Internal controls: the chains gang

In association with KPMG

Over the past few years, many international companies have given blood, sweat
and tears in order to meet the stringent requirements on internal controls set
by 2002’s Sarbanes-Oxley Act.

For UK companies registered in the US, this task has been complicated by
other changes brought in by the UK government and the European Union. With the
dust having settled for many on their first year of Sarbox compliance, it is
perhaps of little surprise that so few have noticed any substantial benefits
from all the effort put into compliance.

Recent research by Big Four firm Ernst & Young looking at financial
services companies reveals that most remain unconvinced of the benefits the new
rules bring – both to the company and from a wider perspective. Given the cost
of compliance, this can be irksome. E&Y estimates that, of the companies
that participated in its study, 5% of profits before tax is spent on risk
management, which means (for the largest companies) in excess of £100m a year.

‘The operating models currently in place for risk and compliance across many
organisations evolved in response to 20th century regulations,’ says Stephen
Christie, head of the financial services risk and regulatory practice at
E&Y. ‘The pace and complexity of change in the 21st century is beginning to
highlight significant shortcomings in these models.’

In fact, it is probably only the larger accounting firms and other advisers
that have benefited from the introduction of such regulation, as the extra work
required brought them bumper pay days.

As companies enter a second year of dealing with Sarbanes-Oxley, they are
desperately looking for ways in which to reduce the burden and the costs
associated with it. ‘Companies, having done it once, are now looking for ways to
make it more sustainable, cheaper, more efficient and much less of a hardship
going forward,’ says Bob Spedding, head of internal audit at KPMG.

‘As Sarbanes-Oxley has developed, people have recognised the importance of
getting the number of key controls they identify right. In the early days, I
think everybody – auditors, management and advisers – probably took too tight
and prudent a view on the number of controls that were key.

‘A lot of the developments that have happened within the application of
Sarbanes-Oxley have been around improving efficiency in the process by taking a
more risk-based approach. That allows you to do a narrower scoping and is a
continuing area of development.’

And US regulators appear to be getting the message. This year, the Securities
and Exchange Commission put forward proposals aimed at easing the burden of
complying with the resource-draining section 404 of the Act, which requires
auditors to attest to the robustness of a company’s internal controls.

It is hoped that the redesign of section 404 will help companies comply
without having to devote the same amount of time and resources as they did the
first time around. ‘In the early days of Sarbanes-Oxley it was decided that, as
all companies were different, it wouldn’t be rule-based and people would be able
to apply it as they saw fit,’ says Spedding. ‘But as time has moved on, people
have sought more guidance. The SEC is asking management what sort of guidance
they would like, in particular focusing on three main areas: risk and control
identification, management evaluation, and the extent of documentation required.
They are probably the areas that did get a little overdocumented and overworked
in the early days.’

The SEC has also relaxed the rules further for smaller and foreign companies
in an attempt to stop them fleeing the US market and to encourage initial public
offerings (IPOs) from outside the US (see box). Those intending to list in the
US will be exempt from Sarbanes-Oxley legislation for their first year.

‘Our goal is to make it easier for foreign issuers to do IPOs in the US,’
says John White, director of the SEC’s division of corporation finance. ‘They
will still ultimately have to comply, but won’t have to worry about section 404
compliance during their IPO.’

Non-US companies will also be exempt from having to get auditor sign-off on
their internal controls until July next year, while smaller companies will not
have to comply with Sarbox until 15 December 2007. However, the changes will
benefit very few UK companies, according to Jon Rowden, director at
PricewaterhouseCoopers. He argues that many small companies with a 31 December
year-end will not benefit from the deadline slippage, while the removal of
auditor sign-off for foreign companies will not reduce the administrative burden
at all, although it may help keep down auditor costs for a little longer.

Spedding also warns that even if the proposed changes come to fruition,
companies should not expect an easy ride. ‘As far as we can see, it still
remains a heavy piece of work,’ he says. ‘People shouldn’t imagine that it is
suddenly becoming a very lightweight rule. It’s not.’

Despite the wailing and gnashing of teeth from public companies, some
companies are actively incorporating the new rules into their business practice,
even though they don’t have to. Some private companies are now picking up and
running with Sarbox and have the luxury of not having to comply with the most
arduous parts of the legislation, such as section 404.

Spedding argues that companies are typically doing this because ‘they are
doing systems implementation or have completed an acquisition, so they have an
opportunity to look at their controls afresh. There’s also the circumstance of a
company that feels that, because of its sector or capital base, it could be
acquired by a US company. Therefore, there is an awareness that Sarbanes-Oxley
could be a driver in any deal and such a company may be more likely to comply
just to make sure it is in a state of readiness.’

Those that have avoided Sarbanes-Oxley so far may be breathing a sigh of
relief. But this might not last long. The influence of the US legislation is
starting to be felt everywhere. Other countries are adopting similar rules, so
those with international links are likely to feel the pinch sooner or later.
‘Japan is bringing in its own Sarbox, effective from January next year,’ says
Spedding. ‘It’s a little bit lighter than the US rules, but it’s going to need
working through nonetheless, and it’s going to be another burden for some
organisations, especially the manufacturing divisions of some large Japanese
companies over here.

‘We’ve seen the tightening in France of some of their independence rules.
We’re just in an environment where country by country, the world has changed and
people are tightening things up gradually in different ways,’ says Spedding.

I want to break free

Ever since Sarbanes-Oxley reared its ugly head in the US, and foreign
companies got their heads around exactly what that would mean for them, they
have been desperately searching for ways to get around it.

A few UK companies did manage to get out of the requirements by deregistering
with the SEC, but most were unable to do this because the US regulator would not
allow it for companies with more than 300 US shareholders. The financial
watchdog has since relented on that point, moving the boundaries out to either
5% or 10% of shareholdings, depending on the size of the company, but many
companies will still be unable to take advantage of this change of heart.

Sarbanes-Oxley has also badly hurt the US market in terms of new entrants.
Neal Wolkoff, chairman and chief executive of the American Stock Exchange, has
warned that it has inhibited smaller companies from accessing the US capital
markets. Instead, they are remaining private, or looking to access capital in
foreign markets. The London Stock Exchange has been in a key position to sweep
up such business.

There are still concerns that Sarbanes-Oxley could find its way across the
Atlantic, even for those companies not listed in the US. Potential bids for the
London Stock Exchange or other European markets by US companies such as Nasdaq
have sparked fears that the onerous rules would be imported into the EU. Despite
assurances from both the FSA and the SEC that such mergers would not
automatically result in listed companies having to follow Sarbox, it remains a
concern for many companies, which will be keeping a close eye on any moves.
