The 404 Monster

The board of Umpqua Holdings Corp. in Portland, Oregon, has worked closely with management over the past decade to craft a retail-oriented strategy that has transformed $5 billion Umpqua from a small rural bank into the state’s largest independent. Lately, though, directors have been devoting much of their time to meeting the demanding new reporting requirements laid out in Section 404 of the Sarbanes-Oxley Act, the meat of which comes due this reporting season.

Simply stated, 404 requires that managements of publicly held companies prepare a “report on internal control over financial reporting,” and then get auditors to sign off on it. The goal is to assure jittery investors that financial reports are accurate in the wake of accounting scandals earlier this decade at Enron, WorldCom, and others.

As Umpqua’s board and management have learned, however, there’s nothing simple about it. Over the past few quarters, the company’s audit and governance committees, like their counterparts at some 5,000 other SEC-registered companies, have ploughed through numbers, policies, and procedures and gotten weekly phone updates on 404 implementation. Now they are awaiting final feedback from auditors on those efforts.

Umpqua chairman and CEO Ray Davis says his directors have been frustrated by the costs and time involved. “It’s an incredibly difficult and labor-intensive process. Do I think it’s necessary, because of what happened [with Enron]? You bet I do. The government came up with a great premise for safeguarding investors. But it’s turned into an absolute monster,” he says.

Nevertheless, his board members are committed to getting it right. “I don’t care what it costs at this point, or how hard it is. These are the rules, and we have to get on with it,” Davis says. “This bank is going to be in compliance.”

Umpqua’s board is far from alone. Because banks already are highly regulated, they’re presumably better prepared for the rigors of 404. Will Anderson, a securities partner with Bracewell & Patterson LLP, a Houston law firm, says much of the language of Sarbanes-Oxley was borrowed from FDICIA, the 1991 law that boosted bank oversight.

Even so, as a foundational piece of Sarbanes-Oxley, 404’s key requirements go beyond what regulatory agencies typically demand. The law requires companies to issue a report that asserts management’s “responsibility” for internal control, identifies a framework to evaluate it, and provides an assessment of the organization’s internal control over financial reporting. An external auditor must then attest to, and report on, that assessment.

The brevity of the management and auditor reports—in most cases, they’re expected to be one-page statements attached to the 10K—can be deceiving. The SEC has noted that its “goal” is “to eliminate or reduce duplicative reporting requirements” on banking companies, and it has given them a choice between filing two separate reports—one for regulators, another for 404—or one all-encompassing document. That doesn’t seem to have had much impact on workloads.

The law calls for controls in virtually every aspect of a company’s operations, from securities portfolio management and cash-collection practices to information technologies and personnel policies, to be documented and tested. According to a recent OCC survey, some large banks found they were lacking the IT expertise needed to perform the process. One auditing firm has suggested that clients inventory every single spreadsheet within the company by location, who has access to them, whether they’re password-protected and their potential impact on financial statements. For some institutions, that amounts to millions of documents. “Any transaction that could be of material consequence to the bank has to be tested,” Davis says. “That’s a lot more detail than what we face from regulators.”

“It’s both exhaustive and exhausting. And it really raises the stakes of being a director,” confirms David Frohnmayer, president of the University of Oregon and a member of Umpqua’s audit committee. Frohnmayer has served on several boards, but says he’s never encountered anything approaching “the sheer amount of detail and minutiae” the law requires. “It’s really quite complicated, and has involved a lot of extra meetings and some very, very expensive accounting and legal bills,” Frohnmayer says. All directors, but especially those on the audit committee, “need to be more knowledgeable about financial matters, on a more-intimate level than before.”

Companies that discovered “material weaknesses” in their control processes had until the end of the year to correct those flaws. In some cases, that means putting down in writing controls that heretofore have been done less formally; in others, it requires reworking how certain functions are performed.

Weaknesses that weren’t fixed—or those that are discovered by auditors in their post-year-end testing—must be disclosed in 10K filings. Firms that don’t file “will be considered deficient,” and in violation of the Securities and Exchange Act of 1934, Anderson says. They could face fines and see their access to capital markets limited for a year.

The risks are ostensibly higher for banks than other companies. The OCC and FDIC have instructed examiners to review 404 documentation as part of their compliance assessments and to include any weaknesses revealed in a “matters requiring attention” section of the exam report. “The bank’s reputation risk may increase if full compliance with [Sarbanes-Oxley] is not achieved,” wrote Emory Rushton, the OCC’s chief national bank examiner, in an October memo.

Directors would likely not face individual sanctions. But their risks could increase indirectly—if a filing is complete but discloses weaknesses. Ratings agencies Standard & Poor’s and Moody’s Investors Service have said they will weigh 404 filings as part of their ratings procedures. If investors drive share prices down because of a 404 filing that reveals inadequate controls, Anderson says, a class-action suit could follow. “It’s likely we’ll see some litigation coming out of this,” he adds.

Companies eager to avoid the “material weakness” tag have been ringing up multimillion-dollar bills on their efforts to comply, but most companies are expected to report at least some shortcomings. Already by December, some had pre-emptively revealed problems in areas such as month-end closing processes, account reconciliations, personnel training, and poor segregation of duties.

The workload demands on auditors have become so pronounced that in November the SEC gave accelerated filers with market caps between $75 million and $700 million an additional 45 days to file their statements. For calendar-year filers, that delays the deadline from mid-March to the end of April. But it’s a mixed blessing: Those companies still must file all other parts of their 10Ks by the usual deadline, and any company findings and corrections still had to be completed by year-end. That has led some skeptics to refer to the ruling as an “auditor relief act.”

Companies with market caps above $700 million must stick to the original schedule, while those below $75 million aren’t required to file 404 materials until after July 2005.

And while Rushton’s memo noted that larger banks were getting good advice from outside auditors, Anderson says auditors have told several of his smaller clients that “management needs to figure out how to account for things, and then we’ll audit it and tell you if it’s right,” because of time constraints and legal concerns. Frohnmayer says Umpqua has gotten help, but adds that “there’s a little bit of a ‘gotcha’ attitude” among auditors. “It tends to put you in an adversarial position with your accounting firm and creates an arm’s-length relationship with people who ordinarily would be your most-engaged allies.” Relations with management, he adds, also have been tested.

While the report is management’s responsibility, audit committees help manage the process and will be on the receiving end of any auditor findings. If changes in internal controls are required, the audit committee must set a timetable and oversee the process, Anderson says. “There are a lot of audit committees and managements frustrated by the process,” he says.

Indeed, some bankers have concluded they’d rather switch than fight. The board of Georgian Bancorp, a $700 million company in Powder Springs, Georgia, recently decided to buy out smaller shareholders and take the company private after raising $50 million from private investors. “We don’t need public status to raise capital,” explains Chairman and CEO Gordon Teel, “and the out-of-pocket costs you have to spend on lawyers and auditing and compliance for Sarbanes-Oxley are incredible. It’s just not worth it.” [See related story, page 22.]

For other institutions, 404 could amount to a tipping point in their struggle to remain independent. Davis, who was a banking consultant in a past life and retains contacts around the country, says some fellow bankers are contemplating selling their franchises because of the burden. “They’re basically saying, ‘This is too much. All the decisions are being made by the SEC or an accounting firm, so I quit,’” Davis says. “They’re throwing in the towel because of [the 404 reporting requirements.]”

The good news for frazzled managers and directors is that the first year should be the worst. “It’s been a very rough first voyage for everyone,” Frohnmayer says. The upside, he adds, “is that you become a better-informed director. Next year should be easier.”
