Jonathan G. Katz
Securities and Exchange Commission
450 Fifth Street, NW
Washington, DC 20549-0609
Please forgive the brevity of my email regarding feedback on the implementation of Sarbanes-Oxley internal controls.
Let me start of by saying that I, and the rest of the leadership of the company I work for, whole-heartedly support the requirements of Sarbanes-Oxley. And, just to repeat what was asked for in the Sarbanes-Oxley Act, in summary, it requires that a company: 1) document its internal controls 2) test the controls to ensure they are functioning as designed 3) opine on the controls and 4) engage the external auditor to opine on the controls. I'm confident that it would be the rare exception to hear anyone in a leadership position of publicly traded company object to these four requirements. Where I believe the real injustice comes is the PCAOB's required use of COSO and the almost literal, and required, application of every element of COSO. So, rather than comment on Sarbanes-Oxley, my comments are more directed to PCAOB and COSO.
Now then, let me provide the following comments:
- In a round-table discussion I participated with CFOs and CEOs, there was a uniform view that companies realized virtually no value from the work that was done for COSO. Moreover, it was universally believed that the shareholders received minimal benefit.
- Failures of the likes of Enron and WorldCom will most likely not be prevented by way of the "boxes" that need to be checked to get a "clean" opinion from the accounting firms.
- COSO is a box-checking exercise that leaves little room for management and auditor judgment.
- The use of COSO is admirable, but not practical.
- The focus on COSO has lead to a lack of focus on many parts of the business.
- Rather than get the proper focus on the real risks of the business (risk based auditing), the requirements of the PCAOB/COSO/Accounting firms' interpretation of what needs to be done, has lead to auditing almost everything.
- In a discussion with investment analysts and investors, they observed that they got little if any satisfaction from the Sarbanes efforts. It will be interesting to see what comments they, or at least those that do comment, offer.
- Our accounting and finance staff would rather work in areas other than finance now that they have to meet the demands of COSO. This is a real pity in that what will eventually happen is the best people will focus their careers elsewhere, leaving the less talented/less capable people to help the company address very complex (and getting more complex each day) accounting rules.
- I personally do not like much of what I have to do as a CFO now being driven by COSO.
- The accounting firms are ill-prepared to give practical advice on the requirements for the implementation of COSO.
- The accounting firms' fear of PCAOB is at an almost humorous level.
- We found that the "rules" changed almost monthly as to what was needed or required.
- The local audit partners have been reduced to managers - they no longer have any confidences on what needs to be done, nor ability to "sign-off" without a national office directive. This has obviously lead to longer cycles, higher costs and significant frustrations when dealing with tighter filing requirements.
- The accounting firms have little to offer in advice other than to "over-do" the process. They communicate such to the CEO, CFO and audit committees and, in turn, each party feel as if they have little choice other than direct full deployment of resources so that the company and they will not be criticized.
- The accounting firms have moved to a position where they will not offer advice on the application of complex accounting. They advise you that if they have to weigh in, they may have to give you an adverse controls opinion. Where does that leave us with regard to SAS 50 (amended by SAS 97)?
- The real winners are the accounting firms - they all doubled, or more than doubled, their audit fees. Seems to be a real injustice given they were part of the problem. They are the biggest benefactors, not the shareholders, employees or customers.
- The requirements of getting every fee item approved by the audit committee is impractical and illogical. I readily understand the independence issue. And, I believe there should be some guidelines provided that guide the committee members on when and where the lines begin to blur. But, to regulate the approval requirements to the point that each time you need the assistance of the accounting firm (on accounting, tax, business combinations, controls, etc., matters), you have to get the audit committee involved at an operational level within the company to proceed. On the other hand, the measure of non-audit to audit fees was made a lot easier this year due the to more than doubling of audit fees - doesn't this seem illogical and wrong? Audit committees should be responsible to approve the fee and services - why not let it to the good judgment of the committee members?
- The requirements for what constitutes a "significant deficiency" should be re-evaluated. As and example, here are two of the significant deficiencies disclosed to the company's audit committee:
- "Reference checks are to be performed on all new key staff involved in the controls over financial reporting. Testwork indicate that no records are maintained of the reference checks being performed."
- "In order to establish and effectively communicate entity-wide objectives and strategies, weekly operational meetings are held with the two processing segments. Testwork performed indicate no records of the meetings are maintained."
While I'm sure that it was anticipated that the outcome of the new definitions would bring to the audit committee's attention issues of the likes that lead to the failure of the Enrons and WorldComs, it didn't. As you can see, it lead to us having to focus time and energy in the business on making sure I document my reference checks - hardly the outcome anticipated.
I listened to one CFO who described his company's regard for the external audit firm and the OCC bank examiners as having flipped. In the past they looked to the accounting firm to provide value added services while they regarded the OCC as non-value/box checking in-experienced auditors with little ability to apply judgment. Now they see the OCC as the value added provider. Where does that leave us with regard to looking to the accounting firms to help guide us through the complexities of the accounting matters we must address (like derivatives, variable interest entities, taxes and options just to name a few)?
In the most sincere way possible, I express a personal and dedicated interest in seeing something good come of the Sarbanes-Oxley Act. Often times, to correct for some deficiency, the remedy results in the pendulum swing too far. I believe the pendulum has swung too far and needs to be brought back more to the center.
By way of suggestion, I believe there are three areas, that if properly addressed, would put an end with the injustices faced by investors and employees of the likes of Enron and WorldCom. They are:
- Disallow "absurd" compensation levels that are driven solely on stock price. Leaders should be compensated based on production of real value - measured in cash. Accounting manipulations generally happen when a company is not performing and the accounting manipulations only serve to make it look like it is performing better. And, unfortunately, I believe, the new rules on income statement treatment of options will do little to discourage the abuses we've seen.
- Prison penalties should be increased significantly - if you cheat, you go should go to jail! I believe the adage of 'locking someone up and throwing away the key' is most appropriately used here.
- Limitations should be placed on the amount of company stock that can be held in employee savings/retirement plans.
Let's face it, the failures that lead to the Sarbanes-Oxley Act had little to do with control structures and more to do with the fact that people wanted to cheat. We should focus on what drove or promoted their interest to fraudulently account for matters. The nature of their fraudulent actions/accounting manipulations will most likely not be detected in an audit of controls. If they want to cheat, this only serves to make it a harder, but crooks will do what they want to do provided the payoff is big enough.
As I noted, I would be most willing to be helpful in any way possible to assist in delivering something useful out of the aftermath of Sarbanes-Oxley.
Executive Vice President and
Chief Financial Officer
Euronet Worldwide, Inc.