The value proposition: there's more to Sarbanes-Oxley compliance than meets the eye.
With studies showing that well-governed companies pay off handsomely for shareholders, CPAs can help their employers benefit from the lessons learned by companies that approached Sarbanes-Oxley compliance as a stepping-stone to more comprehensive improvements. These entities upgraded technology and business processes and took the opportunity to change how the company functioned; new methods of doing business frequently result in cost savings. While management and audit executives' crystal balls don't yet clearly show that the cost savings balance the full cost of compliance, the excitement around possibilities for the future is palpable.
AUDIT COMMITTEE CONFIDENCE
As the surveys accumulated by Institutional Shareholder Services show (see "Sarbanes-Oxley Payback," page 78), many managers and directors see Sarbanes-Oxley as a positive experience. The company-wide review of processes and the required documentation increased internal transparency and provided a common language for employees in diverse departments and functions. CPAs looking to add value to the extra hours of work should help their companies realize the benefits of formalizing process documentation. Companies can find additional uses for Sarbanes-Oxley documentation as a tool for audit committees, a way to enhance employee decisions based on cross-function process information and a means of increasing efficiencies by eliminating duplicate controls.
As did the majority of respondents in the surveys, the board of Little Rock, Ark.-based Alltel Corp. found Sarbanes-Oxley created useful tools. Alltell documented 100 company processes within the scope of the act. Brandi Joplin, CPA, vice-president of internal audit, led the team that mapped out the key areas in each process such as purchasing or payables. "We were early COSO adopters in 1992 and always believed we had strong internal controls," Joplin says. "But we found consistent process documentation of the controls across the entire company created even greater value."
CPAs and internal auditors who now report directly to the board of directors audit committee can use the section 404 documentation as a basis for discussion. Alltel's internal audit team reports to the company's audit committee. Its process documentation includes six flowcharts per process, supported by memos and narratives. The audit committee can use this information to support its decisions. "It can look across business cycles and drill down into various processes," Joplin says. "Committee members now have insight into what's really going on and the information they need to ask very specific questions."
Similarly the audit committee at global energy company USEC Inc. focuses on the broader goal of good corporate governance resulting from Sarbanes-Oxley compliance. From the beginning USEC internal audit and senior management focused beyond compliance to the value proposition Sarbanes-Oxley represented. CPAs can follow USEC's five-step process in exhibit 1, page 79.
According to Barry Mumford, CPA, CMA, director of auditing for USEC in Bethesda, Md., while section 404 compliance means financial reporting should be more reliable, the broader definition of "internal control" includes two other elements: the effectiveness and efficiency of operations, and compliance with applicable laws and regulations. Together they make up the full value proposition. "Many companies are focused on reliable financial reporting," he says, "but in our opinion addressing only one of the three elements leaves most of the value on the table."
Sarbanes-Oxley compliance creates value for a broad base of stakeholders. Audit committees clearly will find the documented processes helpful in making sound business decisions. However many companies feel the compliance process has helped to streamline communication for decision making at many other levels.
CPAs should focus their company's attention on the value of company-wide participation in instituting and documenting the required controls. Joplin reports that with the 100 company processes within the scope of Sarbanes-Oxley, Alltel "focused on the handoffs between functions, each of which makes sure that when their flowchart stops, the next one picks up. This takes us way beyond the silo look at processes."
Alltel created the flowcharts in the third phase of its Sarbanes-Oxley compliance. The company had started immediately on the compliance process in 2002; in 2003 it enhanced and added more processes and tweaked procedures. In 2004 it added flowcharts and narratives to the documentation. "We averaged 6 to 10 flowcharts with each process. Each box has an accompanying narrative that tells what's going on within the process," Joplin says. "Now anybody anywhere in the organization can pick up the documentation and see key areas in a flash."
The result is that employees across functions now speak the same language. When issues arise in meetings, the first question addressed is what risk the process is trying to control. "It's impossible to put a price on the value of what we've gained in terms of consistent process documentation, or the common language of assessing risk and controls," Joplin says. "I can see our personnel have incorporated the assessment process into their day-to-day decision making."
Standardized controls and procedures force managers to think carefully about deviating from the process. For instance, customizing a billing format for one customer needs to be justified by better pricing, a quicker cash flow cycle or greater market share. "Companies are realizing they better have a good business reason for deviating from a standard," says Richard Roth, CPA, chief research officer of the Hackett Group in Atlanta. "In today's environment that deviation adds both cost and risk."
MORE EFFICIENT PROCESSES
Assessing each process during compliance forced companies to consider how and why they were doing things. Sometimes the choice was to change processes; other times companies eliminated duplication. "Sarbanes-Oxley compliance activities caused board and senior-level executives to think about how their companies were organized," Roth says. "Some decided they weren't a portfolio of companies but an integrated business and others chose the opposite scenario."
CPAs will find that clarifying the business model can influence bottom-line results as well as produce less tangible benefits. Roth gives the example of one client that had six production divisions and three reporting lines. One issue the company looked at was the complexity of the CFO'S reporting to one boss for functional matters, to another as the head of each product division and to a third based on geography. The section 404 documentation process forced the board and senior-level executives to decide whether they wanted an integrated business or a segmented portfolio of companies. "The company wanted to balance closeness with its customers with the desire to have an efficient business model for maximum leverage," he says. Ultimately they decided to streamline reporting according to customer lines.
Another area of possible streamlined company activities is eliminating control points that duplicate efforts. CPAs can lead the discussion of organizational alignment as part of the greater good of Sarbanes-Oxley compliance. Process or control duphcation is particularly common among companies that grew by acquisition, or that automated systems without revising manual processes. Procedures still might call for verification of a paper document that no longer exists because the process is fully automated. "Some companies are finding a plethora of control points they no longer need," says Roth.
The Hackett Group's 2004 Finance Book of Numbers shows that more than two-thirds of companies were confident with their financial forecasting and reporting outputs. Only 9% had made the same claim a year before. "We have clients that had internal control built into their processes all along," says Roth, "but that was only 10% to 15% of all companies."
There are some contrary views about the benefits of Sarbanes-Oxley compliance, however. Richard Piluso, CPA, vice-president of internal audit for Loews Corp. in New York City, says he personally does not think compliance can be linked to any improved financial performance. Loews is a holding company of diverse interests, including CNA Insurance and the Loews Hotels. "We put a lot of hours into compliance and spent a lot of money," he says. "Out of the thousands of controls we reviewed, we found some minor gaps that were readily addressed."
The 25-some people in the financial department of the company's home office handle matters at the holding-company level, but each subsidiary is an independent cost center. Five of the companies are publicly traded and have individual Sarbanes-Oxley accountability. "The vast majority of Fortune 1000 companies already had top-notch financial departments and a control environment in place," says Piluso. "The fallacy of Sarbanes-Oxley is that in most of the high-profile SEC investigations, management simply overrode the controls."
THE GOOD GOVERNANCE PREMIUM
The real intent of Sarbanes-Oxley is to create better-governed public companies. Effective corporate governance creates real value for shareholders. Studies show investors are willing to pay a premium for companies with independent boards, transparent processes and clear financial disclosures.
Shareholders will find further benefits in increased profitability. Rating agencies' reports are beginning to look more like corporate governance report cards. The resulting higher credit ratings mean lower interest costs. One 2004 study, "The Effects of Corporate Governance on Firms' Credit Ratings" by the Social Science Research Network, found credit ratings were positively related to the degree of financial transparency. Companies received higher credit ratings when they followed practices related to good governance, such as weaker shareholder rights in terms of takeover defense, board independence and a high level of board expertise. Conversely, low credit scores were linked to companies with bad governance conditions such as a CEO with too many close relationships to board members.
CPAs will find unexpected benefits in sharing the Sarbanes-Oxley infrastructure with other departments. The process of mapping and aligning risk, instituting controls to ensure compliance with regulations and then documenting the processes can be applied to compliance with diverse regulations such as labor and employment regulations or environmental protections. USEC, for example, must comply with these regulations, as well as with the rules of the Nuclear Regulatory Agency. "Additional departments here are beginning to apply the Sarbanes-Oxley infrastructure to ensure compliance with other laws and regulations," says Mumford.
It's a fact that companies that want to continue trading on the public stock exchanges can't get away from the new regulations. Like many auditors and finance professionals, Brandi Joplin goes beyond the necessary to look for overriding benefits. (See exhibit 2, at right, for Joplin's checklist of benefits.) "Sarbanes-Oxley compliance is a lot of work. There's no way to get around it, and it costs money," she says, "but there are counterbalancing benefits when companies focus on the value in the process."
THE BENEFITS SHOW
The attitude of many CPAs toward Sarbanes-Oxley compliance sounds much like the old saw, "If you can't beat 'em, join 'em." Once they are through with the mountain of work involved with initial compliance, the benefits of improved decision making, more efficient processes and cross-departmental applications inherent in the Sarbanes-Oxley infrastructure might begin to show through for a broader range of U.S. companies.
CPAs can use the documentation to provide audit committees with more detailed information, to empower all employees to consider cross-functional processes and to lead the entire company in using section-404-type documentation. Since there is no way to avoid the cost, companies might just as well find ways to spread the expenditures over this greater array of benefits.
* CPAs CAN HELP COMPANIES USE SARBANES-OXLEY compliance as a stepping-stone to improved decision making, more efficient processes and greater confidence in financial reporting. Some of these improvements may help companies offset the high cost of complying with the act.
* PROCESS DOCUMENTATION CAN HELP AUDIT committees better understand the activities under their control and enhance their decision making by enabling them to drill down further into various processes.
* A CLOSE EXAMINATION OF CONTROL PROCESSES enables companies to improve them and eliminate duplication. Documenting standardized procedures forces managers to think carefully before they deviate from the process, minimizing a company's exposure to risk.
* NOT EVERY COMPANY SEES VALUE-ADDED BENEFITS from Sarbanes-Oxley compliance. Some well-run companies found only minor gaps they were able to address easily. Many high-profile scandals occurred not because of an absence of controls but because management overrode the controls that were in place.
* AS SARBANES-OXLEY CREATES BETTER-GOVERNED companies, studies show investors are willing to pay a premium for companies with independent boards, transparent processes and clear financial disclosures. Better corporate governance also is translating into higher credit ratings and thus lower interest costs, which boost profits.
Costs are high:
* When final numbers are in, the costs of first-year section 404 compliance could exceed $4.6 million for each of the largest U.S. companies.
* The average cost of being a public company with revenue under $1 billion rose $1.6 million, or 130%, since the Sarbanes-Oxley era began.
But value is there:
* More than 60% of 153 directors surveyed said Sarbanes-Oxley had been positive for their companies; nearly 70% saw it as positive for their boards.
* Nearly 70% of directors said recent governance reforms had improved board governance "a lot" (28%) or "moderately" (41%).
* Some 64% of CFOs and managing directors at U.S. companies saw Sarbanes-Oxley as part of a larger corporate governance initiative.
Source: "Second Anniversary: The Impact of Sarbanes-Oxley," Institutional Shareholder Services, www.issproxy.com.
* Use Sarbanes-Oxley compliance documentation to develop tools the audit committee can use to make decisions and better understand control processes.
* Use the results of the Sarbanes-Oxley compliance process to initiate a discussion of controls that can be eliminated or streamlined because of unnecessary duplication.
* Use process mapping and other compliance activities to help the company better meet other laws and regulations it must follow.
Exhibit 2: Benefits Checklist
[check] Show audit committees the value of process transparency.
[check] Use Sarbanes-Oxley documentation to improve employee decision making.
[check] Eliminate duplicate controls.
[check] Note increased confidence in financial reports.
[check] Streamline processes through conscious examination.
[check] Track good governance premiums--higher share price and higher credit ratings.
CYNTHIA HARRINGTON is a freelance business writer. Her e-mail address is firstname.lastname@example.org.
|Printer friendly Cite/link Email Feedback|
|Publication:||Journal of Accountancy|
|Date:||Sep 1, 2005|
|Previous Article:||Limit practice liability: select your form of business and your associates with care.|
|Next Article:||New rules for expats: leaving America with dignity.|