive in this morning that, while I’ve been busy working on organizational deliverables, I’ve been neglecting my own personal development. I’m getting my paperwork in order for my CIA exam, the only designation that really reflects the necessary competencies to manage this work in the new SOX world. With this new designation in hand, I can be a) a counterintelligence agent that appreciates the shared acronym, or b) certified by the Internal Auditors Association and potentially a more intelligible agent of change. Getting my act in gear not only helps the business – giving the externals a bit more confidence with a CIA testing controls – but it also makes me much more marketable in this mixed up little world of controls.

I have to hand it to the CPA folks – great marketing of the designation, the IIA could learn a thing or two. Take a step or two away from the Internal Audit department and a few consultants, and the CPA looks like the logical background for this work, and going forward, I think it probably will be again. But controls haven’t been a big part of an external auditor’s game, unless they had gotten involved more heavily on the IT side.

To the person, I’ve yet to talk with a former auditor that looks back on their work and says, “Yes – I was a damn fine controls auditor.” Nearly every one has said that, as the external in the pre-SOX world, attention to controls only meant creating more work for themselves, so they avoided it like the plague. No one paid attention to this piece of the work (or wanted to pay for many hours of it), and the audit meant getting busy with the work plan to test the numbers.


Professional Investment

Retooling is the name of the game. Though I’m fortunate enough to be working with some really quality accounting pros, I’ve also had a number of conversations at large that tell me bulk price of Accountants at COSTCO is no steal. Unless folks have spent time in the twigs and berries of process design and controls evaluation, there is going to be a learning curve.

There is a reason that many organizations like to hire out of Internal Audit. These are generally professionals that have been able to bridge their public accounting experience and started getting really nitty gritty with process and controls. They have moved around the organization, and see the business as a series of interdependent systems. They know how to ask tough questions, and keep on asking even when it becomes a thorn for senior managers.

This is the skill set we need to be seeking out, and in all likelihood, figure out how to build. Financial professionals may not see the personal value right away, but will thank visionary managers that make this a core discipline. If you haven’t already bought it, you better start figuring out how to build it – you’re going to need it.

So, to the Big Four – feel free to keep your financial statement auditors until they’ve been through the process at a client or two, and understand what is expected to cross this magic line. I’ll be keenly interested when they’ve had the opportunity to learn their chops in someone else’s shop. Please steer a few my way that can talk about worst practices: I think there is more to learn in failure than success.

(The kicker is that, by the time the Big Four have manufactured SOX and control-oriented auditors, most public companies will have already certified, meaning that what they will really be needing is process improvement and system implementation people, not auditors. Hmm.)

Evidence Drives Change – Overhaul your Org Design Strategy

SOX is an excuse to get your house in Order. Take advantage of it.

Kudos to McKinsey on this latest analysis – too little consideration has been given to how the analysis underpinning Sarbanes Oxley compliance implementations can contribute to evaluating organizational design.

When a company takes advantage of their transactional and entity-level control activities in their SOX implementation to really understand the workings of their company, they are poised for measuring and monitoring subtle changes in any number of management actions. SOX shouldn’t be an extra body of work – it should be the summation and review of evidence produced from good practices already occurring within the business, reflecting expert work product, scrutiny and measurement of results, comparison to objectives, and ethically conscious business actions.

This view is at the heart of all those conversations that have been occurring about “how much is enough?” on compliance tasks. If you did the bare minimum, you may be compliant but didn’t learn much about your business. If you did a full-blown effort but haven’t looked at it in this way, you have sunk costs that can be applied to drive real business results.

Clear direction, apparent accountability for actions, and a culture driven by ethical values is a well-aligned series of management actions to drive results. Even if your auditors don’t reduce your fees, at least you will be reaping the benefits through stronger execution on your strategic initiatives.

How to Interpret the Fastow Verdict

Wow.

Milken. Ebbers. Fastow. One of these is not like the others. Poor Bernie, with no chance at the speaker tour or to save the family name with a charitable foundation. At least Andrew will still have a crack at public redemption.

With the announcement of Fastow’s 6-year prison term, I’m sure many pensioners, 401(k) holders, and business professionals are asking, “and then…?” I often wonder if I’m simply out of pace with the world around me, and don’t appreciate the standards of conduct that apply in society today. This pronouncement – and Greenspan’s recent “scrap SOX” remark – makes me wonder what I’m missing. Clearly, the news of late isn’t making sense to me.

I’m quick to note that I didn’t follow the unfolding reality tv saga of Andrew’s repentance (or monitor on my webcam the comings and goings of the now retired Greenspan), but I am left thinking that the time doesn’t fit the crime. And it’s not that I want him to rot away in a prison system, studying law or learning foreign languages in the comfortable confinement of a federal cell. I just can’t imagine the look of shock on the faces of the thousands of Enron shareholders that have been waiting for this sentencing after the loss of their savings. “Prosecution, not persecution” – ?

I hope we’ll look back in 10 years, and note the early 2000’s as the era of revitalized governance, of corporations renewing their commitment to acting as responsible, ethical citizens. I know that much of the discussion around Sarbanes Oxley has centered on integrity, values, and transparency, and that domestic efforts to reform corporate governance are having an impact on capital markets on a global scale. I hope in 10 years, we’ll look back and agree that whatever the cause, governance took a very important starring role in boardrooms and headlines for publicly traded companies.

I had hoped that in the absence of visible market reward for strong governance, we would at least see the painful consequences of unethical behavior. This sentencing message seems to contradict the Ebbers sentencing, making unethical behavior a very gray topic – and I thought we were getting close to a black and white issue.

But the bright shining light in all this? All that 529 money we are socking away for our kids might someday bring our college-age kids home with tales about an ethics lesson from Professor Fastow – if Andy can pull that page from Michael’s playbook as well.

Is there a ‘silver lining’ to the Sarbanes Oxley Act?

If you own shares in a publicly traded company or you are a technology professional in one, chances are that you’re already well-acquainted with the Sarbanes-Oxley Act (SOX), which was passed by Congress as a response to the pervasive corporate fraud of the 1990s involving well-known companies like Adelphia, Enron, Tyco and Worldcom.

Sarbanes-Oxley was designed to combat rampant corporate fraud; to restore investor and public confidence in American capital markets; and to promote sound accounting practices while it policed insider trading and ensured the integrity of market research. The provisions in Sarbanes Oxley are not entirely new; many already exist in an amalgam of federal and state laws that apply to corporate executives, accountants and technology professionals.

For many corporate IT departments, SOX at first glance loomed as a second “Y2K” effort that would delay other important projects and suck the life out of the technology budget. This article explores how much Sarbanes Oxley compliance has cost companies, how much Sarbanes Oxley has been enforced, how SOX has affected corporate IT, and whether its ultimate impact could be a beneficial one.

The hard dollar cost of SOX compliance

A 2005 Financial Executives International survey of 217 publicly traded companies showed that companies spent an average of $4.36 million to comply with Section 404 of Sarbanes Oxley. A second 2005 survey of 90 Big Four accounting firm clients found that companies spent an average of $7.8 million on compliance, or about 0.10 of their revenue. Understandably, companies have been concerned that SOX compliance is diverting money from maximizing shareholder value – and corporate technology departments are looking at project load backups, brought about by the effort expended to facilitate the massive reporting requirements mandated by Sarbanes-Oxley.

On the flip side, the dangers of not complying with Sarbanes Oxley, in combination with improper accounting practices, are far costlier.

Since Sarbanes Oxley’s enactment in 2002, federal prosecutors have filed criminal charges on 14 major corporate fraud scandals (this data is current through July of 2004). The charges are tied to 69 separate but related prosecutions. Two-thirds of the cases resulted in convictions. In nine of the major corporate frauds, 152 CEOs or other high executives were criminally charged. In 14 of the investigations, CFOs or other high ranking financial officers were charged.

Unfortunate as it might be, this prosecution has helped to restore investor confidence in the capital markets as investors now believe that they have solid law enforcement that they can depend on. Within corporate technology departments, there has also been an opportunity to complete data and reporting projects that had been sitting in the wings for quite some time, due to other pressing priorities.

It is good that these reporting projects are finally coming off the IT backlogs, since they always took second, third or even fourth place to technology implementations that were able to immediately pay off in increased corporate sales or a competitive advantage in the marketplace. For IT managers, however, a “reverse” question has surfaced: has all of this time spent working on reporting and data organization detracted from critically competitive technology projects and budget allocations?

New governance models for IT

Beyond a doubt, there has been budgetary fallout from Sarbanes Oxley work in IT. However, unlike the Y2K effort, there is increasing evidence that Sarbanes Oxley has delivered some unexpected by-products to technology organizations that are making them stronger and more efficient.

The most beneficial area for corporate IT is the area of governance. In a nutshell, IT governance is a collection of policies, processes and procedures that define how corporate technology and technology workers operate. These guidelines govern the management of change, problem management and trouble-shooting, management of service levels, and consistency of IT operations from facility to facility.

Several different IT governance standards exist today. The IT Infrastructure Library (ITIL) is well supported in Europe, and is growing in popularity in North America. The Control Objectives for Information and Related Technology framework (CoBiT) is also being studied and adopted by organizations. CoBiT addresses technology planning and organization, acquisition and implementation, delivery and support, and monitoring.

Many organizations that have adopted ITIL and/or CoBiT have claimed significant returns on investment (ROI) from their IT operations.

As an example, Tech Republic, an online community and information resource for IT professionals, cited Procter & Gamble, which has reduced IT operations costs 6 to 8 percent annually and reduced technology staff by 15 to 20 percent for a savings of more than $500 million over four years. In an interview with Tech Republic, Morton Cohen, Procter & Gamble’s manager of global service management, commented, “When IT processes are done by 5,000 people consistently across one company, service management can deliver tremendous savings.”

Of course, no IT professional “on the lines” likes to see staff reductions unless they result in job reassignments that keep people working. For the most part, they have — and the operational savings that go hand in hand with the “get tough” compliance measures of Sarbanes Oxley have produced attractive results for both shareholders and companies.

New impact on consulting resources

There is one other corner that needs to be covered in the Sarbanes Oxley story for IT: outside consulting. SOX compliance has focused the spotlight on consulting firms, as well as on internal accounting, auditing and IT functions.

According to Sen. Paul Sarbanes in the New York Times, a major goal of SOX was “to get auditors to start being auditors again.” To do this, SOX prohibited auditors from engaging in business ancillary to accounting.

The repercussions internally and externally have been significant. On the inside of corporations, where there have often been strong alliances between accounting and IT, there is now more segregation of duties than before.

On the outside of organizations, where accounting firms traditionally also bid on IT projects, there has been less activity in the IT area — which has opened up the field for more consultancies that focus exclusively on IT. Neither trend is necessarily bad for IT. Internally, IT gains autonomy and more recognition for its contributions and core competencies. Externally, there are now more consultancy choices available – with a dedicated focus on IT.

Concluding remarks

Debates on Sarbanes Oxley are likely to continue, but unlike Y2K, SOX has the chance to deliver some long-lasting and positive results to organizations, especially now that the initial rounds of SOX spending are over.

The emerging field of IT governance, fueled by Sarbanes Oxley and other forces, is likely to have far-reaching effects on IT that in the long run, can make IT stronger. These contributions are in the areas of policies, uniform operations and uniform service levels — which IT and its internal and external customers will all profit from.

Credit: August 2006 issue of Enterprise Networks & Servers

Compliance – Evolution & Refinement in Practices

I came across a concise, straight-forward summary of year-two evolutions in an organization, from an IT Security Manager’s perspective. Dave Bowser’s “How to Learn to Love Sarbanes-Oxley” provides some very useful points of reference for organizations continuing to change and refine their SOX compliance practices.

In addition to the IT-centric considerations noted in the article, I would also suggest that the control activities occurring within the business provide a powerful base of intelligence that can lead to improved efficiencies in the systems environment as well.

Since a control by design should stop a transaction from continuing through the process when an error is found, business owners, through the operation of their controls over critical transactions, should now be keeping documentation on the nature and frequency of exceptions they are finding in their processes. A studied review of identified exceptions is an excellent way to prioritize refinements in the core processes that drive financial performance.

In one example, IT was asked to begin logging and obtaining system owner approval for all changes to production data. Though this had long been an informal practice, it was escalated to a level of “key control” as part of the General Computer Controls considerations around systems and production data. In monitoring and performing this new control, a number of systemic issues were now documented, many of which were minor configuration or functionality changes that improved the integrity of the data.

For the non-IT business manager, a regular self-assessment of control operations should also reveal potential improvements in process. The exceptions found in detective, back-end controls can recommend more appropriate front-end controls to reduce error correction and rework. Often, these exceptions can point to refinements for system input screens that shift the control function from detective/manual to preventative/automated. These system change requests will have much more clout when based on hard data, given the potential costs these changes might require.

“Love” might still sound like a strong word, but when business begins to review and monitor the data as closely as the auditors, there is a strong promise of improved operational efficiency.

SOX: Sunk Cost or Capital Investment toward a BPM Effort?

The cost of your SOX documentation has likely already been accounted for, and if you are like most organizations, you’ve already decided how you will address the ongoing maintenance and testing requirements that are now part of the publicly traded landscape.

One of the considerations that has been getting some discussion is how value can be built on top of the analytical work and assessment that SOX required. If you have ever undergone a business process improvement project or have a business process management function (BPM) that facilitates change in your organization, you are probably aware of the costs surrounding the “how do things work today” assessment. SOX documentation should give you a head start.

Should – this is the critical watchword, and this notion comes with caveats. If you’ve ever tried to pick up someone else’s speech, or inherited a process from someone else, you are familiar with the orientation challenges to recycling the work of others. Most documentation has a slant to it, in that the original author typically has been writing for an explicit purpose, which is probably different than yours.

The SOX documentation floating about your organization should provide a very concise orientation to the critical transactions that result on your financial statements – this was the driving purpose to the thousands of hours of documentation that preceded the flurry of testing. The intent of this documentation is to provide an external auditor that isn’t necessarily familiar with your process an adequate overview of how the transaction moves from initiation through the process and ultimately to the financials.

SOX documentation is very risk and control centric: the point is to demonstrate that investors can rely on the financial results because a series of key activities (controls) are being regularly executed that ensure the accuracy of the financial results. While it contains flow and systems details in varying depth, these are represented to help a reader understand effectiveness of the controls – not efficiency.

“Effectiveness” is the SOX objective, at whatever cost to efficiencies in the process. And therein lies the opportunity: an objective review of your controls will tell you what is being done efficiently (automated controls, or controls embedded in the process itself) and what is only being done effectively (manual reviews of printouts and signoffs that happen offline to ensure proper authorization). Business Finance published a recent article on the value that can be realized through BPM efforts, which might be useful as you make your case to senior management.

In considering a BPM technology initiative, your SOX documentation should provide a few useful data points to get you started. It is reasonable to expect:

  • An overview of the transactions from initiation to reporting.
  • Identification of the workgroups involved (assuming that swim lane diagrams or narrative descriptions have been oriented this way).
  • A clear balance of current manual and automated activities that are relied on to get comfortable that the transactional data is being captured and processed appropriately.
  • Walkthrough and testing documentation that reflects the nuances of the control operation, including the use of the applications, spreadsheets, and other information necessary to evaluate if the transaction is being processed correctly.
  • Business owners painfully aware of extra work that has been layered on them to meet the law (effective), but is hampering their day to day work efforts (efficiency).

You will not likely find:

  • Specific identification of process bottlenecks in the flow from initiation to reporting.
  • A well-crafted list of grievances resulting from new manual processes slammed into place to meet regulatory guidelines.
  • System development roadmaps that consider SOX requirements alongside the demands of operations.

The pain point exists, and the timing is excellent for companies deep in Year 2 of their efforts, where considerations of efficiency are now being put back on the table. Tapping into the vast knowledge store required for SOX is an excellent way to turn sunk documentation costs into a base of investment for business transformations.

General Computer Controls – Access Management Woes

Thick in the world of SOX, it seems that many organizations are having a hard time getting their IT and business-sides of the organization to pull together. One such area that has been a particular challenge for me has been in regards to Access Management.

As a key consideration for General Computer Controls (see isaca.org for details on using the COBIT standard to address SOX issues), Access Management means that you restrict the types of access that persons have to your systems. This applies equally to those persons in the business and in IT supporting or developing the applications.

One of the greatest challenges I’m seeing and hearing is that system access privileges reflect where you’ve been, not what you now do. If you have folks that have moved around the organization, it is quite likely that they have retained their access to a number of applications or networked folders that reflect their past work. Hmm. Not a good thing when you begin your efforts to identify adequate Segregation of Duties.

A few considerations to help clean this up:

Make role definition a priority. This means that, for each functional area, a specific project should be assigned that requires managers to determine what their team needs (and doesn’t need) in terms of access. If it is not on the list, it needs to be approved by exception by both the person’s manager AND the targeted system owner. Not only does clear role definition make it easier for managers to review at future dates, it makes it easier to adjust as changes occur in your staff.

Get HR Involved. No one gets hired, fired, or transferred without HR ensuring that payroll details and benefits considerations get updated. A well-run HR process can assure that, before a new person gets put into a vacated role, all rights for that role have been closed out. You are likely thinking “that’s not how our process works” – which is probably right. What you need to ensure though is that changes in the roster are reflected properly in the IT access environment. If you have managers that want to fill vacancies or get an internal candidate into the job, now is the time to task them with cleaning up the access details – while they have a clear motivation for knocking out the work.

Make Managers Accountable. The best laid plans… go up in smoke without clear accountability. Your management structure should reflect a proper span of control, such that every manager should know what their team needs to do their jobs effectively. Make these managers accountable for proper access by pushing out periodic reports (e.g. quarterly) and have them validate that their teams’ access is appropriate.

Any of the efforts around IT really need to be covered off in two specific aspects – clean up of existing access (data), and then building a process that ensures things don’t get off track in the future. Clear processes coupled with a proper level of accountability provide assurance that practices stay on track long after the pain of cleanup has been completed.
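The three steps above (role baselines, an HR-driven joiner/mover/leaver feed, and a periodic manager attestation) come together in one reconciliation. The script below is an added illustration written for this post, not the author’s own tooling or any product’s API: it takes a role baseline, an HR roster and an entitlement export (all constructed sample data with made-up user, role and entitlement names), and classifies every grant that the current role does not explain into the categories a reviewer actually needs to act on: access left over from a prior role, access held by a terminated person, an account HR has no record of, an unexplained grant, or a grant already approved by exception. It then groups the findings by manager so each one receives only their own team’s items for the quarterly attestation.

```python
"""Access-review reconciliation example (constructed data, hypothetical names)."""
from collections import defaultdict

# Role baseline: what each job role is expected to hold (step 1, role definition).
ROLE_BASELINE = {
    "ap-clerk":        {"erp:ap-entry", "share:finance-ap"},
    "ap-supervisor":   {"erp:ap-entry", "erp:ap-approve", "share:finance-ap"},
    "payroll-analyst": {"hris:payroll-run", "share:finance-payroll"},
    "it-dba":          {"erp:db-admin"},
}

# HR roster feed: status, current role, roles previously held, and manager (step 2).
HR_ROSTER = {
    "alice": {"status": "active", "role": "ap-supervisor", "prior_roles": ["ap-clerk"], "manager": "carol"},
    "bob":   {"status": "active", "role": "payroll-analyst", "prior_roles": ["ap-clerk"], "manager": "carol"},
    "dave":  {"status": "terminated", "role": "it-dba", "prior_roles": [], "manager": "erin"},
    "frank": {"status": "active", "role": "it-dba", "prior_roles": [], "manager": "erin"},
    "grace": {"status": "active", "role": "ap-clerk", "prior_roles": [], "manager": "carol"},
}

# Entitlement export pulled from the systems themselves (what people *actually* hold).
ACCESS_EXPORT = {
    "alice": {"erp:ap-entry", "erp:ap-approve", "share:finance-ap"},
    "bob":   {"hris:payroll-run", "share:finance-payroll", "erp:ap-entry"},   # left over from ap-clerk
    "dave":  {"erp:db-admin"},                                                 # terminated, still enabled
    "frank": {"erp:db-admin", "share:finance-ap"},                             # exception on file
    "grace": {"erp:ap-entry", "erp:ap-approve", "share:finance-ap"},           # clerk who can approve
    "svc-legacy": {"share:finance-ap"},                                        # unknown to HR
}

# Exceptions approved by both the person's manager and the system owner.
APPROVED_EXCEPTIONS = {("frank", "share:finance-ap")}


def reconcile(roster, baseline, access, exceptions):
    """Return one finding per grant that the person's current role does not explain."""
    findings = []
    for user, granted in sorted(access.items()):
        person = roster.get(user)
        if person is None:
            # No HR record at all: orphan or service account that nobody owns.
            for ent in sorted(granted):
                findings.append({"user": user, "entitlement": ent,
                                 "category": "orphan-account", "manager": None})
            continue
        if person["status"] != "active":
            # Leaver whose access was never closed out.
            for ent in sorted(granted):
                findings.append({"user": user, "entitlement": ent,
                                 "category": "terminated-still-active",
                                 "manager": person["manager"]})
            continue
        expected = baseline.get(person["role"], set())
        legacy = set().union(*(baseline.get(r, set()) for r in person["prior_roles"]))
        for ent in sorted(granted - expected):
            if (user, ent) in exceptions:
                category = "approved-exception"      # on the report, but already signed off
            elif ent in legacy:
                category = "legacy-prior-role"       # "where you've been, not what you do"
            else:
                category = "unexplained"             # needs manager + system owner decision
            findings.append({"user": user, "entitlement": ent,
                             "category": category, "manager": person["manager"]})
    return findings


def review_report(findings):
    """Group findings by manager for the periodic attestation (step 3)."""
    report = defaultdict(list)
    for f in findings:
        owner = f["manager"] or "UNASSIGNED"
        report[owner].append((f["user"], f["entitlement"], f["category"]))
    return dict(report)


if __name__ == "__main__":
    results = reconcile(HR_ROSTER, ROLE_BASELINE, ACCESS_EXPORT, APPROVED_EXCEPTIONS)
    for manager, items in sorted(review_report(results).items()):
        print(f"== Review package for {manager} ==")
        for user, ent, category in items:
            print(f"  {user:12} {ent:24} {category}")
```

Running it produces one package per manager plus an UNASSIGNED package for accounts HR does not recognise; alice generates nothing because her grants exactly match her current role. The categories are the point: a legacy grant is a mover whose old access was never removed, a terminated-still-active item is a leaver HR processed but IT did not, and only the unexplained items need a fresh decision by both the manager and the system owner.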

Why You’ll Get SOX’d Sooner or Later

For the lucky few who have been laughing at you – the SOX practitioner or control owner – their time is coming. Sure, they’ve been smiling and waving a hearty goodbye each evening, wishing you well even as they roll out of the office at a quarter to 5.

But here’s the sweet justice – SOXing is coming to a process nearer to them. Now, I don’t mean to suggest that the law or interpretation will necessarily be changed to engulf every last aspect of a business. (That would be disheartening for those that have done such a masterful job of defining and arguing scope with their auditors.)

No, my point is that all the good work that has been done around financial transactions and processes – while painful, expensive, and time consuming – has been good work. I’ve yet to talk to or hear from an executive that hasn’t found this educational. And there is no doubt that processes and confidence in financial numbers have improved – as much due to increased scrutiny and awareness of the process as to the new level of transparency.

An unanticipated consequence of all this however is that businesses are demonstrating their ability to implement improved processes and controls. Oops. If a business can do it in these key core processes – and in a short period of time – there is no reason this same rigor can’t be applied to all facets of the business. And the real rub for those snickering fools is that everyone else is now up on the lingo, up to speed on how process controls, measuring and monitoring work. And management knows it works – just look at how many control improvements and remediation tasks have been resolved during the last 18 months. And no one knew/admitted those processes (core to financial reporting) were broken, now did they?

Your pity, and a wee bit of sympathy, may be in order. The Finance and Accounting folks were at least used to having auditors rifling through their notebooks, and snooping through their process. When was the last time that Internal Audit crawled inside your Marketing machine? When did they last opine on your budget process? Your compensation and retention plans? Your recruitment process?

Be sure, when and if your Business Process Management folks get ahold of this, those snickering fools are going to be on one wild ride.

Trends in Reported SOX Deficiencies

As a member of the IIA, I’ve been monitoring and commenting on their discussion forum over the last several months. An interesting question posed by a private-company professional was, “what are the current trends in reported deficiencies?”

As dumb luck would have it:

A colleague recently shared a paper from Compliance Week (Oct 12, 2004), noting that 51% of disclosures in recent months were due to problematic financial systems. Other big issues showing up as significant deficiencies/material weaknesses:

  • Personnel issues: segregation of duties, inadequate staffing/training, supervision issues
  • Tone at the top (following instances of restatement)
  • Poorly documented accounting practices

An interesting read. For small businesses, I could see some of these issues. I’ve worked in immature organizations that are still trying to find their public legs. I can see where SoD comes up in small companies, and that training can be a challenge when you’re running lean and everyone must focus on operations.

But these are often multi-billion dollar companies. Not start-ups, but organizations with thousands of employees, of a size and market value that the investing public expects solid business practices to be applied at the helm.

What a sad state of affairs into which corporate financial practices have fallen. Coming from the operational side of the business, I find it astounding that so few departments have strong, repeatable, documented processes. It seems that many large businesses move on momentum: ask any serial entrepreneur what has resale value, and they will tell you – repeatable processes.

In conversation after conversation, the single biggest risk in my mind is that people are too busy chasing the little things to ever get ahead. Some of the brightest people I’ve encountered are also the busiest, far too busy to ever teach anyone what they are doing, and therefore always shoulder to the grindstone. (Not the formula that I would expect to be applied in organizations trying to build capability – and by extension – shareholder wealth.)

Not that everyone is in danger of getting hit by the proverbial bus, but expert-specific risk is a very real exposure. Health-risks, burnout, separation, and -yes- getting hit by a bus all put the business at risk. We recruit these experts to build our organizations, but fail to capture that expertise in more than a transactional way. Task :: Completion. Problem :: Solution. This is not creating corporate capability – this is perpetuating a very real, unhealthy dependency.

SOX should simply be affirming what we already know to be true about building strong companies: you are what you measure. If you want to be successful, measure the elements that define success. Documenting practices, organizations are now forced to explain the process of expert knowledge in action. Maybe SOX is driving some much-needed-but-never-scheduled reflection on what makes a company healthy. A thought worthy of some personal reflection.

Sarbanes Oxley Spending on Compliance

U.S. Sen. Paul S. Sarbanes calls the corporate governance law that bears his name, the Sarbanes-Oxley Act, the “most far-reaching improvements in the protections for American investors since the Securities and Exchange Commission was established 70 years ago.”

A little more than two years after its enactment, some Maryland business leaders have other — perhaps less complimentary — opinions of the law.

“It’s very costly,” said Robert W. Kurtz, president and CFO of First United Corp. of Oakland, the financial holding company of First United Bank & Trust, which has branches in Frederick and other Maryland counties.

Kurtz estimated that his bank, which has assets of $1.2 billion, has spent about $500,000 on additional accounting, auditing and support staff, fees and other services to comply with the law.

First United is by no means alone. Nationwide, businesses’ average cost of complying with Sarbanes-Oxley has been almost $2 million, according to a recent survey of 321 companies by Financial Executives International, a trade organization in Florham Park, N.J. That includes about 12,000 additional hours of internal work and 3,000 hours of external work, with average auditor fees of $590,000, an increase of 38 percent over the previous year.

MedImmune, a Gaithersburg biotech company, is spending more than the average to comply — “at least in the mid-single-digit millions,” said Jamie Lacey, a MedImmune spokeswoman.

Estimates for the total tab paid by U.S. companies this year are as high as $5.5 billion, a survey of CEOs by AMR Research of Boston found.

The law is designed to help end the accounting fraud and other corporate scandals that caused bankruptcies at Enron, WorldCom and similar public companies in 2001 and 2002, resulting in thousands of lost jobs, billions in lost investment savings and dozens of corporate indictments and convictions.

The measure strengthens accountability standards and criminal penalties for wrongdoing, creates a private regulatory board and prohibits companies from lending money to their top executives.

Some of Sarbanes-Oxley is already in effect, including a requirement that chief executive and chief financial officers vouch for all financial statements.

Businesses scramble to comply with Sarbanes-Oxley Act

One particularly expensive provision, Section 404, requires companies to establish internal auditing controls, warn shareholders of any problems and get independent auditors to verify the changes. Most large public businesses face a Nov. 15 deadline to comply with that section. An SEC official recently said some other portions, such as counting stock options as expenses, may be delayed.

Not surprisingly, officials at accounting firms, which are getting plenty of new work because of the law, are generally enthusiastic about Sarbanes-Oxley.

James H. Quigley, CEO of New York accounting firm Deloitte & Touche, which has offices in Maryland, praised the law when he testified last month before the House Committee on Financial Services, chaired by Rep. Michael G. Oxley (R-Ohio), the legislation’s other main sponsor.

The law’s internal control requirements may be costing companies more money, Quigley said, but those costs represent a small percentage of the companies’ invested capital and can help eliminate redundant systems to boost investment returns.

Also, companies’ audit committees meet more frequently and for longer periods, and thus are more involved in making sure businesses’ figures are accurate, Quigley said.

“The need for increased financial reporting oversight and enhanced safeguards for investors has been recognized, and companies are responding,” he said.

The law has also been good for workers whose retirement pensions are often invested in capital markets, said Richard L. Trumka, secretary-treasurer of the AFL-CIO. He estimated that union members lost $35 billion from the Enron and WorldCom debacles alone.

Kurtz said he recognizes such positive parts, but the series of checks gets to be redundant and can’t always be considered foolproof.

“Just because we have auditors signing off on internal controls, that won’t necessarily stop anyone from being crooked,” he said.

Some companies go private

When Sarbanes-Oxley was passed, some observers predicted that many public companies would simply go private to avoid its additional expenses and scrutiny.

A few more public companies did make the switch last year — 85, compared with 80 in 2002 and 49 in 2001, according to New York business information company Thomson Financial.

Aronson & Co., a Rockville accounting and consulting firm that has numerous public company clients, has recently helped public companies go private, said Lisa J. Cines, a certified public accountant and managing officer.

“Some might be better off being private,” she said. “Each one is different.”

Aronson employees are busy these days, though the pace is not as frantic as one might expect, Cines said. “We’re not working a lot of overtime,” she said. “But employees who can work overtime are asked to do so.”

As a private company, Aronson doesn’t have to comply with the overall act. But because it audits public companies, it has to register with the new Public Company Accounting Oversight Board, another creation of Sarbanes-Oxley, and be audited by that organization every three years.

Earlier this year, the SEC barred Ernst & Young, a New York Big Four accounting firm with an office in Baltimore, from adding new public clients for six months because it violated rules governing auditor independence when it formed a joint business with client PeopleSoft, a software provider in Pleasanton, Calif.

Public companies are having more difficulty finding independent auditors, Cines said. A company’s internal auditors can work on many of the new requirements, but an outside auditor has to be hired to test internal controls to guard against conflicts of interest.

“The Big Four accounting firms are being more selective in choosing clients,” she said.

Still, most of Aronson’s clients are trying to look on the bright side, Cines said. “Most companies are saying there is some good to Sarbanes-Oxley,” she said.

Tax and consulting firm RSM McGladrey of Bloomington, Minn., has worked with an affiliate accounting firm, McGladrey & Pullen LLP, to develop an internal control process for clients complying with Sarbanes-Oxley, said Dara Castle, a managing director with the Bethesda offices of RSM McGladrey.

“RSM McGladrey has worked successfully with McGladrey & Pullen through an alternative practice structure to develop a strong internal control process that helps our clients avoid risk, and properly assess and mitigate risk when the situation dictates,” Castle said.

Most clients have good internal controls but lack the formal documentation, assessment and testing of those controls, Castle said.

The compliance costs are among the top concerns for companies, especially smaller and mid-sized ones, said Imtiaz Hussain, manager of risk management services with the Bethesda offices of RSM McGladrey.

“After the initial year, those costs will decline for companies,” he said.

Banks and other financial institutions already face a good deal of regulation, so the additional steps taken to comply with Sarbanes-Oxley are not overly burdensome, said John Bond Jr., chairman and CEO of Columbia Bancorp, parent company of Columbia Bank. Many of Columbia’s 24 branches are in Montgomery and Prince George’s counties.

“It hasn’t been a big problem, but the act does make us do more to get ready for outside auditors,” Bond said. “We were already ahead of much of that in Section 404.”

Some companies have hired a chief compliance officer or at least designated a senior manager to track the complex set of changes under Sarbanes-Oxley. In many cases, the compliance officer reports directly to a company’s audit committee, rather than the chief executive, to provide more independence.

Others have purchased specific software to help them comply. Lockheed Martin Corp., the Bethesda aerospace and defense giant, employs a package from Longview Solutions, a Canadian software provider, that consolidates the company’s tax and accounting systems. Bresler & Reiner, a Rockville real estate investment trust, uses Web-based software from Axena, an Orlando, Fla., technology company, that documents and tests controls and assesses risk. Bresler has also developed a 10-year compliance plan.

Signs of effectiveness

The new law has been effective in helping investors “better understand a company’s true financial picture when they make a determination whether to invest in that company,” Sarbanes (D) of Baltimore said in a statement to mark the law’s second anniversary in late July.

“We are seeing more active involvement by independent directors — as the law requires — better internal controls and more robust disclosure,” he said. “We have also succeeded in nearly doubling the budget of the SEC to hire more staff and investigators. The SEC has moved quickly to issue the rules required to implement the legislation and to review new rules issued” by the accounting oversight board.

One key measure of the law’s efficiency is the lower ratio of accruals to revenues. The ratio declined by about half in the two years under Sarbanes-Oxley when compared with the previous two years, according to a study of more than 6,000 public companies by the Kellogg School of Management at Northwestern University.

Accruals is the practice of overestimating sales to inflate a company’s financial picture; even before Sarbanes-Oxley, accruals could result in steep fines.

The SEC has also stepped up enforcement, enacting 679 actions against companies or business officials in fiscal 2003, about 14 percent more than the previous year. While the pace for 2004 so far is behind last year’s, the SEC is imposing larger fines, most reached after negotiating settlements.

For example, nine of the 12 settlements of at least $50 million since 1986 have come in the past year.

Courtesy of The Gazette