Corporate Accountability Deadline Looms

Enron…WorldCom…Adelphia….

The names of these firms, once respected symbols of American commercial prowess and financial muscle, now cause only sighs and snickering. The accounting scandals of the past two years that rocked these once respected service providers spurred the passage of the Sarbanes-Oxley Act of 2002, which is aimed at restoring the confidence of investors in public companies. And while it is true that no law will root out all misdeeds, one thing is certain: The requirements of compliance are sending service providers scrambling as they shore up their internal controls and reporting mechanisms in time for the 2003 reporting deadlines.

The goal of the Sarbanes-Oxley Act is to drive increased integrity and accountability in the financial reporting activities of public companies, as well as the behavior of the auditors who review their books. It does this primarily by requiring company CEOs, CFOs and their external auditors to attest to the veracity of both financial statements and internal controls on a regular basis. It also limits the role of a company’s auditors to audit functions alone and articulates the responsibilities of the audit committee of a company’s board of directors. Other requirements include the establishment of a code of conduct within each corporation and support and protection of employee whistleblowers (see “Sarbanes-Oxley At A Glance”).

According to Arleen Thomas, vice president of Professional Standards and Services at the American Institute of Certified Public Accountants (AICPA), “This is the most significant legislation to affect publicly held companies and their auditing firms since the Securities Act of 1934.”

The Dreaded Section 404

When the Sarbanes-Oxley Act was first implemented last July, section 302 received much fanfare. It required company officers to certify the integrity of their financial statements as they were filed with the SEC. It came and went without so much as a whimper by the service provider community, and executives dutifully signed off on their books.

On balance, it is the internal controls mandate, section 404, which is giving the biggest headaches to auditors and service providers, according to Terri McClements, a partner in PricewaterhouseCoopers’ (PwC) InfoComm Advisory Services, and a subject matter expert on Sarbanes-Oxley. She says carrier clients have been scrambling for education on section 404. They know both the “what” and the “how” of internal controls in general, she says, but the precise requirements of this law have them worried. And worried they should be—penalties range from minor fines to 25-year prison terms.

What exactly are the demands of section 404? According to “Sarbanes-Oxley: A Closer Look,” published earlier this year by auditing firm KPMG, CEOs and CFOs must file an internal controls report with the company’s annual report. In this report, the officers certify that they have reviewed the financial reports being submitted to the SEC, including balance sheets, income statements and any accompanying materials such as Management Discussion and Analysis (MD&A). They certify that they are responsible for the internal controls and procedures for financial reporting, that they have evaluated the company’s internal controls, and that these controls are adequate to the task of accurate and complete financial reporting. Finally, the company’s external auditor attests to these management assertions.

Additional disclosures that corporate executives must make to both their external auditors and the audit committee of their board of directors include material weaknesses in internal controls and the remedial steps being undertaken.

All of this takes effect at the company’s fiscal year end, beginning September 15, 2003. This isn’t exactly a luxurious implementation window. In fact, PwC’s McClements says many had thought this would be deferred, given that the SEC has not yet released section 404 compliance rules, and its implementation body, the Public Company Accounting Oversight Board (PCAOB), has yet to ramp up its operations (see “PCAOB: The New Sheriff In Town?”).

Barron Green, managing director with independent risk consulting firm Protiviti, says there was a lot of denial in corporate America when the law was first passed, but now there is an awakening taking place. “There are a lot of ‘ahas’ going on out there, and executives are shocked at what they have to get done before the end of the year.”

More Than Just Financials

It would be easy enough to place some control activities around the preparation of financial statements, and in fact, any company worth its 10K probably already has such assurances. Proper delegation of authority, multiple levels of management signoff, daily ledger balancing and other financial integrity checks have long been a part of the auditor’s repertoire. That’s just the beginning, according to PwC’s McClements. “Every process that has the potential to roll up to the financial statements, or disclosure of a number in the financial statements” is covered by Sarbanes-Oxley, she says.

