Thursday, December 30, 2004
Transaction Integrity Monitoring
Executives shoulder the responsibilities for both corporate earnings and the integrity of those financial results. In today's highly scrutinized business environment, executives face demanding regulations that impose runaway compliance costs that make compliance an expense rather than an investment. However, good corporate governance should improve your bottom line - not someone else's.
Oversight Systems reduces the cost of ongoing Sarbanes-Oxley compliance by continuously monitoring key controls required for Section 404 certification. With its real-time Transaction Integrity Monitoring solutions, Oversight addresses the tangible costs of controls testing and remediation along with the opportunity costs associated with the internal distractions of compliance.
Oversight catches errors, fraud and internal control issues early in the transaction process so that corrections can be made before time is wasted duplicating and reversing work, before money is lost and before controls are deemed deficient. By identifying the root-cause of control violations and errors in real time, Oversight allows companies to improve the quality of their earnings, ensure accountability, enhance business processes and remediate any weaknesses for regulatory compliance.
posted by Brian Moran @ 9:30 AM
Wednesday, December 29, 2004
KPMG told Fannie Mae of 'weaknesses'
From Financial Times
KPMG raised concerns about Fannie Mae's internal financial reporting controls and accounting records shortly after a damning report was released by the mortgage finance provider's regulator in September, Fannie disclosed yesterday.
The accounting firm, which has worked for Fannie since 1969 but which was dismissed last week, has not publicly commented on its auditing practices as a scandal has unfolded over the finance provider's accounting practices during the past three months.
Yesterday, Fannie said in a filing to the Securities and Exchange Commission that KPMG had notified the company of "material weaknesses" in internal controls related to its financial reporting as well as "deficiencies" in some of its accounting processes.
Some of these concerns relate to Section 404 of the Sarbanes-Oxley Act, which requires management to take responsibility for maintaining sound financial reporting procedures. The disclosure comes as the SEC investigates whether Fannie's former management violated the Act by certifying the accuracy of Fannie's accounts.
Franklin Raines, Fannie's chairman and chief executive, and Timothy Howard, its chief financial officer - who were ousted last week - had certified the company's 2002 and 2003 accounts "fairly present[ed] in all material respects" its financial condition in statements filed with the SEC.
Fannie said yesterday it was "assessing" KPMG's observations and was looking at whether any of its concerns comprised "significant deficiencies or material weaknesses, either individually or in the aggregate".
The terms "material weaknesses" and "significant deficiencies" are used by accountants to describe faults in a company's controls that could damage its ability to record financial data accurately. Fannie's board has not publicly identified any wrongdoing by its former executives.
posted by Brian Moran @ 4:05 PM
Tuesday, December 28, 2004
FEI Outlines Top Ten Financial Reporting Challenges for 2005
AccountingWEB.com - Financial Executives International has identified the top 10 financial reporting challenges for 2005. These challenges will impact the way companies manage their businesses, report their financial results, and compensate their employees.
The challenges include:
1.) Stock option expensing. The Financial Accounting Standards Board (FASB) has mandated that all stock compensation be expensed beginning June 30, 2005 for most public companies. Smaller public companies and private firms have until the first annual reporting period after Dec. 15, 2005.
2.) Complying with Sarbanes Oxley Section 404. The requirement for reporting on internal controls is already in place for accelerated SEC filers with years ending after November 15, 2004, but during 2005 all companies have to comply. Increasingly, lenders and state regulators are asking private companies about the status of their internal controls environment. Private companies may also see audit procedures used by their external auditor become more "integrated" with internal controls as the audit firms change their procedures.
posted by Brian Moran @ 10:46 AM
Thursday, December 23, 2004
SEC to probe Fannie’s Sarbanes compliance
US regulators are set to investigate possible violations of the Sarbanes-Oxley legislation on accounting and corporate governance by former senior management at Fannie Mae, the US mortgage finance company.
The Securities and Exchange Commission, the chief US financial regulator, is expected to determine whether Franklin Raines, former chief executive, and Timothy Howard, former chief financial officer, infringed the legislation's requirements to certify the accuracy of the accounts. Mr Raines and Mr Howard, who were ousted by Fannie Mae's board on Tuesday, certified that the company's 2002 and 2003 accounts “fairly present in all material respects” its financial condition, in signed statements filed with the SEC.
Last week Donald Nicolaisen, SEC chief accountant, ruled that Fannie Mae had violated US accounting rules between 2001 and mid-2004 and called on it to restate its accounts.
Fannie Mae, which agreed to restate, estimated last month that the move could lower its earnings by $9bn (£4.7bn). Mr Raines announced his retirement on Tuesday, but the Office of Federal Housing Enterprise Oversight, the company's regulator, said it would review the severance package given to him. It may seek to have him dismissed, which would curtail his benefits, if the SEC or a separate Department of Justice investigation finds wrongdoing.
The SEC and the Department of Justice are co-ordinating their inquiries. An important element of the inquiries is expected to be whether Mr Raines and Mr Howard infringed the Sarbanes-Oxley legislation's provisions on certification of accounts, according to people familiar with the situation. They said no conclusions had been reached about the conduct of the two men. The SEC investigation is also expected to involve close scrutiny of KPMG, which was Fannie Mae's auditor until its dismissal by the company on Tuesday. Infringements of the Sarbanes-Oxley certification requirements can lead to criminal as well as civil penalties.
A report by the Office of Federal Housing Enterprise Oversight said in September that Fannie Mae's violations of accounting rules were “pervasive and reinforced by management”. It alleged Fannie Mae's management clashed with KPMG in 1998 over a decision to defer recognition of $200m expenses related to its mortgage portfolio. It said the decision let management receive all of their annual bonuses.
Mr Raines said on Tuesday that “to my knowledge, the company has always made good faith efforts to get its accounting right”. A spokeswoman for Mr Raines and Mr Howard, who said on Tuesday he had resigned, declined to comment further. The SEC and Department of Justice declined to comment.
posted by Brian Moran @ 8:48 AM
NEW YORK - Dedicated readers of The Wall Street Journal are used to the full-page notices addressed to shareholders that either polish someone's image or solicit their support in a battle for corporate control.
This Tuesday, however, a whole new type of notice appeared--this time with the unlikely sponsorship of PricewaterhouseCoopers. The notice bears the eye-catching caption, "Public Trust Is About To Be Tested Again." Now, anyone with more than ten cents in the market knows these are words that will get more than one investor's pulse rate rising (just think Enron and Worldcom). Add to this that the words are coming from the public's mainstay for trust--namely the company auditors--and you really wonder what's afoot.
The purpose of the notice is to warn investors that the Sarbanes-Oxley Act is about to drop the other shoe. Specifically, under Section 404 of the Act, independent accountants are required to give their opinion on whether the company has material control weaknesses, which "could" cause a misstatement of results in the annual, or interim, financial statements. This is required even if there is no evidence that such a misstatement has happened or will happen.
What is clearly on the minds of these guardians of the public trust is that all such disclosures will become daily fodder for the media, which in turn may cause a reaction in the stock market. This, in turn, will cause a flurry of class action lawsuits. The notice tries to downplay the seriousness of the problem by pointing out that companies who operate globally are forced to deal with a mix of cultures and regulatory systems that don't conform closely to the way business is done in the U.S. Recent scandals involving overseas managers making their own rules, or pillaging their local company, are not uncommon, but are usually swept under the rug. Not any more. Now the mere possibility of this happening must be disclosed.
No doubt, some ugly stuff is going to come out, because these are things that can't be fixed overnight. No doubt, short sellers and their friends in the media will be primed for action. The notice does conclude with the statement, "the first 404 reports should be viewed as the beginning of a process, not an end." I don't think they meant "process" as in a legal process server, although that misreading may be apropos.
You might call this notice the accountant's equivalent of an earnings alert. It is an effort to inoculate the market against the arrival of bad news. Wall Street's reaction? The Dow closed up 95 points on Dec. 22. Go figure.
posted by Brian Moran @ 8:43 AM
Wednesday, December 22, 2004
This study reported in IBD blames SOX for the decline of non-US companies listing their shares in US markets. Europe will soon have its own version of SOX, and the study really fails to see the real reason for the decline from 2000 to 2004 -- the collapse of the economic bubble and resulting recession! SOX is a pain for every company, but let's not blame world hunger on this one regulation.
INVESTOR'S BUSINESS DAILY
Governance: Philosopher Frederic Bastiat famously observed that all economic actions have consequences seen and unseen — as in those wrought by Sen. Paul Sarbanes and Rep. Michael Oxley.
Sarbanes, D-Md., and Oxley, R-Ohio, authored the landmark 2002 legislation that seeks to bring more accountability to corporate governance after the Enron and WorldCom bankruptcies.
And judging from the dearth of recent scandals, as well as the howls from executive offices and boardrooms about costs of compliance, the statute is certainly having observable effects.
As for unintended consequences, most are still to be quantified. These include decisions deferred, risks not taken and investments not made for fear of running afoul of the law's onerous rules.
Some consequences are already clear — as a recent decision by China's flagship airline illustrated. Due in part to what foreign firms view as Sarbanes-Oxley heavy-handedness, Air China came public not on America's premier exchange in New York, but on London's.
Until now, the NYSE has gotten more than its share of big China deals. Thirty companies based on the mainland or in Hong Kong and Taiwan now trade on the Big Board. Among them are three of the biggest IPOs in the last year or so — China Life Insurance, China Netcom and Semiconductor Manufacturing International.
Air China's $1 billion offering was the first big China deal that the NYSE didn't land of late. A good question for Messrs. Sarbanes and Oxley, as well as other politicians eager to rein in business, is whether it will be the last.
We know the question is on the mind of NYSE chief John Thain. He posed it six months ago, when he noted the decline of non-U.S. companies listing on the NYSE since Sarbanes-Oxley took effect in mid-2002.
The statute and especially a section requiring CEOs and CFOs to sign off on financial statements "take time, effort and resources to implement," Thain told the Economic Club of New York.
"The value proposition for overseas companies seeking to list in the U.S. — and to remain listed — changes significantly when the costs of meeting our reporting requirements are so high."
Such costs presumably will come down as compliance procedures are worked out. And Europe may soon face its own version of Sarbanes-Oxley as it deals with Enron-like scandals such as Parmalat.
Somehow that doesn't make us feel any better about the loss of business and competitiveness that Sarbanes-Oxley is causing.
Thain put it best: "American standards of corporate governance should not become the enemy of economic performance."
posted by Brian Moran @ 10:39 AM
Tuesday, December 21, 2004
BearingPoint Warns on Controls; More problems for the former consulting arm of KPMG.
A month after the departure of its chief financial officer, BearingPoint Inc. said in a regulatory filing that it may be unable to complete all of the work necessary to present its report on internal controls required by Section 404 of the Sarbanes-Oxley Act or to conclude that its internal controls are effective.
BearingPoint added that while it expects to complete its evaluation and testing of its internal controls by the time it must file its 10-K for the year ending December 31 — due no later than March 16, 2005 — if "we have any material weakness, we will not be permitted to conclude that our internal controls are effective."
Even if the company had time to take remedial actions that corrected the material weakness by year-end, BearingPoint added, the remediated controls would probably not be in operation long enough to allow its auditor, PricewaterhouseCoopers, to conclude that they are effective. That makes it likely that PwC will provide either an adverse or disclaimed audit opinion, added the consultancy.
In October, BearingPoint announced in a government filing that PwC had identified "material weaknesses" in its internal controls. According to BearingPoint, in 2003 it acquired a series of consulting firms in 15 countries that "brought a variety of disparate accounting systems of varying quality, all of which had to be evaluated and integrated" into BearingPoint's systems.
BearingPoint also said that for fiscal years 2004 and 2005, it expects to pay fees to third parties totaling about $20.5 million and $12 million, respectively, to address Section 404 responsibilities. Since June 2003, added the consultancy, it has outsourced certain aspects of its internal audit function to Ernst & Young.
If BearingPoint is unable to meet the Section 404 deadline, the company warned, its ability to obtain additional financing "could be materially and adversely affected." Further, if it does not have audited financial statements by March 31, it will default under a 2004 credit facility, unless the delay is "solely as a result of continuing work by the company and/or its independent accounting firm to prepare opinions or statements required under Section 404," which will enable a 30-day extension.
posted by Brian Moran @ 11:19 AM
Monday, December 20, 2004
Role Of Auditors Still Evolving; Accounting: Another Sarbanes-Oxley provision goes into effect in 2005
From Investor's Business Daily
As companies head into the new year, they're scrambling to comply with one of the most important -- and most complicated -- aspects of the Sarbanes Oxley Act.
The 2002 legislation was aimed at curbing financial malfeasance. These days, section 404 of that legislation has managers and accountants sweating. That section requires firms to review their internal controls, fix any that aren't up to snuff and evaluate those controls in their annual reports.
For most companies, the additional reporting must be included in the annual report for the first fiscal year that ends after April 15, 2005.
Tim Ryan, who heads the financial services audit and business advisory practice at accounting firm PricewaterhouseCoopers, says the law has brought a variety of changes for managers, audit committees and in-house and outside auditors.
IBD: Could you tell me a little more about section 404 and what that means for companies?
Ryan: Section 404 requires management to do a detailed assessment of the design of the (accounting) controls. Then it requires them to document that design. To the extent that they identify any holes or areas for improvement, it requires them to fix or remediate those holes.
After that's done, they're required to test those controls. Then the (external) auditor is required to test it.
In the first step, for example, when you're looking at the design of the controls, you have great guidance out there (from the Public Accounting Oversight Board), but it is still subjective and there's an element of judgment. You may feel you have the right controls in place, and I may feel differently, but it's not a matter of right or wrong -- it's a judgment.
The standard says there are three levels of control weakness. One is deficiency. With a deficiency, there's no reporting requirement. In other words -- and this isn't an official term -- it's a minor deficiency.
The next level is called a significant deficiency. A significant deficiency is required to go to the audit committee. But there is no external reporting with that.
A material deficiency is one that goes to the audit committee and goes to the outside world. When you look at the complexity of some of the financial services companies or of any company that hires branch sources, it's not likely that everybody is going to be perfect.
IBD: What is the role of internal auditors in this process? Do they bring problems to the company's attention?
Ryan: It depends. Some internal audit departments have been very involved with that initial assessment of the design.
Other companies use their internal audit departments in a testing function in that second step. Companies choose to use internal audit in that role because they're good at it, and when internal audit does the testing, the auditors place more reliance in it because that's an independent function of the testing as opposed to management.
But probably the most important role of internal audit is working with the other parties -- management and the audit committee and the external auditors -- to bring perspective on the magnitude of the control deficiencies. Internal auditors obviously have a very important seat at the table.
IBD: What is the role of the external auditor?
Ryan: I like to think what we bring to the table is a perspective of relative industry practices, an independent perspective when these control deficiencies are being recognized.
IBD: It sounds like a labor-intensive process. Have companies had a hard time complying for that reason?
Ryan: It has been a challenge for companies from several perspectives. First, just the amount of time. To do that assessment at the level that Sarbanes-Oxley requires takes a lot of time. Second, most organizations want to be very well controlled. As they have identified deficiencies and worked very diligently to close the gaps, it has placed a lot of strain within the organizations.
So not only has it been time consuming and stressful to get gaps remediated, but there is a knowledge in the back of people's minds that decisions will be second-guessed.
IBD: You issued a report in which you said that 85% of financial managers are expecting more from external auditors these days. Could you tell me a little more about that?
Ryan: In a post-Sarbanes environment, the expectations of the external auditors have significantly increased.
Audit committees increasingly turn to us for independent views on things such as accounting policy and compliance.
Most audit committees are very concerned about reputation risk, areas such as key judgments about valuations. So we find ourselves talking more with our audit committees, and they expect more of us in those areas.
IBD: What are the biggest changes you've seen in the relationship between external auditors and management?
Ryan: I would say our role certainly has changed. We're being asked more questions and being included in decisions upfront. (Generally accepted accounting principles) are very complex, particularly in the financial services space.
Management has been diligent to get our experts involved early on as they approach transactions that are governed by very complicated and often subjective accounting principles.
posted by Brian Moran @ 9:18 AM
Friday, December 17, 2004
Automating SOX Compliance
December 13, 2004: Sarbanes-Oxley compliance is going to take more than an Excel spreadsheet, and time is running out, writes CIO Update guest columnist Bill Fine of newScale.
Sarbanes-Oxley (SOX) is part of the new business reality for U.S. public corporations. Ongoing compliance is essential to maintaining shareholder confidence and avoiding penalties, making SOX the most important corporate governance and disclosure legislation since the U.S. securities laws of the 1930s.
Section 404, which stipulates company management must demonstrate control over financial reporting, is arguably the most significant part of the legislation -- affecting companies with year-ends beginning on or after November 15, 2004.
Of particular concern to IT is one of the four IT General Control objectives specified by the U.S. Public Company Accounting Oversight Board (PCAOB), Access to Programs and Data.
The Buck Stops with IT
Today, a company's financial reports summarize processes supported by enterprise systems and applications running on sophisticated servers, databases and networks. IT processes and controls that are integral to that framework need to satisfy the broader requirements of SOX.
However, many IT organizations lack these controls and most do not have the means to document them or their effectiveness on an ongoing basis.
If this is the case with your company, you must gain a clear understanding of the control framework established by the IT Governance Institute (ITGI).
The ITGI established this framework in collaboration with external auditors and drew from the Securities and Exchange Commission (SEC) and the PCAOB guidelines. The framework also incorporates elements of frameworks such as COSO, IT-specific methodologies such as CobiT, ISO17799, and the Information Technology Infrastructure Library (ITIL).
According to the ITGI, key requirements for implementing PCAOB IT General Controls include:
* Understanding internal controls and the financial reporting process.
* Mapping IT systems that support internal controls and the financial reporting process to financial statements.
* Identifying risks.
* Designing/implementing controls to mitigate risks and continuously monitoring them.
* Documenting and testing controls.
* Ensuring controls are updated to correspond to internal changes or the financial reporting process.
Programs and Data Controls
For many IT organizations, achieving compliance and implementing controls has been difficult.
According to a September 2004 study conducted by Ernst & Young's Technology and Security Risk Services, the two issues causing the largest number of Section 404 audit exceptions and remediation projects are: lack of application of segregation of duty controls, and excessive and/or improper user access to applications, servers and data.
Most IT organizations' application infrastructure is decentralized at the application system and application environment levels. So it is not surprising that these organizations struggle to manage access rights and create segregation of duty business rules -- often for as many as 100 business applications and related environments.
Increasing this complexity is a transient workforce where new hires, transfers, and terminations occur daily. Similarly, the universe of applications impacted by SOX is evolving as old systems are retired, new ones are brought on-line, and application modules and functional roles change.
Preparation and Compliance
To prepare for and comply with SOX requirements and PCAOB IT General Control objectives, companies must document IT processes that support financial reporting -- implementing and testing controls to protect the integrity of applications and infrastructure.
For some companies, documenting existing processes may be adequate to pass the initial audit. For most publicly-held corporations, though, automated software systems will be required.
The intent of the SOX IT audit is to verify that processes and controls are in place and consistently followed. Manual, paper-based solutions are unlikely to be sufficient on an ongoing basis. In the case of large or geographically dispersed organizations, auditors generally probe more intensively for proof of adequate controls and consistently followed processes.
To comply with Section 404 and implement PCAOB's Access to Programs and Data controls, IT leaders must:
* Define and document key application security and segregation of duties controls.
* Govern the control processes for application access additions, changes, and deletes.
* Ensure long-term compliance through ongoing testing and tracking.
Automation is Key
User access rights and procedures should be standardized and enforced. Compliance and controls can be automated with a self-service provisioning process. With an automated process, the appropriate employees are given access to the right applications and data; and when an employee's functional role or authorization changes, access to those systems is automatically and immediately adjusted.
This automation not only formalizes and ensures control over your application security processes, but it also generates a complete audit trail that demonstrates these processes were followed; a single source where application access and related controls can be tracked to monitor compliance.
Finally, it enables ongoing accountability and a framework to drive future information security and compliance initiatives.
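The reconciliation described above (access adjusted when a role changes, segregation-of-duties rules enforced, an audit trail produced), as an added example that is not from the column or from any vendor product. The role names, entitlement strings, rules and sample users are hypothetical and constructed for illustration.

```python
from datetime import datetime, timezone

# Hypothetical role catalogue: role -> entitlements as "application:permission".
ROLE_ENTITLEMENTS = {
    "ap_clerk":     {"erp:create_invoice", "erp:view_vendor"},
    "ap_approver":  {"erp:approve_payment", "erp:view_vendor"},
    "vendor_admin": {"erp:create_vendor", "erp:view_vendor"},
    "gl_analyst":   {"ledger:post_journal", "ledger:view_reports"},
}

# Hypothetical segregation-of-duties rules: no single user may hold both.
SOD_RULES = [
    ("erp:create_vendor", "erp:approve_payment"),
    ("erp:create_invoice", "erp:approve_payment"),
]


def target_entitlements(roles):
    """Union of entitlements for the given roles; unknown roles are rejected."""
    unknown = [r for r in roles if r not in ROLE_ENTITLEMENTS]
    if unknown:
        raise ValueError(f"unknown role(s): {unknown}")
    result = set()
    for role in roles:
        result |= ROLE_ENTITLEMENTS[role]
    return result


def sod_conflicts(entitlements):
    """Return every SoD rule whose two sides are both present."""
    return [(a, b) for a, b in SOD_RULES
            if a in entitlements and b in entitlements]


def excess_access(user, assigned_roles, access_db):
    """Entitlements the user holds beyond what the assigned roles justify."""
    held = access_db.get(user, set())
    return sorted(held - target_entitlements(assigned_roles))


def apply_role_change(user, new_roles, access_db, audit_log, now=None):
    """Reconcile a user's access to new_roles and record every step.

    An empty new_roles list models a termination: all access is revoked.
    A role set that violates an SoD rule is refused as a whole and logged,
    leaving current access unchanged until the request is reviewed.
    Returns True if the change was applied, False if it was blocked.
    """
    now = now or datetime.now(timezone.utc).isoformat()
    current = access_db.get(user, set())
    target = target_entitlements(new_roles)

    def record(action, detail):
        audit_log.append({"time": now, "user": user,
                          "action": action, "detail": detail})

    conflicts = sod_conflicts(target)
    if conflicts:
        record("blocked_sod", [list(pair) for pair in conflicts])
        return False

    # Revoke before granting so the user never holds old and new access together.
    for entitlement in sorted(current - target):
        record("revoke", entitlement)
    for entitlement in sorted(target - current):
        record("grant", entitlement)
    access_db[user] = target
    return True


if __name__ == "__main__":
    # Constructed sample state: alice is an AP clerk with one leftover
    # ledger entitlement from an earlier job.
    access_db = {"alice": {"erp:create_invoice", "erp:view_vendor",
                           "ledger:post_journal"}}
    audit_log = []

    print("excess:", excess_access("alice", ["ap_clerk"], access_db))
    print("transfer applied:",
          apply_role_change("alice", ["ap_approver"], access_db, audit_log))
    print("conflicting request applied:",
          apply_role_change("alice", ["ap_approver", "vendor_admin"],
                            access_db, audit_log))
    print("termination applied:",
          apply_role_change("alice", [], access_db, audit_log))
    for entry in audit_log:
        print(entry)
```

The audit log entries are the evidence an auditor samples: each grant, revoke and blocked request carries the user, the time and the reason.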
Indeed, the requirements for internal controls continue beyond the initial Section 404 filing: IT organizations must prepare for future compliance after the first successful attestation and filing.
Unlike previous event-driven control activities such as Y2K, SOX will become part of doing business and IT will continue to have an important role in internal control over financial reporting. Organizations must develop an ongoing compliance monitoring process, because the full impact of SOX will not be known for several years.
posted by Brian Moran @ 11:34 AM
Sarbanes-Oxley: Killing Enterprise to Save It
by Fred E. Foldvary, Senior Editor
The Progress Report
In reaction to corporate scandals, greed, failure, and fraud, Congress in July 2002 passed the Sarbanes-Oxley Corporate Reform Act, named after Sen. Paul Sarbanes (Democrat, Maryland, at the time chairman of the Banking, Housing and Urban Affairs Committee) and Rep. Michael Oxley (Republican, Ohio), to more strictly regulate corporate accounting. But this law has created awful costs that far exceed the benefits, and which have hampered the economic recovery and have contributed to slow employment growth.
Only a few corporations committed deceptive accounting and engaged in and aided a massive looting of shareholder assets. Sarbanes-Oxley is an over-reaction that illustrates the basic problem of regulation: all are required to incur great costs to fix the problems caused by a few. The law requires 12,000 firms to file complex financial statements with the Securities and Exchange Commission. It's like the smog tests required of car owners in most states, where millions of car owners have to incur an expense even though only a small proportion of the cars cause most of the pollution.
The total compliance cost in terms of money spent is over $5.5 billion per year. Much of the cost is passed on to consumers, which then reduces sales, and some is borne by the investors, stifling the expansion of the company. That does not take into account the much greater cost to the economy of enterprises not expanding or starting, because "Sarbox" makes it too costly.
"The more complex the company, the more internal controls are needed. Large global companies have hundreds of controls. The reason Sarbanes-Oxley is so expensive is that it requires companies to delve into each of these controls and document that they are effective. That is time consuming and a drain on manpower. Then an external auditor must be paid to attest that it has been done adequately" ( "Sarbanes-Oxley: Dragon or white knight?" by Del Jones, USA TODAY).
Section 404 of Sarbanes-Oxley requires corporations to establish many new controls for financial reporting. A study by Financial Executives International finds that the average compliance cost for large companies is $4.6 million, including 35,000 hours of internal labor, $1.3 million for consulting and software, and extra audit fees of $1.5 million. That does not include the time spent by executives on that law, rather than concentrating on production.
Maurice Greenberg, chairman of AIG, the world's largest insurance company, told shareholders that Sarbanes-Oxley was costing them $300 million per year. General Electric said that it pays $30 million per year in compliance costs (Bruce Barlette).
The law also affects firms which are not corporations, if they do business with the government or report to government agencies. Foreign companies are also forced to comply if their shares are included in the stock exchanges in the US. Smaller companies have a relatively greater burden than big ones. For example, hardware wholesaler Moore-Handley, which had 2002 sales of $151 million, had a compliance cost of $250,000, compared to profits of $300,000.
Like any activity, internal controls have benefits, such as preventing fraud, but also costs, and the optimal policy is where the extra costs of increasing controls just equal the extra benefits. The additional benefit from greater controls diminishes with increasing amounts of control. At some amount, the cost of greater control is more than the cost saved. But the law sweepingly applies to all firms, regardless of their individual costs and benefits.
The problem is made worse by the vagueness of Sarbanes-Oxley, which creates uncertainty and induces even more spending. "Michael Koss, CEO of stereo headphones maker Koss, says it's all but impossible to know what the law requires, so it has become a black hole where frightened companies throw endless amounts of money" (Del Jones, USA TODAY).
There are some good features of "Sarbox". It reduces conflicts of interest between auditors and firms, and requires better disclosure of items such as off-balance sheet assets and liabilities. Its increased penalties for fraud are probably an improvement. But its attempts at micro-management are destroying enterprise in order to save it.
Far better reforms would be to have clear statements of corporate policy and to encourage better corporate democracy. The accounting requirements of Sarbanes-Oxley should be repealed and replaced with a requirement for clear statements of the accounting policies, so that investors then know what kinds of controls the company has, and can then make their investment decisions accordingly.
(Thanks are due to Robert Finocchio, Jr., for assembling the sources for the Sarbanes-Oxley law for a session of the Civil Society Institute's "Economics Colloquium" for students at Santa Clara University, California.)
posted by Brian Moran @ 11:29 AM
Thursday, December 16, 2004
Accounting crackdown costly to companies, poll says
The costs of complying with new accounting laws enacted in the wake of the Enron scandal are higher than companies have anticipated. But the process, executives say, should restore investor confidence in the market.
The conclusions come from auditing firm KPMG LLP through its annual survey of corporate executives in six regions of the country.
KPMG hired Penn, Schoen & Berland Associates Inc. to interview 98 local senior executives at public and private firms, 40 percent of whom represent the auto industry, between Nov. 17 and Dec. 7. The survey also found that local executives are not as optimistic about the overall economy compared with executives in other regions.
The 2002 Sarbanes-Oxley Act calls for public companies to fix holes in their accounting systems that allow for mistakes or fraud. The act also requires top executives to swear to the accuracy of financial reports.
A series of responses indicate that companies are concerned with the cost and time used to comply with the act:
• 46 percent of respondents said Sarbanes and other legislation have had a negative effect on their businesses.
• 28 percent said the regulations are "crimping entrepreneurial spirit, the ability to take risks and grow the business."
• 31 percent said the costs of complying with Sarbanes-Oxley slightly outweighed the benefits. Another 31 percent said the costs greatly outweighed the benefits.
• 47 percent said the legislation has boosted investor confidence somewhat.
The costs are expected to be high at first, said Arthur Levitt, former chairman of the Securities and Exchange Commission.
"If the cost of that brings back public confidence, in a cost-benefit analysis, it's well worth it," he said Tuesday in an interview.
The initial cost, he said, is dwarfed by the millions that shareholders lost due to corporate scandals.
Companies are hiring consultants and dedicating staff to test their accounting processes to ensure checks are in place to detect mistakes or fraud.
In local examples, Auburn Hills-based manufactured housing company Champion Enterprises Inc. estimated it has spent $2 million during the last two years to -- among other things -- hire 20 people across the country in consulting and full-time positions.
Port Huron-based Semco Energy Inc. is spending "a significant amount" to hire staff to review and document the company's procedures, said company spokesman Tim Lubbers.
"It's all about making sure the information is clean," said David Hardesty, a San Francisco-based accountant who has written four books about the act.
The first test of the new process will come next year when some large companies and their auditors will be required to release reports detailing whether their internal accounting systems are working.
With all of the internal changes comes a changing attitude in the boardroom, Levitt said.
Companies are giving auditors and audit committees -- composed of at least three board members -- more independence and clout.
In turn, corporate boards are moving from having a fraternal attitude to a skeptical attitude, he said.
"I think that's a hugely beneficial change," Levitt said.
In addition to accounting issues, KPMG measured the confidence local executives have in their companies and in the local economy.
KPMG found that 49 percent said their company's performance will be somewhat better next year.
The firm also found that 39 percent of respondents said their outlook for their local economies during the next year is somewhat better than this year. Another 39 percent say they expect it to be about the same. The numbers are tepid compared to the rest of the country, said Jeff Dobbs, managing director of KPMG's Detroit office.
"All of the challenges and opportunities certainly manifest in Detroit around the automotive industry," Dobbs said. "While there's plenty of good news, just the notion of the layoffs that we've had in Michigan temper probably everybody's point of view about how good next year is going to be."
posted by Brian Moran @ 11:07 AM
Wednesday, December 15, 2004
Financial Executives Call SOX Compliance A Good Investment
New Oversight Systems survey found many benefits to Sarbanes-Oxley compliance, but they come with a high cost.
A majority of financial executives said SOX compliance was a good investment, according to the results of Oversight Systems Inc.'s 2004 Financial Executive Report On Sarbanes-Oxley Compliance, a nationwide survey of 222 financial executives.
According to Oversight, Atlanta, the report shows most financial executives are torn on the cost vs. benefits of Sarbanes-Oxley compliance, but a majority (57 percent) said SOX compliance was a good investment for stockholders.
While the impact of SOX compliance on shareholder value was seen as mixed, the survey showed that most companies were seeing internal benefits. Of those surveyed, 79 percent reported having stronger internal controls as a result of SOX compliance. Nearly three quarters (74 percent) said their companies realized a benefit from SOX compliance. And when asked to identify the benefits from SOX, survey participants reported the following:
- 46 percent said SOX compliance ensures the accountability of individuals involved in financial reports and operations
- 33 percent said SOX compliance decreases the risk of financial fraud
- 31 percent said they have reduced errors in their financial operations
- 27 percent reported SOX improvements in the accuracy of financial reports
- 25 percent said SOX compliance empowers the board audit committee by providing it with deeper information
- 20 percent claimed SOX strengthens investors' view of the company
But when asked what impact SOX compliance had on shareholder value, only 37 percent of those surveyed said SOX increased shareholder value because investors know they operate as an ethical business. And only 25 percent reported that SOX boosts shareholder value by building overall confidence in the market. Moreover, 33 percent claimed SOX compliance created a cost burden that suppresses stock prices, and 14 percent felt that SOX decreased their ability to pay out dividends because compliance expenses are a significant drain on earnings.
In analyzing the low numbers on shareholder value, Dr. Todd DeZoort, accounting advisory board fellow at The University of Alabama and an advisor to Oversight Systems, said "We've seen a negative reaction to Sarbanes-Oxley because it's easy to quantify the cost and extremely difficult to quantify the benefits. It's great to see perceived benefits like improved accuracy in financial reports, but how do you place a dollar value on that? The reality is that the costs of financial reporting fraud or restating earnings can be in the billions."
As part of the survey, respondents were also asked to define their feelings toward SOX legislation. Of the group, 52 percent said Congress had good intentions when it passed SOX, but the costs of compliance were not fully considered. Thirty-eight percent said SOX was Congress's over-reaction to the unethical behavior of a few executives, and 28 percent said the market requires regulations like SOX to boost investor confidence. Only 13 percent said the benefits of SOX outweigh the costs of complying while 25 percent said the costs of complying with SOX outweigh the benefits.
Although a clear majority (81 percent) think Congress needs to revisit SOX legislation, most would still include the sections that require the CEO and CFO to sign off on financial reports (Section 302); increased documentation and monitoring of internal controls (Section 404); and the timely disclosure of material changes (Section 409).
One way to control costs when it comes to SOX compliance is to deploy technology that automates some of the manual work of internal auditors or SOX consultants. Nearly a quarter of those surveyed (24 percent) said they plan to implement a technology solution to continuously monitor key controls and transactions to maintain SOX 404 compliance.
The survey was accomplished through a combination of an invitation-only online survey and survey intercepts. Titles of the 222 corporate financial leaders from across the U.S. who participated in this study included CFO, controller, treasurer, vice president and director. Of the sample, 25 percent were in companies with more than $5 billion in annual revenues, 23 percent with revenues from $1 billion to $5 billion, 22 percent between $251 million and $999 million, and 30 percent with revenues of $250 million or less.
posted by Brian Moran @ 4:23 PM
Tuesday, December 14, 2004
Automation, The Best RX For SOX Pain
Fix the problems now for a smoother 2005.
from Compliance Pipeline
Well, by now, you are familiar with all the pain points when it comes to Sarbanes-Oxley compliance. If your organization is among the majority that attempted to muddle through with manual processes for this first round of deadlines, you are very aware of your particular pain points. And even if only a portion of SOX compliance tasks fell to your staff to handle manually, you are probably making early New Year's resolutions that sound something like "AUTOMATE OR DIE."
While IT staffers roam around with spreadsheets logging policy exceptions to prove that IT "controls" are effectively in place, IT isn't the only department driven to distraction. The executive suite has been forced to take its collective eye off the ball as well.
A recent PricewaterhouseCoopers survey found that one out of five directors say Sarbanes-Oxley has created an environment where management is distracted enough that company performance will be affected. And this number is up from 13.9 percent in 2003. Why? Sections 404 and 302 for starters. But a failure to automate the processes around monitoring and controls (Section 404) has left them in a precarious position for certifying the integrity of their financial statements (Section 302).
In the survey of 10,000 directors and CEOs of 2,000 publicly traded companies, only about half of the directors felt that Sections 404 and 302 compliance would make a difference in the quality of their financial statements. Something tells me those are the directors from companies that didn't flunk their internal audits the first time around.
Of course, the real message is that no matter how painful the process was this year, you get to do it all over again next year. Now is the time to do something about it. More tools appear every week for monitoring the IT control points associated with compliance management. Or consider an overall framework of process automation.
It was easy to de-prioritize SOX in favor of other activities like running the business. But if IT and business managers end up running around collecting required documentation, it's easy to see how performance can be affected.
To put a finer point on it, we can expect the regulators to learn as they go, as well. They'll figure out what's working and what isn't, and if there is a piece of technology that turns out to be very effective for identifying problems and making accurate reports, eventually they'll want to know why it isn't being used.
posted by Brian Moran @ 10:18 AM
Internal Controls Issues Behind Many Auditor Changes
From Compliance Week
Nearly one of 10 companies that has changed auditors so far this year has also reported internal control issues. That's according to an in-depth analysis conducted by Manchaug, Mass.-based AuditAnalytics.com, which found that 1,647 companies reported a change in auditors through Dec. 6. And 152, or more than 9 percent of the total, had disclosed internal control issues.
More than half of those 152 companies dismissed their auditors, while in 71 cases—or 47 percent of the cases—the auditor resigned, according to the study.
Disagreements A "Big Deal"
In general, the percentage of resignations to dismissals has ranged between 18 percent and 34 percent over the past four years, suggesting that when there is an internal control issue, the auditor is increasingly likely to resign.
Joe Cyr of AuditAnalytics.com stresses that internal controls are flagged when an auditor change notification specifically identifies internal controls in its filings. He stresses that this does not mean that a lack of these controls, whether corrected or not, was the cause of the auditor change. It simply means that they were mentioned.
posted by Brian Moran @ 10:11 AM
Monday, December 13, 2004
SEC Expects Internal Controls Problems
WASHINGTON (Reuters) - An increasing number of corporations are likely to announce "material weaknesses" in their internal financial controls in the coming months, a top U.S. accounting regulator said on Monday.
Securities and Exchange Commission Chief Accountant Donald Nicolaisen said he expects these announcements to come as companies move to comply with a new rule imposed by the post-Enron Sarbanes-Oxley accounting reforms.
"Additional attention to internal controls is warranted," Nicolaisen said at a conference held by the American Institute of Certified Public Accountants.
The new rule, spelled out in Section 404 of Sarbanes-Oxley, requires company managers to explain in annual reports how they go about ensuring that their financial houses are in order.
The rule also requires companies' outside auditors to review and comment on management's reports.
Nicolaisen said it was to be expected that some companies would have trouble complying with the new rule in its first year of implementation.
Faced with a flurry of complaints about burdensome new rules, the SEC in late November postponed a deadline for some companies to submit reports on their internal controls.
Under the SEC's action, some companies will have an additional 45 days to file the reports with the commission. They have to submit annual reports to the SEC within a certain period after their fiscal years end. That time period is 75 days this year.
The internal controls report postponement applies to companies with fiscal years ending between Nov. 15, 2004 and Feb. 28, 2005, and with public equity float between $75 million and $700 million as of mid-2004, the SEC said last month.
Eligible companies will now have 45 days after the expiration of the 75-day reporting window to amend their annual reports with the required management report on internal controls, as well as the auditor's comment, the SEC said.
posted by Brian Moran @ 4:58 PM
Friday, December 10, 2004
Improving accountability - boardroom inspection
Transparent accountability is a prerequisite for informed oversight. The board accounts so that shareholders or other stakeholders can be in control. The audit is a necessary confirmation of the reliability of the accounting. Without audit, there is no accountability. Without accountability, there is no control. And if there is no control, where is the seat of power?
As more specific responsibilities of directors have been codified, there has been a corresponding expansion of their reporting obligations. And since boards now have overall responsibility for risk management and internal control, directors report publicly on how they exercise that responsibility.
posted by Brian Moran @ 10:15 AM
Internal Control Disclosures Jump In November
From Compliance Week:
According to a review of regulatory filings, the number of companies disclosing material weaknesses or significant deficiencies in internal controls jumped significantly during the month of November 2004.
119 companies disclosed such deficiencies or weaknesses in November, nearly double the number from October. In November 2003, only 11 companies made similar disclosures.
The increase was largely due to the volume of companies filing quarterly reports, which—for many companies—are their final 10-Qs before Sarbanes-Oxley Section 404 assessments are due as part of their next 10-K. The internal control provisions of SOX require management to assess the effectiveness of the company's internal control over financial reporting. Each company's auditor must also report on—and attest to—management's assessment.
posted by Brian Moran @ 9:11 AM
Thursday, December 09, 2004
Tech companies struggle with Sarbanes-Oxley
Small tech companies are howling as they scramble to comply with the Enron-inspired Sarbanes-Oxley corporate governance act.
Smaller tech firms say the act, designed to prevent accounting fraud, creates busywork that drains resources — and shareholders' pockets. "All of this is really just paper-pushing," says David Anastasi, CEO of business software maker Captaris. "I haven't met one investor that thinks it's a good thing."
The 2002 law affects all public companies. Tech firms with 500 employees or less say they're particularly hard hit because they run fast and lean. They warn of added bureaucracy and stifled innovation. "It's a drag on entrepreneurial companies," says Brian Henry, CFO of Bellevue, Wash.-based Onyx Software.
Small companies are grousing now because most face deadlines early next year. (Most larger firms had even earlier deadlines.) And they say they had no idea how many problems Sarbanes-Oxley would create, including:
Escalating costs. Firms are hiring extra accountants, consultants and even full-time staff to handle accounting procedures required by the act. Captaris estimates its direct costs alone will reach $1 million — a lot for a company that was $10,000 short of breaking even in the first nine months of the year.
Huge workloads. TransAct Technologies, a Wallingford, Conn., specialty printer maker, scuttled plans for an enterprise resource planning (ERP) computer system after it started its Sarbanes-Oxley compliance. The company's 200 employees just couldn't handle two big projects at once, CEO Bart Shuldman says.
Not enough accountants. Some accounting firms are shedding clients as they struggle to keep up with Sarbanes-Oxley work. Wireless equipment maker Endwave was dumped by Ernst & Young in September, forcing the Sunnyvale, Calif., company to turn to second-tier firms BDO Seidman and Grant Thornton. They were also too busy.
Endwave ended up with local firm Burr Pilger & Mayer. CFO Julianne Biagini says the new accountants have done a good job, but she's worried that "they aren't going to have the back-up resources (of a big firm)." Ernst & Young says it's trying to hire more staff to meet demand.
Impractical rules. The section of Sarbanes-Oxley attracting the most criticism requires companies to certify the accuracy of internal accounting controls. Although the language is vague, most auditors are telling clients to put in strenuous checks and balances. That can be difficult with a small staff. "We don't have a lot of people to do the double-checks," Onyx Software's Henry says.
Henry and others say they support the spirit of Sarbanes-Oxley but oppose its most-cumbersome requirements.
Others say the stiff rules are necessary so companies "churn out accurate financial data," says lawyer Richard Swanson of Thelen Reid & Priest, who runs a Sarbanes-Oxley seminar.
posted by Brian Moran @ 9:24 AM
Wednesday, December 08, 2004
Sarbanes-Oxley Act met with resounding, 'What?'
When President Bush signed the Sarbanes-Oxley Act two years ago, he declared, "No boardroom in America is above or beyond the law."
The act quadrupled sentences for accounting fraud and created a corporate fraud felony charge that carries a 25-year prison term. "No more easy money for corporate criminals -- just hard time," Bush vowed.
Despite the attention the president brought to Sarbanes-Oxley, it seems the general public doesn't follow corporate fraud with quite the same zeal as, say, a bench-clearing brawl in the NBA.
About 88 percent of American workers and 76 percent of investors say they've never heard of Sarbanes-Oxley. Unless they happen to work in accounting and finance circles, Americans have largely ignored Sarbanes-Oxley, according to the survey by Hudson Financial Solutions.
A mere 7 percent of employees who own at least $5,000 in stocks, bonds and mutual funds said Sarbanes-Oxley has increased their confidence in the financial markets.
"Clearly, U.S. workers and individual investors are not well informed about the act or its intended benefits," said Dee Lonn, executive vice president of Hudson.
posted by Brian Moran @ 1:26 PM
Tuesday, December 07, 2004
By naming compliance officers, companies are putting new focus on regulatory issues -- and giving CFOs a break.
There's a new seat at the management table these days, much to the relief of many CFOs. Largely in response to Sarbanes-Oxley, companies have begun to formalize the compliance role, creating a function dedicated to the watchdog tasks that have previously fallen to finance.
In fact, according to Maria Schafer, senior program director at Meta Group Inc., some 35 percent of Global 2,000 companies surveyed have someone other than the CFO heading up compliance today. And they're not just mutual-fund companies, which are now required to staff the role thanks to their industry scandal, or other companies that have run afoul of the Securities and Exchange Commission — although Computer Associates was only the most recent company to name a compliance officer as part of its settlement with the SEC.
Carved-Out Territory
At The Men's Wearhouse Inc., a $1.4 billion clothing chain based in Houston, Sarbox prompted the creation of the CCO position, but the growth of the business also revealed the need for a designated compliance head. "The timing was good for us because of the overall increase in the complexity of our business," says CFO Neill Davis, noting that the company now has three retail concepts and others in development, yielding many more employees, business units, and transactions to monitor.
To formalize the role, Davis worked with the audit committee and former chief accounting officer Gary Ckodre to design a position that turned out to be perfect for Ckodre. Now the former Deloitte & Touche audit partner and 11-year company veteran spearheads the overall Sarbox effort and oversees the newly formed internal audit group, which has primary responsibility for Section 404 compliance. The overlap with finance, however, is unquestionable. Ckodre and Davis insist they have almost a symbiotic relationship. "He knows what I do, and I know what he does," says Davis. "Our offices are two doors down," adds Ckodre.
At other companies, however, the CCO oversees everything but Sarbox. At Arrow Electronics Inc., an electronic-components and computer-products distributor based in Melville, New York, general counsel Peter Brown was the lead designer of the compliance officer role, which the company created last summer. Compliance chief Wayne Brody, who spent 20 years in the company's legal department before moving into the top compliance job, is largely focused on education and coordination of the compliance efforts of the $8.7 billion company's staff around the world. He also takes responsibility for risk assessment, antitrust and competition issues, and employee relations. Sarbox work, however, "rests with the CFO and his organization," says Brody, who reports to Brown.
posted by Brian Moran @ 8:38 AM
Monday, December 06, 2004
Sarbanes-Oxley sparks forensics apps interest
Most companies working on Sarbanes-Oxley projects are laser-focused on documenting their internal financial controls to meet the compliance deadlines that take effect late this year. But the law's requirements are also beginning to generate interest in computer forensics tools that could be used to help identify potential cases of financial fraud.
For example, Avery Dennison Corp. is piloting software announced this week by Oversight Technologies Inc. that can be used to monitor finance systems for irregular transactions. Mark Van Holsbeck, director of enterprise security at Avery Dennison, said the software should cut the time workers at the Pasadena, Calif.-based maker of adhesive products spend poring over printouts of financial data to determine whether any information has been altered or corrupted.
Avery Dennison's use of the Oversight tool, which is being tested on a combination of Wintel and HP-UX platforms, wasn't driven by the requirements of the Sarbanes-Oxley Act, Van Holsbeck said. But the technology should help the company satisfy components of the financial reporting law.
Other users are expected to come to the same conclusion about computer forensics technology, which can track how data is used and modified.
Meta Group Inc. analyst John Van Decker said he expects to see an uptick in forensics technology investments related to Sarbanes-Oxley starting this summer. And Michael Rasmussen, an analyst at Forrester Research Inc., estimated that about a third of the clients he works with have put an investigative response plan in place, including the use of business intelligence tools and other technologies to help monitor ERP and e-mail systems for evidence of potential wrongdoing.
posted by Brian Moran @ 10:01 AM
Friday, December 03, 2004
Sarbanes-Oxley Remains a Force to Be Reckoned With in the Boardroom
Here's an interesting study from PwC
PricewaterhouseCoopers and Corporate Board Member's Annual "What Directors Think" Study Uncovers More Changes in the Boardroom
New York — 27 OCT 2004 — Two years after the introduction of the Sarbanes-Oxley Act of 2002, corporate reform continues to impact corporate directors, according to a recent study by Corporate Board Member magazine and PricewaterhouseCoopers LLP.
The third annual "What Directors Think" study measures the opinions of directors and CEOs of the top 2,000 publicly traded companies. The 2004 survey findings, which the magazine will highlight in its special year-end "What Directors Think" issue, reveal continuing changes in directors' attitudes and actions.
Key Findings, Trends, and Implications:
As boards' time demands continue to increase, the unofficial title of "professional director" in which individuals sit on six or more boards is quickly fading. In 2003, only 33% of CEOs and 16% of outside directors were limited to additional board seats, compared to 43% and 29%, respectively, in the 2004 survey findings. This trend will likely continue—71% of survey respondents said there should be a limit to the number of boards on which an outside director can serve. The average number of boards on which CEOs and outside directors can now serve is three. These statistics imply that search committees will have to cast a wider net to find qualified independent directors.
For many directors, increased time demands coupled with new risks call for an increase in pay, particularly for lead directors and audit committee chairs. Of survey respondents, 98% said audit committee chairs should receive additional compensation, compared to 81% who said so in 2003 and only 54.1% in 2002. In addition, 68% of this year's survey respondents said lead directors should receive additional compensation. More than half of the respondents believe the lead director and audit chair should get 25% more compensation than other directors, and almost one-third believe it should be as much as 50% more in both cases.
Board evaluations are becoming more commonplace. In the 2004 survey, 73% of respondents said their boards were formally evaluated, compared to 50% in 2003 and only 33% in 2002. In addition, 35% of respondents said their boards evaluate individual directors on a regular basis, compared to only 23% that did so in 2002.
The survey asked directors how much time—more, the same, or less—they think their boards should devote to 14 different subjects. Strategic planning was the number one action item, with 58% of respondents saying they'd like more time to discuss it. The other top responses were succession planning, meeting key managers, visiting work sites, and discussing the competition.
posted by Brian Moran @ 9:04 AM
Thursday, December 02, 2004
“Continuous” Will Be Key to Compliance
Here's a great article from Business Finance Magazine.
Companies that blend ongoing compliance with continuous auditing processes and technology accomplish more with less.
Can continuous auditing help bring companies into compliance with Sarbanes-Oxley and other regulations -- and can it do so more effectively and efficiently than alternative approaches to corporate governance? Although this question may be slightly ahead of its time, early adopters of the "continuous" concept are nodding their heads in response to it.
Coined by an academic more than 20 years ago, the term "continuous auditing" describes a broad range of approaches to both internal and external audit that enable companies to stay on top of their controls.
Paul Herring, director of business reporting, assurance and advisory services for the American Institute of Certified Public Accountants (AICPA) in New York City, sees audit options on a continuum. The traditional annual audit resides at one end of that line, while the opposite end is occupied by companies that maintain a perpetual connection with their external auditor. Herring emphasizes that a wide array of possibilities exists between those two extremes.
Miklos Vasarhelyi directs the Continuous Assurance and Reporting Laboratory at Rutgers University in Newark, N.J., and is widely considered the godfather of continuous auditing. He notes that practices under the umbrella of continuous auditing enable companies to test massive numbers of transactions for errors on a real-time basis. Companies that implement these practices can identify accounting errors at their root before they create larger problems.
"With a continuous audit process, companies don't need to wait until the end of the quarter," says Anne Marchetti, practice director for Parson Consulting in New York City. "In that way, it's very similar to a rolling forecast."
Some internal audit departments that have taken the lion's share of responsibility for monitoring their company's Sarbanes-Oxley compliance -- which chiefly translates to compliance with Sections 302 and 404 -- are seeking to blend those efforts with ongoing auditing. "To be efficient you're going to want to integrate 302, 404 and your annual audit plan," says Marchetti. Besides, she adds, the activities mandated throughout the year by companies' myriad new compliance requirements translate to a continuous auditing process anyway.
Tools for the Rolling Audit
Currently, most continuous auditing activities take place within a company rather than between the organization and its external auditors. It is not practical to conduct a full-blown traditional audit -- internal or external -- every month, or even every quarter. However, the traditional audit is undergoing fundamental changes. "Whether you are the preparer of that information or the external auditor, you want to put more emphasis on looking at the processes that generate the information rather than looking only at what comes out at the end of the pipe," says Herring.
By automating some of their transactional scrutiny using continuous auditing technology, internal and external auditors gain more time to focus on the business processes and controls that determine the accuracy of the data coming out of the pipe. CFOs and internal audit executives who have begun to blend compliance initiatives with continuous auditing technology are able to monitor more compliance areas with fewer resources. They are sniffing out significant errors and efficiency-improvement opportunities simultaneously.
Kevin Rhodes, CFO of consulting firm Edgewater Technology in Wakefield, Mass., sees interest in continuous auditing growing on two fronts. "The audit approaches at the Big Four firms are beginning to change," he says. "As Sarbanes-Oxley Section 404 comes into play, external auditors will move more toward a controls-based audit approach." Deloitte & Touche, Edgewater's external auditor, is ratcheting up the intensity of its quarterly audit work for the firm. At the same time, Rhodes expects interest in continuous auditing to intensify within organizations, particularly in the finance function. "Corporate finance will use Sarbanes-Oxley to leverage other improvements. You will see a lot of finance executives asking for more and better systems," he says.
Atlanta-based energy services holding company AGL Resources expects its investment in continuous auditing technology to pay off quickly. "It will help us reduce some of our costs related to Sarbanes-Oxley and, specifically, compliance with Section 404," says chief auditor Ron Lepionka, noting the requirement that managers formally assess the company's internal controls related to financial reporting. "Much of that testing is going to be the responsibility of internal audit departments. We can do that testing by hiring additional people. Or we can incorporate continuous auditing techniques and tools to do the testing on a real-time basis, and by doing so we'll be able to conduct the testing much more efficiently."
Lepionka's early experience with software from Oversight Systems indicates that these products will help his 10-person internal audit department identify abnormal items, errors and inefficiencies in finance and accounting processes that would have been difficult to unearth otherwise. "For example, you can identify duplicate payments before they're made, as opposed to after the fact," he explains. Continuous auditing software "also can boost your efficiency by identifying the root causes of errors. You can fix the root cause and reengineer the process," he adds.
From Bell Labs to XBRL
Vasarhelyi spearheaded a continuous auditing project at Bell Labs in the 1980s; the effort was the first attempt to implement continuous auditing in a corporate setting. Vasarhelyi says interest in this type of project began percolating even before the events that precipitated the Sarbanes-Oxley Act, as auditors and finance executives started to realize that traditional audit methods were not keeping pace with the ever-increasing speed and volume of corporate transactions.
Although he agrees that the development of a continuous link between companies and their external auditors remains in its infancy, Vasarhelyi is convinced that technological advances and investor demand will eventually lead to a "very balkanized world of data." He envisions a finance environment in which pieces of data, embedded with tags that identify the reliability of the information according to an external auditor's assessment, travel from system to system and from company to company. Every software system might have some sort of automated gatekeeper that scans the accuracy tag of each bit of information entering or leaving it.
Vasarhelyi's vision may not be far from reality. The Enhanced Business Reporting Consortium (www.ebrconsortium.org) has taken a step in that direction by developing a method for the electronic tagging of financial data using extensible business reporting language (XBRL).
Theory vs. Practice
In the past, the main obstacles to corporate implementation of sophisticated continuous auditing processes were a lack of adequate technology and the expense of such an implementation. The former is no longer a hurdle, and the latter has become less problematic now that most companies have tallied their initial compliance costs and are searching for ways to lower those costs in the future.
Herring thinks three major obstacles remain in the path of the most advanced form of continuous auditing: costs associated with establishing ongoing connectivity between external auditors and their clients, confidentiality concerns, and security concerns.
Dallas-based A. Wayne Avellanet, author of "Practical Guide to Internal Control" (Warren, Gorham & Lamont, 2004), sees an additional barrier to blending compliance monitoring with more automated audits. He says continuous auditing and compliance monitoring should mesh at the "critical junctures where operational processes and accounting systems intersect." But this meshing requires three components: a variable set of data with enough detail to allow for effective analysis, the ability to understand and decipher the variations produced by the analysis, and the right software tools to apply business rules to the ongoing analysis. "I do not think this is an intuitive fit, especially given the Sarbanes-Oxley compliance documentation practices today," notes Avellanet. In his book, he adds, "Documentation and data from operational processes tend to be separated -- often in separate systems -- from the accounting processes and data."
A small group of companies have instituted continuous auditing and monitoring processes internally. An August survey of 76 members of The Institute of Internal Auditors (IIA) found that 84 percent have discussed continuous auditing techniques within their organization, but the percentage of companies that have actually implemented continuous auditing is probably far lower. "My sense is that it is not a very large percentage, primarily because of the investment that the organization needs to make to establish the process," explains David A. Richards, president of the IIA in Altamonte Springs, Fla.
Richards identifies four steps as key to executing continuous auditing:
- Define the processes and transactions that will be monitored.
- Specify the criteria with which the transactions will be evaluated (e.g., a vendor payment of more than $50,000 will generate an exception report).
- Build technology into the routine so that the outputs are generated on at least a daily basis.
- Develop the processes and workflows that will govern how exceptions are addressed.
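The four steps above, sketched as an added example (not code from the article or from any vendor product it names): a rule pass meant to run over each day's pending payables, using the $50,000 criterion from the list plus the duplicate-payment, purchase-order, receiving-document and approval checks Lepionka describes. The record fields, queue names and sample payments are constructed assumptions.

```python
from collections import namedtuple
from decimal import Decimal

# Step 1: the monitored transaction. Field names are assumptions, not a real ERP schema.
Payment = namedtuple("Payment", "pay_id vendor invoice_no amount po_no receipt_no approver")
THRESHOLD = Decimal("50000")  # Step 2: the criterion quoted in the list
BLOCKING = {"DUPLICATE", "NO_PURCHASE_ORDER", "NO_APPROVAL"}  # hypothetical policy choice

def evaluate(batch, history):
    """Step 3: run once per day over *pending* payments; history holds keys already paid."""
    exceptions, seen = [], set(history)
    for p in batch:
        reasons = []
        if p.amount > THRESHOLD:
            reasons.append("OVER_THRESHOLD")
        # Normalise so a re-keyed invoice ("inv-1001 ") still matches the paid one.
        key = (p.vendor.strip().upper(), p.invoice_no.strip().upper(), p.amount)
        if key in seen:
            reasons.append("DUPLICATE")
        seen.add(key)  # also catches duplicates inside the same batch
        for field, code in (("po_no", "NO_PURCHASE_ORDER"),
                            ("receipt_no", "NO_RECEIVING_DOC"), ("approver", "NO_APPROVAL")):
            if not getattr(p, field):
                reasons.append(code)
        if reasons:
            exceptions.append((p.pay_id, reasons))
    return exceptions

def route(exceptions):
    """Step 4: send each exception to a follow-up queue (queue names are hypothetical)."""
    queues = {"hold_payment": [], "review": []}
    for pay_id, reasons in exceptions:
        queue = "hold_payment" if BLOCKING & set(reasons) else "review"
        queues[queue].append(pay_id)
    return queues

# Constructed sample data: one invoice already paid, four payments pending today.
HISTORY = {("ACME SUPPLY", "INV-1001", Decimal("1200.00"))}
BATCH = [
    Payment("P1", "Acme Supply", "inv-1001 ", Decimal("1200.00"), "PO-7", "RC-7", "jdoe"),
    Payment("P2", "Borealis Ltd", "INV-88", Decimal("50000.00"), "PO-8", "RC-8", "jdoe"),
    Payment("P3", "Borealis Ltd", "INV-89", Decimal("50000.01"), "PO-9", "", "jdoe"),
    Payment("P4", "Cobalt Inc", "INV-5", Decimal("310.00"), "", "RC-2", ""),
]

if __name__ == "__main__":
    found = evaluate(BATCH, HISTORY)
    print(found)
    print(route(found))
```

Because the pass covers every pending payment rather than a sample, the duplicate in P1 is held before it is paid, and P2 at exactly $50,000 correctly raises no threshold exception.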
The Million-Dollar Payoff
Thanks to the challenge and cost of Sarbanes-Oxley compliance, continuous auditing is growing in popularity within the internal audit community. "Part of what the IIA needs to do in terms of challenging the profession is to say, 'This is an emerging trend that can pay high dividends to your organization,' " Richards says. Bryon Neaman, director of internal audit for Bon Secours Health System Inc. in Marriottsville, Md., seconds that point.
AGL initiated a process for continuous monitoring. So far, the energy company's internal audit department has set up a pilot program that uses Oversight Systems software to scour its PeopleSoft accounts payable module. A standard payables audit, says Lepionka, might select a small sample of transactions and examine their accuracy based on a host of parameters, including approvals and the existence of a valid purchase order and receiving document. "With a continuous auditing tool, you can basically look at the entire population of transactions," he says.
"And you can do that every day, as opposed to waiting five years to clean up your entire database."
In the current compliance environment, which will remain in force into the foreseeable future, fewer and fewer companies have the luxury to wait.
Auditing vs. Monitoring
Although continuous auditing has been kicked around for more than 20 years, finance, accounting and auditing professionals remain confused about the concept.
J. Donald Warren Jr. has looked at the process from just about every possible angle. The 31-year public accounting veteran and former PricewaterhouseCoopers partner recently earned his Ph.D. with a dissertation titled "Continuous Auditing: Implications of the Current Technological, Regulatory and Corporate Environment." In 2001 he founded the Center for Continuous Auditing; currently the center is located at Rutgers University, where he is an accounting professor. Warren instructs those interested in continuous auditing processes on the difference between two terms that most finance and internal audit executives use interchangeably:
Continuous monitoring. This is the mechanism by which the CFO, senior financial management and/or the CEO monitors the control and disclosure environment within the corporation on a continuous basis. "It is a management function rather than an audit function," Warren says. Finance executives can start preparing for continuous monitoring by identifying high-risk areas. They should then prioritize business processes according to risk factors. Finally, finance should institute a process (generally supported by technology) that provides feedback to management on whether the controls and disclosures surrounding the process are proper. The process should flag anomalies for immediate follow-up.
Continuous auditing. This is the purview of internal audit, which puts in place procedures that test both business processes (by scrutinizing large volumes of individual transactions) and management's monitoring process. Are the continuous monitoring systems that management uses functioning in accordance with their intention? Warren emphasizes that the management team should not become dependent on exceptions generated by auditors. If it does, the auditing process becomes an integral part of the management process, which qualifies as a classic control breakdown.
posted by Brian Moran @ 4:30 PM