Introduction
Unlike the previous years since the corporate scandals broke and Sarbanes-Oxley was passed, 2004 and the first seven months of 2005 were a period of adaptation as companies became more accustomed to the expanded reporting and governance requirements. The principal focus for most public companies was the installation of internal control over financial reporting as mandated by Sarbanes-Oxley. For most private companies and non-profit entities the concern was the extent to which this particular financial reform and the other governance reforms would become best practices, even mandatory practices, for them.
The Consequences Of 404
The first wave of company reports with respect to "internal control over financial reporting" came ashore awash with criticism as to cost - in time and money - and overall effectiveness. The public seemed unconcerned by those reports that identified shortcomings in controls. The criticism was sufficient to stimulate the Securities and Exchange Commission ("SEC") and the Public Company Accounting Oversight Board ("PCAOB") to hold an April 2005 roundtable to discuss Section 404 and its ramifications. There were several highlights:
- Excessive cost.
- Checklist approach.
- Process lacking exercise of judgment.
- Loss of consultative relationship with the auditors.
- Undue impact upon small businesses and foreign companies.
Cost
Cost has been a significant factor. First year 404 costs resulted roughly in a doubling of audit costs. It is still not clear whether the initial cost of the installation of a compliant system of internal controls will be more expensive than the cost of assessment and testing in later years. Some of the cost elements must inevitably be reduced because the extent of cost, especially for small businesses, places a very heavy burden on resources otherwise needed for company operations.
Checklist Approach: Suspension of Judgment
A constant theme throughout the process of adapting to 404 has been the use by auditing firms of a "checklist mentality" that leads to what is judged by many as an excessive amount of documentation - checklists, grids and flow charts - in an effort to provide documentation in lieu of identifying major risks and focusing more heavily on those major risks. One consequence of the checklist approach has been to sidetrack the role of risk assessment and judgment by managers, which in turn discourages the application of these faculties in the audit process. Though little clarity emerged from the April roundtable, one thing did: there will be an emphasis upon less use of a checklist approach and more exercise of judgment.
Loss of Consultative Role of Auditors
Perhaps the most serious defect that has been identified in the process of installing 404 has been the loss by company financial teams of the consultative relationship with audit firms. Because of the stringent standard of independence now imposed on auditors, one theme that has crept into the audit relationship is that a company's finance group can no longer turn to its audit firm for questions of treatment of particular items. Furthermore, the mere telephone call asking for a point of view or advice as to proper treatment assures, as one chief financial officer put it, "that that topic will be on the list of potential weaknesses" when it comes to the audit. The solution to the problem thus far has been for companies to turn to other audit firms, lawyers and other professional advisers for consultation on these matters. At the April roundtable both the SEC and PCAOB noted this drawback, and stated publicly that it must be addressed. But, like the suspension of judgment, no solution has yet been proposed.
Small Companies and Foreign Companies
Small companies and foreign companies have already seen some relief in the form of delays. It is clear that the potential burden for each group is acknowledged and taken seriously. The problem is, however, a difficult one - if the standards are changed in any significant way for these groups, the result can be confusion in the financial markets as to how to understand and apply the standards. If the standards do not change, the continuing problem of excessive cost and time burdens may well discourage companies in both groups from participating in the U.S. public financial markets.
Import Of Governance Standards Into The Private Company And Non-Profit Worlds
Both the governance standards and the financial reporting standards installed as a result of the Sarbanes reforms have now found their way into the private company and non-profit worlds.
The import of financial reporting standards was inevitable. The financial markets available to private companies are more or less the same as those that make up the public financial markets save the exchanges themselves. Financial institutions have become accustomed to expecting the level of reporting and auditing that is required under the new reforms for public companies. Consequently, a lesser level of reporting could perhaps be considered substandard. While it is not true that private companies, for example, will be turned down for a credit facility because their financial statements have not been prepared to the new standard, it is true that the cost of borrowing under that facility may be higher than it would be if the financial statements complied with the new standard.
The parallel is similar in the area of governance. Increasingly it is considered a best practice for non-profit enterprises, as well as private companies, to have a number of independent directors on the board, even a majority. Large non-profit enterprises have been subject to extensive media criticism for having boards of insiders and a lack of active board leadership and supervision of the management. Both privates and non-profits have been criticized for lack of "transparency" (meaning disclosure through media outlets) of results and short-comings, even though they clearly have no such obligation.
Both the WorldCom and Enron cases produced settlements in which directors contributed directly from their own pockets. This has led to a generous amount of speculation that all directors will have increased personal liability and will therefore be less willing to serve. It is apparent that judges are more closely scrutinizing the conduct of directors involved in any piece of litigation and appear more reluctant to dismiss lawsuits early on motion before trial. What this means for directors and has come to mean for companies is: an increased emphasis upon making certain that the director and officer liability insurance is broad and deep in its coverage and will have immediate dollars available for defense; that company bylaws provide mandatory indemnification, rather than discretionary; and that directors have separate indemnification agreements with the companies on whose boards they serve.
Uncertain Emerging (Best) Practices
Some practices which in the recent past were considered the fast track to become best practices or even mandatory have somewhat less certain status now:
- Lead director is a concept that has been accepted by some companies, rejected by others and is not a common theme of discussion presently.
- Board and committee evaluations, while considered a best practice by many, and in fact mandated by the New York Stock Exchange, have not yet been undertaken in any full-blown fashion by many companies.
- The mandatory installation of whistleblower provisions has led to a large number of investigations, but not to the development of a large number of new corporate compliance programs.
Issues On The Horizon
Two principal issues on the horizon are executive compensation and risk management.
Executive Compensation
Executive compensation has continued to be a subject of criticism by shareholder activists. Shareholders are increasing the pressure on boards to be more proactive with respect to executive compensation packages. What this foretells is the emergence of an executive compensation committee with real power. Compensation committees have traditionally been less active committees. Their role has been to review compensation and compensation packages as prepared by management in consultation with compensation consultants and, satisfied that the compensation package is within the range in which the company wishes to position itself in its industry, approves packages and recommends them to the board for approval.
What must change will be the extent of the committee's independent review of the standards of performance expected in a compensation package. This may entail the committee's direct engagement of the compensation consultant, as the audit committee today engages the auditors. It will also behoove these committees to establish careful standards and to explain in their reports in proxy statements their conclusions with respect to the performance of executives at the time of the committee's review.
Risk Management
Risk management is now the phantom of the board room. It has been glossed over in the application of Section 404. It has traditionally meant the cost of insurance, which is really only one solution to a risk once identified and assessed. Risk now lurks, however, throughout a company's culture in its operations, certifications and reports and hence in the conduct of its senior management. Directors must play an active and important role for disclosures regarding risks.
What level of responsibility, must boards take for the accuracy and robustness of the risk management process and for the modeling that leads to proper disclosure? This is the as yet unaddressed and unanswered question. Some boards have responded with risk committees. The concept of separate attention to risk assessment and its management by boards of directors has not been a general practice, and certainly not a best practice. This gap will be closed in the coming years. Whether it will be closed as a result of the extension of the 404 process or in conjunction with the pressure and liability from shareholder groups remains to be seen.
Published September 1, 2005.