Could there be a silver lining hidden within the burden of Sarbanes-Oxley compliance? UK companies affected by it are looking hard to find an upside to the extra costs the US legislation has caused.
Foreign registrants – UK companies with a US listing and those registered with the Securities and Exchange Commission (SEC) – are all affected, alongside UK subsidiaries of US-listed companies. The big advantage for foreign registrants is that they have a little more time to comply (2005 rather than 2004).
Sarbanes-Oxley is having the most impact on UK companies in terms of the documentation and testing of internal controls as required by section 404. “This means going through each of the companies in the group, and documenting all the systems and controls that exist,” says Ken Lever, finance director at Tomkins, which has a listing in New York. “Management has to then test the operation of these controls, and the auditors have to be satisfied that the controls are adequate and that management has tested that they operate.”
Documentation is the first step, and one that is requiring significant effort. “Quite a lot of resource is being used to do that documentation,” says Lever. “Over the past 20 years, companies have been less inclined to have detailed documented procedures and controls, even though they existed. When I came into the profession it wasn’t uncommon to have procedures and controls manuals, but increasingly there has been a focus on containing cost and making sure all resources are directed in areas where they may add some value.” Detailed manuals tended to get abandoned, but now companies are starting to produce them once more, he says.
Even where control manuals do exist, they are unlikely to be sufficiently detailed. “They don’t necessarily go to the level of depth that s404 is requiring,” says Bryan Elliston, group head of audit and financial control at Cookson, the materials technology company. Cookson isn’t listed in the US, but its shares are registered with the SEC, so it has to comply with all the significant requirements of the Sarbanes-Oxley Act. Elliston says the documentation process requires companies to go “back to the bones – identifying your billing process and expenditure processes – and reviewing with each of the key people involved what they believe their job is and comparing it with what it should be. That can be a healthy process because someone may be going through their daily job, but they may not necessarily be as focused on the main things as their boss wants them to be.”
However, Lever doesn’t see much real benefit resulting from the documentation process itself. “It provides you with a tool for giving new hires some training and education,” he says, “but it is primarily there to provide the basis for the auditors to say the system is adequate and whether things have been tested. Like all documentation, it becomes out of date quickly, so there is a maintenance issue.”
The nature of those controls is also being affected by Sarbanes-Oxley. Lever points out that historically many companies would have used reactive controls, such as investigating exceptions from budgets. This won’t be considered sufficient under Sarbanes-Oxley.
“A lot of Sarbanes-Oxley focuses on what they call preventative controls rather than detective controls,” Lever explains. “So not only does it mean documenting controls, sometimes it means actually putting in place controls that aren’t there at the moment.”
Experience in the US suggests that controls are unlikely to need much revision or correction in basic areas, such as bank reconciliations. “It’s more around IT and the ‘close the books’ process,” explains David Noon, a partner in Deloitte’s Enterprise Risk Services and leader of the firm’s s404 group in the UK. “Most people do bank reconciliations and stock takes quite well, but they are not so good at who can sign off a journal, who can book an adjustment, as well as the general computer environment and access controls.” Unfortunately, such areas often get left to the last minute before being documented and tested – a mistake that Noon urges UK companies not to repeat.
“It’s a bigger job than anybody thought,” Noon warns. “It’s a bit like painting a room. You can paint the bulk of the walls quite quickly, but to finish it nicely – to do round the skirting board, the dado rail, the mantle piece and cornice – all takes time and can be quite fiddly. S404 projects are the same. You document revenue, accounts payable, accounts receivable and so on, and then someone asks about tax. You have done corporate tax, but what about VAT, PAYE and customs duty? What about the share options scheme? What about all the areas that involve judgmental accounting?”
The most advanced companies, Noon says, are conducting “end-to-end” pilots – documenting and testing a control area and then getting the auditors to do their review as well. “The key when you do a pilot is to allow plenty of jumping-off time afterwards,” says Noon. “You need to leave yourself a month or two to really digest what comes out of the pilot and incorporate those learnings into the full approach. Companies are finding they do learn a lot.” For example, operational staff may not understand the control documentation instructions they are given if these are written in “auditor language”. They may need extra help and guidance.
Download our Whitepapers
When finally reporting on their internal controls, directors will have to state which “recognised framework” they have used to evaluate their effectiveness. Noon says he has personally only seen companies using the COSO framework (Committee of Sponsoring Organizations of the Treadway Commission) for this, but the SEC has also recognised the UK’s Turnbull guidance, published in 1999, as acceptable. “Turnbull did have a big and positive impact when it was introduced,” says Timothy Copnell, director of KPMG’s Audit Committee Institute. “The message from audit committee members is that people on the whole do manage companies better as a result, and boards are more aware of risks and controls than they were before.”
However, in July the Financial Reporting Council launched a review of the Turnbull guidance, chaired by Douglas Flint, group finance director of HSBC, who was also a member of the original Turnbull working party. In advance of the full review, a sub-group is aiming to issue by the end of 2004 a guidance note for SEC registrant companies on use of the existing Turnbull guidance as an approved framework for s404 compliance.
The timing of the review recognises that there have been developments in the UK and internationally since Turnbull was issued, and that it is worth making sure the guidance remains relevant. Copnell says that while audit committee members are generally supportive of the review, they are keen it should not just seek to replicate US developments. “They are not frightened of change, but they don’t want some knee-jerk reaction. They think we are leading edge and the US approach is less good than ours, firstly because it’s driven by the legal profession and therefore tends to make everyone risk-averse, and secondly because Sarbanes-Oxley is focused on financial risk and controls, whereas Turnbull brings to the attention of the board all the risks facing the organisation – financial, operational and compliance risks as well. It’s much broader, and from the perspective of running a business it’s much more useful.”
