|
|
Get Four
|  | DECEMBER 1, 2004
The Hard Knocks of Coping with SOX The SEC just postponed Sarbanes-Oxley deadlines for 2,000 companies. Good thing. PricewaterhouseCoopers's Tim Ryan says many are seeing "slippage" You can bet that the chief financial officers at many small and midsize public companies breathed a sigh of relief on Nov. 30. That's because the Securities & Exchange Commission announced a decision that day to grant outfits nearing the end of their fiscal years and with less than $700 million in market capitalization another 45 days to comply with tough new regulations contained in the Sarbanes-Oxley Act, known as SOX. Even though Congress passed the corporate governance legislation way back in July, 2002, many public companies continue to struggle to comply with provisions detailed in Section 404 of SOX, which took effect on Nov. 15. That section requires management of public companies (and their external auditors) to sum up the quality of internal controls over financial reporting in the 2004 annual report. For most companies the report has to be lodged just 75 days after the end of their fiscal years. Now the estimated 2,000 outfits that qualify for the postponement will have an extra month-and-a-half to submit the 404-related filings. Simply completing all the necessary steps to attest to the quality of the controls this first year of the requirement will still be tough for many companies. And if either management or auditors of a public company report that internal controls are anything less than rock-solid, expect a harsh reaction from investors. Not completing the process could be even worse. Prior to the SEC's postponement announcement, up to 20% of companies would have either missed the deadline or would have to report a material weakness in their internal controls, according to estimates from Tim Ryan, U.S. financial services leader at PricewaterhouseCoopers (see BW Online, 9/20/04, "Hardly Ready for Sarbanes-Oxley"). Even companies that don't flunk the Section 404 requirements may now be stumbling over some of its hurdles. The vast majority have uncovered deficiencies in their internal controls -- but only those flaws that can't be fixed in time or that have the potential to result in a major error on the income statement need to be reported to the public, says Ryan, who updated BusinessWeek Online's Amey Stone on the current state of Section 404 compliance efforts in a recent interview. Following are edited excerpts from their conversation: Q: Now that so many companies are weeks away from the deadline for complying with Section 404 of Sarbanes, how are they doing? A: There has been a small percentage, about 20%, that has done very well and are right on track. Another segment -- 65% or 70% -- is really working hard, and they have experienced some slippage. But we think they're going to make it, as long as they don't have any additional slippage. Q: What do you mean by slippage? A: Complying with Section 404 has four steps. The first step is for a company to identify its key internal controls. The vast majority have done that. The second step is for management to document the controls that they identified. Again, the vast majority have done that. The third step is for management to test those controls, and the fourth is for the auditor to test the controls. At many companies those steps are still under way. To the extent that testing reveals that the controls aren't working as anticipated, remediation may be required. Depending on the magnitude of the control and what it takes to get it fixed, that could be slippage. Q: So what about the remaining 10% to 20% of companies? A: The rest are companies that just won't make it. Either they won't be able to get through those four steps, or the magnitude of the weaknesses they have identified are such that they won't be able to correct them by the deadline. Q: What then? A: If it's deemed a "material weakness," then management and the auditor would have to disclose it in the annual report. But there's a tremendous amount of judgment that goes into classifying these things. Three types of internal control problems can surface: a deficiency (there's no requirement to report that), a significant deficiency (which must be reported to the audit committee, but not the public). Only with the third -- a material weakness -- do management and the auditors report it publicly (as well as to the audit committee). A survey we did of about 40 financial institutions back in October that expected to comply with this section of SOX at the end of 2004 indicated that 93% would have at least one significant deficiency to report to the audit committee. Q: Does that essentially mean that a lot of companies will get off the hook by labeling problems as "significant" rather than "material"? A: Not really. When you've reached a conclusion that something is significant, but not material, you have to make sure there is a healthy analysis as to why. It's not enough to just decide something isn't material. Regulators may come back to you and say, 'Help me understand your judgment.' Q: What are the factors that would distinguish the potential magnitude of the problem? A: Well, if the weakness is so significant that it could result in a large error on the income statement, that would be a material weakness. Or if it is small and there are other mitigating controls, that might skew it to being a significant deficiency. Another factor is the pervasiveness of the issue. The more isolated the problem to a specific unit, the less serious. Q: How will investors react when companies start reporting material weaknesses in their internal controls? A: It's difficult to anticipate how the market will react, but you would think it would come down to the type of the deficiency, as well as how the company handles the disclosure. Q: Are companies hating this process? Are they finding it worth the effort? A: I wouldn't underestimate the fact that everyone is working very hard. But about 40% of companies we surveyed indicated that this process had found a material weakness and that, had it not been fixed, would have had to be reported as a material weakness. Our view as a firm has been that, done correctly, there are a number of benefits, in addition to complying with the law, that this process can provide. I think that, for the most part, across public companies, it has been worth it. We're finding stuff. This is more than check-the-box. Internal controls are really being enhanced.  Edited by Thane Peterson
BW MALL
SPONSORED LINKS
Buy a link now!Get BusinessWeek directly on your desktop with our RSS feeds.  Add BusinessWeek news to your Web site with our headline feed. Click to buy an e-print or reprint of a BusinessWeek or BusinessWeek Online story or video. To subscribe online to BusinessWeek magazine, please click here. Learn more, go to the BusinessWeekOnline home page  | | |
 Copyright 2004, by The McGraw-Hill Companies Inc. All rights reserved.Terms of Use | Privacy Notice |
Printer-Friendly Version
