* THE SARBANES-OXLEY ACT HAS HAD a far-reaching impact on CPA firms, whether large, midsize or small. Firms that audit public companies have been working out strategies for coping successfully in their internal operations as well as in their relations with clients and prospects.
* THE STEPPED-UP INTERNAL AUDIT, documentation and division-of-labor requirements place demands on partners and staff in several ways. To meet the requirement to rotate the lead audit partner and audit review partner every five years, small and midsize firms have to carefully coordinate their growth plans.
* FIRMS NOW VET PROSPECTIVE AUDIT CLIENTS more carefully. To check whether a prospect's industry aligns with the firm's experience, one firm uses a vetting committee to look at whether the prospective client has a strong financial position and a good reputation.
* RECORD RETENTION IS MORE STRINGENT under Sarbanes-Oxley, which requires an auditor to retain for a seven-year period all relevant workpapers, memos, correspondence and records (paper and electronic) that contain conclusions, opinions, analyses or financial data created, sent or received in connection with the audit of a public company.
* THE NEW LAW HAS FORCED auditing firms out of many of the ancillary services they previously had provided public-company clients--who still need those services. Other firms can step in to provide them, and strategic alliances offer an opportunity to develop new business.
* THE ACT INCREASED AUDIT COMMITTEES' oversight role. As a result audit firm partners and staff who had developed working relationships with a client company's management must work more closely with the audit committee to satisfy Sarbanes-Oxley requirements.
Although the Sarbanes-Oxley Act of 2002 was directed at publicly held companies and their auditors, other CPA firms have been affected, too. Midsize and small firms' adjustments to the compliance requirements imposed directly by Sarbanes-Oxley or indirectly by their clients' responses to the act include a spectrum of changes such as heightened monitoring of the regulatory environment, vetting prospective audit clients by committee and meeting staffing needs as workloads intensify. The act even has presented practitioners with a new type of engagement opportunity: the second-CPA-firm role to document and test public companies' internal controls for entities they do not audit. Challenged by Sarbanes-Oxley, firms have been coping successfully in their internal operations as well as in their relations with clients and prospects. This article shares some of their on-the-job practice-management lessons learned.
APPOINT A SARBANES-OXLEY MONITOR
Sarbanes-Oxley and the subsequent standards from the Public Company Accounting Oversight Board (PCAOB) add a new layer of complexity to firm management: Auditors of public companies have new rules to follow while other firms must keep a careful eye on the changing environment. State legislatures may complicate the situation even more by adding restrictions in their own versions of the law--the so-called "cascade effect" (see "Evaluating the Cascade Effect" page 42).
To monitor changes, some firms designate a partner or senior manager to track standards activity and coordinate implementation. Aronson & Co., a Rockville, Maryland, firm that serves about a dozen public companies, has a quality-control partner whose duties include Sarbanes-Oxley oversight. Lisa J. Cines, CPA and managing officer, says, "In our firm, a quality-control partner keeps management and our SEC-company practice informed about Sarbanes-Oxley and the PCAOB work." The accountable partner spends about 10% of his time on matters related to the act and is the "gatekeeper, so to speak, who has the responsibility for tracking changes," Cines says.
George I. Victor, CPA, manages the quality-control function for Reminick, Aarons & Co. LLP in New York City, which works for a small number of public companies. Victor is the firm's director of accounting and auditing and also serves as chairman of the New York state society's SEC practice committee. He estimates that right after the law passed he spent roughly 20% of his time on Sarbanes-Oxley, although that figure is lower today. "I have to keep my knowledge current, monitor the firm's policies and procedures and provide training for partners, staff and clients," he says.
* Tip: Assign a partner or director to monitor Sarbanes-Oxley developments.
* Tip: Establish communication procedures that ensure management, staff and clients receive relevant updates.
REVIEW NEW AUDIT CLIENTS CAREFULLY
As a result of the heightened regulatory environment, the audit firms interviewed for this article say they have tightened their processes for vetting prospective clients to ensure a good fit for the firm. The steps they take include
Review by committee. Aronson & Co. no longer lets a single partner bid for a prospective client's work. Instead the firm takes a team approach and includes the managing partner and the quality-control partner in the due diligence process. "We want to be sure the client aligns with our experience from an industry standpoint," says Cines. Team members
* Evaluate how well the firm understands the prospective client's business and industry to decide whether it is qualified to perform the audit services.
* Review the prospect's past annual and current internal interim financial statements to determine the entity's general creditworthiness (a struggling company might be more likely to fudge its numbers, for example).
* Establish direct contact with the prospect's attorneys and bankers as another barometer for assessing risk.
Evaluate the client's internal controls. Because an audit firm no longer can consult with the public-company client on producing its financial statements, firms are evaluating a potential audit client's financial controls more carefully than they used to before agreeing to an engagement. Boston-based Parent, McLaughlin & Nangle works with a small number of public companies. Audit partner James G. Kennedy, CPA, says the firm carefully considers a prospect's capacities. "With the new independence rules, we make sure the prospective client can handle its responsibility to provide us with an accurate financial statement. We ask a prospect to demonstrate that the underlying accounting records reconcile to the general ledger and that ending balances flow to the financial statements. We also request copies of prior-year financial statements and all adjusting journal entries so we can assess its internal accounting capabilities," he says. "We can't be in a position of generating numerous journal entries just to get to the point where we can start auditing. If we think the prospective client needs some help before we can audit, we recommend someone else to bring the records up to date. Then we start."
PLAN FOR STAFFING NEEDS
The stepped-up internal audit, documentation and division-of-labor requirements resulting from Sarbanes-Oxley place demands on partners and staff in several ways.
Partner rotation. On public company engagements, Sarbanes-Oxley requires firms to rotate the lead audit partner and audit review partner every five years. Besides the five-year rotation requirement of the lead and concurring audit partners, the rules also mandate a five-year "time-out" period after rotation and specify that certain audit partners will be subject to a seven-year rotation requirement with a two-year "time-out" period. For firms with fewer than five public audit clients and fewer than 10 partners, the rules provide an alternative--that is, the PCAOB will review all subject engagements at least once every three years. Further, the Sarbanes-Oxley Act requires the Government Accounting Office (GAO) to conduct a study of the effectiveness and implications of audit firm rotation.
To meet the rotation requirement, small and midsize firms have to carefully coordinate their growth plans and their accountants' career paths to avoid a shortage of qualified partners. Philip J. Santarelli, CPA, director of assurance services at Parente Randolph in Wilkes Barre, Pennsylvania, anticipates a staffing challenge. "As we expand the practice, we must get more line partners [who work directly with clients] into the public-company-practice area," he says. "We hope managers will be promoted and will move into the rotation when the time comes."
* Tip: Forecast rotation turnover for your firm's current SEC clients and anticipated additional public clients.
* Tip: Get enhanced training for all partners and managers currently involved in the SEC practice.
* Tip: Identify partners and managers with industry experience and train them for SEC engagements. Rotate those individuals into SEC jobs as appropriate to get experience.
Strategic hiring. There are Sarbanes-Oxley-generated business opportunities as well and they may call for staff expertise that some firms lack. As firms recognize more opportunities--not only audit-based work required by Sarbanes-Oxley but second-CPA-firm internal control review, too--the demand for qualified employees will increase. Many firms already have launched recruiting campaigns to add staff.
Charles L. McGimsey, CPA, president and CEO of Atlanta-based Windham Brannon PC, has added several staff members with public-company experience to help provide nonaudit services to public companies. "We just brought in a principal with extensive internal audit and Sarbanes-Oxley-related documentation experience," he says (see "Section 404 Opens a Door," JofA, May04, page 55). "We've also hired several lower-level staff members. Between new hires and our trained people, about 20% of our staff is qualified to work on Sarbanes-Oxley projects."
David A. Deeter, CPA, managing partner of Frazier & Deeter LLC in Atlanta, is focusing his firm's recruiting efforts on candidates with experience in large-public-company engagements. So far, word-of-mouth recruiting in the Atlanta accounting community has brought in several employees with the desired experience from Big Four firms.
* Tip: Identify the knowledge and experience the firm will need for anticipated Sarbanes-Oxley-related services such as second-CPA-firm internal control review.
* Tip: Business networks, including local and state CPA societies, can provide leads to qualified new hires.
UPGRADE YOUR RECORDKEEPING
Record retention has become more stringent for audits of public entities under Sarbanes-Oxley, which requires an auditor to retain for a seven-year period all relevant workpapers, memos, correspondence and records (paper and electronic) that contain conclusions, opinions, analyses or financial data created, sent or received in connection with an audit (for information on compliance software for both workflow and data storage, see "Choose the Right Tools for Internal Control Reporting," JofA, Feb.04, page 34). To better manage documents,
Project your data storage needs. The requirement to keep all hard-copy or electronic documents for seven years intensifies the need for storage. Paper files take up valuable real estate, making electronic documentation--the so-called paperless office--an attractive alternative. If your firm prefers the electronic approach, map a plan for archiving sets of files to avoid capacity constraints in the future. Reminick Aarons plans to install a network attached storage (NAS) system that will be "infinitely scalable" and will allow the firm to archive all documents on its network. Some firms offer data warehousing as a niche service (see "A Paperless Success Story," JofA, Oct.03, page 59). Review your past and current needs; then, for upcoming years, add a significant cushion--50% more capacity, for example--as a precaution.
Protect documents against unauthorized changes. Unprotected electronic documents are susceptible to alteration or deletion with a few keystrokes, so an archive system must preclude unauthorized changes. Reminick Aarons "locks" its document files by changing the format to read-only after it completes an engagement. Files are secured in a read-only format by controlling the permissions granted in the structured query language (SQL) database. Permission to "lock" a file is granted to manager-level users, who set the file as read-only, blocking any change to the file's content or format. Only two individuals in Reminick Aarons can unlock the file. In addition, a "trail" documents any alteration, such as when a file was locked or unlocked as well as who changed it, says Victor.
Develop a backup plan. Accidents happen, so multiple file backups are a must, including an off-site location, to reduce the risk of document loss. If the firm's IT and data filing needs are extensive, a disaster recovery consultant can help develop a storage and recovery plan for your office. (For more information see "The Best-Laid Plans," JofA, May04 page 46 and "Before the Deluge--and After," JofA, Apr.03, page 57.)
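The locking scheme described above (manager-level users lock a file, a small named group can unlock it, and a trail records who locked or unlocked it and when) can be sketched in a few lines. This is an added example, not Reminick Aarons' system: it uses SQLite from Python, and the table, column and user names are hypothetical. Because SQLite has no GRANT statement, the permission check is assumed to live in application code, with triggers enforcing the read-only state and an append-only trail.

```python
import sqlite3

# Hypothetical schema: names are illustrative, not taken from any real product.
SCHEMA = """
CREATE TABLE users (name TEXT PRIMARY KEY, can_lock INTEGER, can_unlock INTEGER);
CREATE TABLE documents (id INTEGER PRIMARY KEY, name TEXT, content TEXT,
                        locked INTEGER NOT NULL DEFAULT 0);
CREATE TABLE trail (id INTEGER PRIMARY KEY AUTOINCREMENT, doc_id INTEGER,
                    action TEXT, actor TEXT, at TEXT DEFAULT CURRENT_TIMESTAMP);
-- A locked document rejects any change to its name or content, and deletion.
CREATE TRIGGER doc_no_edit BEFORE UPDATE OF name, content ON documents
WHEN OLD.locked = 1 BEGIN SELECT RAISE(ABORT, 'document is locked'); END;
CREATE TRIGGER doc_no_delete BEFORE DELETE ON documents
WHEN OLD.locked = 1 BEGIN SELECT RAISE(ABORT, 'document is locked'); END;
-- The trail itself is append-only: rows can be added, never changed or removed.
CREATE TRIGGER trail_no_update BEFORE UPDATE ON trail
BEGIN SELECT RAISE(ABORT, 'trail is append-only'); END;
CREATE TRIGGER trail_no_delete BEFORE DELETE ON trail
BEGIN SELECT RAISE(ABORT, 'trail is append-only'); END;
"""


def open_archive():
    """Build an in-memory archive with constructed sample users and one file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("staff", 0, 0), ("manager", 1, 0), ("records_partner", 1, 1)],
    )
    conn.execute(
        "INSERT INTO documents (name, content) VALUES ('workpaper-A', 'draft')"
    )
    conn.commit()
    return conn


def set_lock(conn, doc_id, actor, locked):
    """Lock or unlock a document if the actor holds the matching permission."""
    column = "can_lock" if locked else "can_unlock"  # fixed choice, not user input
    row = conn.execute(
        f"SELECT {column} FROM users WHERE name = ?", (actor,)
    ).fetchone()
    if row is None or not row[0]:
        raise PermissionError(f"{actor} may not {'lock' if locked else 'unlock'}")
    with conn:  # state change and trail entry commit together or not at all
        cur = conn.execute(
            "UPDATE documents SET locked = ? WHERE id = ? AND locked != ?",
            (int(locked), doc_id, int(locked)),
        )
        if cur.rowcount != 1:
            raise ValueError("no such document, or already in that state")
        conn.execute(
            "INSERT INTO trail (doc_id, action, actor) VALUES (?, ?, ?)",
            (doc_id, "lock" if locked else "unlock", actor),
        )


def try_edit(conn, doc_id, content):
    """Attempt a content change; return False if the lock trigger rejects it."""
    try:
        with conn:
            conn.execute(
                "UPDATE documents SET content = ? WHERE id = ?", (content, doc_id)
            )
        return True
    except sqlite3.DatabaseError:
        return False
```

In a server database the same split would normally be expressed with roles and GRANT/REVOKE rather than flag columns, which also keeps users from bypassing the application layer.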
THE SILVER LINING--NEW SERVICES
Although audit firms have invested considerable resources to meet Sarbanes-Oxley requirements and to train staff, the CPAs cited in this article emphasize the new law's potential as a source of revenue for other firms. To profit from those opportunities, they recommend firms
Take advantage of changed large-firm markets. The new law has forced auditing firms out of many of the ancillary services they previously had provided to public company clients--who still need those services. Other firms can step in to provide them (see "Small Firms: Think Big!" on page 22). "We don't provide public-company audits, but we do income tax and section 404 work for several public companies," says Deeter. "The Big Four are encountering more conflicts [of interest] than they used to. As a result, we're seeing opportunities."
McGimsey is similarly upbeat about his firm's outlook in the new environment. He points to current nonaudit projects with large public companies as evidence of new openings. "Two years ago we wouldn't have had the breadth of services to realistically pursue some of these companies," he says. "We now view every public and private company as a potential client."
* Tip: Offer nonaudit services such as income tax or section 404 work.
Form alliances with other firms. Strategic relationships with audit firms offer another opportunity to develop new business. For example, Frazier & Deeter has an alliance with Ernst & Young in Atlanta, as does Aronson & Co. in the Washington, D.C., area. The alliances bring in new business and provide a referral solution when a firm isn't allowed to provide a service the client needs. "Our competitors are referring business to us and we are referring to them--it's going both ways," says Cines. "Without Sarbanes-Oxley there might not have been as many referrals in both directions."
* Tip: Identify firms whose services can complement your offerings and vice versa and develop a relationship with them.
Market your training. Marketing methods for seizing second-CPA-firm opportunities vary among firms: Reminick Aarons has made internal presentations and brought in experts to meet with partners and staff, who also network at Sarbanes-Oxley conferences. Windham Brannon has contacted CFOs, CEOs and large CPA firms in the Atlanta area to inform them about the nonaudit services it can provide. In partnership with several other Atlanta firms and accounting professors at Georgia State University, it developed a two-day Sarbanes-Oxley training program. The firms have used the program to market to clients who require information on implementing Sarbanes-Oxley technology, and they give seminars for clients' CFOs, controllers and their employees, as well as participating firms' staff members.
* Tip: Offer programs to review Sarbanes-Oxley revisions and PCAOB standards as they are released.
COMMUNICATE WITH THE AUDIT COMMITTEE
The Sarbanes-Oxley Act increased the audit committee's oversight role. As a result audit partners and staff must work more closely with the public company's audit committee. This change in communications offers both risk and opportunity: If a committee decides to request proposals, the current auditor risks losing a client while a new firm benefits from the chance to pitch its services.
Strengthen the lines of communication with the audit committee to reduce the likelihood it will seek proposals. During presentations to committees, it typically takes 15 to 20 minutes to present the company's financial statements and management letter, says Kennedy. He uses that time to discuss relevant events in the marketplace that might affect the company's business and he offers to return for presentations on those topics if the committee wishes. Communication is especially important with new committees, he says. "You need to start developing a relationship similar to the one you have with management. That's the challenge as we learn to deal with these new regulations."
* Tip: Be proactive: Identify potential gaps in the audit committee members' technical and business knowledge and offer to provide training as needed.
* Tip: Be persistent: It probably will take a while before you are able to develop a solid relationship with the audit committee.
* Tip: Be prepared to answer questions.
The CPAs interviewed for this article--including those in firms that don't audit public companies--say the Sarbanes-Oxley Act generally is proving to be good for business. The law has forced firms to incur some nonbillable expenses, but the prospects for new opportunities are plentiful and they look forward to continued growth.
It Will Cost Clients More
The 321 U.S. public companies responding to a Financial Executives International survey on the costs of implementing Sarbanes-Oxley said they expected to incur an increase of 38% over current audit fees.
Source: Business Performance Management Forum, www.bpmforum.org, 2003.
The Institute answers individual questions at the Sarbanes-Oxley Act hot line 866-265-1977--and up-to-date compliance information for CPAs is available at Sarbanes-Oxley Act/PCAOB Implementation Central, www.aicpa.org/sarbanes/index.asp. Publications and resources of the AICPA Special Committee on State Regulation are available at www.aicpa.org/statelegis/index.asp.
* AICPA Audit and Accounting Guide, Consideration of Internal Control in a Financial Statement Audit (# 012451JA).
* Financial Reporting Alert, Internal Control Reporting--Implementing Sarbanes-Oxley Section 404 (# 029200JA).
* Financial Reporting Fraud: A Practical Guide to Detection and Internal Control by Charles R. Lundelius Jr. (# 029879JA).
* Internal Control--Integrated Framework, COSO report (# 990012JA).
* Internal Control Reporting for Public Companies, a webcast originally presented July 17, 2003, and now available on CD-ROM (# 737132HSJA).
* Internal Control Reporting: Standards for Compliance, a video course: VHS (# 181420JA); DVD (# 181421JA).
* Internal Controls: Design and Documentation, a self-study course (# 731850JA).
* SEC Reporting, a self-study course (# 736771JA).
National Advanced Accounting and Auditing Technical Symposium (NAAATS) July 22-23, 2004 Hilton La Jolla Torrey Pines, La Jolla, California
For more information, to place an order or to register, go to www.cpa2biz.com or call the AICPA at 888-777-7077.
Evaluating the Cascade Effect
The Public Company Accounting Oversight Board sets auditing and accounting standards for public companies. In contrast to this single set of standards, there is a risk that some states will pass their own version of Sarbanes-Oxley for smaller, privately held companies and not-for-profits. The result would be a confusing mix of regulations that vary across the country.
To inform public discourse on the issues, the AICPA organized the Special Committee on State Regulation. Working closely with state CPA societies, the committee is providing guidance to states that are faced with legislative or regulatory accounting reform proposals as a result of the Sarbanes-Oxley Act. It has three overarching points:
* The profession should advocate for a reasoned approach to reform at the state level.
* Uniform state laws are essential to protecting the public interest.
* The complexity of the subject calls for public dialogue.
To help articulate and communicate the issues, the committee released A Reasoned Approach to Reform, a compendium of white papers and issues briefs, in January 2003. It put out a second edition in October 2003 and a third in April 2004. During 2003 and 2004, CPAs and legislators from many states faced with legislative and regulatory reform proposals used the information in A Reasoned Approach to obtain a seat at the negotiation table.
Still, numerous state legislatures have tried to enact some or all of Sarbanes-Oxley's provisions since they became law in July 2002. California's legislature was the first to pass several Sarbanes-Oxley-related bills in 2002. Provisions of the new laws include both a requirement that CPAs retain client workpapers for at least seven years and an increase in the membership of the state's board of accountancy, which now must have a majority of its members from outside the accounting profession. According to Jeannie Tindel, director of legislation for the California state society in Sacramento, additional regulations could be forthcoming. "The California board of accountancy has a Sarbanes-Oxley cascade task force looking at what portion of [the law] should apply to private companies and to not-for-profits," Tindel says. "It's looking at it as a mandate, and from our perspective that's problematic because the restrictions and requirements appropriate for a public company may not be appropriate for a private company or even a not-for-profit, where the incentives already are different."
In New York, Attorney General Eliot Spitzer proposed a series of accounting reforms in January 2003, which were carried over to the 2004 legislative session. Spitzer wants his proposals to go beyond Sarbanes-Oxley to include CPA firms that do not audit public companies.
Sarbanes-Oxley also has had an impact in states where proposed legislation did not pass. The Texas legislature instructed the state board of accountancy to research and report on Sarbanes-Oxley's effectiveness and whether state accounting regulations required any changes to be in compliance with federal law. "The debate is about public-interest entities," says John M. Sharbaugh, certified association executive (CAE), executive director and CEO of the Texas state society in Dallas, "which have some kind of public interest, whether they're not-for-profits where members of the public make financial contributions, or banks and lending institutions, where there's a connection to the public."
Although most of the states' proposed legislation has not been passed into law, Sarbanes-Oxley is influencing the management of private companies and not-for-profits. Anecdotal evidence suggests that some not-for-profits are adopting Sarbanes-Oxley-based standards in anticipation of eventual state-level regulations. J. Clarke Price, CAE, president and CEO of the Ohio state society in Dublin, has spoken with several of his CPA members employed by not-for-profits. They informed Price that their boards had determined that it was not appropriate for the organization's auditing firm to simultaneously provide other consulting services. The boards gave the auditing CPA firm a choice: Serve as auditor or consultant, but not both. As a result the not-for-profit works with two or more CPA firms and the same package of accounting and consulting services now costs the agency more.
None of the sources for this article reported these higher costs were leading private companies and not-for-profits to forgo audits in favor of reviews and compilations. If more states pass Sarbanes-Oxley-based legislation, however, the resulting increase in fees could cause these organizations to alter their current practices, some sources say.
PRACTICAL TIPS TO REMEMBER
* Assign a partner or director to monitor Sarbanes-Oxley developments and establish communication procedures that ensure management, staff and clients receive relevant updates.
* Identify the staff experience the firm will need for anticipated Sarbanes-Oxley-related services. Business networks, including local and state CPA societies, can provide leads to qualified new hires.
* Forecast rotation turnover for current SEC clients and anticipated additional public clients.
* Get enhanced training for all partners and managers currently involved in the SEC practice.
* Review the prospect's past annual and current internal interim financial statements to determine its general creditworthiness. Establish direct contact with a prospect's attorneys and bankers. (A company with a strong financial position is less likely to fudge its numbers.)
* Review your past and current storage needs; then, for upcoming years, add a significant cushion--50% more capacity, for example--as a precaution.
* Have multiple file backups, including an off-site location, to reduce the risk of document loss.
* Be prepared to help answer clients' questions.
* Identify potential gaps in audit committee members' technical and business knowledge and offer to provide training as needed.
* Develop a solid relationship with the audit committee.
Ed McCarthy is a freelance business and financial writer in Warwick, Rhode Island. His e-mail address is firstname.lastname@example.org.…