Cutting Sarbanes-Oxley costs without cutting compliance.
Exacerbating the issue are the realities of the business environment and expectations placed on senior executives--especially CFOs--to achieve lean operations through aggressive structural cost-cutting. Compliance-related expenses are seen by many as placing U.S. companies at a competitive disadvantage; as such, reducing related costs is on the agenda of many top executives and boards.
Thus, CFOs may find themselves in a quandary: cutting costs may jeopardize compliance, upset their audit committee or cause a material breakdown in controls; while ignoring costs may displease their management, worry stakeholders and analysts and kill the ability to enhance the company's competitiveness.
One approach can be found in the concept of Control Rationalization. Control Rationalization (CR) starts with identifying the most effective and efficient controls needed to achieve compliance and streamline efforts. For these controls, risk-based considerations are used to drive efficiency in testing. Early steps include detecting and eliminating unnecessary controls. Equally important, opportunities for improving control design and automating manual controls are targeted.
The program is based on two principles: a top-down, risk-based approach and a lean and balanced control design. A top-down, risk-based approach is founded on the notion that not all accounts, transactions and risks are equally important. One should not only consider the relative significance of these items, but also factor in some related concerns, including the nature of the business; the inherent riskiness of transactions, processes, controls and technologies and the effectiveness of the organization's human resources.
A lean and balanced control design emphasizes a holistic view in the design and application of controls. Early on, some companies initiated their compliance efforts with a bottom-up approach, treating all controls as equal, regardless of the underlying risk profile. They tested a large number of controls at the routine level (which usually address relatively lower risks), often resulting in a disproportionate control structure.
For example, in the accounts payable process, many companies documented and tested numerous controls around disbursements--a generally routine category that is usually automated and often relatively low risk. Far greater risks may exist elsewhere, such as in the process for estimating accrued liabilities at the end of the month, which is a manual process involving significant judgment that should receive greater and more focused control attention.
CR entails a structured, four-step approach. While the process is far too detailed for the scope of this item, a snapshot of the process follows:
* Phase 1: Apply Top-Down, Risk-Based Approach to Re-Scoping. Begin with a risk assessment to identify financial reporting risks. Next, the design of relevant controls is evaluated, starting with company-level controls and proceeding down to the identification of significant accounts, key groups of transactions and related processes and, finally, to the evaluation of individual controls.
* Phase 2: Rationalize Existing Controls and Redesign Test Plans. Here, opportunities to improve and enhance the design of controls are identified. Controls that address multiple control objectives are favored over those addressing single objectives; automated controls are given preference over manual controls. Redundant controls are identified and eliminated, as appropriate. These activities should yield a "rationalized" set of controls for compliance testing purposes, which also can help isolate the converse: controls unnecessary to test for compliance purposes are "scoped out."
The next step is to apply a risk-based approach toward testing. Risk-based test plans vary the nature (which controls are being tested? how are the tests conducted?), timing (at what point or how many times during the year are the tests conducted?) and extent (how numerous and extensive are tests?) of testing based on the risk being addressed. This can enable companies to direct their resources to testing controls related to the highest risk areas, which should receive far greater attention than those addressing lower risks. Thus, high-risk areas should: usually undergo the most extensive testing, using a greater number of sample selections; be tested by objective and competent resources (which may often be the internal audit group); and be tested closer to year-end. Medium- and low-risk areas can: be tested through the application of fewer selections; be tested at any time during the year; and be tested through self-assessment to a greater degree.
* Phase 3: Leverage Automated Controls and Enabling Technology. Properly implemented, automated controls are less prone to error or manipulation or other potential performance problems that are associated with people-based controls. Thus, to the greatest extent possible, companies should seek to replace manual controls with automated controls.
In addition to being more reliable, automated controls can decrease costs by positively impacting the extent, nature and timing of testing. Thus, fewer sample items may be necessary because the likelihood of an exception is low (extent); automated controls can be easier to test than manual controls (nature); and certain application controls can be benchmarked so that testing frequency can be rotated over a reasonable period of time (timing).
* Phase 4: Standardize and Centralize Processes. Another reason behind the high cost of compliance is the unnecessary complexity around systems, processes and locations faced by many companies. Growth through acquisition can leave companies with an assortment of processes and technologies that have never been standardized.
Compared to the benefits from Phases 1-3, the payoff from standardizing and centralizing disparate processes and controls can be significant. Of course, so may be the investment. Hence, most companies view standardizing and centralizing processes as longer-term strategic objectives.
Typical activities in this phase include consolidating enterprise resource planning (ERP) systems, standardizing business activities and deploying shared services. The potential value derived from these activities extends beyond compliance into operational efficiencies and improvements, and any investment in these areas cannot be justified entirely on the basis of compliance. However, centralization can offer the type of scale that enables companies to deploy controls-related technology efficiently, and in doing so help create a sustainable internal control program.
Control Rationalization should be viewed as a continuous process, to be integrated into the regular routines of the business. Equally important, it should be applied to singular events such as mergers and acquisitions, cost-reduction programs and business process improvements. By fully integrating CR in this manner, companies can position themselves to drive sustained, continuous improvement to their program and potentially realize significant cost reductions.
Contributed by John Gimpert, a partner in the Assurance and Enterprise Risk Services business at Deloitte & Touche LLP, where he co-leads the Sarbanes-Oxley Steering Committee. He can be reached at 312.486.2591 or firstname.lastname@example.org.
Title Annotation: Financial Reporting
Author: Heffes, Ellen M.
Date: May 1, 2006