When President Bush signed the Sarbanes-Oxley Act into law in July 2002, the problems at WorldCom Inc. were fresh on everyone's mind because the telecommunications giant had sought bankruptcy protection just nine days earlier.
Nearly three years later, WorldCom's former chief executive has been found guilty of fraud and could face a maximum prison term of 85 years, potentially one of the stiffest sentences yet in a parade of white-collar criminals.
But many businesses remain disgruntled about the government's remedy to corporate corruption.
Companies have grumbled about the impact of Sarbanes-Oxley on their bottom line since the law was enacted. Lately, the grousing has reached a fever pitch as the costs to meet one requirement under the law have skyrocketed beyond expectations.
And that has caught the attention of federal regulators.
Executives and auditors are required to attest to the strength of internal controls at publicly traded companies, or the ability to detect fraud and accounting errors. The provision, considered by many to be the most effective tool for heading off corporate mischief, accounted for two paragraphs in the 66-page law.
Things got more complicated - and the paperwork and manpower escalated - as an alphabet soup of federal and self-regulatory agencies imposed rules and guidelines.
U.S. Sen. Paul S. Sarbanes, the Maryland Democrat who co-wrote the legislation with Ohio Republican Rep. Michael G. Oxley, said the law is working. He pointed out that hundreds of companies have disclosed that they found shortcomings in their internal controls and were able to correct them, possibly preventing a fraud and thereby protecting investors.
"The question is, `Do you think a public company listed on an exchange that any investor can buy worldwide should have a system of internal controls?'" said Sarbanes in an interview last month. Last week, Sarbanes announced he will not seek re-election in 2006 after a 30-year career in the Senate. "I haven't run into anyone yet who says `no' in answer to that question."
"Then the question becomes how is this thing being implemented," he said. "How much double-checking is being done, how much paperwork is being required that may not be absolutely necessary? Well, that's always worth looking at."
Securities and Exchange Commission Chairman William H. Donaldson has responded by giving foreign and smaller companies more time to comply and by scheduling a public forum next month for companies to air their concerns. Donaldson told a congressional committee last week that the agency needs "to ensure that the benefits are achieved in the most sensible way."
An initial rough estimate from the SEC put the annual cost for a company to fulfill the law's internal control provision, called Section 404, at $91,000. But in a survey by Financial Executives International, a professional group, companies estimated that the cost is more than $3 million on average.
"The amounts of money being spent on it are staggering. It's almost like being taxed for being a public company," said Geoffrey F. Feidelberg, chief financial officer of CompuDyne Corp., an Annapolis maker of security systems. It put eight full-time workers on the compliance effort and was still unable to file its latest financial results on time.
Investor advocates are warning the SEC not to weaken the Sarbanes-Oxley law by allowing "shortcuts" that would reduce costs. Companies have been relying on outdated or ineffective internal controls for decades, said Laurie F. Hacking, executive director for the Ohio Public Employees Retirement System, a $64.5 billion pension fund.
"Leave Sarbanes-Oxley intact, and reject any proposal by its critics to weaken this important investor protection legislation," Hacking wrote in a letter to SEC officials. "Investors are just starting to realize the benefits."
Companies actually have been required to have a system of internal controls since 1977, when Congress enacted legislation to prohibit bribery of foreign officials for government work. That law compelled companies to implement accounting systems to control and accurately record company assets, in part to prevent "slush funds," or accounts used to make illegal payments.
Sarbanes-Oxley reiterated that companies must have internal controls and also required that an accounting firm vouch for the system.
Under the law, most of the nation's largest companies had to have outside auditors assess their internal controls within 75 days of the new year - today. Already, more than 600 companies have announced that they discovered problems, including difficulties with reconciling accounts or tracking inventory, according to Compliance Week, a newsletter on corporate governance.
Investors might never have known about those problems had it not been for the auditors, said Lynn E. Turner, a former chief accountant at the SEC and a managing director at Glass Lewis & Co., a financial research firm.