Most large market-cap public companies would like to forget Nov. 15, 2004–the day that “accelerated filers” had to begin submitting year-end audits under Section 404 of the Sarbanes-Oxley Act. According to many reports, there wasn't much holiday cheer among the employees charged with meeting that deadline. The folks stuck with paying the consulting and auditing bills relating to 404 weren't exactly oozing with Christmas spirit either.

“[Section 404] has taken tremendous man-hours away from running this company … and it has cost a lot of money,” said Scott Royster, CFO of Radio One during a July 2004 earnings conference call.

According to a survey by Financial Executives International, it cost public companies in 2004 on average $3.14 million and 30,000 personnel hours to comply with Section 404. And it may cost shareholders, the very people Sarbanes-Oxley is meant to protect, even more. According to a recent survey conducted by PricewaterhouseCoopers, 20 percent of directors believed “management is so distracted [by Sarbanes-Oxley requirements] that company performance will be affected.”

Adding insult to injury, companies will now have to include in their annual reports an explanation of any material weaknesses in their internal financial controls. How Wall Street will react to these reports, and how a negative attestation from an outside auditor will impact a company's stock price is anyone's guess at the moment. Some experts, though, believe it won't be pretty.

Lost in the shuffle of all these reports, complaints, statistics and deadlines is the fact that many executives are concerned that outside auditors are far too risk adverse, often pushing for redundant controls. Working under intense scrutiny from regulators and government investigators, auditors are perhaps a little more interested in protecting their own hides than giving their clients sound business advice. As a result, compliance has come to have more to do with checking off a list of requirements than managing risk. And that isn't good for companies looking to grow their business.

“The big challenge with 404 compliance is determining how it can help you manage risks generally, and specifically how it can help you identify and assess the major compliance threats to an organization,” said James Bowers, director of compliance risk services at Day, Berry & Howard. “If you want to get to that point, then my advice is to not let the auditors control the process.”

Bowers made this comment at a recent Martindale-Hubbell Counsel to

Counsel Forum in New York titled “Reducing Risk, Realizing Value: Compliance Risk Management in a Post-Sox World.”

The in-house and law firm lawyers at the forum not only discussed the role of external auditors in the compliance process, but also strategies for ensuring that employees and directors understand the importance of compliance training.

Auditing Blues

Since the passage of Sarbanes-Oxley, the regulatory landscape has morphed at an incredible pace. In some heavily regulated industries, such as banking, those whose job it is to oversee compliance have had a tough time keeping up. Meanwhile, many of these new regulations–often passed in response to a scandal–are forcing some companies to implement redundant processes.

“When regulators realize their existing compliance requirements are not effective, their reaction is to clamp down even harder by imposing more restrictions,” said Bruce Ortwine, general counsel of The Sumitomo Trust & Banking Co. “As a result, the regulatory bar is constantly getting higher.”

Once they've raised the bar, regulators often are slow to give companies guidance on how to respond to new regulatory measures, leaving in-house lawyers, auditors and consultants scrambling to develop what they hope are appropriate compliance measures. This problem was particularly acute when it came to section 404 compliance. Because the Public Company Accounting Oversight Board (PCAOB) was slow to release any guidelines to assist outside auditors with the implementation of Section 404, auditors took a very a conservative approach and often changed the advice they were giving clients from week to week. That created a lot of tension between external auditors and their clients.

“Auditors often have a particular approach and sometimes what they want to do is inappropriate,” says P. Mats Goebels, general counsel of Investment Technology Group Inc. “And it's really the organization's responsibility to go back to the auditors and tell them that they are pushing this a little bit too far. You can't let the auditors drive the bus and tell you how you should run your business.”

Many participants in the forum argued that because external auditors don't understand the business as well as those on the inside, they have a tendency to be too risk-adverse.

And that isn't good for the company or its shareholders.

