Cutting Sarbanes-Oxley costs without cutting compliance.Since it was passed, the cost of complying with the Sarbanes-Oxley Act See SOX. of 2002 (and its associated rules and standards) has been a source of consternation for executives at many public companies. Costs have settled a bit now, but still remain too high in the minds of many executives and boards. Deloitte estimates that current compliance costs roughly correlate to a company's gross revenues--about $1 million in expense per $1 billion in revenue. Exacerbating ex·ac·er·bate tr.v. ex·ac·er·bat·ed, ex·ac·er·bat·ing, ex·ac·er·bates To increase the severity, violence, or bitterness of; aggravate: the issue are the realities of the business environment and expectations placed on senior executives--especially CFOs--to achieve lean operations through aggressive structural cost-cutting. Compliance-related expenses are seen by many as placing U.S. companies at a competitive disadvantage; as such, reducing related costs is on the agenda of many top executives and boards. Thus, CFOs may find themselves in a quandary: cutting costs may jeopardize jeop·ard·ize tr.v. jeop·ard·ized, jeop·ard·iz·ing, jeop·ard·izes To expose to loss or injury; imperil. See Synonyms at endanger. compliance, upset their audit committee or cause a material breakdown in controls; while ignoring costs may displease dis·please v. dis·pleased, dis·pleas·ing, dis·pleas·es v.tr. To cause annoyance or vexation to. v.intr. To cause annoyance or displeasure. their management, worry stakeholders Stakeholders All parties that have an interest, financial or otherwise, in a firm-stockholders, creditors, bondholders, employees, customers, management, the community, and the government. and analysts and kill the ability to enhance the company's competitiveness. Control Rationalization One approach can be found in the concept of Control Rationalization. Control Rationalization (CR) starts with identifying the most effective and efficient controls needed to achieve compliance and streamline efforts. For these controls, risk-based considerations are used to drive efficiency in testing. Early steps include detecting and eliminating unnecessary controls. Equally important, opportunities for improving control design and automating manual controls are targeted. The program is based on two principles: a top-down, risk-based approach and a lean and balanced control design. A top-down, risk-based approach is founded on the notion that not all accounts, transactions and risks are equally important. One should not only consider the relative significance of these items, but also factor in some related concerns, including the nature of the business; the inherent riskiness of transactions, processes, controls and technologies and the effectiveness of the organization's human resources The fancy word for "people." The human resources department within an organization, years ago known as the "personnel department," manages the administrative aspects of the employees. . A lean and balanced control design emphasizes a holistic view in the design and application of controls. Early on, some companies initiated their compliance efforts with a bottom-up approach, treating all controls as equal, regardless of the underlying risk profile. They tested a large number of controls at the routine level (which usually address relatively lower risks), often resulting in a disproportionate control structure. For example, related to the accounts payable process, many, many companies documented and tested numerous controls around disbursements--a generally routine category that is usually automated and often relatively low risk. Far greater risks may exist elsewhere, such as in the process for estimating accrued liabilities Accrued liabilities are liabilities which have occurred, but have not been paid or logged under accounts payable during an accounting period; in other words, obligations for goods and services provided to a company for which invoices have not yet been received. at the end of the month, which is a manual process involving significant judgment that should receive greater and more focused control attention. CR entails a structured, four-step approach. While the process is far too detailed for the scope of this item, a snapshot of the process follows: * Phase 1: Apply Top-Down, Risk-Based Approach to Re-Scoping. Begin with a risk assessment to identify financial reporting risks. Next, the design of relevant controls is evaluated, starting with company-level controls and proceeding down to the identification of significant accounts, key groups of transactions and related processes and, finally, to the evaluation of individual controls. * Phase 2: Rationalize ra·tion·al·ize v. 1. To make rational. 