tung by the high-profile accounting scandals that drove some the nation’s leading companies into bankruptcy court, Congress and other regulatory authorities have taken up their pens in an attempt to legislate business behavior. The Sarbanes-Oxley Act, which President Bush signed into law in July of 2002, requires publicly traded companies to disclose whether they have adopted a code of ethics for their senior financial officers, and if not, why. They also must report promptly any amendments to or waivers from the code.
The New York Stock Exchange, meanwhile, proposed new corporate governance standards which—if the SEC approves them—would require companies traded on that exchange to adopt corporate governance guidelines and a code of business conduct and ethics for all employees. CPAs can help employers or clients navigate these new rules and create a code of ethics that complies with all of the requirements.
Even for CPAs who don’t toil as principal financial officers, comptrollers or principal accounting officers—job titles Sarbanes-Oxley specifically targets—the new law introduces a raft of issues. As interpreted by the SEC in the proposed rule-making notice it issued on October 16, 2002, Sarbanes-Oxley does more than suggest companies have a code of ethics for senior financial executives.
Once SEC rules are finalized, section 404 of the act will require publicly traded companies to file in their annual reports an “internal control report” that outlines what steps management has taken to establish and maintain adequate internal controls and financial reporting procedures, as well as management’s conclusions about the effectiveness of those controls and procedures—a report CPAs and corporate finance departments likely will have a hand in drafting. The report must say the company’s public accountant has attested to, and reported on, management’s evaluation of the company’s internal controls and financial reporting procedures. The company must include a copy of the auditor’s attestation in its annual report.
What’s not clear, says CPA Sherrie McAvoy, national director of corporate compliance and ethics services for Deloitte & Touche in Dallas, is whether an external auditor would be required to formally audit a client’s compliance with its own code of ethics. While her initial suspicion is it would not, she says it won’t be clear until the SEC issues final regulations. An SEC spokesman notes that Sarbanes-Oxley gave the agency 180 days from the date of the law’s enactment, or roughly until the end of January 2003, to issue final rules.
CPA Richard Steinberg, head of the corporate governance practice for PricewaterhouseCoopers in Florham Park, New Jersey, takes a similar view. “As they look at internal controls, the external auditors are going to focus on this (the code of ethics),” he says. “Not that they’re going to audit it, but they’ll consider it as they assess the company’s control environment.”
Today, says McAvoy, surveys her firm conducted show approximately 95% of Fortune 1000 companies have a code of conduct. Stuart C. Gilman, president of the nonprofit Ethics Resource Center in Washington, D.C., says many private companies have such guidelines as well; he estimates that altogether there are more than 3,000 ethics officers working in the United States.
What’s different now that Sarbanes-Oxley is on the books? According to McAvoy, the new law puts more emphasis on financial reporting, particularly its accuracy. This could translate into more responsibility for CPAs. Section 301 also mandates that companies put in place a mechanism for employees to raise concerns about financial reporting matters—confidentially and anonymously. The SEC’s proposed rules for implementing section 406 go on to say the code of ethics should identify the person or persons to whom employees should deliver those anonymous reports.
Establishing a process for rank-and-file employees to confidentially report code violations is a critical component of any ethics program, according to McAvoy. Most of the companies that already have established such procedures assign a case number to each complaint or tip an employee makes so he or she can track its progress. In addition, the person to whom employees report alleged violations is generally someone outside the ordinary chain of corporate command—an ethics or compliance officer, for example, or an ombudsman—who nonetheless has access to the company’s top executives and its board of directors.
The WorldCom case amply illustrated the perils of having employees report complaints to a senior executive with routine corporate responsibilities. Internal auditors who uncovered the company’s accounting fraud reported it to the company’s then CFO Scott Sullivan. The federal government now alleges Sullivan instigated the fraud and attempted to block the internal investigation. According to an in-depth report The Wall Street Journal published in October of 2002, WorldCom didn’t finally acknowledge, make public and address the fraud until its vice-president of internal audit, Cynthia Cooper, took damaging evidence to the company’s audit committee.
Many CPAs will have a role in helping companies comply with Sarbanes-Oxley. Certainly, those in corporate finance departments can be expected to be involved in drafting or reviewing those portions of their company’s code dealing with financial matters, says Nancy Wilgenbusch, president of Marylhurst University in Portland, Oregon, and a member of the AICPA ethics committee. The portions of the code CPAs might handle would range from insider trading to appropriate and accurate expense reporting, acting as good stewards of company assets, avoiding conflicts of interest and assuring accurate corporate communications with the public. To the extent the code of ethics includes quantifiable measures of accountability concerning items such as insider trading or entertainment expense reporting, for example, Wilgenbusch says CPAs are ideally suited, by virtue of their training and professional expertise, to evaluate or test the results.
External auditors would also appear to have a role in assessing compliance with codes of ethics, if only in the context of a code’s being part of a company’s internal control process. Gilman encourages outside auditors to go a step further: For each client, the auditor should sign a statement noting that it understands and accepts the client’s code of ethics. “This allows the outside auditing firm to comport with the company’s internal environment,” Gilman says. “It permits a level of independence and says, ‘We’re willing to obey and abide by the same set of standards the organization holds itself to.’”
DOING IT RIGHT
Is the action legal?
