Navigating Sarbanes-Oxley Waters Alone Is TooRisky Many public companies–from Fortune500 to relatively small enterprises–are using outside firms toassist them in complying with the rigorous requirements of theSarbanes-Oxley Act.

Given the Act's penalties for executives who don'tcomply–including multimillion-dollar fines and possible prisonterms–it's just too risky to go it alone, say professionals whohave studied the law's intricacies.

As a result, law and accounting firms, consultants, specialtypublishers, and other service providers are carving out niches inthis new risk management specialty.

The need for Sarbanes-Oxley arose from the “cowboy culture” thatprevailed during the Internet market boom and recent era ofcorporate misdeeds, noted Rick Viola, a partner in the corporatesecurities group of Helms Mulliss Wicker, a 90-attorney law firm inCharlotte, N.C. “People acted like the rules did not apply tothem.”

“The primary focus is on corporate governance issues, makingsure the committees–including audit, compensation andnominating–are working the way they are supposed to,” said Mr.Viola. “We also help clients comply with the Act's reporting,certification and disclosure requirements, which areextensive.”

Sarbanes-Oxley is so burdensome and costly that many smallercompanies are exploring ways to “go private,” Mr. Viola noted. “Theexpense of setting up all the internal controls and the managementtime involved is just too much for some of them,” he pointedout.

It may be risky not to use outside advisors for variousaspects of Sarbanes-Oxley compliance, noted Trent Gazzaway,accounting firm Grant Thornton LLP's national director of corporategovernance advisory services.

Mr. Gazzaway, who is also based in Charlotte, explained that“the Act specifically states that an audit committee may engage anoutside advisor for independent input.” Failing to obtain suchindependent advice may be viewed negatively if decisions of theaudit committee are subsequently questioned, he added.

The principal services provided by Grant Thornton in connectionwith Sarbanes-Oxley include “internal advisory services,” whichestablish the financial controls required by the Act. The firm alsoprovides “audit committee advisory services,” which assist theaudit committee in understanding and executing their fiduciaryduties, said Mr. Gazzaway. Those services may be provided inconjunction with the client's law firm, he added.

Grant Thornton has also created software to assist clients incomplying with the Act's many financial and reporting requirements,Mr. Gazzaway noted. “The biggest technical issue is having anelectronic repository for all the internal controls and evaluationof those controls.”

In addition, the firm has a fraud and investment services arm tohelp clients set up procedures so that “whistleblowers” can reportsuspected misconduct, Mr. Gazzaway added.

Risk consulting firm Protiviti Inc., based in Houston, Texas,specializes in assisting clients with their internal auditprocedures. Protiviti's managing director, Everett Gibbs, explainedthat providing services relating to Sarbanes-Oxley requires thefollowing core competencies:

Expertise in company processes, especially financialmanagement.
Accounting skills, including having CPAs on staff.
A database that knows what the key corporate internal controlsare.
Deep comprehension of the Act itself.
Supporting technology to store the processes, identify and documentrisks, and query those accountable.

“Putting in place controls to manage risk and then certifyingwhat takes place” is key, noted Mr. Gibbs. “We have accountants,engineers, security experts, database specialists and technologypeople to help accomplish that objective.”

Sarbanes-Oxley requires modifications notonly in corporate practices and mindsets, but in the technologyused to run the business. AMR Research, a Boston-based research andadvisory firm, provides advice on the information technologyimplications of the Act.

“About 85 percent of companies may have to make changes to orrefine their IT infrastructure in connection with Sarbanes-Oxley,”noted AMR vice president John Hagerty.

According to Mr. Hagerty, those changes involve documentinginternal controls and business practices, enforcing those controls,and setting up disclosure methods. Expanding or establishing adocument imaging system to store digitized records may also be partof the mix, he added.

In addition, AMR can advise on creating a system for reportingand tracking whistleblower complaints. However, Mr. Hagerty pointedout that this has not been a big issue so far because most clientsalready have such procedures in place.

“We work mainly with the client's auditors, and also with theirattorneys and other service providers, to determine the best ITsolutions for that client,” Mr. Hagerty said.

Sarbanes-Oxley contains “structural, mechanical and attitudinal”elements, according Stanley Keller, a partner with the law firmPalmer & Dodge LLP in Boston. Mr. Keller makes certain that hisclients comply with all three of those elements.

There may have to be structural changes relating to thecorporate governance model of the company, such as revamping theaudit committee, Mr. Keller explained. An example of a mechanicalelement is a corporate charter that has to be amended to complywith the Act, or a reporting deadline that has to be met.Attitudinal issues involve management's willingness to effectivelyperform the oversight role mandated by the law, he added.

All of this is an “amplification” of the advice Palmer &Dodge was giving to clients before anyone ever heard ofSarbanes-Oxley, Mr. Keller pointed out. “There wasn't much new forus. We were already advising on corporate governance, complianceand disclosure.”

What Sarbanes-Oxley did was give new priorities to and place anew focus on boards and committees fulfilling their oversightroles, said Mr. Keller. “The Act enhanced and accelerateddisclosure obligations. Company officials have to say more, say itbetter, and say it faster.”

Executives who want Sarbanes-Oxley and other financialcompliance and disclosure advice via the Web can turn toCompliance Week, a Boston-based electronic newsletterdevoted to this purpose. The newsletter's circulation of 30,000,after only a year in existence, testifies to the hungercorporations have for this type of information.

“Our readers are mainly financial executives at U.S.-basedpublic companies,” said publisher Scott Cohen. “Our mandate is toprovide resources and best practices so they can do their jobsbetter. That's our sweet spot.”

The Web site also contains a list of “compliance providers,”which is a convenient overview of the variety of outside servicesrelating to Sarbanes-Oxley. These include firms that do one or moreof the following:

Facilitate compliance with record-retention rules.
Assist in meeting requirements relating to mandatory Web access ofcorporate filings.
Help to comply with rules requiring insiders to electronicallyreport stock trades.
Develop codes of business ethics.
Help to comply with financial reporting requirements anddeadlines.
Offer fraud examinations, forensic and security auditing, andvulnerability analyses.
Rate and rank corporations' governance practices.
Provide whistleblower reporting systems.

“The number one compliance issue facing corporations today isrelated to the new internal controls rules,” Mr. Cohen noted. “Theamount of work required to document and monitor financial controlsis staggering,” he explained. “Limited resources and disparatesystems are making the required attestations even more difficult tomake.”

Reproduced from National Underwriter Edition, July 7, 2003.Copyright 2003 by The National Underwriter Company in the serialpublication. All rights reserved. Copyright in this article as anindependent work may be held by the author.