Sarbanes-Oxley, section 404: from project to practice ... to best practice; in the governance and compliance arena, transitioning from 'best' to 'required' may occur faster than ever. Industry thought leaders advocate such an approach, and a number of companies have begun to set the bar.Most companies today are conducting substantial--even massive--projects around Sarbanes-Oxley Section 404 requirements. There is a growing need, however, to transform that initial project effort into sustainable practice as companies realize that the "deadline" isn't the finish line. In fact, for shareholders and even for customers, the filing deadline is the start line, as it marks the beginning of expectations for complete, effective internal controls and transparency for management and board of directors. In developing a roadmap to transform the project effort into ongoing practice to meet Securities and Exchange (SEC) requirements, executives and boards are carefully evaluating how they can elevate el·e·vate tr.v. ele·vat·ed, ele·vat·ing, ele·vates 1. To move (something) to a higher place or position from a lower one; lift. 2. To increase the amplitude, intensity, or volume of. 3. their practices to best practices that exceed shareholder expectations and provide competitive advantage. Some companies are even including customer perception and benefit in their plans and strategies. The consistent theme driving these strategies is a "tone at the top" that aspires to higher standards of both ethics ethics, in philosophy, the study and evaluation of human conduct in the light of moral principles. Moral principles may be viewed either as the standard of conduct that individuals have constructed for themselves or as the body of obligations and duties that a and performance. As is often the case, industry best practices ultimately become standard requirements. The early practitioners of best practices realize significant benefits and advantage while "forced followers followers see dairy herd. " pay a higher premium for adopting the practice and enjoy lower returns because they must invest merely to break even. In the corporate governance Corporate Governance The relationship between all the stakeholders in a company. This includes the shareholders, directors, and management of a company, as defined by the corporate charter, bylaws, formal policy, and rule of law. and compliance arena, the transition from "best" to "required" may occur faster than ever. A variety of industry thought leaders already advocate such an approach, and a number of companies have begun to set the bar. Companies approach compliance with different attitudes and goals. These include a project approach with the notion of a start- and stop- date; a sustained practice approach, involving continuing, consistent behavior; and a best practice approach, taking the highest ethical ground and striving for business benefit. * The project approach can be characterized char·ac·ter·ize tr.v. character·ized, character·iz·ing, character·iz·es 1. To describe the qualities or peculiarities of: characterized the warden as ruthless. 2. by: Managed by a SWAT team Hunting and gathering exercise Change agents This is a doable, but unsustainable and potentially untestable, approach to Section 404 compliance. It concentrates responsibility for compliance in the hands of a few, and is often typified by retention of outside consultants who take the process knowledge with them when they leave the company. * The practice approach can be characterized by: Standard operating procedure standard operating procedure Medtalk A technique, method or therapy performed 'by the book,' using a standard protocol meeting internally or externally defined criteria; a formal, written procedure that describes how specific lab operations are to be performed. Consistent behaviors Routine monitoring This is a repeatable approach and a necessary pre-cursor to auditor testing. Responsibility for control ownership, documentation and assessment are distributed; with that, comes distributed governance consciousness and a consistent corporate standard. * The best practice approach can be characterized by: Common structures for Sections 302, 404, and other upcoming requirements, like 409 Financial and other processes optimized Management responsiveness Business benefits and reduced liabilities flow from this approach. This is the aspirational versus the minimal approach to governance, controls and compliance. It aligns the standards of adequacy for disclosure controls with those for internal controls and offers management the ability to meet accelerated disclosure deadlines. The dividends include increased management velocity. As with any significant business decision, smart planning ensures smarter execution. The path companies take will impact their costs of compliance, the effectiveness of their control framework and their potential to realize business benefits. It's worth noting that the reverse is also true: An inefficient approach to meeting the requirements bloats compliance costs, provides an unsound unsound said of an animal, usually a horse, which has been examined for soundness and found to be unsatisfactory. control framework and disables any potential business benefits. Suntron, a manufacturing services provider with 1800 employees, $370 million in revenues and plants across the U.S., has taken a strategic approach to its compliance efforts. Pete Harper, Suntron's CFO See Chief Financial Officer. , says, "We are taking the opportunity to drive ongoing process efficiencies and sustainable compliance practices, which is a key aspect of our management discipline and central to our commitment to customer and shareholder value." Harper expects to achieve 15-20 percent improvement in a number of processes as a result of this controls project and effort. Well-versed in Six Sigma Not to be confused with Sigma 6. Six Sigma is a set of practices originally developed by Motorola to systematically improve processes by eliminating defects.