Coming to terms with Sarbanes-Oxley

The law created an independent body, the Public Company Accounting Oversight Board (PCAOB), at the SEC to oversee auditors of public companies, to set standards for accounting, and to investigate and discipline accountants. It attempted to address investment analysts’ and other financial professionals’ potential conflicts of interest and ensure auditor independence. And it tried to strengthen corporate governance by requiring corporate leaders to be personally responsible for the accuracy of their companies’ financial reports.

One key provision proved to be Section 404, “Management assessment of internal controls.” Sub-Section A requires the SEC to set rules for each publicly traded company’s annual report to contain an internal control report. That report “shall (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.”

Sub-Section B, dealing with internal control evaluation and reporting, states that “each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer.” Attestations under this sub-section must meet standards set by the PCAOB. “Any such attestation shall not be the subject of a separate engagement,” Section 404 concludes.

The requirements presented a definite challenge for “accelerated filers,” essentially companies with more than $75 million of market capitalization. And it was one that the companies could not meet by simply turning it over to their outside auditors. Several turned to auditing consultants for help.

“The intent of the Sarbanes-Oxley Act was to increase shareholder confidence, yet many companies aren’t going public because of these regulations,” observed Roger D. Burks, a managing partner at Sirius Solutions in Houston who headed Deloitte and Touche LLP’s Gulf Coast energy practice through August 2002.

He considers the Sarbanes-Oxley law the “Auditor’s Full Employment Act” and suggested that the real test will come this summer when the PCAOB conducts its first reviews.

“I would not like to be the CFO of a public company or an audit partner right now,” said Burks. “I would eliminate the audit opinion on the controls, but the provisions of SOX Section 302 regarding the CEO/CFO certification are necessary. Without the auditing opinion, management could spend more time understanding, documenting, mitigating, and disclosing the company’s risk to the investment community.”

He added, “There have been benefits from SOX 404, notably understanding of the business processes and controls by senior management - but that was already a responsibility of management. Having to document for an external audit opinion is causing several of them to look at the SOX rules as purely negative, with no value.”

“Basically, we go in and identify significant processes [as to how a company creates] a financial statement,” explained Keith A. Tunnell, oil and gas specialist at Hein & Associates in Houston. “We attempt to identify each internal control that assures the processes are correct. This involves identifying control weaknesses, then working to remedy them. We actually do performance audit tests to determine the company is following the processes it has created. Some of our clients weren’t even close to meeting the Sarbanes-Oxley requirements. The only ones that were moderately close had internal controls already.”

He said that most of his clients simply were glad the process was finished. “They feel their financial statements will be more accurate, but that it was overkill because the costs outweighed the benefits,” said Tunnell. “What we’re doing improves the accuracy of that statement and substantially mitigates the potential for mid-level management fraud to occur. Very little of what we’ve done would necessarily solve the problems where fraudulent reporting occurred in upper management. That’s where the underlings are ratting out senior executives.”

“Our firm’s Sarbanes-Oxley role has been to help clients achieve compliance,” said Chip Matthews, a principal at Horn Murdock Cole in Houston. “My experience with the firms I’ve worked with is that they’ve generally done about as well as could be expected under the circumstances. Six to nine months ago, they were trying to feel this out. At the end of the day, they’ve got it right more often than not.”

The difference between success and failure, he maintained, depended primarily on the extent of upper management’s involvement in setting the appropriate “tone at the top.” Oil and gas production executives had a model for using audit-type testing to address risks because their companies participate in so many joint ventures. “The oil and gas business is such a high-risk enterprise that the vast majority of the wells drilled in the world are joint ventures, with an operator and partners. The resulting risks are addressed by a rigorous approach to auditing one another,” Matthews said.

When it came to building internal controls, business in general already had COSO - specifically, the Committee of Sponsoring Organizations, which five major professional associations (the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Internal Auditors, and the National Association of Accountants, which subsequently became the Institute of Managing Accountants) formed in 1985.

COSO’s National Commission on Fraudulent Financial Reporting (better known as the Treadway Commission because it was headed by James C. Treadway Jr., a former SEC commissioner) developed recommended internal control practices for companies to consider. Many companies used them as a framework for developing the internal controls required under Section 404 of the Sarbanes-Oxley Act.

The oil and gas industry also had COPAS - the Council of Petroleum Accountants Societies, which has existed since 1961. It has more than 2,400 members in 24 societies throughout the United States and Canada. With an aim of “turning energy into synergy,” it has established energy accounting guidelines, model form interpretations and best practices; provided ethical standards for energy accounts, and has become the certifying association for the Accredited Petroleum Accountant Program.

“COPAS has set the audit standards and helped develop joint operating agreements,” Matthews explained. “Companies’ internal audit groups also have an external audit function. The experience of auditing partners and being audited by partners can give exploration and production companies an advantage in Sarbanes-Oxley compliance over, say, manufacturing and retail companies. Dealing with joint venture audit can prepare management to deal with compliance issues similar to those addressed by Sarbanes-Oxley. Unfortunately, I’ve seen too many cases where the Sarbanes-Oxley approach was more like a second audit than a process improvement effort.

