Wednesday, February 23, 2005
The Human Side of Compliance
A company's ability to comply with financial reporting regulations is only as good as its people. Some businesses are doing a lot to ensure that their people are doing the right thing.
CFOs often complain that the Sarbanes-Oxley Act represents a harsh overreaction to the corrupt acts of a few bad apples. Besides, they say, the new law cannot prevent fraud if an unethical manager is determined to skirt the rules. This argument points to one of the steepest challenges of sustaining compliance over the long haul: people. "As good fraud auditors already know, any individual -- from the most pious to the most incorrigible -- can be prone to commit fraud due to fundamental 'people factors' that emerge given the right external stimulus," notes Dwayne Jorgensen, director of the Sarbanes-Oxley services practice for consulting firm CTG's information security solutions division in Duluth, Ga. Public companies have strengthened their financial reporting processes and installed new technology to help monitor internal controls, but one bad apple on staff can poison those staggering investments. Companies with a long-term commitment to Sarbanes-Oxley compliance and corporate governance address the human challenge through effective communication, compliance training and staffing decisions. Most important, compliance leaders translate the abstract notion of "tone at the top" into a practical and visible component of daily decision-making throughout the organization.
Drilling Tone Into the Ranks
The executive team at Santa Clara, Calif.-based Sun Microsystems Inc. shone a spotlight on compliance issues well before Sarbanes huddled with Oxley. "When you have 30,000 employees, there's always a chance somebody is going to apply bad judgment or make a mistake," notes Sun vice president and chief compliance officer (CCO) David Farrell. "We stress a very strong expectation for integrity at the top. We typically err very much on the side of being conservative in our judgments, and we work to set that tone throughout the company."
Farrell drafted his company's original "Standards of Business Conduct," and in early 2001 he helped establish the business conduct office, which he managed until stepping into the CCO position. A glance at Sun's board of directors -- which includes former SEC chief accountant Lynn Turner -- confirms Farrell's claim that a commitment to governance and compliance resides in the company's DNA. And Farrell credits the board and executive team with ensuring that the company puts its good-governance genes to use.
Shortly after Sarbanes-Oxley became law, CFO Stephen McGowan asked Farrell and Robyn Denholm, the company's vice president and corporate controller, to develop a series of compliance and governance training sessions that became known as Sun's "fiduciary boot camp." The program, named for its intensive-indoctrination approach, delivers in-person sessions on legal and compliance issues, including Sarbanes-Oxley, Reg FD, analyst and media relations, export laws, global anti-corruption laws, and related issues. It's mandatory for all of the company's vice presidents and directors, as well as for other managers whose responsibilities require a sharp understanding of compliance issues (e.g., people in analyst relations or financial reporting, overseas sales managers).
The day-and-a-half program is divided into hour-long sessions led by managers from Sun's business conduct office and other internal subject-matter experts. In 2003, 1,000 employees attended the training; last year that figure doubled. One hundred to 250 employees attend each boot camp event, a dozen of which were held in locations throughout the world in 2004.
Farrell believes that the most effective way to train people on compliance-related subjects is to engage them in a dialogue rather than bombarding them with slides. "There is a lot of gray area in many of these areas, a lot of judgment calls," he notes. Sun boot camp attendees flex their decision-making muscles by working through case studies set in those gray areas and debating sticky issues with their colleagues.
The fiduciary boot camps are now overbooked because many graduates have requested that their teams attend future sessions. The sessions have also attracted interest from the companies that benchmark with Sun. "Our approach is to be as innovative and effective as we can from a preventative perspective," Farrell says, pointing out that the key to effectiveness is to keep these issues top of mind throughout the organization.
Skills Available Online
In addition to disseminating its governance message through the boot camp training, Sun relies on technology to expand the reach of its compliance instruction. The content developed for the boot camps is summarized and placed on the company's intranet so that all employees can access the material. All Sun workers also complete online training courses related to the company's business conduct standards and compliance issues related to exports; the courses' content is customized according to the student's job function.
Sempra Energy has taken a similar approach to corporate governance training. Roughly 200 top managers have attended the San Diego-based energy services holding company's financial literacy workshop in recent months (see Compliance Everlasting in the August 2004 issue). All Sempra employees must complete Web-based compliance training related to their responsibilities, on topics such as the U.S. Foreign Corrupt Practices Act, anti-trust laws, state-specific energy regulations, and other environmental and safety rules. "We are also in the process of developing Web-based training around internal controls and other aspects of Sarbanes-Oxley," reports Sempra Energy's chief compliance officer Randall Peterson.
Peterson notes that his company's emphasis on the importance of internal controls is not new. "We've conveyed that message for a long time," he explains. "We have an internal-controls policy that we make management aware of periodically to drive home the point that [controls] are not just something that auditors and accountants need to worry about. They need to be embedded in everyone's responsibilities."
Sempra Energy's business-conduct guidelines and related training hammer home the importance of seeking help from supervisors when tough judgment calls arise. The company has also established a decision-making model that Peterson and his staff consistently communicate. Faced with a gray-area decision, employees in the finance function first ask whether their choice is consistent with company policy and company values. If they're still unsure after reviewing the corporate guidelines, they turn to their supervisor -- or, if they prefer, their divisional controller or the corporate controller.
