Sarbanes-Oxley’s Wake-Up Call to the Construction Industry
Leveraging Compliance and Internal Controls to Manage Risks

By Barry B. LePatner, Henry H. Korn, and Anthony S. Chan

E-mail Story Print Story

For this company, whose securities are publicly traded, acceding to the unexpected cost overrun is only one problem. The larger issue may be the lack of proper management review and oversight coupled with a poor internal control environment—an investor relations nightmare that could have easily been avoided with more appropriate monitoring of the construction activities. For any senior management faced with this situation, the question is how to manage the unnecessary risks and exposures in light of the requirements imposed by the Sarbanes-Oxley Act (SOX).

To gain true perspective of the relevance of SOX and internal controls in the construction process, it’s necessary first to review the purpose behind SOX.

Purpose of SOX

SOX passed through both houses of Congress with record speed in 2002 as legislators reacted to the Enron and WorldCom scandals, and disclosures that senior executives or directors simply ignored—or otherwise allowed—managers to distort their company’s financial condition by hiding losses and liabilities from the company’s balance sheet, embezzling corporate funds for personal use, as well as failing to implement internal controls and processes to ensure the accuracy of financial reports. The statute passed the Senate 99–0 and cleared the House with only three dissenting votes.

As the extent of the fraudulent practices and lack of oversight for effective internal controls came to light, Congress was concerned that no one in senior management used effective oversight to ensure that internal controls were in place to prevent the fraud. Of equal concern to Congress, members of boards of directors likewise remained oblivious to monitoring the companies’ internal controls and financial condition. SOX is universally recognized as a tool to prevent the kind of conduct that led to scandals like Enron and WorldCom. It put the burden on corporations’ senior management, the boards of directors, and outside auditors to see that effective controls are in place to support the financial condition as periodically reported to shareholders and the public.

SOX imposes significant penalties on senior management, directors, and outside auditors with respect to its reporting and internal control provisions. Among the administrative remedies available to enforce this statute, the SEC has the authority under SOX section 1105 to prohibit officers or directors from serving in such positions for violation of the foregoing provisions. To enforce these provisions, the SEC may bring cease-and-desist proceedings in federal court.

SOX also establishes, for the first time, criminal penalties for persons “knowingly” or “willfully” violating these certification provisions; they may be fined up to $1 million and imprisoned up to 10 years, or both, for each offense. The statute enhances the criminal penalties for one who “willfully” violates the certification provisions, with a fine of up to $5 million, a prison term of up to 20 years, or both.

SOX and Construction Projects

Since the enactment of SOX, managements of publicly traded companies have been required to annually certify the effectiveness of internal controls over financial reporting. While many have questioned the cost of SOX compliance, the investing community has embraced the related benefits, because of: 1) the decline in the number of financial statement restatements over the past few years; 2) the enhancement of corporate governance; 3) the strengthening of underlying controls, including management monitoring and oversight; and 4) the increased transparency in financial reporting.

Although SOX is intended to focus on mitigating the risk of management override and fraudulent financial reporting, its relevance and applicability has often been extended to internal projects with significant financial consequence. For corporations involved in large-scale construction, SOX provides management with an opportunity to leverage internal controls to manage the company’s financial, business, and reputational risks, as well as enhance operating efficiencies with best practices.

Some contend that cost overruns and related lack of control on construction projects should not trigger SOX concerns over internal controls, claiming the amounts involved are not material. From the authors’ perspective, however, corporate indifference to how construction projects are monitored is an invitation to serious trouble for management.

The construction industry contributes nearly 6% of U.S. gross domestic product, with more than $1 trillion spent annually in the United States on construction projects. The media regularly report on projects, large and small, that experience massive cost overruns and delays long beyond their contract completion dates.

To be SOX-compliant, management must have an effective process in place to accurately record and report related expenses or capitalizable costs in the proper period and to ensure disclosure of significant events. Such a process is critical to the timely identification and investigation of significant cost overruns, the communication of related findings to senior management, and the consideration of the findings for proper disclosure.

The bottom line: Significant construction project overruns, if caused by poor management oversight or fraudulent activities, could raise concerns about the integrity of the company’s internal control environment and effectiveness of its antifraud program. The authors believe that senior management of publicly traded companies should appreciate the reach of SOX to their construction projects. Furthermore, in view of the recognized prevalence of cost overruns and delays that beset this industry, management is obligated to take affirmative steps to establish effective controls that will monitor project exigencies.

To minimize the risk of cost overruns and possible consequences resulting from project delays, management should factor the following actions into the contracting process before the commencement of each construction project:

• Define the roles and responsibilities of its project managers and third-party advisors and consultants;
• Conduct a detailed risk assessment;
• Rank the related operating and fraud risks based on their likelihood and potential dollar impact;
• Identify and develop specific actions to mitigate such risks;
• Establish formal guidance and directives to ensure proper authorization, approval, and review of change orders, increases in scope during the project, and related activities;
• Ensure that employees involved in the construction process have the necessary experience and training;
• Develop a formal process to review, analyze, and investigate results that significantly vary from the budget or plan; and
• Establish a formal communication process to facilitate the information flow from project managers to senior management.

In addition, management should establish formal milestones and specific due dates to prevent the risk of delay.

Effective Internal Controls over Construction Projects

Based on the authors’ experience advising owners undertaking commercial, institutional, and residential construction projects, management should make certain of the following:

• The construction team has maintained appropriate insurance coverage and the company is protected as an additional insured;
• The construction manager or general contractor on a project can justify its fees, overhead (general conditions), and other reimbursable expenses (typically reflected as a percentage of the cost of work);
• Claims for change-order work (the effect of which typically increases the cost of the project) and associated payments by the owner can be fully justified;
• Internal controls are in place relating to change-order work to identify who has the authority to approve change-order work and what documentation is required to justify such increases to the project budget; and
• The requisition process is transparent so that the owner or its representative can be confident that every requisition payment reflects work actually completed, that payments are made in full to subcontractors, and that funds are not diverted from the project to pay for the expenses of other projects involving the construction manager/general contractor, or to pay for the general operating or personal expenses of the construction manager/general contractor.

Structure and Discipline

SOX compliance has brought structure and discipline to the management and oversight of construction projects. When properly designed and implemented, internal controls can be an effective risk management tool to accomplish the following:

• Deter, prevent, or detect fraudulent activities in a timely manner;
• Ensure proper communication and evaluation of control issues as they are identified;
• Identify surprises and issues before they get worse; and
• Ensure proper disclosure and presentation of the company’s financial results.

Management cannot afford to delegate all cost controls to a construction manager or general contractor who is directly in line to benefit from such cost overruns. Such a course of action represents an invitation to disaster. To mitigate the element of surprise, management must have a formal process in place to monitor and evaluate its third-party advisors and consultants on a periodic basis, and should take an active role in reviewing the related project costs to ensure their validity and accuracy.

©2009 The New York State Society of CPAs. Legal Notices