EXECUTIVE SUMMARY

THE SARBANES-OXLEY ACT NOW REQUIRES PUBLICLY traded companies to disclose whether they have adopted a code of ethics for senior financial officers. In addition, the New York Stock Exchange is considering new rules that would require listed companies to have a code of business conduct that applies to all employees. UNDER THE ACT THE SEC REQUIRES COMPANIES to file an internal control report with their annual report outlining management’s responsibilities for establishing and maintaining adequate internal controls as well as its conclusions about the effectiveness of those controls. The company’s auditor must attest to management’s evaluation. MANY COMPANIES ALREADY HAVE ETHICS CODES. With the emphasis in Sarbanes-Oxley on financial reporting, CPAs may want to help employers and clients review these codes to make sure they comply with the new regulations. Companies will need to establish a process for rank-and-file employees to report code violations confidentially to someone outside the ordinary corporate chain of command. THE BEST WAY TO DRAFT A CODE OF ETHICS all employees will follow is to bring together a multidisciplinary team from all parts of the organization. Employees must then be trained in what the code means using real-life dilemmas they might encounter on the job. Regular refresher courses are important because ethics training is perishable—people forget. COMPANIES WITH AN EXISTING ETHICS CODE UNLIKELY will need a new one. Still, businesses may want to revisit the code to make sure they have a full-blown compliance program in place. Even though the act focuses on the CFO, the SEC expects the entire organization to comply with the law.

RANDY MYERS is a freelance financial writer who lives in Dover, Pennsylvania. His e-mail address is randy@randymyers.net.

tung by the high-profile accounting scandals that drove some the nation’s leading companies into bankruptcy court, Congress and other regulatory authorities have taken up their pens in an attempt to legislate business behavior. The Sarbanes-Oxley Act, which President Bush signed into law in July of 2002, requires publicly traded companies to disclose whether they have adopted a code of ethics for their senior financial officers, and if not, why. They also must report promptly any amendments to or waivers from the code.

The New York Stock Exchange, meanwhile, proposed new corporate governance standards which—if the SEC approves them—would require companies traded on that exchange to adopt corporate governance guidelines and a code of business conduct and ethics for all employees. CPAs can help employers or clients navigate these new rules and create a code of ethics that complies with all of the requirements.

NUTS AND BOLTS For companies that choose to adopt a set of ethics guidelines in response to Sarbanes-Oxley—and few will run the risk of not doing so given the negative message it would send to investors, regulators and potential litigants—section 406 of the act says the code should seek to ensure that senior financial executives Conduct themselves honestly and ethically, particularly in handling actual or apparent conflicts of interest. Provide full, fair, accurate, timely and understandable disclosure in the periodic reports their employers file with the SEC. Comply with all applicable government laws, rules and regulations.

Source: Christian & Timbers, New York City, www.ctnet.com.

Even for CPAs who don’t toil as principal financial officers, comptrollers or principal accounting officers—job titles Sarbanes-Oxley specifically targets—the new law introduces a raft of issues. As interpreted by the SEC in the proposed rule-making notice it issued on October 16, 2002, Sarbanes-Oxley does more than suggest companies have a code of ethics for senior financial executives.

Once SEC rules are finalized, section 404 of the act will require publicly traded companies to file in their annual reports an “internal control report” that outlines what steps management has taken to establish and maintain adequate internal controls and financial reporting procedures, as well as management’s conclusions about the effectiveness of those controls and procedures—a report CPAs and corporate finance departments likely will have a hand in drafting. The report must say the company’s public accountant has attested to, and reported on, management’s evaluation of the company’s internal controls and financial reporting procedures. The company must include a copy of the auditor’s attestation in its annual report.

What’s not clear, says CPA Sherrie McAvoy, national director of corporate compliance and ethics services for Deloitte & Touche in Dallas, is whether an external auditor would be required to formally audit a client’s compliance with its own code of ethics. While her initial suspicion is it would not, she says it won’t be clear until the SEC issues final regulations. An SEC spokesman notes that Sarbanes-Oxley gave the agency 180 days from the date of the law’s enactment, or roughly until the end of January 2003, to issue final rules.

