Your Company’s new board member questions whether the Company has performed a risk assessment of its financial statement processes (expenditure, revenue, treasury, etc.). She asks how likely it is that there could be misstatements in the processes and, if so, how significant these misstatements could be.
The Sarbanes-Oxley Act (“SOX”) plays a major role in everyday business activities for any company that aspires to be publicly traded. The passage of SOX in 2002 was the legislative response to the financial implosions of companies such as Enron, Tyco and WorldCom, all attributed to inadequate corporate governance. SOX was introduced to prevent similar collapses of internal controls in the future. The law is long and complicated, but a few key provisions stand out. It requires corporate management to certify that they have reviewed the financial statements, that those statements are accurate and truthful, and that they have assessed whether the company’s internal control procedures are sufficient and effective. How does this affect your corporate back office? First, expect that it will add millions of dollars annually to your compliance costs. Second, and less obviously, the law provides a vehicle for you to cut costs and improve performance across your extended enterprise.
The Public Company Accounting Oversight Board (“PCAOB”) is the new SOX enforcer (for now). Its goal is to maintain trust in our capital markets by protecting employees, customers, and investors. These protections have costly implications for companies, as they require substantial resources to establish and maintain. The requirement to test internal controls on a recurring basis (an annual management assessment of internal control over financial reporting, plus quarterly certifications) and then disclose whether those controls are sufficient and effective is the most expensive to comply with. The “new sheriff” enforces the rules by holding its deputies, the external auditors, accountable for the quality of their audits of internal controls. Gone are the days of having your auditor design your internal controls. They cannot have a hand in designing your controls and then audit those same controls. As you might expect, when PCAOB scrutiny of auditors increases, so do auditing fees. Legal and audit fees can be expected to add, in aggregate, at least two million dollars a year to your compliance costs.
Are SOX protections too expensive and cumbersome? Will the ingenuity and resources at the disposal of companies allow them to devise new ways of doing business and generating cash that undermine regulatory efforts to control the risks and harm that are byproducts of their activities? Unless you are an executive at a Fortune 200 company, a top-tier venture capitalist, or a government economist, do not bother yourself with these value judgments. Yes, there are flaws in the law, and human ingenuity and foresight are always limited. Legal rules will inevitably encounter innovations for which they were not designed. But do not try to override or bypass the regulations. Penalties for violating SOX include hefty fines and time in jail. Don’t try to scare or co-opt your auditors into overlooking the controls; PCAOB sanctions have scared them more than you ever can.
Instead of playing an endless game of whack-a-mole with your auditors to get around SOX regulations, use the law to identify areas where gains in value could be used to offset the costs of compliance. Having to comply with SOX guidelines offers the wily manager the perfect opportunity to implement Lean practices into the workplace. SOX compliance will enable you to improve and standardize key financial processes (often in shared service centers); eliminate redundant information systems and unify multiple platforms; minimize inconsistencies in data definitions; automate manual processes; reduce the number of handoffs; better integrate subsidiary offices and acquisitions; broaden responsibility for controls; and eliminate unnecessary controls.
While process improvement and standardization should not be mistaken for low-hanging fruit, it is worth the climb. The work of identifying and addressing inconsistencies across operating teams and locations can be substantial, but so can the yield. For example, a company’s journal entry processes can vary widely by group and location: some employees create entries by hand, others enter them into Excel spreadsheets, and others log them directly in the company’s financial software. The review process is often equally fragmented, with some reviews conducted by people not senior enough to catch problems and others by people too senior to spend the time. Instead of having hundreds of ad hoc procedures for your finance activities, reduce them to a few standard procedures. Data will be more consistent and reliable, and fewer employees and man-hours will be required to accomplish the same task.
SOX also enables management to evaluate the performance of its “extended enterprise” partners. These partners provide services that include hosting IT applications, managing IT infrastructure, outsourcing or shared service arrangements for accounts receivable or accounts payable, processing payroll, managing benefits, tax reporting, shipping, and maintaining warehouse inventories. In such cases, management must obtain evidence of effective internal control at the partner company, ideally in the form of an SAS 70 Type II report that the partner provides (SAS 70 has since been superseded; the equivalent today is a SOC 1 Type II report issued under SSAE 18). If the service provider is unwilling or unable to provide one, management must conduct its own audit of the provider’s controls. Without this evidence, a company that relies on extended enterprise partners will not be able to certify that its own controls are effective.
Does a private company need to perform risk assessment of its financial statement processes? Early stage start-ups do not. However, prospective investors in a private placement of securities – and prospective purchasers of a privately held company – may insist on audited financials as well as assurances as to internal controls and auditor independence. Private companies with a large number of non-management shareholders may also insist on a greater amount of ongoing disclosure, especially relating to financial statement matters.
The astonishing thing about SOX regulations is that the sheriff’s instructions to the deputies are not always clear, and they are constantly being reinterpreted. The definition of “sufficient internal controls,” as you might expect from a political body that reflexively responds to the latest financial scandal, is reinterpreted each time the PCAOB publishes its review of an auditor’s work. Occasionally the review is published in the middle of a year and applied retroactively. Retroactive application, like “value-at-risk,” is an absurd concept. Well-intentioned officials within the government believe that changing the interpretation of rules every six months is progress, so be aggressively proactive with your auditor: pin them down on what specific controls, tests of controls, and results from those tests are required before you start your annual procedures. Confirming that your internal controls are “sufficient” takes enormous amounts of time and resources. Don’t get surprised and have to confirm the controls twice.
- Has your board of directors or management team agreed on what internal controls they want in place? Do they know what internal controls exist and what control risks exist for your business?
- Does your company wish to complete an initial public offering of stock within the next two years? If so, do you have a plan to design and implement sufficient and effective internal control procedures by the time they are required?
- Has your team identified areas where gains in value could be used to offset the costs of compliance?