Editor’s note: Jim Verdonik is a principal in the Research Triangle Park law firm Daniels Daniels & Verdonik, P.A. He is also founder of www.BoardStrategies.com and www.TecCoach.com. TechLaw is a regular feature in Local Tech Wire.
_______________________________________________________________________________________The historian, George Santayana, is quoted as saying:

“Those who cannot learn from history are condemned to repeat it.”

So, what has that got to do with Section 404 of the Sarbanes-Oxley Act?


Back before the end of the 20th Century, some people worried that all computers would malfunction, businesses would grind to a halt and society would disintegrate.


Because software designers had not planned for computers to change from year 1999 to 2000.

In retrospect, the frenzy caused seems very … silly … stupid … irrational, but it was a fear held by many people. Some people were buying guns and hoarding food. No kidding. Not everyone involved in the Y2K madness was a nut case. Take the Securities and Exchange Commission, for example.

The SEC required all public companies to disclose:

  • Whether they had completed an assessment of how Y2K might affect their business; and

  • Whether management believed Y2K issues would have a material affect on business, results of operations, or financial condition.
  • The required analysis applied not only to the company’s own computers, but to the computers of its customers, venders, lenders, insurance companies, telephone and other communications suppliers.

    Tens of billions of dollars were wasted trying to comply with this requirement. Dollars that enriched … IT consultants … lawyers … software programmers.

    It was a monumental boondoggle. Y2K was totally harmless.

    I would like to think we all learned the lessons that government interfering with the internal operations of companies leads to massive waste and we shouldn’t let mass hysteria dictate policy decisions.

    Unfortunately, if we learned any lessons from the Y2K fiasco, Congress forgot it quickly. Less than two years later, in response to corporate scandal hysteria in Year 2002, Congress enacted Section 404 of the Sarbanes-Oxley Act, which again required disclosures about internal systems designed to counter phantom problems.

    Notice how Section 404 parallels the Y2K requirements to make disclosures about internal systems. Section 404 provides:

    a. The Commission shall prescribe rules requiring each annual report . . . to contain an internal control report, which shall –

    1. state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
    2. contain an assessment … of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

    b. … Each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer.

    Section 404 does have brevity on its side. Of course, if you know as little about business as Congress does, brevity may be a necessity.

    Just like Y2K, many people are ready and willing to help companies comply with this open-ended requirement … for large fees, of course.

    A Riddle and a Costly Answer

    Here’s a riddle for you.

    What do you get when you close down one of the Big 6 Accounting Firms, threaten accounting partners and CEOs with jail time and enact corporate accounting reforms?

    Answer: Paranoid, but rich accountants.

    Companies spent $35 billion last year trying to comply with the Frankenstein monster Congress stitched together out of spare parts lying around the Capitol building. More fees are being generated as you read this article. Now what do we do?

    On May 16, 2005, both the SEC and the Public Accounting Oversight Board (“POAB”) screamed: “IT AIN’T OUR FAULT! ACCOUNTANTS AND COMPANIES ARE DOING TOO MUCH.”

    According to the SEC and the POAB, during the three years of Sarbanes-Oxley, the accounting profession and corporate America changed from being nests of thieves and con artists to being overzealous compliance freaks.

    Of course, it’s easier to blame public companies and accountants than to blame the media for whipping up frenzied public rage over corporate fraud and a panicked Congress for writing legislation that doesn’t address real problems, wastes tens of billions of dollars each year and provides little guidance about how to comply with the law.

    A One-Finger Salute From Congress

    Yes, it’s definitely the fault of the accountants and corporate executives. Legislators and regulators apparently have no duty to clearly define what they want companies to do. Just yell “DO SOMETHING OR ELSE!” and see what happens seems to be our public policy. Then, if the results are totally absurd, point finger fingers at others. Growing up in Brooklyn, I learned a lot about giving people the finger. Section 404 is Congress’ way of giving corporate America the finger.

    What is the guidance from on high about what Congress really meant when it passed Section 404? Here is what the SEC and POAB think Congress meant and how companies and auditors messed up:

  • Independent auditors and management should communicate with one another more closely. Of course, Sarbanes-Oxley and the media frenzy surrounding corporate fraud cases mandated creating more arms length (some might say “antagonistic”) relationships between outside accountants and corporate management. So, after creating walls between companies and their auditors, the new mantra is “communicate better.”

  • External auditors can rely on the work of others hired by companies to evaluate control systems. Auditors do not have to duplicate all the work done by company personnel, but will accounting firms risk liability exposure for opinions where others are paid large fees to do most of the work?

  • Audits for Section 404 compliance should be conducted as part of the general financial statement audit, not as a separate project.

  • External auditors should focus on big picture risks and leave internal auditors to handle smaller risks. Deciding what is big picture and what is smaller risk will be the key issue. Of course, deciding something is a small risk, carries liability exposure.

  • Accountants and management should focus first on company-wide controls rather than controls related to departments or offices.

  • Internal systems must be evaluated and material weaknesses disclosed so that investors can decide how the risks should affect their investment decisions. Most companies have not wanted to admit to weaknesses and so have focused on trying to fix controls so that there are no weaknesses. Trying to create perfect systems created cost overruns and inefficiencies. Will companies now switch to disclosing weaknesses, living with imperfections and let investors decide?
  • Threat of Jail Time

    Why didn’t all the recommendations happen the first go round with Section 404 compliance?

    That’s easy to answer.

    CEOs told their people that the SEC was going to put the CEO in jail, if this didn’t get done right, so they better not screw up. At the same time, the Big Four Accountants decided Section 404 was a golden goose to replace the consulting fees they lost under Sarbanes or that had disappears after Y2K had passed, so clients had to pay big bucks to document every detail.

    This was obviously a recipe for disaster. No business can run efficiently if the penalty for mistakes is going to jail. Mistakes are different from fraud.

    The question is whether the recent guidance by the SEC and POAB will overcome this basic weakness in Sarbanes-Oxley.

    What would you do if you were the CEO facing possible jail time?

    Would you quibble about the accounting bill?

    The one good thing about the Y2K mess is that it had a definite ending. When the world didn’t fall apart on January 1, 2000, the hysteria and wasted spending stopped.

    Unfortunately, unless Congress acts to change Section 404, the wasteful spending forced by Section 404 will continue forever.

    Daniels Daniels & Verdonik, P.A. has been serving the legal needs of entrepreneurial and high technology clients for more than 20 years. Jim Verdonik concentrates his practice in the representation of entrepreneurial and technology-based businesses, focusing on securities and corporate law. Comments or questions can be sent to jverdonik@d2vlaw.com