While many management teams, boards of directors and audit committees see the Sarbanes-Oxley Act of 2002 as an administrative and compliance exercise, we encourage companies to think outside the box and use the regulation as an excuse to improve business processes.
Forward-thinking companies are indeed leveraging the Sarbanes-Oxley Section 404 compliance requirements to define a higher standard in financial reporting, ensuring that they deliver on these 5 key "value drivers":
- Greater shareholder confidence through a superior financial reporting process.
- Institutionalized internal audit and controls throughout the corporation, at the financial level and, more importantly, at the operational level.
- An environment where the SOx program office, internal audit organizations, external auditors, operating business units and corporate boards can effectively collaborate to proactively identify, report and manage key business and financial risks.
- Superior "risk-adjusted" return on shareholder equity.
Let us discuss the key "value drivers" of Sarbanes-Oxley in greater detail.
Superior Financial Reporting Process:
The spirit of SOx 404 is to create a company-wide culture and process that fundamentally enhance the quality of financial reporting. For example, while in the past companies may have reported based on certifications from regional business heads about the accuracy of their P&L, moving forward the certifications must cascade through to every entity involved in the financial management process. This fundamentally requires more global collaboration and oversight from the board, executive committees, auditors, business unit heads and line organizations throughout the global organization.
- SOx 404 clearly requires buy-in from the board of directors and the senior executives, but it also requires effective collaboration between line and business units across the extended organization, which contribute their key performance indicators, financial performance, material adverse events, and known deficiencies and controls to help prepare the SOx-compliant annual and quarterly financial reports.
- Ensure that the financial reporting processes and policies have "quality control" oversight at all times. The financial reporting process has to be run with the same discipline as error-free manufacturing operations, where all along the assembly line the operations managers have control of and visibility into their operations.
- Ensure that the quality functions for financial reporting run independently of the operational units. Most companies are creating new job titles, such as risk officer and SOx program office, with significant internal audit staff to realize the inherent quality control of the financial reporting process.
- Do not expect your users to adopt new applications just to enhance your financial reporting and management functions. It is critical that the compliance programs work within the framework of how people already work, as opposed to asking them to take extra steps to ensure compliance. Many early adopters of software-based solutions for SOx have been burned by shelf-ware that never replaced the flood of spreadsheets and emails used to manage the financial reporting process quarter after quarter. We advocate email-based collaborative processes so that all internal and external parties can effectively collaborate across the enterprise without fundamental changes in how individuals work across the globe.
- Create a real-time financial dashboard and visibility infrastructure to ensure that all parties in the financial reporting chain are able to view the appropriate metrics, performance indicators, business exceptions, risks and material adverse events in real time. Without access to this critical information and real-time scorecards, managers are prone to errors in financial reporting.
Institutionalize Internal and External Audits throughout the Corporation:
Internal and external audits are still viewed as once-a-year or once-a-quarter events, a necessary "evil" to ensure compliance with the SEC. Many companies are now realizing that the audit functions can, if developed properly, result in significant improvements in managing corporate risk. Early visibility into key financial and corporate risks most often means a lower cost of overall risk management. Practitioners of six-sigma and quality management have always propagated the well-studied quality principle that process errors found earlier in the process lifecycle can be remediated at significantly lower cost than those found later. The same applies to corporate risks: the sooner material deficiencies in the internal controls are identified, the lower the cost of remediation.
Here are some simple best practices for running your internal audit operations.
- Think Quality Assurance: Management should create more objectivity in the testing of internal controls, i.e. the organization performing the control testing should be different from the one actually performing the control. Self-assessments, while meaningful audit vehicles, do not provide sufficient evidence of compliance and hence, in most cases, do not meet the standards of the external auditors.
- Make sure that the internal control testing plans are discussed and communicated with the external auditors a priori. Many SOx compliance managers have been surprised that their external auditors did not share the internal risk scoring on certain controls. It is best to discuss and collaborate proactively with the external auditors, ahead of time.
- How you structure your testing plans is critical to the success of your internal audit function. One of the best practices we have seen in the industry is to use a "sample" set of transactions that naturally tests multiple controls in one go. For example, by inspecting and testing a set of sales contracts, one can test controls on pricing, approval and sales authorizations, as well as revenue recognition controls.
- Timing of testing: a well-designed internal control testing program spreads the manual and automated tests throughout the fiscal year. These internal audit control tests are not year-end or quarter-end activities but well-planned processes in which all parties collaborate to test the effectiveness of controls. Good collaborative tools and frameworks come in handy in making this a reality.
- No internal audit function is a success without real-time monitoring. As obvious as it may sound, most companies are unable to monitor their controls on an as-needed basis. Upfront investments to ensure continuous monitoring of key control activities, evidence of testing and reporting of key exceptions become critical to internal audit success.
- A well-designed internal audit function finally ties back to updating all relevant process documentation and standard operating procedures should material or non-material deficiencies in the internal controls be discovered. In general, a good rule of thumb is to retain the documents of management assessments, control remediation and evidence of control testing for up to 7 years.
Collaborative Risk Management:
There is no prescribed methodology for best managing your internal control deficiencies and their remediation. However, a large company may aggregate thousands of internal control deficiencies of varying severity and magnitude. The key question facing practitioners of compliance is how best to summarize and assess the risks associated with these deficiencies. Strong collaboration is required across different groups to understand patterns of deficiencies and to put proactive remedies in place.
- It is best to use a corporate-wide tool to aggregate all deficiencies, corrective action plans and remediation across the extended enterprise, and to have both a collaborative and an analytic view of the data. Areas of significant material risk may emerge as control deficiencies are aggregated, and certain business units may require deeper examination based on trends in their control deficiencies.
- Tightly integrated employee training programs often go a long way in remediating known material weaknesses. Evidence of training also creates a record of control remediation for the regulators.
- Your SOx system must enable you to adjust the risk scoring of key deficiencies in collaboration with your external auditors. Early buy-in from the external auditors might serve you well when it comes time to show evidence of internal controls.
Greater Risk-adjusted Return on Equity:
This one is the hardest to prove or disprove. Yet logical arguments suggest that as one lowers the overall risk and variance in key business and financial processes, process outcomes become more predictable. Processes with high variability are inherently riskier and less repeatable for consistent performance. For a financial manager chartered to deliver greater return on equity, it is critical to reduce the cost of risk management. As companies create comparative business process advantages, they are inherently better positioned to manage risks at lower cost, thereby delivering greater risk-adjusted returns on their equity.
- Early discovery of process risks is critical. SOx compliance presents an opportunity to create a company-wide system to better visualize and manage corporate and process risks, which implicitly results in lower management costs for remediating these risks. For example, companies that gain visibility into their "price-discounting" policies through internal controls are able to remediate the process through effective sales force training, whereas companies that discover uncontrolled price discounting in their sales channels at the end of their fiscal year are left with significant earnings and revenue misstatement risks.
- SOx 404, coupled with the proposed SOx 409, forces companies to pay attention to material adverse events in their operations, not just in their accounting and financial controls. One of the big benefits, if leveraged properly, is to tie operational compliance and quality initiatives to the SOx 404 efforts, ensuring that all known material adverse events from the factory, logistics departments and retail operations are reported to the SOx 404 program office on a near real-time basis, enabling a rapid management response to remediate the business problems. A simple example: a large pharmaceutical company that is able to spot significant FDA non-compliance risks early can proactively protect its blockbuster drug from being banned from the market, thereby delivering superior financial returns to its shareholders.