Internal controls expertise is a much more concrete skill than, say, tone at the top. Such concrete skills are a vital but frequently overlooked determinant of a compliance program's success, notes John Hall, president of Hall Consulting Inc., a Chicago-based training and consulting firm specializing in risk management and internal auditing. The question, Hall explains, is whether each function within the organization has employees who possess the proper skills to successfully execute their responsibilities in a compliant manner.
For example, to help sustain compliance, the bank reconciler needs to know what fraud indicators to look for when conducting a reconciliation. The bank reconciler also needs to know what actions to take after spotting a sign of fraud. In other words, the bank reconciler needs to know how to do his or her job.
Compliance and related skills training should be tailored to job function. "All I need to say to the person in charge of the receiving dock is, 'Here are five signs I want you to look for; call me every time you see one of them,' " Hall says. The receiving dock manager does not need to learn the finer points of Sarbanes-Oxley or corporate fraud theory; finance managers and internal audit managers, on the other hand, most certainly do. "The signs and indicators of fraud have to be in the hands of the people who review and approve transactions," Hall asserts.
Some of Hall's clients began this year by initiating a second, post-404 phase of Sarbanes-Oxley compliance processes, in which they are assessing skills and compliance competency on a function-by-function basis. The purpose of the exercise is to correct skill deficiencies before they result in a bad decision that leads to a potential material weakness.
A Compliance Labor Crunch
Many companies, particularly small to midsize enterprises, would love to beef up compliance and governance education programs -- if only they could muster up more teachers. Finance professionals with solid auditing backgrounds are in high demand. Micros Systems Inc., a fast-growing IT solution provider to the hospitality and retail industries, has created an internal audit department in tandem with its Sarbanes-Oxley compliance efforts. Cindy Russo, vice president and corporate controller for the Columbia, Md.-based company, says Micros competes with the Big Four firms, the SEC and the Public Company Accounting Oversight Board (PCAOB) for accounting and audit talent. "These resources are in high demand right now, and some of those other organizations pay very, very well," says Russo, who notes that her company considers Big Four experience an attractive quality in internal auditors.
In nearby northern Virginia, QuadraMed Corp., an IT solution provider to the health-care industry, recently rebuilt its 50-person finance department from the ground up after relocating its corporate headquarters from northern California to Reston, Va. One of QuadraMed CFO John Wright's first hires was senior director of internal audit Kevin Haggerty.
"In the past, there was an image of the internal auditor as someone who sat in the back office reviewing expense reports and waiting to say 'Gotcha!' " Wright explains. "Well, that's not Kevin." Haggerty has been deeply involved in QuadraMed's implementation of a new PeopleSoft ERP system, which includes a compliance module. He worked closely with the project teams to ensure that the system's design and capabilities were in line with many of the company's internal controls and compliance processes. "He has very good communication skills," Wright says, "and he instills confidence in the people he works with across the organization."
Haggerty also has Big Four experience, which Wright lists as a key qualification for post-Sarbanes-Oxley finance and internal audit professionals, along with integrity, internal audit experience and technology-systems savvy. "I wanted to make sure we had people here who were accustomed to working in a disciplined environment, like public accounting, and I wanted people who were also accustomed to using technology fully," Wright explains. "You can't comply with 404 just by throwing people at it. You have to have systems and processes in place."
Few companies can afford to throw a lot of people at their compliance efforts. That may be why finance executives at small to midsize companies like QuadraMed and Micros Systems frequently mention technology when discussing the human side of Sarbanes-Oxley compliance.
"It's much easier to test controls when they are automated and you don't touch them nearly as much," explains Russo. She says that technology is vital to the compliance effort; Micros Systems relies on a compliance application from OpenPages. But Russo also emphasizes that the value of the software depends on the people who use it. "Individuals input the information into the system," she notes.
Haggerty agrees that it is beneficial "to have as many control activities as possible be automatically taken care of by the system without a lot of human intervention." For example, once a software company has programmed into its accounting system the proper approach to calculating revenue from software contracts, it no longer requires an individual plugging away on a spreadsheet to judge how proceeds from a particular sale should be recognized. "That's what Sarbanes-Oxley tells you," Haggerty notes. "Most of the attention should be focused on where a human judgment has to be made."
Once a company's controller or CFO establishes how revenue should be recognized, that process can be automated, which limits the likelihood of a poor judgment call by an individual. "If you have the right kind of tool," Haggerty adds, "it assigns those business processes out to the real owners of those processes and it allows for automatic checking for whether the process and related internal controls are in place."
Given the high cost of compliance, which may increase further before it subsides, CFOs and other executives have a right to grouse about Sarbanes-Oxley. A July 2004 Financial Executives International (FEI) survey estimated that internal and external Section 404 compliance costs are averaging $8 million annually for companies with more than $5 billion in revenue. A recent AMR Research study pegs Sarbanes-Oxley compliance costs at $1 million annually for every $1 billion in revenue. And more than half of U.S. and European multinational executives polled in a late-November PricewaterhouseCoopers study reported that their companies will increase compliance spending by an average of 23 percent during the next one to two years.
But bellyaching about the sweeping impact of other companies' bad apples is not an adequate response to the governance crisis. Leading businesses are establishing a strong and broad base for their compliance programs so that bad decisions by individuals cannot wreak havoc on their future growth.
posted by Brian Moran @ 1:31 PM