Amy Feldman - Subpage Collage
Subheader - Portfolio

Inc, September 2005

SURVIVING SARBANES-OXLEY

A law intended to clean up big public companies has taken its toll on small private ones — both financially and emotionally. Why there may finally be relief in sight.

Three million bucks. That’s how much Alex Davern, chief financial officer at National Instruments in Austin, spent to comply with the Sarbanes-Oxley Act last year. And no, he’s not happy about it. That’s roughly 5% of profits, enough to lead the company — a testing and measurement business that went public in 1995 — to consider sending engineering work overseas to offset costs.

What’s worse, Davern says, is that complying with the internal controls didn’t do much to enhance the company’s systems or to protect shareholders. In fact, many of the issues seemed silly. National Instruments’ auditors at PricewaterhouseCoopers (since replaced with Ernst & Young) charged $200 an hour to attend a closed-door financial meeting, just to prove that such a meeting took place. They collected all the keys to the company’s data center to test the locks. They even reviewed the blueprints to confirm that glass windows were heat-tempered so that data could not possibly be lost. “If we lose power to our data center, it is not going to result in us filing inaccurate financial statements,” Davern fumes. “Enron was not caused by a blackout.” PricewaterhouseCoopers declined to discuss its former client, but Ray Beier, a partner at the firm, defends rigorous compliance, saying, “Investors want equal levels of assurance from smaller companies and larger companies.”

Nonetheless, Davern’s experience, and anger, is common these days. At a recent two-day roundtable convened by the Securities and Exchange Commission to field complaints, executives called politely but aggressively for change. In one Internet posting, the vitriol was expressed more bluntly: “SOX sucks.”

Passed hurriedly by Congress in 2002 in the wake of corporate implosions at Enron, WorldCom and the like, Sarbanes-Oxley is the most important piece of antifraud legislation enacted since the Great Depression. In broad strokes, the checks and balances it requires were long overdue. The law established an accounting industry watchdog, required CEOs to sign off on their companies’ financial statements, strengthened the role of the board of directors, forbade cozy relationships between accountants and executives, and mandated that companies and their auditors assess the effectiveness of their internal controls. That last section of the law, known as Section 404, has caused the most headaches and expense. One problem is that it discourages communication between companies and their external auditors right at the moment managers really need smart auditing advice.

Most entrepreneurs would concede that some sort of reform was necessary, of course. But many say the new rules are too vague and their implementation by CPAs too rigid. Ted Schlein, a partner at the venture capital firm Kleiner Perkins Caufield & Byers and a member of the SEC’s smaller companies advisory group, sums up the feelings of many when he says: “You’re hitting everything with a sledgehammer rather than hitting the nails with a small hammer and the spikes with a sledgehammer.”

In an effort to mollify the business community, both the SEC and the Public Company Accounting Oversight Board, or PCAOB, the industry watchdog set up by Sarbanes-Oxley, have issued rules clarifications and warned against applying checklists to companies absent consideration for their size or operations. Regulators have also postponed the deadline (to July 2006) for public companies with market values below $75 million to complete internal controls assessments. Midcaps got an extension, too, though theirs was briefer. Though these are only stopgaps and half-measures, they offer some relief.

But there’s also been a trickle-down effect. A law like Sarbanes-Oxley cannot help but have an influence over the business world that exceeds the actual language of the provisions. Even now, the values and ideas behind the legislation are seeping into all sorts of day-to-day business transactions. The same ethos is carried forth in the increasingly cautious behavior of auditors, executives and board members at companies of all sizes, and echoes can be heard in the onerous provisions now making their way into contracts and insurance policy boilerplate.

While Sarbanes-Oxley technically applies only to public companies (and to others registered with the SEC for various reasons, including the issuance of public debt), private companies have plenty of reasons to be nervous. Says Mark Jensen, national director of VC services for the San Jose, Calif., office of Deloitte & Touche: “Unless you are a 100% family-owned business and 100% self-financed, you’re going to be impacted by Sarbanes-Oxley.”

