EXECUTIVE SUMMARY

NEW ACCOUNTING REGULATIONS BROUGHT ABOUT by Sarbanes-Oxley and SAS no. 99 will force many companies to change how they do business. Compliance with these and other rule changes will expand the burden of corporate CPAs. ONE NEW REGULATION THAT WILL AFFECT ALL public companies is the proposed NYSE requirement for an internal audit function. At a time of economic downturn, audits are going to cost more and companies will have to bear the expense of putting in new programs to be in compliance with government and stock exchange rules. THE CHANGES IN ACCOUNTING AND AUDITING RULES will reach beyond public companies. More than just a piece of legislation, Sarbanes-Oxley is a whole new way of thinking about corporate governance. Banks and insurance companies also will insist on a higher standard for businesses—even for privately held entities. ANOTHER PROBLEM BOTH PUBLIC AND PRIVATE companies face is the possibility individual states will adopt parts of Sarbanes-Oxley and make them apply to all companies doing business in that state. Such potentially contradictory rules could cause havoc with the world economy. BUSINESSES FACE A NUMBER OF OTHER CHANGES including the setting up of fraud hot lines, establishing a new relationship with their external auditors and training employees to comply with the requirements of Sarbanes-Oxley and SAS no. 99. CPAs will have an evolving role as the PCAOB takes on its new responsibilities.

CYNTHIA HARRINGTON, CFA, is a California-based journalist whose work appears in a variety of financial publications. She is a contributing editor to Accounting Today and horsesmouth.com, a subscription Web site for financial advisers.

eeping up with the changes the new accounting regulations demand can add complexity and hours to the already full schedules of corporate financial executives. This year CPAs in business and industry have had to find the time to know—and do—more. The Sarbanes-Oxley Act of 2002 and SAS no. 99, Consideration of Fraud in a Financial Statement Audit, are forcing companies to bring in additional personnel to handle the compliance workload. Some of the new employees will help companies keep up with the tidal wave of changes from federal and state regulators and agencies. Others will bring newly required expertise—in internal audit, for example. The bottom line impact is broad, and few companies will be able to escape what experts call a paradigm shift in the way they conduct business. Here’s what CPAs can expect and what they can do about it.

Debra R. Hopkins, CPA, CIA, director of CPA review courses and professor of accounting at Northern Illinois University in DeKalb, addresses all of these issues head-on in a talk she gives titled “Spotlight on Corporate Governance: The Highwire Balancing Act.” Hopkins often gives her training through the Center for Corporate Financial Leadership in Chicago, which serves 40,000 CPAs in business and industry in eight midwestern states. CCFL is one of many organizations scrambling to help CPAs adapt to the new accounting model brought about by Sarbanes-Oxley. Some of the others are listed in exhibit 1, below.

Hopkins says: “Half the financial executives come into my talk saying they’re getting what they need from the checklist their external auditors provide. But they leave the room knowing they need much more.” Hopkins says the other half are just scared and looking for help.

Hopkins says Sarbanes-Oxley and SAS no. 99 together force businesses to think about corporate governance in a whole new way. The three affected areas—upgrading internal controls, preventing fraud and improving audit committee accountability—are all intertwined by the new rules. For example, she says, the need to have internal controls signed off on by the audit committee and to prevent financial statement fraud will force companies to review their entire IT system. “Many company systems grew out of the need to respond to an event like Y2K or Web site development and their integration into general business activities,” Hopkins says. “Now businesses must review their systems and consider things like safeguarding documents to ensure the right people have access and the correct information is being recorded before they approve the new controls.”

Hopkins says the internal controls assessment the new legislation requires (the SEC issued its final rules in June) forces companies to consider the entity-wide effectiveness of financial reporting. And, with the economy and revenues down, it couldn’t have happened at a worse time, says Hopkins. “Audits are going to cost more, and companies should be prepared to bear the expense of putting in new compliance programs.”

CCFL board member Roy P. Rendino, CPA, is senior vice-president of finance and chief accounting officer of publicly traded Prime Group Realty Trust in Chicago. He admits that keeping on top of the changing rules and regulations is taking much of his time. “In many companies, several members of senior management share the task, with legal and accounting playing leading roles.”

Rendino says communication flow within his company has become formalized, replacing the more casual procedures department heads previously had in place. Now, communication occurs at regular meetings with executives from legal, operations and acquisitions in attendance. Each department has the opportunity to review the new regulations from its own unique perspective. The revised meetings structure enables executives to discuss updates and evaluate their impact on the company’s financial statements and related disclosures. In addition, Prime Realty circulates drafts of financial statements to all officers before issuing them, giving the executives an opportunity to provide additional input.

