“The primary focus is on corporate governance issues, making sure the committees–including audit, compensation and nominating–are working the way they are supposed to,” said Mr. Viola. “We also help clients comply with the Act's reporting, certification and disclosure requirements, which are extensive.”

Sarbanes-Oxley is so burdensome and costly that many smaller companies are exploring ways to “go private,” Mr. Viola noted. “The expense of setting up all the internal controls and the management time involved is just too much for some of them,” he pointed out.

It may be risky not to use outside advisors for various aspects of Sarbanes-Oxley compliance, noted Trent Gazzaway, accounting firm Grant Thornton LLP's national director of corporate governance advisory services.

Mr. Gazzaway, who is also based in Charlotte, explained that “the Act specifically states that an audit committee may engage an outside advisor for independent input.” Failing to obtain such independent advice may be viewed negatively if decisions of the audit committee are subsequently questioned, he added.

The principal services provided by Grant Thornton in connection with Sarbanes-Oxley include “internal advisory services,” which establish the financial controls required by the Act. The firm also provides “audit committee advisory services,” which assist the audit committee in understanding and executing their fiduciary duties, said Mr. Gazzaway. Those services may be provided in conjunction with the client's law firm, he added.

Grant Thornton has also created software to assist clients in complying with the Act's many financial and reporting requirements, Mr. Gazzaway noted. “The biggest technical issue is having an electronic repository for all the internal controls and evaluation of those controls.”

In addition, the firm has a fraud and investment services arm to help clients set up procedures so that “whistleblowers” can report suspected misconduct, Mr. Gazzaway added.

Risk consulting firm Protiviti Inc., based in Houston, Texas, specializes in assisting clients with their internal audit procedures. Protiviti's managing director, Everett Gibbs, explained that providing services relating to Sarbanes-Oxley requires the following core competencies:

Expertise in company processes, especially financial management.
Accounting skills, including having CPAs on staff.
A database that knows what the key corporate internal controls are.
Deep comprehension of the Act itself.
Supporting technology to store the processes, identify and document risks, and query those accountable.

“Putting in place controls to manage risk and then certifying what takes place” is key, noted Mr. Gibbs. “We have accountants, engineers, security experts, database specialists and technology people to help accomplish that objective.”

Sarbanes-Oxley requires modifications not only in corporate practices and mindsets, but in the technology used to run the business. AMR Research, a Boston-based research and advisory firm, provides advice on the information technology implications of the Act.

“About 85 percent of companies may have to make changes to or refine their IT infrastructure in connection with Sarbanes-Oxley,” noted AMR vice president John Hagerty.

According to Mr. Hagerty, those changes involve documenting internal controls and business practices, enforcing those controls, and setting up disclosure methods. Expanding or establishing a document imaging system to store digitized records may also be part of the mix, he added.

In addition, AMR can advise on creating a system for reporting and tracking whistleblower complaints. However, Mr. Hagerty pointed out that this has not been a big issue so far because most clients already have such procedures in place.

“We work mainly with the client's auditors, and also with their attorneys and other service providers, to determine the best IT solutions for that client,” Mr. Hagerty said.

Sarbanes-Oxley contains “structural, mechanical and attitudinal” elements, according Stanley Keller, a partner with the law firm Palmer & Dodge LLP in Boston. Mr. Keller makes certain that his clients comply with all three of those elements.

There may have to be structural changes relating to the corporate governance model of the company, such as revamping the audit committee, Mr. Keller explained. An example of a mechanical element is a corporate charter that has to be amended to comply with the Act, or a reporting deadline that has to be met. Attitudinal issues involve management's willingness to effectively perform the oversight role mandated by the law, he added.

All of this is an “amplification” of the advice Palmer & Dodge was giving to clients before anyone ever heard of Sarbanes-Oxley, Mr. Keller pointed out. “There wasn't much new for us. We were already advising on corporate governance, compliance and disclosure.”

What Sarbanes-Oxley did was give new priorities to and place a new focus on boards and committees fulfilling their oversight roles, said Mr. Keller. “The Act enhanced and accelerated disclosure obligations. Company officials have to say more, say it better, and say it faster.”

Executives who want Sarbanes-Oxley and other financial compliance and disclosure advice via the Web can turn to Compliance Week, a Boston-based electronic newsletter devoted to this purpose. The newsletter's circulation of 30,000, after only a year in existence, testifies to the hunger corporations have for this type of information.

“Our readers are mainly financial executives at U.S.-based public companies,” said publisher Scott Cohen. “Our mandate is to provide resources and best practices so they can do their jobs better. That's our sweet spot.”

The Web site also contains a list of “compliance providers,” which is a convenient overview of the variety of outside services relating to Sarbanes-Oxley. These include firms that do one or more of the following:

Facilitate compliance with record-retention rules.
Assist in meeting requirements relating to mandatory Web access of corporate filings.
Help to comply with rules requiring insiders to electronically report stock trades.
Develop codes of business ethics.
Help to comply with financial reporting requirements and deadlines.
Offer fraud examinations, forensic and security auditing, and vulnerability analyses.
Rate and rank corporations' governance practices.
Provide whistleblower reporting systems.

“The number one compliance issue facing corporations today is related to the new internal controls rules,” Mr. Cohen noted. “The amount of work required to document and monitor financial controls is staggering,” he explained. “Limited resources and disparate systems are making the required attestations even more difficult to make.”

Reproduced from National Underwriter Edition, July 7, 2003. Copyright 2003 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.