“It's not a bad thing to have a law that tries to get a company to uncover deficiencies within an organization that might impact the accuracy of its financial reporting,” Bowers said. “There's nothing wrong with that. The problem is that some auditors have pushed implementation far beyond where it should go. Many companies have complained about documenting minute items that have no relationship to the major threats that might impact your financials. And the accountants are so gun-shy that they don't seem to want any risk, so they force an unattainable no-risk environment on the company.”

One participant who didn't want to be identified in this article, went one

step further.

“Sarbanes-Oxley has handed a gun to the accounting profession and they are holding that gun to the corporation's head and telling us what do to in order to get the attestation at the end of the year,” the general counsel said.

Another participant complained that some of the auditors she dealt with in the past actually put the company at risk. She explained that an auditor interviewed managers about what they thought were the biggest risks to the company. When he sat down with the head of public affairs, the executive responded with this little gem, “We play in the Enron arena, so I worry about whether or not our traders are adequately supervised.” The auditor wrote the response down and put it in a file. The general counsel was livid.

Employee Buy-In

Although participants spent a good portion of the forum discussing the role of external auditors in compliance, they also talked at length about the legal department's role in ensuring employees are complying with all the new regulations. Obviously training is key. And although online training seems to be the preferred method of reaching employees these days, it shouldn't be used in every circumstance. Most participants agreed that online training can teach employees about general corporate and HR issues, such as sexual harassment, but it can't replace face-to-face training in more complex compliance issues.

“Sometimes [compliance training] can't be done as canned questions and answers,” said Steven Troyer, vice president and counsel of Commerzbank AG. “You need to create an environment where employees can ask questions about the problems they will face in the real world.”

Many of the participants agreed that once employees have undergone training, it's often necessary to periodically audit business units to ensure they are in compliance. The consensus was that surprise audits work best, though a few participants expressed concern that this would backfire on legal departments, which have spent years trying to shed their image as the corporate cops.

“Designing an effective auditing program requires striking the proper balance,” said Andrew Shakalis, associate general counsel at Unilever United States Inc. “Within the legal department we serve as a source of best practices and help our divisions solve their problems. To do that we have to stay connected.”

All agreed that when the legal department does unearth a problem, it needs to help the business folks correct their mistakes.

“You can't just come in and do an audit without the proper follow up,” Shakalis added. “You have to assist in developing the corrective actions and work with them in implementing those actions. “

These days, though, legal departments don't seem to be having any problems with the latter.

“It is much easier these days to make sure employees take compliance seriously.” said one participant. “All you need to do is tell them they will end up in jail if they don't.”

The Fear Factor

This also is true of board members, who are much more aware of their responsibilities since the passage of Sarbanes-Oxley and the WorldCom and Enron securities class action settlements. In both settlements, directors had to reach deep into their own pockets to placate the plaintiffs. For instance, 10 of Enron's former directors agreed to contribute $13 million of their own funds in the $168 million settlement (the insurance companies will pick up the rest of the tab). And 10 WorldCom directors agreed to contribute $18 million to the company's $54 million settlement. Although these settlements make directors uneasy, they also make the GC's job much easier.

“The key to getting boards engaged is to show them that they can be held liable and that they may have to end up paying out of their own pockets,” said Andrea Teichman, partner at Day, Berry & Howard. “They need to do two things: breathe life into the policies so that they aren't just pieces of paper; and ask questions about the policies and whether or not they go far enough.”

The worst thing a company and its board can do is view a compliance program as simply a “to-do” list. Executives need to see compliance programs as a tool that can benefit the company's bottom line and its reputation in the market.

“We live and die by our brands,” Shakalis said. “So we welcome and approach compliance and Sarbanes as a way to further protect our brands, corporate image and reputation.”

And that requires teamwork. It requires everyone from the very bottom of the corporate ladder to the very top to be involved and vested in compliance.

“Companies need to view compliance not as the responsibility of a compliance officer, but rather as a collective responsibility of everyone, especially senior management,” Ortwine said.