Because the SEC has not yet implemented some of its rules, Rendino believes establishing internal controls and documenting processes will be an ongoing task. Companies should see it as more than a need to simply comply with regulatory requirements. For the time being he is taking the advice of the big audit firms that the final rules under section 404 will be close to the framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). (Exhibit 3, at right, provides some key concepts from COSO’s definition of internal control.) John Morrow, vice-president of the AICPA members in industry division, bluntly says a company that hasn’t yet begun the process of documenting and evaluating its internal control structure will have “significant problems in the future as it attempts to catch up.” CPAs can draw on their background and training to help employers frame the scope of the job. “Each company must navigate through all of Sarbanes-Oxley’s provisions to understand what impact the legislation has on its business,” says Morrow. “And for a CPA in industry who hasn’t read a SAS since he or she left public accounting, SAS no. 99 is the one to read.” SAS no. 99 is the cornerstone of the AICPA’s comprehensive antifraud and corporate responsibility program.

Exhibit 3: COSO Definition of Internal Control: Key Concepts Internal control is a process. It is a means to an end, not an end in itself. Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization. Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board. Internal control is geared to the achievement of objectives in one or more separate but overlapping categories. Source: Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org.

NOT JUST FOR PUBLIC COMPANIES
The breadth of the new rules’ impact is surprising to some businesses, particularly private companies. SAS no. 99, for example, will affect the audits CPAs do of both private and public entities. Perhaps most unexpected is the far-reaching impact of Sarbanes-Oxley, which targeted only publicly traded entities. Hopkins says private companies show equal interest in her training sessions. “Sarbanes-Oxley is much more than a piece of legislation. It’s a whole new way of thinking about corporate governance,” she says, and CPAs and their employers must treat it as such.

Entertainment Publications Inc. in Troy, Michigan, is a private company broadly affected by both SAS no. 99 and some elements of Sarbanes-Oxley. The company markets the well-known coupon books for local restaurants and movie houses to raise funds for nonprofit organizations. Ed Stassen, CPA, is the company’s chief financial officer and speaks regularly to other financial executives about how the changes have affected his company’s businesses. We’re going to be more deeply scrutinized than ever before,” he says.

Because his employer is a highly leveraged company owned by a Washington-based LBO firm, Stassen and the upper management deal regularly with banks and other lending institutions. He says a typical banker’s approach now is to explore management’s expectations in personal meetings and then look for consistency between projections and what actually happens. “Now they’re not just verifying whether they think they’ll get paid, but they’re assessing whether they can believe what we tell them,” explains Stassen.

Private companies anticipating an initial public offering or a sale to a public company should start complying now with Sarbanes-Oxley, Stassen advises. He is in the process of transferring ownership to publicly held USA Interactive—and the deal closes soon. In addition to GAAP-compliant financials, the buyer required compliance with provisions of the new legislation. Stassen also finds increased oversight by the company’s insurers. “Prices are going up on coverage in every area,” he says. “Underwriters are scouring our financial results and have added conference call interviews to have us explain them.”

Not all private companies feel the pressure of the changes in accounting and business process rules. A-dec is a closely held, 900-employee dental supply manufacturer in Newberg, Oregon. Alan Steiger, CPA, the company’s CFO, believes the reason he and his employer are so far unaffected is because, unlike Entertainment Publications, A-dec doesn’t have to report outside the entity. “We’ve got no debt, so there are no lenders to satisfy,” says Steiger. “We always have had a strong commitment to effective internal controls even though we’re not large enough to have internal auditors. Our financial statements are audited by an international accounting firm—for the comfort of the owners.”

MOVING THROUGH STATE LEGISLATURES
What Steiger is most worried about is the potentially dramatic cascade effect the new rules might have on private companies. Various state legislatures are considering adopting parts of Sarbanes-Oxley to apply to all companies—both public and private—doing business in their states. “The National Association of State Boards of Accountancy and the AICPA have worked so hard on uniformity of accounting standards. It will be very divisive if individual states decide to pass pieces of Sarbanes-Oxley,” says Steiger, who also chairs the Oregon state board of accountancy.

The AICPA established a special committee on state regulation to deal with potential state initiatives. Formed just last November, this group of CPAs in private industry, large audit firm representatives, smaller firms concerned about the cascade effect and state CPA society directors has chosen to be in the forefront with respect to four areas. “We wanted to focus on auditor rotation, peer review, scope of services and state board of accountancy composition,” says committee chairperson Kathy G. Eddy, CPA, of McDonough, Eddy, Parsons & Baylous in Parkersburg, West Virginia. “We will put the meat on the bones of these issues and talk about how states’ actions might relate to private companies in those states as well as to the public.”