***

To figure out how we got to this point, you must got back to 2002. The scandals at Enron, WorldCom, Global Crossing, Adelphia, and the like were front-page news. Arthur Anderson was on trial for obstruction of justice. Furious investors had absorbed trillions of dollars in losses. The 20 most notorious companies, including Enron and WorldCom, saw their shares drop, collectively, by more than $300 billion.

Congressional hearings had become a seemingly daily event, and lawmakers were in a tizzy to do something. In the Senate, Paul Sarbanes, the five-term Maryland Democrat and (then) chairman of the Banking Committee, sponsored one reform bill. In the House, Rep. Michael Oxley, an Ohio Republican and chairman of the Committee on Financial Services, backed another. At first, it seemed the Democrats and Republicans were far apart. The Sarbanes bill had a number of provisions accountants didn’t like; the Oxley one was decried as a “gift to the accounting industry” by Ralph Nader’s group Citizen Works for creating an independent regulatory body made up of accountants.

Though the Oxley bill passed the House first, in April, with a vote of 334-90, by July there was so much pressure to respond to the mounting corporate scandals that the Sarbanes bill gained momentum. On Monday, July 15, the Senate passed it 97-0. The following Friday, WorldCom — $41 billion in debt — filed the largest bankruptcy in history. That week the Dow Jones Industrial Average plummeted 665 points.

With fall elections looming, it didn’t take long for legislators to merge the bills into one neat bipartisan package. The new version gained approval in the House with only three no votes, and President George W. Bush signed it on July 30, 2002, a few days before the summer recess. The degree of unanimity among Republicans and Democrats was extraordinary, and the timetable represented remarkably quick passage for any piece of legislation, particularly one this complex and far-reaching. “Certainly, no one was thinking they were going to pass the most significant legislation of the past 50 years,” says Marc Morgenstern, managing director of Cleveland law firm Kahn Kleinman and the author of a white paper on the impact of Sarbanes-Oxley on midcap companies.

There had been lobbying, of course, but much of it was focused on the parts of the bill that pertained to accountants, not businesses. The U.S. Chamber of Commerce, for example, pushed for changes to the CEO and CFO certification requirements and to the structure of the new accounting board. But most companies — and especially small businesses — didn’t yet understand how the law was going to change their lives. And no one was really thinking about what impact the new law might have on business creation and capital structure. Then, too, the earliest costs of compliance were extraordinarily low — just $91,000, on average, for all companies, according to the SEC. “The business lobby was totally blindsided,” says National Instruments’ Davern, who’s now lobbying heavily through the tech trade group AeA.

Of course, there were warning signs. Everyone knew accounting problems were rampant. From 1997 through 2004, approximately 2160 companies corrected errors in their financial statements, according to Glass Lewis & Co., a San Francisco-based research firm. Clearly, plenty of companies needed to take a second look at their books. Since Sarbanes-Oxley was enacted, hundreds of publicly traded companies have warned investors of “material weaknesses” — a new term of art for the accounting industry — in their internal controls.

Parveen Gupta, an accounting professor at Lehigh University who has studied internal controls extensively, thinks that it’s clear from the difficulties companies are having with Sarbanes-Oxley that many of them had run their operations sloppily during the boom. “Maybe the auditors went a bit overboard,” he says, “but there was a lot of deferred maintenance.”

Still, even when you concede that Sarbanes-Oxley performed a public service — by spurring companies to clean up their acts — the fact remains that the law has created inequities, especially for small companies. Even Oxley himself has begun backpedaling. In a recent speech in London, he recalled the “hothouse atmosphere” that accompanied the law’s adoption. If he could do it over again, Oxley said, he would permit “a bit more flexibility for small and medium-size companies.”

***

Make a list of the woes that companies experience in complying with Sarbanes-Oxley, and audited external reviews are surely at the very top. In the past two years, auditors, fearful of being second-guessed by the PCAOB, went into cover-your-behind mode. When Congress mandated more work, auditors did even more work than was mandated. That combination created a shortage of qualified accountants. Audit prices rose 30%, 50%, and more, while the willingness of auditors to take on smaller clients waned.

