
What will you do in Sarbanes-Oxley's second year?


As your company races to finish the work necessary to comply with Sarbanes-Oxley's Section 404, consider one simple question: Do you want the second year of compliance to be a replay of the first?

It's a question that will stop many financial executives dead in their tracks, because despite the substantial resources deployed on Section 404 compliance projects, the work was somewhat chaotic--and for some companies, it still is. For those with 2004 deadlines, the last few months couldn't be characterized as a marathon, but rather like a decathlon--replete with hurdles, sprints and pole-vaults, and culminating in a muscle-straining, vein-popping shot put.

But, endure you must, because, unlike other races, you can't just drop out of the Sarbanes-Oxley competition. So take a tip from this coach: The secret to prolonged success is not to run harder, but smarter. This means you must plan for, design and implement an efficient and effective program for sustainable compliance. What you did during the first year was necessary, but not sufficient for the long run.

Impending deadlines drove many Section 404 projects, with little time devoted to long-term planning. But as the calendar rolls around to year two, the breakneck pace slows, and some perspective can be attained. Here's some advice for sustaining compliance for year two and beyond:

* Throw away the Band-Aids. In year one, many applied a Band-Aid; in year two, more comprehensive treatment is required. Many, understandably, treated Section 404 compliance as a discrete project with a clearly defined ending point. But this "project" mindset is fallacious and hindering. There is, in fact, no end date for Section 404 compliance, any more than there's an end date for filing 10-Ks.

Thus, perspective needs to change. The tenets of good governance and internal control mandated by Sarbanes-Oxley must become integrated into the mission, culture and daily activities of your company; anything less comprehensive represents a stop-gap approach.

* Preparation. The journey involves moving from a 404 project mindset to a sustainable compliance program, to strong internal control as part of your company's DNA. The first leg of the journey got you to year-one compliance--neither the finish line nor the final destination. Continuing on to sustainable compliance will be much different from the first year's documentation, testing and remediation.

* Build processes. A triage approach may have been the only workable tactic during the first year, but over subsequent reporting periods, more order and structure need to be imposed. Ad-hoc techniques should yield to methodical ones; makeshift solutions should give way to integrated ones; and short-term thinking to long-term thinking.

Most important is the need to develop well-designed, repeatable, sustainable processes. Work more closely to integrate financial reporting and internal control. Just as you have a well-defined process for closing the books on financials, so, too, should you have a structure for closing your books on internal control.

* Reinforce your control environment. All employees should be dedicated to good corporate governance and strong internal control. Additionally, depending on company size, industry and other factors, certain staff may need to be dedicated--full- or part-time--to compliance.

Allegiance to the doctrine of corporate governance does not magically appear; it must be cultivated. Employees will embrace it only if they receive proper guidance, instruction and modeling. This is where the credo of "tone at the top" comes into play, and continuing education on Sarbanes-Oxley, business ethics, internal control and related topics is critical. Employee roles and responsibilities should be explicitly defined, repeatedly communicated, seamlessly integrated and closely monitored.

* Extricate internal audit. The internal audit function proved a lifesaver for many companies, providing key personnel for internal control assessment, testing and remediation work. But a problem can arise with continued reliance: The regular tasks of internal audit--operational, systems and special project work--suffer when the function is redeployed.

The solution? Either return to pre-Sarbanes-Oxley responsibilities, or significantly increase resources for the function to accommodate the additional workload.

* Address risk. Establishing a systematic risk identification and management program is an essential element of Section 404 compliance, and, unfortunately, an area that many take too lightly. Internal controls should be viewed from a risk-based perspective, and greater attention should be paid to potential high-risk areas. For example, control environment risks often present greater problems than more routine control areas such as payroll or accounts payable.

* Exploit technology. It is hard to believe that, two years ago, conventional wisdom held that Sarbanes-Oxley compliance would have little or no impact on information technology (IT). Nothing could have been further from the truth. IT is critical for achieving the goals of the Act, and the impacts and implications for IT are significant and pervasive.

Application-level controls and general computer controls have been a major focus of attention in year-one projects. Many companies have used technology to help manage their 404 efforts, and to provide a controls repository and an audit trail.

The biggest impact on IT lies ahead. Sustainable compliance has impacts throughout the IT application architecture, on IT governance and in IT business processes. Technology will enable the integration of financial and internal control monitoring and reporting, which will be key to most large and complex enterprises.

Imagine an internal control system fully integrated with financial monitoring and reporting systems, and a program that allows users to drill down from financial results to the underlying controls; or one that automatically flags exceptions, unauthorized entries and other anomalies. In most cases, the efficiencies gained by leveraging such technology will rapidly offset the implementation costs. The costs and risks of not automating to the fullest extent possible could be significant.

* Normalize change. If your company isn't changing, it probably isn't thriving. New products, expanded markets, shifting priorities, growing revenues--all of these, and more--are indicators of a dynamic organization. But while change is often a barometer of success, it can also be a harbinger of internal control headaches.

In this new era, virtually every change that your company undergoes will have an impact on internal control. Obviously, major events like a merger, acquisition or a new IT implementation will present significant compliance implications. But smaller, everyday occurrences--personnel moves, department restructurings, market shifts, process changes--will also have a ripple effect.

As a result of this natural and continuous evolution, many of the processes and procedures that were so painstakingly documented over the last year will be revised, redundant or retired over time as the company advances and grows.

Will this cycle of change repeatedly throw your company back to square one in terms of Sarbanes-Oxley compliance? Or will it have the adaptability and flexibility to respond to organizational, regulatory and market changes as they occur? Clearly, effective change monitoring and management will be critical to avoiding fire drills in years two, three and beyond.

Knowing compliance was not optional, but essential, you spent significant resources--time, talent, energy and money--on the 404 project. Now you have (or will have) a documented, assessed, tested and remediated internal controls program, and a better understanding of your internal controls. You also have gained valuable knowledge and insights about your data, processes, systems and organization. The 404 work has shed new light on challenges and opportunities for improvement.

This is an opportunity to leverage all you have learned. You are almost certain to find complexities in your data, processes and systems. Unnecessary complexity raises the cost of compliance and increases the risk of a breakdown in controls, and makes it harder to produce high-quality financial information. Reducing unnecessary complexity is a key to making compliance less painful and it's important in order to achieve value from your substantial investment in compliance.

Among the many positive outcomes of year one of the Sarbanes-Oxley era is the near unanimity among executives that they don't want to redo this process again. With the past as motivator, they will be inspired to fully integrate the principles of good governance into every corner of their organizations--infusing it in their philosophy and communications. The more completely that the notion of strong internal control seeps into the collective business psyche and influences decision-making and day-to-day activities, the smoother the road to sustained compliance will be.

Lee Dittmar is a Principal at Deloitte Consulting LLP and Leader of the Sarbanes-Oxley Integrated Service Offering. He can be reached at Idittmar@deloitte.com or 610.479.3952.


by Ellen M. Heffes
COPYRIGHT 2004 Financial Executives International
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2004, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.


Article Details
Title Annotation:financial reporting
Author:Dittmar, Lee
Publication:Financial Executive
Geographic Code:1USA
Date:Nov 1, 2004
Words:1377