Think about it: The sales process generates the revenue numbers, so that’s included. Billing posts the billed charges to the company’s accounts receivable, network management carries inventory data, and customer care may process refunds, so these processes are included, too. And deposits required by credit risk management policies constitute balance sheet-affecting liabilities, which again, are covered by the Sarbanes-Oxley umbrella. What about those revenue assurance initiatives? Those may be some of the more obvious pointers to control flaws.

Even the tax department will have section 404 headaches, says Dale Currie, KPMG partner and head of its communications industry tax practice. “Don’t underestimate the importance of proper controls here. Telecom is the most heavily taxed industry from a consumption standpoint. The top tier will collect and remit more than a billion dollars each in tax revenues in thousands of tax returns, and there have to be substantial controls around those processes.”

Carrier tax managers lament that their departments are already under the gun to produce thousands of tax returns each month with fewer and fewer people, and the idea of stopping their production processes to deliver documentation on internal controls is simply unrealistic. Says one such manager, “I know what I have to get done every month, and I know that my data sources are clean. Just where did they think I was going to get those extra people I need to produce all that documentation?”

How Do We Get There From Here?

Compliance with Sarbanes-Oxley in general, and section 404 in particular, isn’t simple or fast, but it can be done, says PwC’s Terri McClements. “Start with your financial statements, and work backwards, mapping every number in every statement to a process or set of processes that feed that number.” Once this is done, make sure both process documentation and controls are in place. She further counsels to test the controls to make sure they are adequate to the task. Lastly, you have to leave enough time for your external auditor to sign off on the suitability of the controls, because their business is on the line, too.

Internal control experts point to the framework established by the Committee of Sponsoring Organizations of the Treadway Commission (COSO, www.coso.org), a voluntary effort launched in 1985 by several financial industry organizations to study the likely causes of fraudulent financial reporting. It is this framework that the AICPA recommended for adoption by the SEC in establishing the as-yet-unreleased rules for section 404.

In a nutshell, the COSO framework for internal controls specifies the philosophical underpinnings of any corporate process control environment. According to COSO, a company’s controls must include adequate policies and procedures with appropriate levels of management signoff; a regular assessment of risks to determine if the company has all the necessary controls; a mechanism to communicate the policies as well as the results of control audits; monitoring activities to ensure that controls are complete and relevant; and most importantly, a management environment that encourages ethical behavior.

As a by-product of the industry’s regulatory legacy, coupled with the inherent complexity of network services, most service providers already have some process controls in place, says McClements. Given that, compliance becomes not so much an add-on as a complement to the existing environment. That’s the good news. The bad news is that if you haven’t started yet, you’re in for a rough ride. That’s because your newly compliant controls need to be in place, tested and operational by October 1 to allow for two months of actual operation prior to final attestation by your external auditor in December, in time for year-end book close. And of course, that assumes a December 31 fiscal year end. If your year ends between September 15 and December 31, the schedule compresses accordingly.

Toolkits Emerge

Amid the scurrying, several commercial tools are evolving to assist in the quest for clean, documented controls. Certainly all of the “Big 4” accounting firms have tools available. Protiviti does as well, although according to Green, it will adopt any tool the client prefers. These tools enable companies to catalog business processes, the internal audit standards for the processes and linkages to other processes in the company.

Cleveland-based software company Axentis produces a compliance management tool that automates adherence to a company’s policies as well as applicable laws, according to company president Ted Frank. Originally designed three years ago to track and monitor compliance with FDA requirements levied on pharmaceutical firms, Axentis’ Enterprise platform fits well in any regulated business that is complex and multi-functional, including telecom, energy and financial services, Frank says. It allows companies to group business processes to any grouping of workers, whether or not these people are in the same organization. The key to the tool’s success, says Frank, is the reporting and alert capability that tells senior management when compliance activity is missing or incomplete, exposing the company to fines and legal action by regulatory authorities.