2. To devise self-satisfying but false or inconsistent reasons for one's behavior, especially as an unconscious defense mechanism through which irrational acts or feelings are made to appear Existing Controls and Redesign Test Plans. Here, opportunities to improve and enhance the design of controls are identified. Controls that address multiple control objectives are favored over those addressing single objectives; automated controls are given preference over manual controls. Redundant controls are identified and eliminated, as appropriate. These activities should yield a "rationalized" set of controls for compliance testing purposes, which also can help isolate the converse (logic) converse - The truth of a proposition of the form A => B and its converse B => A are shown in the following truth table: A B | A => B B => A ------+---------------- f f | t t f t | t f t f | f t t t | t t : controls unnecessary to test for compliance purposes are "scoped out." The next step is to apply a risk-based approach toward testing. Risk-based test plans vary the nature (which controls are being tested? how are the tests conducted?), timing (at what point or how many times during the year are the tests conducted?) and extent (how numerous and extensive are tests?) of testing based on the risk being addressed. This can enable companies to direct their resources to testing controls related to the highest risk areas, which should receive far greater attention than those addressing lower risks. Thus, high-risk areas should: usually undergo the most extensive testing, using a greater number of sample selections; be tested by objective and competent resources (which may often be the internal audit group); and be tested closer to year-end. Medium- and low-risk areas can: be tested through the application of fewer selections; be tested at any time during the year; and be tested through self-assessment to a greater degree. * Phase 3: Leverage Automated Controls and Enabling Technology. Properly implemented, automated controls are less prone to error or manipulation or other potential performance problems that are associated with people-based controls. Thus, to the greatest extent possible, companies should seek to replace manual controls with automated controls. In addition to being more reliable, automated controls can decrease costs by positively impacting the extent, nature and timing of testing. Thus, a lesser number of sample items may be necessary because the likelihood of an exception is low (extent); automated controls can be easier to test than manual controls (nature); and certain application controls can be benchmarked so that testing frequency can be rotated over a reasonable period of time. * Phase 4: Standardize stan·dard·ize v. 1. To cause to conform to a standard. 2. To evaluate by comparing with a standard. and Centralize cen·tral·ize v. cen·tral·ized, cen·tral·iz·ing, cen·tral·iz·es v.tr. 1. To draw into or toward a center; consolidate. 2. Processes. Another reason behind the high cost of compliance is the unnecessary complexity around systems, processes and locations faced by many companies. Growth through acquisition can leave companies with an assortment of processes and technologies that have never been standardized standardized pertaining to data that have been submitted to standardization procedures. standardized morbidity rate see morbidity rate. standardized mortality rate see mortality rate. . Compared to the benefits from Phases 1-3, the payoff from standardizing and centralizing cen·tral·ize v. cen·tral·ized, cen·tral·iz·ing, cen·tral·iz·es v.tr. 1. To draw into or toward a center; consolidate. 2. disparate processes and controls can be significant. Of course, so may be the investment. Hence, most companies view standardizing and centralizing processes as longer-term strategic objectives. Typical activities in this phase include consolidating enterprise resource planning See ERP. (application, business) Enterprise Resource Planning - (ERP) Any software system designed to support and automate the business processes of medium and large businesses. (ERP (Enterprise Resource Planning) An integrated information system that serves all departments within an enterprise. Evolving out of the manufacturing industry, ERP implies the use of packaged software rather than proprietary software written by or for one customer. ) systems, standardizing business activities and deploying shared services shared services, n.pl the administrative, clinical, or other service functions that are common to two or more hospitals or their health care facilities and used jointly or cooperatively by them. . The potential value derived from these activities extends beyond compliance into operational efficiencies and improvements, and any investment in these areas cannot be justified entirely on the basis of compliance. However, centralization cen·tral·ize v. cen·tral·ized, cen·tral·iz·ing, cen·tral·iz·es v.tr. 1. To draw into or toward a center; consolidate. 2. can offer the type of scale that enables companies to deploy controls-related technology efficiently, and in doing so help create a sustainable internal control program. Control Rationalization should be viewed as a continuous process, to be integrated into the regular routines of the business. Equally important, it should be applied to singular events such as mergers and acquisitions, cost-reduction programs and business process improvements. By fully integrating CR in this manner, companies can position themselves to drive sustained, continuous improvement to their program and potentially realize significant cost reductions. Contributed by John Gimpert, a partner in the Assurance and Enterprise Risk Services business at Deloitte & Touche LLP LLP - Lower Layer Protocol , where he co-leads the Sarbanes-Oxley Steering Committee steer·ing committee n. A committee that sets agendas and schedules of business, as for a legislative body or other assemblage. steering committee Noun . He can be reached at 312.486.2591 or gimpert@deloitte.com. |
|
||||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion