Sarbox Run Amok
Sherman, Erik, Chief Executive (U.S.)
Pitney Bowes CEO Michael J. Critelli knew the only way to approach Sarbanes-Oxley was fast, hard and relentlessly. But even foresight and planning didn't anticipate the need for greater business process centralization, more information technology outsourcing, and more time spent resolving the Sarbox problems of less prepared business partners. "There are things you do because of your processes, and there are things you do because someone else has a Sarbanes-Oxley issue," Critelli says.
It's turning out that the more obvious demands imposed by Sarbanes-Oxley in financial accounting-the expense, the time investment, the extra audits-are just the tip of the iceberg. The mandated mix of "proper" business controls and personal liability is causing a chain reaction affecting boards, organizational structures, relationships with professional advisors and daily efficiencies of all public companies, and many private ones, though they are technically unaffected.
The results are affecting the way companies hire, structure their organizations, work with attorneys and accounting firms, and even choose major software systems. They're also driving higher than anticipated spending in unexpected areas. To continue to take credit card payments, for example, Pitney Bowes suddenly had to invest even more into electronic security, on top of what it had already spent, because the card vendors were demanding that the company meet their own Sarbox audit requirements. As frustrating as it is, ultimately, CEOs may have few options bill to grit their teeth and find ways to make the Sarbox investment pay off, one way or another.
To be fair, some of the changes forced by Sarbanes-Oxley should have happened years ago. Segregation of duties is one example. No experienced manager would allow one person to issue purchase orders, enter new vendors and cut checks. Yet relatively few companies had applied the same logic to other functions such as IT, where a programmer might write, debug and maintain codes for critical financial systems, giving that one person the opportunity to install electronic back doors for fraud.
The law has usefully forced dozens of other issues. But, as Booz Allen Hamilton principal Jim Newfrock points out, "Auditors are moving from fundamentally asking, 'Do you have risk control around transaction activity?' to a more nebulous 'How good is the overall control environment?'"
The result has been scope creep, and outside audit firms are sometimes becoming draconian in their interpretations of the question. In author Bob MacDonald's forthcoming book Cheat to Win: The Honest Way to Break all the Dishonest Rules, a former insurance industry CEO sat on the board of a company that had a whistle-blower complaint. An internal investigation, reviewed by both the audit committee and outside auditors, found no wrongdoing and the employee who complained was satisfied by the new information. But the auditors still insisted that management hire business forensic investigators and lawyers to the tune of several million dollars. "Their leverage was if you don't do this, we won't sign off on the end of year statement," MacDonald says. "[Sarbanes-Oxley] is creating this chasm between the various professional disciplines charged with governance and financial controls. Instead of working with each other, they are going at each other."
The reason is clear. CEOs, CFOs and boards all face financial and even criminal penalties, while the Public Company Accounting Oversight Board (PCAOB), created by Sarbox, has authority to punish accounting firms. Given the vague nature of the statute's language - "an adequate internal control structure"-it was a good bet that professionals would seek to cover their posteriors. "Sarbanes-Oxley is so draconian in its threatened impact, I have seen people adopt the mentality of 'every man for himself,'" MacDonald says.
Accountants as Regulators
The very nature of the term "auditor" has changed. …