By Nanette Byrnes Auditors and finance executives are in the midst of coping with the biggest rule change in their professional careers, and a deadline is approaching. In hopes of some insight into the challenges of the Sarbanes-Oxley Act and its requirement that auditors attest to the state of their clients' internal financial controls, a capacity crowd jammed the rooftop ballroom of the St. Regis hotel in Manhattan on Nov. 12. Largely composed of board members on audit committees, the audience sat beneath the trompe l'oeil ceiling painted with clouds and blue sky, focusing worried glances on Dennis Nally, chairman of audit giant PricewaterhouseCoopers.
RIGHT TO KNOW. What they heard from Nally couldn't have come as welcome news. For the first time, the auditors of most public companies will have to attest to these controls as part of their 2004 annual reports to shareholders, most of which will be filed in February and March. A recent assessment by more than 700 PwC audit teams found that only 20% of clients are on schedule to complete their internal control reviews, according to Nally.
"There's a lot of risk out there," Nally warns. At least 10% of the audit-team sample is at "extreme risk" of not finishing in time to get an auditor review, Nally noted, adding that 20% of companies overall might fail to meet deadlines. If those reviews aren't finished, it's possible auditors won't be able to sign off on annual reports -- never a good thing in investors' eyes. And while smaller companies have petitioned for an extension of their deadlines, the Securities & Exchange Commission has so far not granted a single reprieve.
Even for those managing to finish on time, any important weaknesses found during the review will have to be reported to the board of directors. The board will then assess whether the weaknesses could materially affect financial statements. If that proves to be the case, it will have to report as much to shareholders.
BLACK MARKS. "The real issue will be how the markets will respond to that," says Nally, who thinks close to 20% of companies may be reporting such weaknesses to shareholders.
Whether such a report could panic investors is still unknown. But it looks like plenty of companies will get to find out. In a second sampling of more than 40 financial institutions that implemented the test early, 65% said they had between 1 and 10 significant deficiencies, with some 29% reporting to more than that number. It will be up to boards to decide which of those deficiencies, if any, require public disclosure, but the quantity of deficiencies is one factor audit committees must also consider in their evaluations -- and more than 10 is a lot of weak spots.
Section 404 reviews, as the internal control examinations are called, are taking much longer, and costing much more, than anyone had expected, and some companies are beginning to publicly wonder whether the payoff is worth the cost. A recent survey showed companies will spend an average of $3 million and 30,000 hours dealing with 404, so it's not surprising finance chiefs are beginning to rebel.
NO CHOICE. For PwC, too, it has been an expensive investment. The firm spent $40 million on training on this topic so far. But unlike their clients, for audit firms 404 is a revenue boon as well. PwC will almost certainly report a record year this year, adding to that already growing stress between auditors and clients.
Will it all be worth it? Asked whether this would have prevented the scandals that led to auditor reform -- at Enron, WorldCom, Health South, and the like -- Nally remains optimistic that at least some of those problems would have been caught. He argues, too, that the 404 process has helped a lot of companies get a better handle on their far-flung businesses and could be key to restoring investor confidence as well.
"No matter what we each may think of Sarbanes," he told the audience, "the bottom line is that it is the law." There was no confusion about that in this audience. Byrnes is a senior writer for BusinessWeek in New York