Technology & compliance: looking at the big picture of Sarbanes-Oxley.
For most companies, initial compliance has focused on Sec. 404, which places responsibility on management "for establishing and maintaining an adequate internal control structure and procedures for financial reporting."
The tools companies use vary from Excel spreadsheets to Word documents to specific SOX compliance tools that are too numerous to list. The cost for these specialized compliance tools can range from $1,500 to more than $100,000.
The majority of the technology, regardless of the cost, has a static-point compliance focus for a given reporting cycle. Most companies have had key concerns and have focused on documentation requirements and accuracy to meet initial compliance.
To this end, any and all of the compliance tools have some value. However, there are company management teams that believe the costs incurred for SOX compliance have been excessive, and considerably greater than the benefits received.
This conclusion can be attributed partially to a nearsighted focus on SOX implementations employed by many of these management teams, which--per published polls and interviews conducted for this article--still seem to hold the view that internal controls and related governance activities are little more than a necessary evil.
Further, there has been little confidence placed in technological solutions leading the charge.
A recent CFO Research Services study titled "The Convergence of Compliance and Performance Management" states: "Compliance efforts may well strengthen business processes, but the cost of such initiatives--both in dollars and in managerial attention--makes some senior finance executives very reluctant to endorse compliance as a source of performance improvement.
"One senior finance executive among our interviewees worries that regulatory compliance may actually hurt his company's performance, due to its high costs. 'Overall, compliance probably does help us manage performance,' he says. 'But it may also hurt our financial results, because the costs of compliance are so high.'"
In the article "Unintended Consequences" in the January/February 2005 issue of CEO Magazine, several CEOs voiced complaints about SOX, including:
* Time CEOs spent on compliance issues, when it should be focused on customers and company strategy;
* Fear of board members to serve; and
* Board members' apprehension to approve strategic risk-taking.
In the article, several of those surveyed indicate that when possible, some smaller companies that are able to privatize will do so to get out from under SOX.
FOCUS ON THE FRAMEWORK
What seems to be missed by many as they tackle SOX compliance is that the Treadway Commission's framework focuses on compliance as a process as opposed to independent compliance tasks unrelated to the rest of the organization's functions.
In this spirit, setting compliance-focused goals, defining associated risks and developing and implementing documented, tested controls to address defined risks should be part of an entity's strategic planning process. This incorporates SOX into the overall strategic planning process that many businesses have employed for years.
[FIGURE 1 OMITTED]
The primary difference is that, rather than just focusing on revenue, profits and cost controls, today's focus is enhanced to include controlling financial reporting and fraud prevention; risk assessment as it applies to efficiency and effectiveness in the use of an entity's assets; and appropriate documentation and visibility over the associated internal controls by upper management.
The outcome is transparency to all stakeholders that is systematically incorporated as part of the overall strategic planning and business operations process.
SOX TECH SUPPORT
Within this context, technology support for SOX is in line with the issues of strategy and operations management.
This area has been a software hotbed for several years. Companies have been evaluating and purchasing software solutions, including ERP systems; data warehouses and data marts; analytical tools; budgeting and planning applications; OLAP; and reporting tools and applications, among others, to better manage internal operations as they relate to strategic goals and stakeholder/shareholder wealth maximization.
Within the focus of compliance and governance there are four approaches to which several software applications, tools and platforms have emerged:
* Generic applications that enhance controls;
* Documentation management and workflow;
* Data mining, file retrieval, pattern recognition and business intelligence; and
* Business performance management and real-time compliance.
To date, all but one of the approaches have addressed SOX compliance, particularly as it relates to Sec. 404, as "single pass" static compliance-focused solutions.
The result is that key management can sign the financial statements knowing that they are in compliance as stated in the financial reports, i.e., all business processes are documented, communicated and secure; financial reports are free from material misstatements and fraud; and internal controls are in place and operating as designed to ensure these claims.
The shortcoming is that each year the same process is repeated for the next fiscal period, much like the initial compliance exercise, because ongoing compliance is neither scheduled nor treated as an ongoing process. This creates gaps in visibility of the status of internal controls, and creates additional difficulty in meeting Sec. 409 notification requirements regarding "significant" events that impact the entity's value within a set number of days from occurrence.
To meet the requirements, providers within each of the four classes of software have developed solutions to meet the compliance issues based on their core competencies. To cover requirements outside of their core competencies, they customize existing applications.
