New horizons: enterprise-wide compliance: a better way to manage regulatory demands.

EXECUTIVE SUMMARY

* COMPLYING WITH SARBANES-OXLEY HAS LED many companies to search for a better way to manage all the regulatory demands they face. Some are doing so on an enterprise-wide basis by coordinating and integrating compliance into all facets of their business.

* COMPANIES NEED A FRAMEWORK TO HELP them manage their enterprise-wide efforts to comply with applicable laws, regulations and industry standards. Frameworks have been developed by ISO and COSO, or companies may find it appropriate to develop their own.

* CROSS-FUNCTIONAL COMMITTEES CAN HELP companies integrate compliance into day-to-day work and handle issues such as whistleblowing, code-of-conduct oversight and recurring regulatory compliance.

* MANY COMPANIES SEE ENTERPRISE-WIDE COMPLIANCE as an opportunity to enhance productivity, develop more effective processes, lower transaction costs and optimize controls. It also makes organizations less dependent on individual knowledge as processes are documented well enough for new employees to learn and implement.

* CPAs PLAY AN INTEGRAL ROLE IN THE COMPLIANCE process. Most compliance activities have financial implications and accountants will need to be involved in any effort to streamline or otherwise modify them.

**********

Let's face it. Compliance with the Sarbanes-Oxley Act isn't a one-shot deal. With companies expected to spend $80 billion on compliance initiatives in the next five years, CPAs and other financial executives face ongoing regulatory pressure. Some days it must seem they are navigating a strange sort of alphabet soup thanks to rules from the SEC, the IRS, NYSE and FASB, not to mention laws and standards popularly known as Basel II, HIPAA and SOX. Because so many of these regulations involve a company's financial activities, CPAs are uniquely positioned to take a lead role in developing a comprehensive approach to complying with them.
It is the latest of these laws--Sarbanes-Oxley--that has been a catalyst for many companies to search for a better way to manage these demands. Some entities have begun doing so on an enterprise-wide basis by coordinating and integrating compliance into all facets of the business, not only to streamline the process but also to improve operational efficiency and manage the company better. In many cases it is the sheer scope and breadth of Sarbanes-Oxley that is driving the effort. Because Sarbanes-Oxley compliance usually centers on accounting and finance, CPAs are critical to a company's development of an enterprise-wide compliance approach. This article explains how this strategy works and what forms it can take, the role CPAs can play in implementing it and what goals it can help companies achieve.

COMPLYING COMPANY-WIDE

Enterprise-wide compliance requires an overarching framework for managing efforts to comply with the laws, regulations and industry standards that apply to a company. Some companies use frameworks developed by groups formed specifically for this purpose while others rely on existing frameworks, such as the one the International Organization for Standardization (ISO) developed for continuous process improvement or the Committee of Sponsoring Organizations of the Treadway Commission (COSO) frameworks. (See "Resources," page 79.) The exact approach a company takes to enterprise-wide compliance will vary according to its needs and the rules it must follow.

CPAs interested in taking a lead role in enterprise-wide compliance can begin by studying these frameworks to see whether their company can adapt one of them to meet its needs or whether the entity should develop its own framework. From there, CPAs should identify the compliance areas a more consistent enterprise-wide approach can satisfy and what that approach should look like.

CPAs can help companies refine the experience of complying with section 404 of Sarbanes-Oxley as the foundation of an enterprise-wide framework. "Companies must have a process and infrastructure in place or they won't be able to meet section 404's ongoing requirements," says Bill Henderson, CPA, investigative and forensic accounting practice leader for the risk consulting practice at Marsh Inc., New York. "The question is: What role will various functions play in that framework? There is no one-size-fits-all."

Simply developing a framework to manage Sarbanes-Oxley isn't enough. "Companies tend to begin with one area, such as Sarbanes-Oxley, because it's the most pressing," says Ted Frank, CEO of Cleveland-based Axentis Corp. and chairman of the Open Compliance and Ethics Group's Technology Council. However, the increasingly complex legal and regulatory environment requires a more strategic look at the process of complying with a variety of laws and regulations.

This enterprise-wide approach requires an infrastructure, including a code of conduct, a process to regularly assess compliance status as it relates to risk management, regular compliance reports and a curriculum for ongoing employee education. "The key is to build structures that allow a company to adapt through different business cycles," says Dan Langer, CPA, solutions director for internal audit and controls at Jefferson Wells International in Brookfield, Wis. This type of structure already exists in many companies that operate in heavily regulated industries such as financial services or pharmaceuticals.
It's also a good idea to understand how much a company is spending on compliance and where the money is going. According to the Small Business Administration's Office of Advocacy, U.S. companies spend $850 billion a year on regulatory compliance. Sarbanes-Oxley is likely to increase that amount. However, individual companies often don't know how much their own compliance efforts cost. "Spending is very diffuse, but some companies are trying to capture the costs," says Frank. Any cost reduction effort will be hampered if a company doesn't fully understand what those expenses are. Only with a full picture can companies begin to eliminate inconsistency and fragmentation to make compliance more efficient, not to mention less expensive.