“Our approach has been to nail down tone at the top and risk assessment as early as possible, before completing the detailed control documentation,” Matthews continued. “Then we do a sort of triage - segregating key controls to be tested, control gaps to be remedied, and non-key controls for which documentation is sufficient. This requires professional and management input, but creates the opportunity for real process improvement,” he added. “Sarbanes-Oxley compliance comes where management becomes involved and says it won’t tolerate financial abuses. That can happen, or fail to happen, in any industry.”

Representatives of the Big Four accounting firms, which also have taken on Sarbanes-Oxley compliance work for companies that don’t use their auditing services, confirmed these points. “In exploration and production, there was a risk sharing property that carried through many participants,” said Charles R. Swanson, a partner at Ernst & Young Americas and director of its oil, gas, and chemical sector. “We noticed, however, that systems in those companies were pretty well developed with automated controls that had been used for years. This proved to be a significant benefit in satisfying Section 404 requirements. Most of the mid-stream and downstream companies had stabilized operating systems similar to E&P.

“Oilfield service companies were a different story,” he continued. “Many had grown through acquisitions over the years. As a result, we found several that had different financial systems that had not been integrated, probably as a cost-saving decision at the time. These dissimilar financial reporting processes made 404 compliance a challenge.”

“There were some unique accounting problems that presented issues early on, such as auditing information around reserves. That was resolved early enough last fall that it proved not to be a big problem,” said Gary C. Prasher, a partner at PricewaterhouseCoopers specializing in Sarbanes-Oxley Act Section 404 compliance for energy companies.

One issue, he continued, was that there has been so much oil and gas corporate consolidation the past few years that companies that had not integrated operations had problems meeting the Sarbanes-Oxley requirements. Companies that were required to document operations under the Foreign Corrupt Practices Act of 1977 (which was substantially revised in 1988) were more likely to be ready for Sarbanes-Oxley, however.

“We found three types of companies,” said Prasher. “The first were the ones that had a pretty robust internal control requirement already. The Sarbanes-Oxley exercise was less onerous for them. The second was the biggest category. Companies that didn’t have robust internal control requirements had to spend a lot of money to get them and, now that they are finishing, recognize it as an opportunity to substantially improve internal controls and reduce costs. The third type is fairly small. These are companies that view this strictly as a compliance requirement and don’t see it as an opportunity to change.”

Chris O. Champion, a partner at KPMG LLP who specializes in oil and gas, said the SEC is trying to see if smaller companies will have to follow the framework it requires for larger firms. The internal controls reporting requirement remains the biggest challenge because it requires documentation and tests.

“The number one issue is resources, especially in the first year,” said Champion. “In subsequent years, there will be fewer resources required, but this will have to be assessed each year. The overall response has been positive. Are the auditors overwhelmed? Yes. But the attitude they’re adopting has been exceptional, from our standpoint.”

“Many companies, large and small, have had to go to outside sources,” noted Victor A. Burk, a partner in Deloitte & Touche’s energy practice. “Oil and gas companies, over the years, have gone through cost-reduction programs. Very few had excess resources that they could devote to Sarbanes-Oxley implementation. A few larger ones could redeploy people, but others had to bring in resources from outside to carry out the implementation. External auditors could help with certain parts of the implementation, but could not do, for example, remediation work. If gaps were found in internal controls once the documentation was complete, the outside auditor could not do the remediation work because they would be testing the controls later.”

The implementation process that companies went through required a significant effort at a high cost, Burk continued. “This is the first year of compliance, so companies are moving from the implementation phase to looking at how they achieve benefits from improved internal controls and processes for better returns. For many, it came following a delegation of decision-making that had gone on for years,” he said.

“CEOs and CFOs, first and foremost, wanted to make sure they were in a position to sign their reports on the adequacy of internal controls in their companies. Now, they want not only to sustain compliance but also to achieve benefits through improved controls and improved systems. They’re looking for a return on the investment they made in implementing Sarbanes-Oxley,” Burk concluded.

Sirius Solutions’ Roger Burks predicted that auditing and accounting for businesses will have to change because the PCAOB will become the final judge of the auditing profession and the inherent conflict of interests between auditing and the other services the firms provide.

“We always knew when we were done before issuing our auditing opinion on a company’s financial statements,” he said. “That’s not the case when you audit internal controls because the audit opinion is what could happen, not what has happened, and the rules are ever-changing. We are in a sea-change in the profession. The next seven years are going to see the most startling changes in the profession since the Securities Act of 1933.”

“We’ve found that if a company got to the documentation stage without completing tone at the top and risk assessment, it couldn’t justify evaluation of internal controls,” said Horn Murdock Cole’s Chip Matthews. “COSA was designated as the standard, but few people had really adopted it. The Sarbanes-Oxley Act’s intent was to get management involved. In a backhanded way, it actually had that effect because management had to participate to get the job done.”

“No one is saying that 404 compliance hasn’t been difficult,” said Charles Swanson of Ernst & Young Americas. “Anything new and worthwhile usually is. I imagine there was a lot of consternation, and more employees had to get involved when the Securities Act of 1933 was implemented. But I don’t know anyone who says we shouldn’t have audited numbers. It’s quite likely that decades from now, people will look back and say they can’t imagine a world without the 404 internal reporting requirements.” OGFJ

Nick Snow is OGFJ’s Washington correspondent. He can be reached via e-mail at [email protected].