CPA Richard Steinberg, head of the corporate governance practice for PricewaterhouseCoopers in Florham Park, New Jersey, takes a similar view. “As they look at internal controls, the external auditors are going to focus on this (the code of ethics),” he says. “Not that they’re going to audit it, but they’ll consider it as they assess the company’s control environment.”

INCREMENTAL CHANGE
Those counting on ethics codes to change corporate behavior may be surprised to learn that most public companies—at least those in the Fortune 1000—already have them. When the U.S. Federal Sentencing Guidelines became law in 1991, they listed seven elements of an effective corporate compliance program judges could take into consideration when sentencing corporations for federal offenses. Most large public companies quickly realized the value of incorporating these elements into their operations, if only as risk-management tools. Among them was establishing compliance standards and procedures—otherwise known as a code of conduct or ethics.

Today, says McAvoy, surveys her firm conducted show approximately 95% of Fortune 1000 companies have a code of conduct. Stuart C. Gilman, president of the nonprofit Ethics Resource Center in Washington, D.C., says many private companies have such guidelines as well; he estimates that altogether there are more than 3,000 ethics officers working in the United States.

What’s different now that Sarbanes-Oxley is on the books? According to McAvoy, the new law puts more emphasis on financial reporting, particularly its accuracy. This could translate into more responsibility for CPAs. Section 301 also mandates that companies put in place a mechanism for employees to raise concerns about financial reporting matters—confidentially and anonymously. The SEC’s proposed rules for implementing section 406 go on to say the code of ethics should identify the person or persons to whom employees should deliver those anonymous reports.

Establishing a process for rank-and-file employees to confidentially report code violations is a critical component of any ethics program, according to McAvoy. Most of the companies that already have established such procedures assign a case number to each complaint or tip an employee makes so he or she can track its progress. In addition, the person to whom employees report alleged violations is generally someone outside the ordinary chain of corporate command—an ethics or compliance officer, for example, or an ombudsman—who nonetheless has access to the company’s top executives and its board of directors.

The WorldCom case amply illustrated the perils of having employees report complaints to a senior executive with routine corporate responsibilities. Internal auditors who uncovered the company’s accounting fraud reported it to the company’s then CFO Scott Sullivan. The federal government now alleges Sullivan instigated the fraud and attempted to block the internal investigation. According to an in-depth report The Wall Street Journal published in October of 2002, WorldCom didn’t finally acknowledge, make public and address the fraud until its vice-president of internal audit, Cynthia Cooper, took damaging evidence to the company’s audit committee.

Many CPAs will have a role in helping companies comply with Sarbanes-Oxley. Certainly, those in corporate finance departments can be expected to be involved in drafting or reviewing those portions of their company’s code dealing with financial matters, says Nancy Wilgenbusch, president of Marylhurst University in Portland, Oregon, and a member of the AICPA ethics committee. The portions of the code CPAs might handle would range from insider trading to appropriate and accurate expense reporting, acting as good stewards of company assets, avoiding conflicts of interest and assuring accurate corporate communications with the public. To the extent the code of ethics includes quantifiable measures of accountability concerning items such as insider trading or entertainment expense reporting, for example, Wilgenbusch says CPAs are ideally suited, by virtue of their training and professional expertise, to evaluate or test the results.

External auditors would also appear to have a role in assessing compliance with codes of ethics, if only in the context of a code’s being part of a company’s internal control process. Gilman encourages outside auditors to go a step further: For each client, the auditor should sign a statement noting that it understands and accepts the client’s code of ethics. “This allows the outside auditing firm to comport with the company’s internal environment,” Gilman says. “It permits a level of independence and says, ‘We’re willing to obey and abide by the same set of standards the organization holds itself to.’”

DOING IT RIGHT
A number of companies—including Raytheon and Texas Instruments—have been widely recognized for the scope and quality of their ethics programs. Raytheon makes ethics training a requirement for every employee, all the way up to the CEO. Texas Instruments’ employee ethics handbook dates to 1961 and the company has received three ethics awards for its leadership in the field. Texas Instruments also provides employees with a business-card-sized pamphlet that serves as a “quick test” for workers faced with an ethical dilemma.