COMPLIANCE STRUCTURE

For some companies, enterprise-wide compliance is built around committees and other working groups that deal with compliance issues and challenges throughout the company. A committee with a diverse membership and strong leadership can aid enterprise-wide compliance efforts by starting a dialogue among different functions and departments that otherwise would not have an opportunity to meet and work together. These committees also help managers and process owners integrate compliance into their day-to-day work. Committee membership should include individuals from all areas of the company, including human resources, corporate communications, sales and marketing and IT, as well as the accounting, finance and legal departments.

A 2004 survey of 165 executives conducted by Jefferson Wells International found companies used compliance committees to handle a variety of issues such as whistleblower cases, code-of-conduct oversight and recurring regulatory compliance. One such company is Charlotte, N.C.-based Wachovia Corp., which formed an enterprise-wide compliance committee following its merger with First Union Corp. The committee's mandate was to anticipate, track and plan compliance with all present and future regulations affecting the company and to determine how those developments might affect the company and its operations.

"If we see a regulation coming right away, we might call an emergency meeting to discuss the impact it will have on the company and the procedures and policies we need to support compliance," says Bill Langley, the Wachovia executive vice-president and chief compliance officer who heads the committee. In some cases the committee organizes company-wide training to ensure proper compliance and to foster an understanding of the policies designed to support compliance, such as the company's code of conduct.

The company formed the committee, which meets quarterly, as part of a broader effort to more effectively manage Wachovia's total risk profile, including operations, credit and compliance. Membership includes senior compliance leaders from the company's four major lines of business, as well as representatives from staff areas including finance, audit, human resources, IT, legal and corporate communications. These employees were chosen because there is a clear link between the work of their department or function and the company's compliance efforts. Most important, the committee structure and membership encourage better compliance-related communication among functional areas and the company's lines of business.

Past and present committee members include CPAs who represent the finance and audit functions, as well as those who are CPAs by training but work in unrelated fields such as legal. Langley sees a significant advantage to including CPAs on the committee. "Much of what we discuss is related to understanding risks and the controls needed to mitigate those risks," he says. "Because CPAs are so well-grounded in those areas, they are able to contribute considerably to developing solutions."

ACCOUNTING PARALLELS

When developing an enterprise-wide approach to compliance, CPAs can draw on their strong grounding in accounting and finance processes. In many ways an enterprise-wide approach mirrors accounting and finance activities such as sending out invoices or closing the books each period. "There are certain activities associated with strong compliance that occur daily, monthly, quarterly or annually, just like the tasks associated with the financial close," Langer says. "They should be ingrained in the organization and made part of individuals' job responsibilities."

When new employees join the company, they automatically should be introduced to compliance processes, with the amount of information provided depending on their roles. Employees working in finance, accounting, IT or directly with internal controls would get more education than others.
This enterprise-wide approach also can help entities manage compliance issues related to a merger or acquisition. "Ideally, the compliance office should be involved in the transaction and necessary due diligence," says Henderson. For example, Iron Mountain Inc., a $1.7 billion Boston-based provider of data and information management systems and services, completed about 20 acquisitions in 2004. The company coordinated its Sarbanes-Oxley deadlines with the compliance issues associated with each acquisition. Any acquisition in the company's medical records line of business also had to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other health-care-industry regulations. "We have to understand the quality of the acquisition and make sure compliance is consistent in all locations," says Jean Bua, CPA, Iron Mountain's vice-president and chief accounting officer.

One of the key challenges companies face when developing an enterprise-wide approach is getting the attention of the company's leaders. "Compliance has always been in the background," says Bua. "We have to fight for leaders' time as we integrate compliance activities globally, while also keeping an eye on cultural and regulatory differences among our global operations." Many entities bring compliance issues to the fore with company leaders through training and education in which CPAs can play a key role. In some cases companies are incorporating compliance-related measures into performance goals for certain executives.

Increasing the prominence of compliance activities also means tying those efforts to improved operational and business performance. It's up to CPAs to "educate people throughout the business about the need to be compliance partners by showing them what they get for their efforts," says Bua. For example, documenting and testing internal controls as Sarbanes-Oxley section 404 requires can help promote more efficient and effective operations and information flows. For Iron Mountain this process led to better records management and helped the company comply with HIPAA regulations more effectively. "That, in turn, helps protect the company brand and reputation," says Bua--a message senior management understands.

FROM COMPLIANCE TO PROCESS IMPROVEMENT

Ideally, an enterprise-wide compliance approach will yield benefits beyond just preventing regulatory and legal problems. "If companies are smart, they are taking enterprise-wide compliance beyond Sarbanes-Oxley and internal controls to identify operational efficiencies," says Langer. Indeed, enterprise-wide compliance--particularly the process mapping, documentation and internal controls testing required by Sarbanes-Oxley--has drawn so-called process owners throughout the company into an overarching compliance effort. This can be a chance for CPAs to expand the conversation into areas such as process and operational improvement.