While it’s difficult to calculate a hard return on investment for drafting and implementing a code, Bruce Pfau, national practice leader for organization measurements at Watson Wyatt Worldwide has tried. A survey his consulting company conducted in 2000 found workers who believed their company operated with honesty and integrity showed higher levels of commitment to their employer in terms of job satisfaction and company pride than those who judged their employer to have low ethical values. Pfau also found companies highly rated by their employees for honesty and integrity produced, over the previous three years, a higher return to shareholders (112%) than poorly rated companies (76%).
PUTTING TOGETHER A CODE
But most experts say it would be far better to create a code of ethics for the entire company, one that applies to all employees and builds on their input. Under the proposed changes to the NYSE listing requirements, such a policy would be required of all companies trading on the Big Board.
The challenge companies face—whether creating an entirely new code or reassessing and upgrading an existing one to reflect Sarbanes-Oxley—is to draft a document that isn’t just decoration on the company bulletin board but instead helps employees live up to the ethical standards investors, legislators and regulators demand. “We’re terrified here of what we call the three Ps—the print, post and pray syndrome,” says Gilman. “You print a code of conduct, post it on the wall and pray people actually read it.”
According to Gilman and other ethics professionals, the correct approach is to bring together a multidisciplinary team from all parts of the organization—finance, sales, human resources, operations, marketing, executive—to draft a code, communicate its importance to employees and then involve them in seminars to help understand how the code applies to them and their colleagues. Finally, says Minneapolis-based ethics trainer Nan DeMars, author of You Want Me To Do What? (Fireside, 1998), senior management must follow through and hold people accountable for complying with the code.
One way to make a code of ethics come alive for employees, DeMars says, is for human resources to plan training sessions that engage them in discussions about real-life or theoretical ethical dilemmas they might expect to handle on the job. The more specific the situations are to the particular company, the more valuable they will be. DeMars gives these examples of the types of questions she might pose in a seminar: “You are the assistant to David Duncan, lead auditor for Arthur Andersen. You know the firm is about to be subpoenaed. He asks you to shred documents. What would you do? Or, you are Sharon Watkin’s assistant at Enron and you type her memo to Ken Lay warning him of the possibility Enron will implode if its current accounting practices continue. Now that you know the company is in trouble and your boss is aware of this, what do you do?”
“You’ve got to take the words as well as the legal requirements and translate them into understandable practices,” agrees John J. Castellani, president of The Business Roundtable, an association of CEOs of leading corporations. “Ultimately, doing so gives you a very strong tool. When employees violate the policy, they are dismissed.”
DeMars and others agree ethics programs don’t achieve much when they are handed down by senior management with little input from other employees or when senior managers themselves fail to abide by the code or neglect to stress its importance. Enron had a rigorous code of ethics, for example, yet it fell victim to unethical behavior in part because its board of directors twice voted to suspend the code to allow the company’s former CFO, Andrew Fastow, to launch business activities that created, for him, a conflict of interest. Ethics professionals warn against viewing educational programs as a once-and-done procedure. “Ethics training is perishable,” Gilman says. “People forget.” To deal with this problem, companies should schedule regular refresher courses for all employees.
Elsewhere, the nonprofit Practicing Law Institute in New York City offers programs on ethics and corporate compliance several times a year, says McAvoy, and has published a series of books on the topic. All that said, Gilman cautions companies against off-loading too much responsibility to outside consultants. “Ethics are one of those things where you don’t want someone doing an assessment and charging you a lot of money to tell you what you want to hear,” he explains. The best ethics code is one drafted in-house.
Many companies that already have a code of ethics are unlikely to need a new one to respond to Sarbanes-Oxley, says attorney Tom Patton, a partner with Tighe Patton Armstrong Teasdale PLLC in Washington, D.C. This is especially true since the new law doesn’t require a company to publish its set of guidelines but merely to confirm it has one. “The statute defines a code of ethics in very broad terms, so you have to make sure your existing code meets all of them; assuming it does, you probably don’t need to develop a new one,” he says.
Stephen Hill Jr., a partner with the Kansas City, Missouri, law firm Blackwell Sanders Peper Martin LLP, concurs but adds companies may still want to review their code point by point to make sure it covers all of the provisions in the new law and that they have a “full-blown compliance program in place.” The proposed SEC regulations under Sarbanes-Oxley make it clear the code should promote “compliance with applicable government laws, rules and regulations.”
At many companies, such reviews are already under way. “A number of companies are taking a hard look at their codes and making sure they’re current and sharing them with their boards of directors,” says Deloitte & Touche’s McAvoy. “They’re also taking a look at the financial reporting aspects and making sure they are as robust as they can be.” Meanwhile, the Ethics Officers Association reports that about 100 companies have hired ethics officers through October of 2002 alone.
Hill says his firm is telling clients their entire organization, not just the CFO, must be prepared to deal with compliance issues. “Sarbanes-Oxley covers the CFO, but in its October 16 statement, the SEC makes it clear it’s going to expect the entire organization to comply with the law,” Hill says. By way of example, the proposed SEC regulations mandate that a company’s code of ethics apply not only to senior financial executives but also to the “principal executive officer,” even though that position was not specified in the act.
According to the London-based Institute of Business Ethics (IBE) ( www.ibe.org.uk ) a code of ethics should include a preface, signed by the chairman or CEO, explaining what values are important to top management in conducting the business. It should then cover these key areas:
The purpose of the business and its values.
The IBE also advises any company drafting a code to find a champion—hopefully the CEO—who is prepared to drive the introduction of a business ethics policy. Without this support, there is little chance the company will find the code a useful tool. The board of directors should also endorse the ethics policy.
WILL IT WORK?