Is the action legal?
Does it comply with our values?
If you do it, will you feel bad?
How will it look in the newspaper?
If you know its wrong, don’t do it.
If you’re not sure, ask.
Keep asking until you get an answer.

While it’s difficult to calculate a hard return on investment for drafting and implementing a code, Bruce Pfau, national practice leader for organization measurements at Watson Wyatt Worldwide has tried. A survey his consulting company conducted in 2000 found workers who believed their company operated with honesty and integrity showed higher levels of commitment to their employer in terms of job satisfaction and company pride than those who judged their employer to have low ethical values. Pfau also found companies highly rated by their employees for honesty and integrity produced, over the previous three years, a higher return to shareholders (112%) than poorly rated companies (76%).

PUTTING TOGETHER A CODE
With virtually all companies needing a code of ethics so they can avoid having to report they don’t have one under Sarbanes-Oxley, the task of developing one from scratch need not be too involved. The Financial Executives Institute has drafted a one-page model code of ethics for senior financial executives it says conforms to the new law; it can be found on the organization’s Web site at www.fei.org. Another code developed by Parson Consulting, a national consulting company specializing in finance, accounting and business systems is available at www.parsonconsulting.com/sarbanes-market_position.asp.

But most experts say it would be far better to create a code of ethics for the entire company, one that applies to all employees and builds on their input. Under the proposed changes to the NYSE listing requirements, such a policy would be required of all companies trading on the Big Board.

The challenge companies face—whether creating an entirely new code or reassessing and upgrading an existing one to reflect Sarbanes-Oxley—is to draft a document that isn’t just decoration on the company bulletin board but instead helps employees live up to the ethical standards investors, legislators and regulators demand. “We’re terrified here of what we call the three Ps—the print, post and pray syndrome,” says Gilman. “You print a code of conduct, post it on the wall and pray people actually read it.”

According to Gilman and other ethics professionals, the correct approach is to bring together a multidisciplinary team from all parts of the organization—finance, sales, human resources, operations, marketing, executive—to draft a code, communicate its importance to employees and then involve them in seminars to help understand how the code applies to them and their colleagues. Finally, says Minneapolis-based ethics trainer Nan DeMars, author of You Want Me To Do What? (Fireside, 1998), senior management must follow through and hold people accountable for complying with the code.

One way to make a code of ethics come alive for employees, DeMars says, is for human resources to plan training sessions that engage them in discussions about real-life or theoretical ethical dilemmas they might expect to handle on the job. The more specific the situations are to the particular company, the more valuable they will be. DeMars gives these examples of the types of questions she might pose in a seminar: “You are the assistant to David Duncan, lead auditor for Arthur Andersen. You know the firm is about to be subpoenaed. He asks you to shred documents. What would you do? Or, you are Sharon Watkin’s assistant at Enron and you type her memo to Ken Lay warning him of the possibility Enron will implode if its current accounting practices continue. Now that you know the company is in trouble and your boss is aware of this, what do you do?”

“You’ve got to take the words as well as the legal requirements and translate them into understandable practices,” agrees John J. Castellani, president of The Business Roundtable, an association of CEOs of leading corporations. “Ultimately, doing so gives you a very strong tool. When employees violate the policy, they are dismissed.”

DeMars and others agree ethics programs don’t achieve much when they are handed down by senior management with little input from other employees or when senior managers themselves fail to abide by the code or neglect to stress its importance. Enron had a rigorous code of ethics, for example, yet it fell victim to unethical behavior in part because its board of directors twice voted to suspend the code to allow the company’s former CFO, Andrew Fastow, to launch business activities that created, for him, a conflict of interest. Ethics professionals warn against viewing educational programs as a once-and-done procedure. “Ethics training is perishable,” Gilman says. “People forget.” To deal with this problem, companies should schedule regular refresher courses for all employees.

FINDING HELP
While companies must enlist the cooperation of their own staff members to draft a code of ethics that will resonate with them, there’s plenty of outside help available, too. Among the Big Four accounting firms, both Deloitte & Touche and PricewaterhouseCoopers offer ethics consulting services, says Gilman. So do some law firms and a number of nonprofit organizations and academic centers. Among the latter are Gilman’s own Ethics Resource Center as well as the Ethics Officers Association in Belmont, Massachusetts; the Institute for Global Ethics in Camden, Maine; and the Markkula Center for Applied Ethics at Santa Clara University in California. (See the sidebar above for information on how to contact these and other resources.)

Elsewhere, the nonprofit Practicing Law Institute in New York City offers programs on ethics and corporate compliance several times a year, says McAvoy, and has published a series of books on the topic. All that said, Gilman cautions companies against off-loading too much responsibility to outside consultants. “Ethics are one of those things where you don’t want someone doing an assessment and charging you a lot of money to tell you what you want to hear,” he explains. The best ethics code is one drafted in-house.

Many companies that already have a code of ethics are unlikely to need a new one to respond to Sarbanes-Oxley, says attorney Tom Patton, a partner with Tighe Patton Armstrong Teasdale PLLC in Washington, D.C. This is especially true since the new law doesn’t require a company to publish its set of guidelines but merely to confirm it has one. “The statute defines a code of ethics in very broad terms, so you have to make sure your existing code meets all of them; assuming it does, you probably don’t need to develop a new one,” he says.

Stephen Hill Jr., a partner with the Kansas City, Missouri, law firm Blackwell Sanders Peper Martin LLP, concurs but adds companies may still want to review their code point by point to make sure it covers all of the provisions in the new law and that they have a “full-blown compliance program in place.” The proposed SEC regulations under Sarbanes-Oxley make it clear the code should promote “compliance with applicable government laws, rules and regulations.”

At many companies, such reviews are already under way. “A number of companies are taking a hard look at their codes and making sure they’re current and sharing them with their boards of directors,” says Deloitte & Touche’s McAvoy. “They’re also taking a look at the financial reporting aspects and making sure they are as robust as they can be.” Meanwhile, the Ethics Officers Association reports that about 100 companies have hired ethics officers through October of 2002 alone.

Hill says his firm is telling clients their entire organization, not just the CFO, must be prepared to deal with compliance issues. “Sarbanes-Oxley covers the CFO, but in its October 16 statement, the SEC makes it clear it’s going to expect the entire organization to comply with the law,” Hill says. By way of example, the proposed SEC regulations mandate that a company’s code of ethics apply not only to senior financial executives but also to the “principal executive officer,” even though that position was not specified in the act.

According to the London-based Institute of Business Ethics (IBE) (www.ibe.org.uk) a code of ethics should include a preface, signed by the chairman or CEO, explaining what values are important to top management in conducting the business. It should then cover these key areas:

The purpose of the business and its values.
Employee relations including working conditions, recruiting, training, discrimination policies and use of company assets by employees.
Customer relations guidelines.
The importance of protecting the investment made by shareholders or other investors.
Relationships with suppliers.
How the company relates to society as well as to the wider business community.
How the company will implement the code, including training.

The IBE also advises any company drafting a code to find a champion—hopefully the CEO—who is prepared to drive the introduction of a business ethics policy. Without this support, there is little chance the company will find the code a useful tool. The board of directors should also endorse the ethics policy.

WILL IT WORK?
Whether any of this will prevent unethical behavior is uncertain, although most experts say codes can make a difference when companies develop and implement them properly. “There’s nothing we can do to prevent a crook from stealing if he or she wants to,” says ethics committee member Wilgenbusch. “If people are greedy, a code won’t prevent them from behaving unethically. But if the CEO gets the company’s top 20 people in a room and says, ‘We’re going to adhere to both the spirit and letter of the law; we’re going to play by the rules in every sense of the word and anybody who steps across that line of ethical behavior not only will be discharged immediately but prosecuted to the full extent of the law,’ then you are going to avoid unethical behavior.” That’s a goal every accountant can endorse.