This committee issued two white papers, available on the AICPA Web site, www.aicpa.org, on the state concerns arising from the Sarbanes-Oxley Act. A Reasoned Approach to Reform and Complexity of the Issues detail the accounting profession’s concerns about adding a state-by-state patchwork of provisions. CPAs interested in lobbying their state legislators can use these documents to try to affect policy in their home states and as talking points with other professionals and the media. “We want to illuminate the problems state legislatures can cause for businesses in their states,” says Eddy. “Each state enacting additional and sometimes contradictory parts of the federal legislation could cause havoc with the world economy.”

THE NEXT STEPS
Here are some other areas accountants will become involved in as companies begin their efforts to comply with the new rules and regulations.

Fraud hot line. CPAs may be charged with implementing the hot line requirement of Sarbanes-Oxley at their companies. Atlanta-based The Network is one company helping with this task. “One thing the hot line industry advocates is the need to create an ethical environment and to talk about what constitutes acceptable behavior and what doesn’t” says Adelle Erdman, spokesperson for the hot line provider. “We’re hearing from companies needing to take action to set up anonymous reporting systems.”

External auditors. The financial executives’ relationship with the company’s outside auditors has also changed in 2003. With external auditors required to “be suspicious” and look for fraud, the tone is different. “Company managers shouldn’t take this personally,” says Hal Schultz, CPA, a partner with PricewaterhouseCoopers in Irvine, California. “They need to be aware that the expectation now exists that auditors can find fraud.” Still, adds Schultz, the accounting profession needs to manage expectations that the auditor will be able to find material fraud. “For years the profession tried to explain the audit was not for that, and still the expectations were there,” says Schultz. “SAS no. 99 shows we’re taking this responsibility very seriously.” Training. In addition to having issued the new fraud standard, the AICPA is partnering with other organizations to upgrade auditors’ skills to help them fulfill the SAS’s requirements. The partnership with the Association of Certified Fraud Examiners (ACFE) in Austin, Texas, has yielded several training options for CPAs including a CPE course titled “Fraud and the CPA.” “I’ve begun to hear people say Sarbanes-Oxley is a good thing, but it’s not going to solve the problem,” says Toby J. F. Bishop, CPA, CFE, FCA, president and CEO of ACFE. “If companies are to avoid being plastered all over the front page of the newspaper, they need to focus on strategies that proactively identify fraud risks and take follow-up actions to reduce those risks.”

PRACTICAL TIPS TO REMEMBER Companies should be prepared for audits to cost more following Sarbanes-Oxley. Businesses also will have to bear other costs to implement provisions of the new law. When considering whether to add an internal audit function in response to the requirements in Sarbanes-Oxley, smaller companies should keep in mind that outsourcing the department may be more cost-effective and give the company access to more up-to-date information. Sarbanes-Oxley has changed how all companies—public and private—must think about corporate governance. Private companies that deal regularly with banks and insurance companies, as well as those that are potential acquisition targets, may need to comply with the new rules even though the law doesn’t require it. Private companies should keep up with the potentially dramatic “cascade” effect as state legislatures adopt some or all of Sarbanes-Oxley and apply it to all companies that do business in the state—public and private. CPAs may want to lobby their state elected officials to make sure the state doesn’t adopt contradictory parts of the federal legislation.

A LONG ROAD AHEAD
The sea change in corporate accounting and auditing activities as a result of the new rules affects accounting professionals on both sides of the desk. There are multiple revisions and many requirements yet to come as the SEC finishes its work and tests the provisions and the Public Company Accounting Oversight Board begins its task in earnest. Clearly any story about the impact of Sarbanes-Oxley and SAS no. 99 on American business will be a work in progress for the rest of 2003 and beyond.

Resources AICPA Sarbanes-Oxley Hotline. Members can call 1-866-265-1977. AICPA National Conference on Fraud. To be held October 2-3, 2003, Miami Beach. For additional information visit www. cpa2biz.com. To register call 1-888-777-7077. Auditing for Internal Fraud. This CPE course provides auditors with the tools to identify fraud schemes. For more information visit the AICPA store at www.cpa2biz.com. Fraud Detection in a GAAS Audit—SAS No. 99 Implementation Guide by Michael J. Ramos, AICPA, 2002. Available for purchase in the AICPA store at www.CPA2biz.org. Sarbanes-Oxley Act/PCAOB Implementation Central. This site includes a list of background documents, AICPA implementation guidance and tools, regulatory actions, PCAOB and SEC activities and rules, http://cpcaf.aicpa.org/Resources/ Sarbanes+Oxley/ The+Changing+Regulatory+Landscape.htm.