For example, document management solutions specialists provide excellent documentation support, but are considerably less proficient in providing risk assessment and business process mapping capabilities. Data warehousing and ERP solutions provide high visibility of financial reporting and transaction controls, but are weak in delivering process flow tracking. To address process flow mappings and documentation management needs, they require third-party add-on utilities.
Several business intelligence and reporting tools unimpressively address aspects of the previous two, by importing information from various sources to present a static picture in time, but are short on process management. Moreover, ongoing compliance is not addressed.
Companies would be wise to consider business performance management and real-time, compliance-based solutions as an approach to satisfying SOX compliance requirements on an ongoing basis. Solutions implemented with such an approach address compliance by employing a framework with strategic focus that defines goals; identifies associated risks; institutes controls to manage the risks; and monitors performance using ongoing, regularly scheduled reviews.
Such solutions use a business process platform to combine process flows with benchmarking. And compliance-focused scorecards juxtapose to strategic planning scorecards and strategy maps to create the most complete documented approach.
They track and schedule processes with historical comparisons and employ performance alerts driven by integrated benchmarking. They are driven by a scorecard framework integrated with process-engineering flowcharts that are linked to supporting documentation. Company management teams then employ dash-boards and portals to manage the oversight of the process.
This approach provides a value-added aspect by tying controls and documentation requirements under SOX to process efficiency improvements that can have a direct positive impact on the bottom line.
Operating inefficiencies often are the first findings spotted by an internal control review, even if the controls themselves are free of material weaknesses or lesser deficiencies under SOX. A process of ongoing evaluation is critical here.
Tracking and scheduling processes with historical tracking and appropriate documentation attachments--enhanced with alerts driven by integrated benchmarking and scorecarding--reduce the effort; increase the visibility of an operation's efficiency and effectiveness; and ultimately improve the cost/benefit factor of compliance.
In January 2005, we interviewed a large defense contractor and a closely-held cement manufacturer regarding SOX compliance. For both companies, relying on technology was important, but their outcomes were considerably different.
The defense contractor used a SOX specialty solution in which the core competency was document management. The solution met the company's needs from a documentation standpoint, but other aspects dealing with ongoing monitoring of compliance and performance did not receive the same high marks. The company indicated that its initial compliance process was very challenging in light of a large government contract base as part of its business, and that its costs were considerable in both dollars and staff time.
The experience at the closely-held cement manufacture was much different.
Though a closely-held company and not required to conform under SOX, it chose to do so as part of its internal control structure. Instead of using a SOX specialty solution, the company used generic tools that enhanced controls--spreadsheets, word documents, etc. It discovered early that its current systems were virtually in compliance with the COSO framework.
To meet SOX requirements, the company only needed to make a few changes to its board's structure and create a couple of committees. It also needed to make minor enhancements to documentation.
The company already had the primary goal/risk assessment/internal controls framework in place as part of its operations. The company's entire compliance effort took less than six months and included only minor cost additions in dollars and staff time.
Technology will continue to play a big roll in SOX compliance and solutions will evolve into an approach that uses collaborative-based platforms that combine business process flows with a portal-based scorecard/benchmarking analysis as they relate to compliance and business performance.
Management's challenge is to recognize that the usefulness of solutions from a cost-benefit analysis is only part of the game. The goal is not just to be SOX compliant, but to add value through improved visibility of operations process flows that enable process improvements that ultimately lead to more efficient and effective operations.
Future solutions will likely provide support through improved enterprise risk management, i.e., better assessment and application of entity resources and capital with better controls and higher visibility of their performance.
This may become the first step in a "continuous assurance" auditing process--ongoing auditing that enables external auditors to objectively monitor company operations throughout the year.
The result will be greater transparency to the various entity stakeholders and more complete and timely management information support to achieve the entity's goals.
BY WILLIAM BRAUN, CPA AND RICK E. NORRIS, CPA
William Braun, CPA, MBA, MIM and Rick E. Norris, JD, CPA are principals with Los Angeles-based Decision Point Solutions LLC, which designs and implements compliance monitoring solutions. You can reach them at firstname.lastname@example.org and email@example.com.
|Printer friendly Cite/link Email Feedback|
|Author:||Norris, Rick E.|
|Date:||May 1, 2005|
|Previous Article:||Set apart: CITP gives CPAs an edge.|
|Next Article:||Break free: a user's guide to wireless technology today--and tomorrow.|