Any changes to Turnbull remain in the future, but companies grappling with Sarbanes-Oxley now are looking for any benefits they can generate from the compliance process. “A number of companies have said, if we have to spend money, let’s try to get more than just a tick in a box somewhere,” Noon says. They are looking at their legacy systems and not just assuming things must be done in the same way as before. “You now have fancy IT systems and ERP modules that probably mean you don’t need a lot of your manual controls any more,” Noon says. “So this (Sarbox) has helped companies get a fresh look at controls and see that they can use their systems more.” Tomkins, for example, has found that it can remove overlapping or unnecessary controls, and so derive some benefit from the Sarbox compliance process (see box, page 31].
At Cookson, Elliston believes that the Sarbox-induced extra focus on the importance of controls can provide reassurance for management teams. Finance personnel have so many pressures at the moment, not least due to the imminent adoption of International Financial Reporting Standards, that they are in danger of suffering from “initiative fatigue”, he says. “They are being pulled in so many directions that perhaps some things can be missed. One benefit from this focus on s404 is that it demands that we specifically focus our financial people on achieving and carrying our certain key tasks on a regular basis. In any company, in any industry, there will be certain key financial tasks or controls which must be carried out regularly in order to double-check that everything is working properly. And from that point of view, having a documented approach which is regularly checked can counter the risk of initiative fatigue unwittingly causing people to miss carrying out certain tasks that they ordinarily would do,” explains Elliston.
He also believes there may be some efficiency benefits to be gained from Sarbanes-Oxley compliance (see box, page 32) but these probably are outweighed by the costs. In fact, if Cookson could avoid Sarbox by deregistering with the SEC, it would. “If we could deregister, we would do it in a heartbeat,” Elliston says. “But to deregister we would have to have less than 300 US-registered shareholders at any point in time. Quite a few thousand of our US employees are either shareholders or have share options, so it’s not really a course we can take.”
Looking ahead, there is some concern that compliance regimes as strict as Sarbanes-Oxley could damage the competitiveness of public companies in two ways. “If you look at overseas competition, particularly from some of the economies in the Far East, they don’t have this extensive compliance or corporate governance regime,” Lever says.
“I am very supportive of the concept of corporate governance, but don’t support corporate governance just for the sake of it. The other competitiveness issue is to do with people feeling disinclined to work in a regime which is heavily compliance-driven. There is a talent issue. You have to be careful you don’t end up with a drain of talent from the public company environment to the private company environment because of the existence of all this regulation, of which Sarbanes-Oxley is a good example.”
TOMKINS READY TO ROLL
“Getting ready (for Sarbanes-Oxley) is a big commitment in terms of resource needed to get everything done,” says Ken Lever, FD at Tomkins. “This really is a management and operational responsibility, so we have put responsibility very much with our finance operations people. But there is a heavy commitment required from internal audit to provide guidance and advice as well. They are doing a number of pilots. One of the ways to get (operational) people up to speed is to send some people in to do a pilot of one of the transaction cycles and then leave that with them. They then do the others themselves.”
Lever believes there is an upside from the Sarbanes-Oxley experience. “There is a positive aspect to this in the sense that these reviews sometimes highlight weaknesses, or potential weakness, in control, and so you can redesign the way you do things,” he says. “Systems or controls sometimes overlap, are duplicated or are unnecessary, and you can design them out of the system.”
Nevertheless, persuading people that the business benefits are worth it is an uphill struggle. “It’s difficult for us to sell internally to our business managers that there is a value attached to this,” Lever says. “They see there might be some benefit in that it could lead to a redesign of some processes, but of course there’s a cost to get there.”
It is difficult to put a hard figure on the cost of compliance. “In our case, I would be surprised if the actual out-of-pocket cost in terms of travelling and using external advisers is going to be less than $2m – it’s likely to be higher. It depends on your internal resources and what value you attribute to the time of people who might otherwise be doing other things.”
COOKSON COST CONTROLS
In order to achieve compliance with Sarbanes-Oxley, Cookson is using a mix of internal and external resources, including its internal audit group, financial reporting staff and external consultants. “We have six-to-eight people involved at the moment,” says Bryan Elliston, group head of audit and financial control. “That number will be increasing over the coming months. When we get to where we have to test a lot of the work that is being generated now, that will probably double.” A key aspect of Sarbanes-Oxley is that if you have a control that isn’t well documented, as far as s404 is concerned that control doesn’t exist. So you need to ensure the documentation is correct, and then make sure that the controls which the documentation identifies are actually working.”
Elliston believes there may be some efficiency benefits from “making your finance function more effective, therefore leading to greater integrity in the financial reporting process”. He says: “If your financial controls over the operational side of your business are more robust, you are more likely to pick up debts before they go bad, or identify double payments for expenses. Control inefficiencies can lead to added costs. Ergo, the more effective you become, the less that risk. So there can be financial savings, but for most companies the savings are small compared with the cost of achieving this.”
Elliston has been horrified by some of the estimates of the cost of compliance produced by US companies. General Electric is reported to have spent $30m last year on complying with s404. “I would hope to control the costs to a reasonable amount,” he says. “US companies have earlier reporting deadlines, so they had to start preparing earlier, when regulations were in draft firm. They have ended up doing more work than was needed to achieve minimum compliance.”