
Cutting Sarbanes-Oxley costs without cutting compliance.

Since it was passed, the cost of complying with the Sarbanes-Oxley Act of 2002 (and its associated rules and standards) has been a source of consternation for executives at many public companies. Costs have settled a bit now, but still remain too high in the minds of many executives and boards. Deloitte estimates that current compliance costs roughly correlate to a company's gross revenues--about $1 million in expense per $1 billion in revenue.

Exacerbating the issue are the realities of the business environment and expectations placed on senior executives--especially CFOs--to achieve lean operations through aggressive structural cost-cutting. Compliance-related expenses are seen by many as placing U.S. companies at a competitive disadvantage; as such, reducing related costs is on the agenda of many top executives and boards.

Thus, CFOs may find themselves in a quandary: cutting costs may jeopardize compliance, upset their audit committee or cause a material breakdown in controls; while ignoring costs may displease their management, worry stakeholders and analysts and kill the ability to enhance the company's competitiveness.

Control Rationalization

One approach can be found in the concept of Control Rationalization. Control Rationalization (CR) starts with identifying the most effective and efficient controls needed to achieve compliance and streamline efforts. For these controls, risk-based considerations are used to drive efficiency in testing. Early steps include detecting and eliminating unnecessary controls. Equally important, opportunities for improving control design and automating manual controls are targeted.

The program is based on two principles: a top-down, risk-based approach and a lean and balanced control design. A top-down, risk-based approach is founded on the notion that not all accounts, transactions and risks are equally important. One should not only consider the relative significance of these items, but also factor in some related concerns, including the nature of the business; the inherent riskiness of transactions, processes, controls and technologies; and the effectiveness of the organization's human resources.

A lean and balanced control design emphasizes a holistic view in the design and application of controls. Early on, some companies initiated their compliance efforts with a bottom-up approach, treating all controls as equal, regardless of the underlying risk profile. They tested a large number of controls at the routine level (which usually address relatively lower risks), often resulting in a disproportionate control structure.

For example, in the accounts payable process, many companies documented and tested numerous controls around disbursements--a generally routine category that is usually automated and often relatively low risk. Far greater risks may exist elsewhere, such as in the process for estimating accrued liabilities at the end of the month, which is a manual process involving significant judgment that should receive greater and more focused control attention.

CR entails a structured, four-step approach. While the process is far too detailed for the scope of this item, a snapshot of the process follows:

* Phase 1: Apply Top-Down, Risk-Based Approach to Re-Scoping. Begin with a risk assessment to identify financial reporting risks. Next, the design of relevant controls is evaluated, starting with company-level controls and proceeding down to the identification of significant accounts, key groups of transactions and related processes and, finally, to the evaluation of individual controls.

* Phase 2: Rationalize Existing Controls and Redesign Test Plans. Here, opportunities to improve and enhance the design of controls are identified. Controls that address multiple control objectives are favored over those addressing single objectives; automated controls are given preference over manual controls. Redundant controls are identified and eliminated, as appropriate. These activities should yield a "rationalized" set of controls for compliance testing purposes, which also can help isolate the converse: controls unnecessary to test for compliance purposes are "scoped out."

The next step is to apply a risk-based approach toward testing. Risk-based test plans vary the nature (which controls are being tested? how are the tests conducted?), timing (at what point or how many times during the year are the tests conducted?) and extent (how numerous and extensive are tests?) of testing based on the risk being addressed. This can enable companies to direct their resources to testing controls related to the highest risk areas, which should receive far greater attention than those addressing lower risks. Thus, high-risk areas should: usually undergo the most extensive testing, using a greater number of sample selections; be tested by objective and competent resources (which may often be the internal audit group); and be tested closer to year-end. Medium- and low-risk areas can: be tested through the application of fewer selections; be tested at any time during the year; and be tested through self-assessment to a greater degree.

* Phase 3: Leverage Automated Controls and Enabling Technology. Properly implemented, automated controls are less prone to error or manipulation or other potential performance problems that are associated with people-based controls. Thus, to the greatest extent possible, companies should seek to replace manual controls with automated controls.

In addition to being more reliable, automated controls can decrease costs by positively impacting the extent, nature and timing of testing. Thus, fewer sample items may be necessary because the likelihood of an exception is low (extent); automated controls can be easier to test than manual controls (nature); and certain application controls can be benchmarked so that testing frequency can be rotated over a reasonable period of time (timing).

* Phase 4: Standardize and Centralize Processes. Another reason behind the high cost of compliance is the unnecessary complexity around systems, processes and locations faced by many companies. Growth through acquisition can leave companies with an assortment of processes and technologies that have never been standardized.

Compared to the benefits from Phases 1-3, the payoff from standardizing and centralizing disparate processes and controls can be significant. Of course, so may be the investment. Hence, most companies view standardizing and centralizing processes as longer-term strategic objectives.

Typical activities in this phase include consolidating enterprise resource planning (ERP) systems, standardizing business activities and deploying shared services. The potential value derived from these activities extends beyond compliance into operational efficiencies and improvements, and any investment in these areas cannot be justified entirely on the basis of compliance. However, centralization can offer the type of scale that enables companies to deploy controls-related technology efficiently, and in doing so help create a sustainable internal control program.

Control Rationalization should be viewed as a continuous process, to be integrated into the regular routines of the business. Equally important, it should be applied to singular events such as mergers and acquisitions, cost-reduction programs and business process improvements. By fully integrating CR in this manner, companies can position themselves to drive sustained, continuous improvement to their program and potentially realize significant cost reductions.

Contributed by John Gimpert, a partner in the Assurance and Enterprise Risk Services business at Deloitte & Touche LLP, where he co-leads the Sarbanes-Oxley Steering Committee. He can be reached at 312.486.2591 or
COPYRIGHT 2006 Financial Executives International
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2006, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:financial REPORTING
Author:Heffes, Ellen M.
Publication:Financial Executive
Geographic Code:1USA
Date:May 1, 2006