The hidden benefits of Sarbanes-Oxley - Chief Concern - impact of new law on companies and chief executive officers

Chief Executive, The, May, 2003

Edward Nusbaum

Being a CEO at a public company is clearly not as enviable a position as it once was. The passage of the Sarbanes-Oxley Act last summer, with its numerous penalties for corporate wrongdoing, means some CEOs could actually face prison time.

So it is surprising that, on the basis of our firm's recent experience, many CEOs of public companies only now seem to be waking up to the many different aspects of the law. And a number of states are now also considering the imposition of Sarbanes-Oxley guidelines on private companies.

Under the act, CEOs are held financially responsible for accounting restatements resulting from misconduct, with penalties including forfeiture of bonuses and any profits realized from the sale of company securities. CEOs must also personally vouch for their companies' statements and provide well-documented evidence that their internal control systems are adequate. Failures and restatements could result in jail time.

One key to understanding the new environment is knowing that a company's external auditors will be required to attest to the accuracy of its annual assertions. To do so, they will need supporting documentation prepared by management.

In other words, it's not good enough just to have an outside audit. Companies must convince their outside auditors that their internal controls are valid. They also have to provide evidence to the Securities and Exchange Commission, guaranteed with a signature. This requirement will most likely be in effect for fiscal years ending after Sept. 15, 2003.

All this creates a potential problem because internal controls typically have not been top of mind for CEOs--many of whom probably believed their control systems were adequate, but had no way to prove it if asked.

Internal controls are defined as processes created by a company's board, management and other personnel to provide reasonable assurances regarding the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations.

The best way to meet the requirements of Sarbanes-Oxley is to review internal financial controls, improve the mechanisms where necessary and ensure that the processes are well-documented. The most immediate actions that a CEO--along with the company's CFO, internal auditors and audit committee--can take to diminish potential risks include:

Assess how to control the risk. Has the board of directors developed policies and procedures with respect to high-risk areas? If so, is there a system in place to periodically test those procedures?

Look at the business in terms of process. Within each process, consider the major business risk. What could go wrong? Where?

Identify and document a control structure. Create a set of clear, concise and well-organized procedures that identify and control risks arising from weaknesses in the internal control audit system. Evaluate the controls based on the business processes the company employs, and assign a risk rating to each of those areas.

Perform a periodic assessment. Establish an internal audit or similar function to ascertain internal control effectiveness, and then ensure there are procedures to address all risk areas.

Adopt best practices: Consider hiring a second accounting or business advisory firm to provide nonaudit services, including internal control evaluation and internal audit co-sourcing and outsourcing. Also, audit committees should consider engaging independent attorneys and accountants to assist them in understanding and executing their fiduciary responsibilities.

This all may seem overwhelming, but I believe there is a hidden benefit in Sarbanes-Oxley. Ultimately, many CEOs may find that the new requirements provide them with useful tools for running their companies more confidently. What's more, internal controls help managers, leadership teams and businesses operate more effectively and avoid problems such as overspending, operational failures, fraud and litigation. By accepting responsibility for their companies' internal controls, CEOs may well find themselves with a renewed sense of duty and accomplishment for a job well done.

Edward Nusbaum is CEO of Chicago-based Grant Thornton, the fifth-largest accounting firm in the United States.