Vie to comply

Fortune-1000 companies are expecting to spend some $2.5bn on investigation and initial compliance with the Sarbanes-Oxley Act, and the total impact of the new law could be bigger than Y2K, according to AMR Research.

Section 302 of Sarbanes, which also affects non-US companies whose shares are listed on the NYSE or Nasdaq, required companies to ensure the independence of their board members and audit committees by autumn last year, while demanding that FDs and chief executives certify their financial results, making them personally liable for representing its performance accurately.

But AMR Research predicts that, in order to comply with the next phase of the act in the shape of Section 404 and 409, companies will need to spend a total of $2.5bn over the next 12 months on business process change, on revisions to their underlying IT systems and on amendments to methods of corporate governance. Section 404 covers the certification of financial reporting processes and controls, while Section 409 tackles the real-time reporting of material events.

Kirk Locke-Scobie, chief financial officer of Avaya UK, which provides communication networks and services, explains what he sees as being the impact of Section 404 in particular. “Section 302 was a statement about the spirit of the legislation, but 404 is much more about how to deliver it in terms of the new disclosure on controls. This means there is a lot more resource impact in 404, and we’ve put a lot of energy and resource into it.”

As a result, the organisation has set up a project team to tackle the issue, which includes internal staff from both finance and the wider business, representatives from its internal audit group and personnel from SAP, Avaya’s key applications provider. It has also hired KPMG (rather than engage its auditors, PricewaterhouseCoopers) to help in planning, gap analysis and execution.

John Hegarty, a vice president at AMR Research, sums up the issue as being “about finding where the financial information is coming from and how it is being handled to ensure that the right checks and balances are in place”.

This means that the implications of Sarbanes potentially reach beyond the finance department to include the supply chain, customer management and security. As a result, a risk management assessment will need to be made on each of these areas of the organisation.

Hegarty agrees. “The impact is pretty much right across the business, so we’ve held some international workshops to which all elements of the business were invited to help them understand what it means. This is not just a financial responsibility – it’s a business responsibility,” he says.

Another key issue, however, is that the US Securities and Exchange Commission (SEC) has yet to finalise its interpretation of what the two sections will mean for FDs. It must also come up with deadlines for when compliance becomes mandatory.

But the pressure is on: compliance with Section 404 is expected to apply to all filings relating to fiscal year-end 2003, starting from the calendar Q4 of this year. No timescales have been determined for compliance with Section 409 as yet, but either 2004 or 2005 are thought likely.

“Officially, the timescales are not set in stone, but our fiscal year-end is September, so we’ll be among the earliest to be affected as it will possibly cut in from the 15th of that month,” says Locke-Scobie. “We think the legislation allows for the opportunity to request a postponement, but we’re dedicating resource with a view to execution at the end of September.”

Martyn Jones, a partner at Deloitte & Touche, endorses this attitude, saying that companies need to think hard about rectification work prior to their fiscal year-end because otherwise it will be too late to take the necessary steps should they discover last-minute problems.

“How it will affect different companies depends on each one’s individual circumstances and how they’ve been run, but it’s important to do in-depth work now to establish where the deficiencies are and what ongoing processes need to be put in place,” he advises.

In his opinion, the best interpretive guidance to date on what Section 404 is likely to mean for financial directors comes in the form of exposure drafts developed by the American Institute of Certified Public Accountants and material written for the Commission of Sponsoring Organizations of the Treadway Commission (see www.coso.org). This is a private sector voluntary body that aims to improve the quality of financial reporting.

Avaya, for one, is in the process of adopting the Coso integration framework with its standard definitions because, as Locke-Scobie points out, “You might as well do it from start to finish rather than make a half-hearted attempt because you want to be seen to do it.

“This as an opportunity to look at the business and introduce a standardised framework,” he says. “While some of Sarbanes-Oxley can appear onerous, it’s intended to protect stakeholders in the business. Anything that reinforces best practice in corporations today is a good investment.”