[1] A defect is defined as nonconformity of a product or service to its specifications. and process efficiency from his years at General Electric Co., Harper believes that the results will benefit the company, its shareholders and its customers. "We think our customers are important beneficiaries of our internal controls, and our approach is an important signal about our integrity, credibility and viability." Instead of approaching compliance as a project, he opted for a solution that automated au·to·mate v. au·to·mat·ed, au·to·mat·ing, au·to·mates v.tr. 1. To convert to automatic operation: automate a factory. 2. his risk assessment and process documentation efforts as required for Section 404 compliance but which also provides a platform for process efficiencies and best practices. Similar drivers compelled Linda Olinger, corporate controller at The Greenbrier greenbrier: see smilax. Cos. "We wanted to manage our 404 project effectively, but we need to transform compliance into a continuous practice within the company." Greenbrier is a railcar manufacturer and distributor comprised of a number of business units and divisions, with plants and facilities in the U.S., Canada, Mexico and Europe. The diversity of controls and processes between its manufacturing and leasing operations is significant, further complicated by the number of sales and leasing offices around the world. The ability to distribute responsibility and ownership are important aspects of moving from a project to a practice. Assigning risk assessment, controls documentation and assessment and sub-certifications responsibilities to locations and business units transforms "hunting and gathering" to a standard, inclusive process that accurately maps to the right control ownership and compliance responsibilities. Both Harper and Olinger share the belief that their initial approach should result in a sustainable platform upon which they can drive best practices. From Project to Sustainable Practice To move from a project effort to standard enterprise practice, many executives believe companies should invest in a systematic approach that enables documented activities to be instituted, executed, monitored, tested and demonstrated. Bala Iyer, a board member at Conexant, Invitrogen and Overture overture, instrumental musical composition written as an introduction to an opera, ballet, oratorio, musical, or play. The earliest Italian opera overtures were simply pieces of orchestral music and were called sinfonie. and recently retired CEO (1) (Chief Executive Officer) The highest individual in command of an organization. Typically the president of the company, the CEO reports to the Chairman of the Board. of Conexant, explains, "If this were all about getting a one-time-sign off, I'm not sure you need elaborate systems. But think about when policies change and you need to, in fact, demonstrate that you have controls in place that refer to new policies, and that you are in compliance with new policies. "When you have distributed operations Distributed Operations (DO) is a new warfighting concept being adopted by the United States Marine Corps and is being developed by their Warfighting Laboratory as a response to the changing environment of the Global War on Terror. around the world, and when you have changes in different parts of the world, it suddenly becomes a logistical lo·gis·tic also lo·gis·ti·cal adj. 1. Of or relating to symbolic logic. 2. Of or relating to logistics. [Medieval Latin logisticus, of calculation nightmare." Iyer believes the Conexant team has excellent controls and processes in place, so investing in a system wasn't about achieving robust controls for the first time. Its focus was on cost-effectively sustaining controls and management's visibility on their effectiveness as time goes on and the business changes. Suntron's Harper concurs that one of the biggest challenges to sustaining compliance is change in the business; his company acquires and divests plants and facilities to be responsive to changing demands. Like the processes and systems that enable confident and reliable financial reporting, Harper believes that internal controls also require a system infrastructure and processes to provide an accurate picture of the controls environment, enable management's assertions based on auditable facts and provide evidence for auditor examination. These systems can play a crucial role, notes Steve Biskie, assistant vice president of Internal Controls at Great-West Life & Annuity annuity: see insurance. annuity Payment made at a fixed interval. A common example is the payment received by retirees from their pension plan. There are two main classes of annuities: annuities certain and contingent annuities. , a provider of healthcare and financial solutions, with offices in 125 countries and over $3 billion in revenue. With its Canadian parent and diverse business, GreatWest has high expectations for its controls and compliance program. Biskie believes that the control framework and controls management must be responsive to acquisitions, divisional structural changes and to new management. For example, how does management--new management in particular --understand the risk that is designed in and come to conclusions on risk tolerance Risk Tolerance The degree of uncertainty that an investor can handle in regards to a negative change in the value of their portfolio. Notes: An investor's risk tolerance varies according to age, income requirements, financial goals, etc. or acceptance? Biskie believes that management needs visibility, not just to the controls in place, but to the risks and the cost/benefit decisions and choices implied by those controls. Single-dimension