Assessing internal controls, as mandated by Section 404, has been especially contentious. Take the case of the small publicly held Home Federal Bank of Sioux Falls, S.D. The business was started in 1929 and survived the Great Depression and the savings and loan crisis. These days, it’s got $850 million in assets and a market that spans farmers, small businesses, and individuals.

Though the company is well established, Curt Hage, chief executive of the bank’s parent, HF Financial, says the bank has struggled to comply with Section 404. Hage says his external auditors are afraid to talk much with the internal ones, so there is a lot of wasted effort documenting and redocumenting internal controls. In all, compliance cost the bank $200,000 last year — a hefty amount given the bank’s net profit was $5 million. “We have a very strained relationship" with the external auditors, Hage says. “We are spending an awful lot of money — a disproportionate amount of money — to meet their requirements.”

They’re not the only ones. A survey earlier this year of Section 404 compliance costs by Financial Executives International, a group of 15,000 chief financial officers and other senior financial executives, found that public companies were spending $4.4 million on average — 39% higher than they had expected to pay in July 2004 and more than double what they’d thought it would cost in January 2004. Those costs have hit small companies especially hard: A study by Nasdaq of its members found public companies with less than $100 million in revenue were spending, on average, 1.3% of that revenue to comply, while those with $5 billion or more in sales saw costs of just 0.03%.

Harry Gruber, CEO of San Diego-based Kintera, has spent at a much higher rate than that. Kintera, a public company with $20 million in revenue, creates online payment systems for clients in the nonprofit sector such as the Girl Scouts and the Arthritis Foundation. Last year the company spent $1 million on Sarbanes-Oxley compliance. That comes to nearly a nickel of every dollar of revenue.

Though Gruber believes the actual costs of compliance will fall with the help of technology, as do Davern and Hage, he is bothered that so much money seems to be wasted and that minutia can take over. For example, Gruber’s auditors had a policy for how long employees’ computers could remain inactive, which was one or two minutes. “For someone like me, who is on the phone a lot, that meant that you were logging in every few minutes,” Gruber says. To change the rules, he had to make a formal petition to his auditors. “We complied, but it seemed sort of bureaucratic,” he adds.

***

Despite the outcry from business owners and some backtracking by policymakers, Sarbanes-Oxley orthodoxy doesn’t appear to be evaporating. In fact, little by little, it is spreading. Corporate governance is springing up at the state level now. In California, for example, a state corporate disclosure act requires additional compliance by companies. and in Indiana, companies, whether public or private, that are bidding for state contracts need to provide an extra layer of Sarbanes-Oxley-like information. State legislatures could wind up creating a complicated patchwork of mandates that would be even harder for companies to navigate than the federal codes.

Moreover, any company that’s considering going public needs to start thinking about Sarbanes-Oxley years in advance. One reason to start the regimen now, says Jay Mattie, who runs the audit practice for private companies at PricewaterhouseCoopers, is that you never know when IPOs are going to be hot again. “There may be a window of opportunity to get to market in the next six weeks, and if the company has not prepared itself to respond that quickly it could miss the window,” he says. Not planning an IPO but considering selling out to a public company? The same thinking applies.

Even if you’re running a private enterprise and intend to keep it private, there are ripple effects. Some commercial loan agreements now require certification of financial statements, or prohibit related-party transactions. Are these steps that companies can take relatively easily? Probably. Would entrepreneurs prefer not to be bound by additional loan covenants? Of course.

Another way that private companies experience Sarbanes-Oxley is in their directors and officers insurance policies, known as D&O. The cost of D&O insurance has increased 24% on average for public companies with less than $1 billion in revenue, according to a survey by the law firm Foley Lardner, as directors of publicly traded companies have become personally liable for wrongdoing on their watch. The majority of private companies, as well as public ones, consider D&O a necessity. Going forward, D&O policies may have more tightly drawn exclusions on what they’ll cover or require similar Sarbanes-Oxley Lite provisions.

Other kinds of contracts are not far behind. “With the types of corporate partnering going on, companies are saying to each other, ‘What are your internal controls?’” says Deloitte’s Jensen.

Finally, for private companies there’s the fear that if Sarbanes-Oxley comes to represent the best practices for business, then companies — even small private ones — could be brought to task, in court, for not paying heed should something go wrong.

For now, most private companies that plan to remain private will find themselves picking and choosing among provisions to satisfy those demands. The good news is that companies can do a lot cheaply, such as setting up an internal audit function, adopting a formal code of ethics, and separating the services provided by external accounting firms.

But even relatively simply steps are sometimes complicated in the post-Sarbanes-Oxley world. Venture capitalists say it’s getting harder and harder to find independent board members, for example. “When you ask who’s getting off the board before going public, hands go up: ‘I am, I am, I am,’” says Roland Van der Meer, a partner at ComVentures, a VC firm based in Palo Alto, Calif., that funds communications companies. “There are guys who are capable and they are saying, ‘I don’t want to deal with that.’” Meanwhile, board costs, like so many other costs, have spiked. Foley Lardner found that annual board compensation has more than doubled since Sarbanes-Oxley was passed, to $222,000.

All of this leaves entrepreneurs scratching their heads to figure when and how much they ought to comply. Wait too long, and a company might be exposed. But start too soon, and it might never get off the ground. “I think if a young company was built around the premise of being Sarbanes-Oxley compliant it would go out of business,” says David Reuter, a vice president at LLR Partners, a private equity firm in Philadelphia. “It’s a delicate balance of when in the lifecycle of the company to begin readying for Sarbanes-Oxley.”

***

So what can government do to help businesses regain a sense of equilibrium? Many observers believe there ought to be different rules for companies of different sizes, or at least clearer guidelines on how small companies should apply the rules. A software firm, for example, might need to focus heavily on the processes that go into verifying revenue, while a manufacturer should keep a much closer eye on assets. Auditors could look at a company with 500 controls and determine that not all of them are, in accounting jargon, material. A control employed by a big conglomerate may be untenable in a small venture. “In a large company, you have dozens of people, and can make a perfect flow chart and it’s wonderful,” says Eric Clarke, who heads the Sarbanes-Oxley practice at Aronson & Co., a Rockville, Md., accounting firm whose clients are mostly smaller companies. “In a small company, you have a few people, and people are wearing multiple hats. So segregating duties can be an issue. You need to take more of a tailor-made approach.”

And there are many other issues: What should be reported? Is a weakness in a company’s operating system access privileges as bad as a dollar misstatement? Could you cut costs by staggering the reporting on internal controls so that each is tested every other year rather than annually? What type of evidence do you need that a control works? What do you do in a small company with a finance person who holds multiple roles — taking in the invoices, say, and cutting the checks?

The SEC’s small companies advisory committee, set up by former chairman William Donaldson, is debating these issues now, and observers expect that the group will propose help for small companies soon. The Committee of Sponsoring Organizations, a group that sets accounting standards, is also slated to issue recommendations for how smaller companies should approach internal controls. Businesspeople say they hope that something will change with the incoming SEC chairman, Christopher Cox, a Republican representative from California, who is considered pro-business. Nevertheless, the law itself is likely to be here to stay.

Changing the attitudes of fearful accountants will take time. At a recent PCAOB presentation on Section 404 to small accounting firms in Pittsburgh — one of 10 such meetings the accounting board is holding across the country — the CPAs pressed for specifics. Use your judgment, they were told. Take into account both size and operations. That answer didn’t go over so well. The accountants wanted hard-and-fast rules.

And perhaps more rules are, ironically, the solution. As Oxley seemed to suggest in London, the law could be clarified to have one set of standards for large companies and another set for small companies. There is a precedent for applying different rules to different size organizations with this type of regulation. As with Sarbanes-Oxley, the Federal Deposit Insurance Corp. Improvement Act of 1991 was passed in the wake of an industry debacle — the savings and loan crisis — and was considered, at first, overly harsh. It also included a number of internal controls regulations.

But unlike Sarbanes-Oxley, the 1991 law differentiated between small banks and larger ones. Banks with more than $500 million in assets were subject to all the rules; those with fewer assets were not. Says Curt Hage: “When we first saw Section 404, we thought that’s no big deal because we have been subject to FDICIA for a number of years.”

What a Sarbanes-Oxley cutoff would be is anyone’s guess — perhaps $500 million in annual revenue or perhaps $250 million. Whatever it is would certainly encompass the small entrepreneurial companies that represent the backbone of business in this country. “One size does not fit all in any regulation,” says Bruce Aust, executive vice president at Nasdaq and a point person at the exchange on Sarbanes-Oxley issues. “When it is clear that the smaller companies are bearing a larger part of the burden, then it really has to be addressed. I don’t think that was the intent of the legislation.”

By admonishing accountants to tailor internal controls reporting to the size and operations of their clients, regulators are already beginning to move in that direction. As they put down the sledgehammer and attempt to calm the nerves of auditors who have been driving much of the frenzy, policymakers should take a moment to think about how unexpectedly large a disruption Sarbanes-Oxley has been. A separate set of rules for small companies may quell the understandable efforts to write stricter terms into loan covenants and insurance policies. It may also encourage smart people to consider serving on boards again. Most important, it would recognize that, although the welfare of investors should be protected, companies and the people who run them should not be considered guilty until proven innocent. “I don’t disagree that people should be held accountable,” says ComVentures’ Van der Meer, “but crooks are crooks, and there are a lot of good guys out there.”

SIDEBAR: What Does Sarbanes-Oxley Mean for Companies That Want to Go Public?

Conventional wisdom has it that Sarbanes-Oxley is preventing companies from going public. While that hasn’t been proved — Nasdaq will have more IPOs this year than last if the trend holds — the regulations have clearly made it more expensive to go public and stay public.

Because public companies need to comply with Sarbanes-Oxley, including the costly rules on internal controls, a company planning an IPO needs to have a cash hoard set aside in advance. It will face higher audit costs, higher insurance costs, and more regulatory-related duties for its staffers.

The added costs of Sarbanes-Oxley are one reason, among many, that IPO-ready companies are now larger and more established than they used to be. Jim McGeaver, chief financial office of business software company NetSuite, which is based in San Mateo, Calif., notes that 10 years ago when he worked at Photon Dynamics, that company had no trouble going public with $20 million in revenue. “Now that has to be in the $50 million to $75 million range for the investment bankers to even look at you,” McGeaver says. “It is just going to mean that companies will go public later in the cycles.”

Staying public is tougher and costlier for precisely the same reasons. The new costs are pushing some companies to go private and others to delist. Any company with fewer than 300 shareholders can delist by simply filing Form 15 with the Securities and Exchange Commission. That’s exactly what companies such as Earl Scheib, a Sherman Oaks, Calif., auto-painting firm, and Ohio Art Co., maker of Etch A Sketch, have done. All told, a record 198 companies delisted in 2003, the first full year after the passage of Sarbanes-Oxley, and another 134 did so in 2004, according to a study by Christian Leuz, a professor of accounting at the University of Pennsylvania’s Wharton School. That compares with just 67 that jumped in 2002 and 43 in 2001. Another study by law firm Foley Lardner found that 21% of public companies have considered going private or selling out as a result of the act.

Daniel Goelzer, a member of the Public Company Accounting Oversight Board, says that regulators are grappling with these issues. “I think it is true that Sarbanes-Oxley Section 404 and other changes have made the bar somewhat higher for being a public company,” Goelzer says. “I don’t think we know exactly how much it has risen yet since some of these things are still being worked out. On the one hand, I would say yes, you do have to have a certain level of sophistication in your financial reporting systems and your recordkeeping systems. But I wouldn’t want to see anything that we do choke off access to the capital markets for emerging businesses, which are the key source for growth in the economy. And I think we need to keep that in mind as we go about our work.”Bio photo