Another beneficiary of Sarbanes-Oxley is OpenPages, a software firm based in the Boston area. According to Peter Morgan, vice president of marketing, its Sarbanes-Oxley Express product delivers a complete financial document management system, including control of all the processes used to complete these documents, such as rollups and signoffs of component parts. Sarbanes-Oxley Express promises complete audit trails of financial reporting workflows, archives of all financial reports, and certification monitoring both within a company and by third parties such as auditing firms. Lastly, a management dashboard gives the CFO an overview of all financial reports and documents, with ‘drill down’ capability to the feeder documents.

Database and business intelligence vendors such as Oracle, MicroStrategy, Cognos and Business Objects are also hot on the trail for opportunities. Fred Studer, Oracle’s vice president of ERP marketing, says the company offers a documentation tool that stores internal controls definitions and business processes as well as policies and procedures that support the processes. It graphically illustrates the processes and also directly integrates with Oracle’s financial and database applications. In this way, if a change is made to a process, the tool will record the change and then propagate the change in the system so that the company operates from what Studer calls “one single source of truth.” The tool wasn’t specifically developed for support of Sarbanes-Oxley but is generating interest as carriers seek to implement mechanical solutions to the quarterly filing and annual certification processes.

Once the poster child of bad corporate behavior when executives were caught recognizing revenues improperly, MicroStrategy has since become a most visible user of its own Financial Transparency product, which it touts for section 404 compliance. This object lesson provides what product manager Imran Aftab says is its own case study of success. “MicroStrategy has a sophisticated system we deployed on our platform that helped us get out of the accounting troubles that we encountered two or three years ago.”

Aftab concedes the company has not developed any specific add-ons or upgrades for Sarbanes-Oxley compliance, but is actively working with systems integrator partners to help customers implement more ‘live’ reporting that can drill down to source data in support of transparency goals.

Not everyone has seen the light. Many software vendor representatives confessed to being caught off guard by Sarbanes-Oxley. One vendor of telecom billing software admitted that his company has not done anything proactive to address its customers’ needs in this regard. And even though the requirement of the law concerns the process controls around the biller and not the software itself, he worries that they may be missing an opportunity to provide value-added professional services to customers.

Even if software isn’t part of the initial implementation to meet the 2003 deadline, says Protiviti’s Green, it should be considered for the ongoing maintenance of the controls environment. “It’s worth the investment to have a tool in place so that it’s not so painful every time you have to certify your controls.”

The Call To Action

Haven’t started your compliance activity? You’re in good company, says PwC’s McClements. “A lot of people thought 404 was going to go away, or would be deferred. Our advice is, and has been, ‘Get ready. This is not going away.’”

Even though the SEC hasn’t yet published the final rules on section 404, Michael Murphy, director of revenue assurance at XO Communications, says they aren’t waiting for the SEC to do its job. “We’re taking a very conservative approach. We can’t imagine what the SEC will come out with that we haven’t already considered in our controls.” He says they see this activity as a step in the right direction — toward a healthier company (see “One Carrier’s Journey”).

Oracle’s Studer concurs, saying, “The market is going to reward well-governed companies. Don’t look at this as just meeting Sarbanes-Oxley. Think of it as an opportunity to be innovative and be more efficient and be a better-run company.”

Protiviti’s Green sums it up, saying, “Forward-looking companies will look at what they’re doing for Sarbanes-Oxley as a baseline. They’ll want to use this for performance improvement, process improvement and revenue assurance.”

 

PCAOB: The New Sheriff in Town?

At the center of the Sarbanes-Oxley controversy is the newly formed Public Company Accounting Oversight Board (PCAOB). The PCAOB (www.pcaobus.org) was brought to life by the Act as a private, non-profit corporation funded by public companies rather than as an agency of the U.S. Government. It is charged with restoring the investing public’s confidence by overseeing portions of the Act. To date, however, the board has accomplished little, if anything, of note, other than to stir the pot of public suspicion and professional discomfort. Deliverables to date have been limited to a proposed funding model and a proposed process for the registration of auditing firms.

In its one dramatic statement to date, the board issued an announcement in April that it will move to take control of auditing standards away from the Auditing Standards Board (ASB), part of the AICPA. “We fully respect the right of the PCAOB to issue audit standards,” says the AICPA’s Thomas, “but you can’t just stop issuing audits while [the movement to the PCAOB] is taking place.” As a result, the AICPA continues to issue proposed audit standards in support of Sarbanes-Oxley.