Such is the case with Suntron Corp., a $400 million electronics manufacturer based in Phoenix. With nine facilities in the United States and one in Mexico, the company has decentralized its operations and centralized the finance function. However, Suntron is bridging the gap between operations and finance by using the process mapping and documentation required by section 404 to support its Six Sigma activities and to drive continuous process improvements. (Six Sigma is a data-driven methodology for eliminating process defects.) "The first step is understanding where the process is today," says Peter Harper, Suntron's CFO and treasurer. "Documenting a process can improve its efficiency up to 20% by eliminating redundant activity and identifying and fixing problems."

Moreover, addressing any process weaknesses will strengthen financial reporting. For example, if an entity's inventory control or materials purchasing processes are weak, the resulting problems are likely to lead to incorrect financial reporting. The same is true for contracts and customer pricing. "If a salesperson or a customer business manager makes a deal that isn't properly communicated or documented," Harper says, "that could have negative financial reporting repercussions."
Suntron plans to leverage the ISO framework, using the information gleaned during Sarbanes-Oxley compliance efforts. "That way, we're not reinventing the wheel, and finance can be the conduit that provides a different perspective on process quality in financial reporting," says Harper. ISO 9000 requires companies to meet certain requirements with their management processes and activities, including those related to production, service delivery, purchasing and a commitment to monitoring customer perceptions about product quality. Because many of the internal controls that must be documented and tested under section 404 relate to the same processes and activities ISO 9000 covers, CPAs who work in organizations interested in becoming ISO-9000-compliant can use the section 404 documentation as a starting point for those efforts.

WEIGHING THE PROS AND CONS

Whether enterprise-wide compliance is the best approach depends on the individual company and its circumstances. In 2005 the strategy will compete for the time and attention of overburdened finance personnel and won't work for every company.
Allied Defense Group, a $163 million defense and security company based in Vienna, Va., has all it can do to keep up with current compliance demands. "Undertaking a project like enterprise-wide compliance is a challenge due to our staffing constraints," says Chuck Hasper, CPA, Allied Defense CFO and treasurer. "As a multinational company we have to explain and translate internal controls so people can understand them, and our staffing constraints compound the problem."

For CPAs with the necessary resources, enterprise-wide compliance presents important opportunities to add more value to the organization. "This is a chance for accounting and finance to move away from speaking about the company in technical terms and instead communicate in terms of success by emphasizing the role business unit leaders and geographic regions can play in compliance," says Bua. Iron Mountain's finance organization already has benefited. "These efforts have helped create a more knowledgeable finance organization worldwide and foster more teamwork within that organization. People are working next to each other and cross-pollinating ideas."

Many companies report this type of collaboration occurs naturally as individuals from different parts of the company work together for the first time. In some cases a more efficient process one person has developed for his or her own department can be modified and applied to other areas. In other instances it will be up to CPAs to foster these types of working relationships. To help with this, some companies have developed databases of best practices, process improvements and other information gleaned during compliance efforts, with the names and contact information of the people involved. CPAs can use that information to start a dialogue with them and others in the company.

Suntron's Harper believes this enterprise-wide approach will lead to enhanced productivity, more efficient and effective processes, lower transaction costs and better controls. "One of the biggest benefits to mapping out all of these processes is it makes the company more process-reliant and less dependent on individuals' tribal knowledge
RESOURCES

* The Committee of Sponsoring Organizations of the Treadway Commission (COSO, www.coso.org) has developed an internal controls framework and an enterprise risk management (ERM) framework. The internal controls framework quickly has become the standard for companies complying with section 404 of Sarbanes-Oxley. The ERM framework builds on the internal controls framework and is designed to help organizations manage risks including compliance-related ones across the enterprise.

* The International Organization for Standardization (www.iso.org/iso/en/ISOOnline.frontpage) has developed standards for continuous process improvement in all areas of a company's operations, as well as product-specific standards.

* The Open Compliance & Ethics Group (www.oceg.org) is working to integrate the principles of effective governance, compliance, risk management and integrity into daily business. The group plans to beta test an application draft of its compliance and ethics management framework this summer and issue a final draft later this year. The OCEG recently merged with the Compliance Consortium, a group of software providers and consultancies formed to promote effective enterprise governance, risk and compliance management. Member companies of the consortium have become charter members of the OCEG's newly formed Technology Council.
PRACTICAL TIPS

* Study the available compliance frameworks to see whether one meets your needs or whether your company should develop its own.

* Choose members of your company's enterprise-wide compliance committee from different functions and departments including human resources, corporate communications, sales and marketing, IT, accounting, finance and legal.

* Document the processes your company follows to comply with various laws and regulations to improve efficiency, eliminate redundant activity and identify problems.

JOANNE SAMMER is a freelance business writer. Her e-mail address is sammerwrite@optonline.net.

Cost Breakdown

Average section 404 compliance expenses:

External costs             $1.72 million
Internal costs             $2.34 million
Additional auditor fees    $1.30 million

Note: Table made from pie chart.