Does Honesty Pay Off?

For Bob Travatello, the benefit of complying with Sarbanes-Oxley is calculated in prison time: “The ROI is keeping my CEO and CFO out of jail.”

Travatello is chief information officer for Blue Rhino, a Winston-Salem, N.C., provider of propane gas cylinders for backyard grills. Like counterparts at every public and many private companies, he plans to change processes, document them and install new software to comply with requirements of the Sarbanes-Oxley Act of 2002. He’d also like to pin down some kind of return to justify the expense.

The law, born in a flood of financial deception and fraud that has cost investors and employees tens of billions of dollars, requires a company’s CEO and CFO to vouch for the financial results at their companies.

That provision went into effect in July 2002, and chief executives have been signing on the dotted line.

But the real stickler of Sarbanes-Oxley is Section 404, which puts executives on the hook for instituting internal processes and controls to detect and prevent fraud.

Indeed, BearingPoint disclosed in its annual report late last month that it would change its processes after auditor PricewaterhouseCoopers found parts of its internal accounting systems and documentation to be “material weaknesses.”

Companies such as Blue Rhino, which has a fiscal year ending shortly after Section 404’s June 15, 2004 deadline, will be guinea pigs for testing whether a company can effectively institute additional approval and control steps for paying invoices, receiving materials and such. The controls will also mean adding fields and codes to existing financial systems to comply with Sarbanes-Oxley requirements.

The law sets fines of up to $5 million with imprisonment of up to 20 years if executives willfully certify results without complying with requirements.

Quips about jail time aside, Travatello does expect Sarbanes-Oxley to eventually deliver a return because compliance will make his company more efficient and clarify processes such as invoicing. Before Sarbanes-Oxley, if a Blue Rhino delivery driver picked up an invoice with the wrong price and date, one employee could correct the problem by amending the invoice. Under Blue Rhino’s new approach, that incorrect invoice would be voided. The driver would have to start a new payment ticket.

Even planned modifications for financial systems are affected. Prior to Sarbanes-Oxley, one of Travatello’s programmers could change a system with one approval. That programmer could make the change, test it and hand it off to a second person to make it live. Blue Rhino now requires three approvals and a new worker to handle each step of the change.

“In the past you were trusted to do your job,” he says. “Now it’s about multiple approval codes.”

Blue Rhino is using Metastorm’s eWorks package to streamline and track its business processes. The software will follow Blue Rhino’s workflow and create documentation for each approval to create a trail for auditors.

“I do expect there to be some kind of ROI,” says Travatello. “But we haven’t put a number on it because we’re identifying what we need to do. After we’re done we’ll get an ROI. It’s important for people to realize it wasn’t a waste of money.”

Some technology executives laugh off questions about Sarbanes-Oxley ROI as purely hypothetical. Others don’t want to talk about it. Executives at large companies such as trucking company Yellow Corp. and insurance firm the MONY Group declined to comment on their Sarbanes-Oxley plans or potential returns.

There may be a good reason for the silence. There may be no return.

Mercury Interactive’s Chief Marketing Officer Christopher Lochhead considers Sarbanes-Oxley another corporate tax. “We know there’s a lot of ‘I,’ but in reality there may be no ‘R.’”

The perceived lack of a return for Sarbanes-Oxley hasn’t prevented a few executives from considering their options. Here are the three most common:

  • Assume there are no returns and see compliance as a cost of doing business;

  • Use the act as an excuse to consolidate and make processes more efficient; or

  • Don’t comply and take your chances with the Securities and Exchange Commission.

SEC spokesman John Heine says his agency will ask civil authorities to levy penalties if a company doesn’t certify its results or comply with Sarbanes-Oxley rules. “We’d ask for injunctive remedies and monetary penalties,” he says. “The amount would depend on the situation.”

When it comes to monitoring Sarbanes-Oxley compliance, the SEC is primarily relying on a company’s auditors, which have to attest to the results. The SEC doesn’t have any electronic means to probe processes lying behind the financial certifications by top executives and the usual regulatory filings. Regulators did get $98 million in fiscal 2003 to hire 200 more foot soldiers to scrutinize auditors and companies.

In any event, companies are shelling out big money on compliance. AMR Research analyst John Hagerty has a “million per billion” rule of thumb. If a company has $5 billion in revenue, it is spending roughly $5 million on Sarbanes-Oxley. That estimate, however, appears to be conservative. Mercury Interactive, a company on pace for $500 million in revenue this year, is spending “well north of $1 million,” says Lochhead. Blue Rhino, which has annual revenue of about $258 million, plans to spend $500,000 to comply.

Those tallies contrast with an SEC estimate predicting Sarbanes-Oxley compliance will cost companies an average of about $91,000.

AMR’s Hagerty reckons that the Fortune 1000 will collectively spend $2.5 billion on Sarbanes-Oxley compliance, roughly 0.3% of revenue.

Trying To Comply

Companies trying to comply are doing everything from standardizing enterprise planning software packages to consolidating applications. Meanwhile, processes for tracking the flow of money inside a company are being documented. The end result may be additional auditing and consulting fees.

Although the investment side of the ROI equation is relatively clear, calculating returns is more difficult.

For starters, companies may not have funds allocated specifically for complying with Sarbanes-Oxley. Compliance is a “mandate” project that gets the go-ahead regardless and diverts money from other plans. Wireless service provider Cingular Wireless, a private company that has to comply with Sarbanes-Oxley because it has publicly traded bonds, lumps its compliance budget in with its internal auditing budget.

Irving Tyler, CIO at Quaker Chemical, says his Sarbanes-Oxley budget is largely tied to auditing and consulting costs and documentation.

For Quaker, much of the heavy lifting for Sarbanes-Oxley was accomplished when the company rolled out J.D. Edwards’ enterprise planning software globally and SAS software for business intelligence.

That installation, which has ROI targets separate from Sarbanes-Oxley, unified global plants and gave the company more streamlined business processes. Any ROI calculation for Sarbanes-Oxley compliance would exclude Quaker’s enterprise software investment.

Currently, Tyler says the company is documenting processes and cutting redundant steps as needed to comply with the law and hopefully save money.

“Why document and leave processes alone?” says Tyler. “The company that just complies is missing an opportunity.”

Rich de Moll, vice president of finance and employee transformation at Cap Gemini Ernst & Young, says many of the Sarbanes-Oxley returns will be soft benefits, items that can’t be quantitatively measured. “Sarbanes will provide better information to decision makers,” such as real-time statistics on sales and inventory, says de Moll. “But that’s harder to measure.”

Hagerty says companies using Sarbanes-Oxley to refine processes and to simplify infrastructure through hardware and software consolidation should be able to produce a return.

For instance, standardizing business processes worldwide could allow a company to cut workers and share services across divisions for a savings of as much as 30%, according to AMR.

Perhaps the best way to determine the returns for Sarbanes-Oxley would be not to comply, a choice no company would advertise. Under this scenario, a company could refuse to certify its results and play chicken with the SEC. Lack of certification wouldn’t necessarily indicate fraud.

Although executives say they won’t be surprised if some companies fail to comply, no one is volunteering to be a test case. How do you put a value on your corporate reputation? Hypothetically, there could be a better return for not complying, but a company would likely be delisted from the stock markets, raising its cost of capital. WorldCom lost more than $20 billion of market value over what later became $9 billion of financial fraud. A willfully noncompliant company also is likely to be hit with shareholder lawsuits and other litigation expenses.

PricewaterhouseCoopers partner Richard Anderson says that electing not to comply could be treacherous. That would put a company “in uncharted waters with what the SEC will do and how they will do it.”