Equally unclear is how the PCAOB will interact with the Financial Accounting Standards Board (FASB), the accounting world’s standard-bearer and self-proclaimed watchdog. FASB maintains the collection of documents known as GAAP, or Generally Accepted Accounting Principles, from which all recognized accounting practices flow. So far, no one is talking, and the PCAOB’s activities appear to be limited to auditors and auditing rather than public company accounting, as the name suggests.

One Carrier’s Journey

Reston, Va.-based service provider XO Communications took a program management approach to complying with the Sarbanes-Oxley Act. It hired senior manager Alysia Kreider in March and put her in charge of overall Sarbanes-Oxley compliance. Working with 25 different departmental and functional leaders, XO’s head of Internal Audit, Ed Sawaf, supplemented by Terri McClements’ team at PwC and external auditors from Ernst & Young, Kreider established a project plan that incorporated a critical timeline of dates and deliverables. Likewise, she supplied FAQs, templates and persistent coaching to get the team up and running.

Kreider’s team expects to have all controls documented and tested by the process owners by mid-June. A testing period by external auditors from Ernst & Young follows, and any defects will be remedied prior to going live by the end of July. An aggressive schedule, no doubt, but one that Kreider says is achievable. “There will be bumps in the road, but I think we’ll get through it. It’s going fairly well right now because we have defined many different areas that the [business and department heads] aren’t overwhelmed.” She notes that the large business customer “one-off” deals that invariably run at least partially outside the mainstream process in any service provider’s shop may need some special attention, saying, “I haven’t addressed that just yet.”

Kreider credits backing from CFO Wayne Rehberger as key to the success of the project thus far. “Get the signoff from the top level; that’s the key thing that must happen.” At early training sessions, Rehberger made it clear that cooperation is essential to allow him and president Nate Davis to sign the controls report at the end of the year.

Even though its stock has not yet been relisted for sale since emerging from bankruptcy, XO’s leadership took aggressive steps to comply with Sarbanes-Oxley, says Michael Murphy, XO’s director of revenue assurance. He says XO wants to prove to Wall Street and the investing public that XO is once again a solid bet.

“We want to assure [majority owner] Carl Icahn and the rest of our investors that their money is being well spent.”

Sarbanes-Oxley At A Glance


Section / Definition/Impact

201 / Audit firms may not perform non-audit work for clients other than tax services. Examples of prohibited services include financial IT systems work, internal audit outsourcing and legal work. You may need to wind down or discontinue projects if your audit firm is delivering them. There is a grace period of up to 12 months.

203 / The lead partner on your audit team must change every 5-7 years. You begin counting the number of years after May 2003.

206 / To prevent possible conflicts of interest, a company’s senior officers cannot come from its audit firm.

301 / Companies must implement “whistleblower” protection for any employee who wants to complain about questionable accounting practices, including establishing procedures and possible use of outside services to facilitate communication.

302 / In place since last August, this provision requires corporate execs to certify that financial reports are accurate, complete and fairly presented. Also at stake are ‘disclosure controls,’ meaning that companies have told their auditors everything they need to know to perform the audit, and told the board’s audit committee about any internal control weaknesses or fraud.

401 / “Off-balance sheet” arrangements, much like Enron’s famed “Raptor” partnership, have to be disclosed, including all contractual obligations, and a discussion of how important this arrangement is to a company’s well-being. Systems and processes may have to be modified to categorize this activity separately.

404 / The mother lode of impact to carrier systems and processes, this section requires management to establish and maintain adequate internal controls, and to certify each quarter as to the effectiveness of the controls. External auditors also have to attest annually that controls are adequate, setting the stage for some auditor-client tension as parties debate effectiveness.

409 / Companies have to disclose “material” changes to financial conditions or operations within three weeks. Systems and processes may have to be developed or modified to care for this reporting window.

Source: “Sarbanes-Oxley: A Closer Look,” KPMG, LLP, 2003.