systems and the inability to extract and present a full picture to management fundamentally limit sustainability and visibility. Echoing this complexity, Nick Moore, retired chairman and CEO of PricewaterhouseCoopers and the financial expert on several boards, concludes: "You can band-aid your way through this, but it probably won't make the audit committee comfortable, and it shouldn't make management comfortable, either. You need a sustainable mechanism, and one that adds value over time." From Standard Practice to Best Practice SEC and auditor standards will require companies to shift beyond the project approach to a standard practice. Standard practice demands that companies drive cost efficiencies for compliance without compromising the integrity of the controls. These efficiencies come from reducing overhead and redundancies and by reducing the costs of recordkeeping and external audits. Control integrity is maintained through genuine participation from control owners and effective monitoring and transparency. Best practices are achieved when the systems and processes of compliance are used to drive value above and beyond compliance. These benefits drive shareholder and customer value and create competitive advantage for companies. The hallmarks include: 1. A COMMON METHODOLOGY FOR SECTION 302 DISCLOSURE CONTROLS AND 404 INTERNAL CONTROLS. A best practice applies a common standard of adequacy and visibility for both disclosure and internal controls. Disparate approaches are unlikely to withstand future litigation An action brought in court to enforce a particular right. The act or process of bringing a lawsuit in and of itself; a judicial contest; any dispute. When a person begins a civil lawsuit, the person enters into a process called litigation. tests. With equivalent adequacy standards and a common platform, companies can reduce their exposure to litigation and reduce their costs of compliance while earning high marks with shareholders. 2. FULL IMPLEMENTATION OF A PRINCIPLE-BASED FRAMEWORK. By thinking beyond the controls over financial reporting to ethics and integrity, communications, monitoring and information system controls, management has the opportunity to inculcate in·cul·cate tr.v. in·cul·cat·ed, in·cul·cat·ing, in·cul·cates 1. To impress (something) upon the mind of another by frequent instruction or repetition; instill: inculcating sound principles. good governance The terms governance and good governance are increasingly being used in development literature. Governance describes the process of decision-making and the process by which decisions are implemented (or not implemented). as a component of corporate citizenship Corporate Citizenship The extent to which businesses are socially responsible in meeting legal, ethical and economic responsibilities placed on them by shareholders. The aim it to create higher standards of living and quality of life in the community in which it operates, while . A number of adjacent rules, additional compliance requirements Compliance requirements are a series of directives established by United States Federal government agencies that summarize hundreds of Federal laws and regulations applicable to Federal assistance (also known as Federal aid or Federal funds). and best practices fall within the purview The part of a statute or a law that delineates its purpose and scope. Purview refers to the enacting part of a statute. It generally begins with the words be it enacted and continues as far as the repealing clause. of a principle-driven framework so management can have consolidated means and methods of oversight. 3. AN ACCURATE COMPLIANCE INDEX AND AUTHENTIC CONTROL INDICATORS AVAILABLE TO MANAGEMENT. By truly utilizing the risk and controls information acquired and aggregated throughout the 404 assessment process, management can understand risk in the business and how it is impacted by environmental and decision changes. By continuing to employ this information, management can increase its velocity and profitability. The transition from a compliance project to standard compliance practices is a necessary precursor precursor /pre·cur·sor/ (pre´kur-ser) something that precedes. In biological processes, a substance from which another, usually more active or mature, substance is formed. In clinical medicine, a sign or symptom that heralds another. to auditor testing because it signals the operating integrity of the company's control framework. It is also an important signal to management on the sustainability and reliability of the controls and information flow and integrity. Companies that move beyond reliable controls and aspire to aspire to verb aim for, desire, pursue, hope for, long for, crave, seek out, wish for, dream about, yearn for, hunger for, hanker after, be eager for, set your heart on, set your sights on, be ambitious for best practices and business advantage reap the rewards of lower risk, higher shareholder and customer satisfaction, process and compliance efficiencies and greater executive responsiveness. It's evident that nowhere is the tone at the top more demonstrable de·mon·stra·ble adj. 1. Capable of being demonstrated or proved: demonstrable truths. 2. Obvious or apparent: demonstrable lies. than a company's approach to compliance. And, those companies that are converting compliance to an asset and realizing the advantage that it presents build both credibility and value for their shareholders. Vani Kola kola: see cola. is CEO and President of Nth Orbit, a San Jose San Jose, city, United States San Jose (sănəzā`, săn hōzā`), city (1990 pop. 782,248), seat of Santa Clara co., W central Calif.; founded 1777, inc. 1850. , Calif.-based provider of software solutions for compliance and controls. She can be reached at vani.kola@nthorbit.com or 408.423.4680. |
|
||||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion