Thursday, May 26, 2005
SOX Compliance Can Set A Better Organization In Motion
Although SOX has a broad mandate and is implementation-agnostic, many of the strategies to meet its requirements can be drawn from best practices that will also improve the overall operations of the organization.
Yet like the proverbial Newtonian object flying through space, many of these same organizations would, given a choice, allow momentum to dictate their direction rather than expend the energy necessary to change course - even if headed for a collision with a larger object. As a result, many organizations are doing the minimum required for SOX compliance. They are creating additional layers of bureaucracy and approvals for audit purposes and the results are entirely predictable: increased costs, more inefficiencies, and frustrated employees. These haphazard, reactionary compliance strategies not only cause stress, they may cause the organization to miss a tremendous opportunity to create real competitive advantage.
Instead of complying reluctantly, smart organizations will take this opportunity to re-evaluate their processes and make changes, including the occasional wide-sweeping but painful ones that improve business operations. They will use SOX as a means to streamline their processes and auditing procedures through workflow automation, with compliance a natural byproduct.
Still, that's not quite an apple-dropping-on-your-head revelation. Truly enlightened organizations will take it a step further by embedding their auditing procedures right within those automated processes. With embedded auditing, the mere act of performing an action provides instant accountability and transparency. Auditing, therefore, becomes not an afterthought dependent on the good intentions of the person performing an act, but an integral part of the act itself.
Having an automatically generated, real-time audit trail not only makes it easier to assure SOX compliance, but also creates a body of metrics that could lead to additional process improvements, lowered costs, and
posted by Brian Moran @ 9:39 AM
Tuesday, May 24, 2005
The Trust Buster
Trust. That's the point of the Sarbanes-Oxley Act: making sure investors can trust our financial statements. Of course, for anyone involved in Sarb-Ox compliance projects, it feels more like trust has been hanged, drawn, quartered, electrocuted, run over by a steamroller, then stood up against a wall and shot, just for good measure. With Sarb-Ox, it seems as if nobody in corporate America will ever be allowed to trust anyone ever again.
So there may not seem to be much comfort in the Sarb-Ox guidelines issued last week by the SEC [QuickLink 54486]. The agency's staff now says we can trust each other -- just a little bit.
That means not every single piece of financial data has to be rigorously controlled at every step in its life cycle; corporate management is allowed to use a little discretion. And auditors don't have to be grim, silent inquisitors; they're allowed to tell management what's wrong, explain why it's wrong and even suggest ways of fixing problems.
It's only a little ray of trust in what's become a very dark Sarb-Ox world. But right now, we can use all the hopeful signs we can get.
posted by Brian Moran @ 11:34 AM
Tuesday, May 17, 2005
Greenspan lauds Sarbanes-Oxley
Countering critics of the Sarbanes-Oxley Act, Federal Reserve Chairman Alan Greenspan on Sunday praised the controversial measure as an effective response to corporate fraud.
"I am surprised that the Sarbanes-Oxley Act, so rapidly developed and enacted, has functioned as well as it has," said Greenspan, in prepared remarks delivered at the University of Pennsylvania's Wharton business school commencement.
Passed swiftly by Congress in 2002 in the wake of the Enron and WorldCom scandals, Sarbanes-Oxley requires companies to vouch for accounting controls and disclose weaknesses to shareholders. Some companies complain about big increases in what they view as unproductive auditing expenses.
Business lobbyists are pushing to amend the rules. Some officials have been conjecturing that Sarbanes-Oxley may be making executives too cautious, hindering business expansion and job growth.
posted by Brian Moran @ 11:28 AM
'Use your judgment on Sarbanes 404'
Companies and their auditors were yesterday told they could cut the costs of complying with the US Sarbanes-Oxley accounting and governance law by taking a more flexible approach to its implementation.
Regulators said the costs could be reduced if companies and auditors exercised better judgments when they carried out their obligations under the law. The Securities and Exchange Commission and the Public Company Accounting Oversight Board published guidance on how to make implementation of section 404 of the law easier.
Section 404 requires companies to report on the state of their internal controls, which are supposed to ensure good financial reporting and guard against fraud. Many US companies have complained about sky-rocketing costs resulting from section 404, which has proved to be the most complex and expensive provision of the Sarbanes-Oxley law.
The SEC staff, after examining first-year experiences of section 404, said: "Some non trivial costs may have been unnecessary due to excessive, duplicative or misfocused efforts."
The regulators did not propose changes to the Sarbanes-Oxley law, which they insisted had provided significant benefits by giving investors greater confidence in the accuracy of financial statements.
The costs of section 404 were driven upwards in many cases by companies and their auditors failing to take a risk-based approach to choosing which internal controls to review.
Some decided to test all controls, rather than focus on those where weaknesses could lead to accounting errors.
The SEC said: "Both management and auditors must bring reasoned judgment and a top-down, risk-based approach to the 404 compliance process."
posted by Brian Moran @ 11:27 AM
Friday, May 13, 2005
Challenges of Sarbanes-Oxley: Sustainability Is an Organizational Cultural Issue
Sarbanes-Oxley (SOX) sustainability is an organization-wide issue. This means that the organizational culture will be impacted by new requirements related to the compliance initiative. Conversely, it means that the culture will influence or determine how to efficiently fulfill the new requirements of the compliance initiative. Discussions on how to achieve efficient sustainability must begin with a discussion about organizational culture.
For our purpose, culture may be described as a combination of several core elements (among others):
1. Uniquely talented and uniquely biased employees and contractors
2. Ethical and moral predispositions and preferences of those same persons
3. Entrepreneurial and/or bureaucratic tendencies
4. Team-orientation and/or self-orientation
5. Innate Technology-focus (pro or con)
6. Behavior and policy flexibility
7. Willingness and adaptability to change; faith in the future
8. Reward systems (monetary and psychological)
9. Organizational pride and cohesiveness
10. Sense of urgency to move forward
Based on this mix of variables, any given organizational culture requires a custom-tailored approach to compliance at a point in time. Even COSO and the PCAOB recognize that internal control systems are not one-size-fits-all. They are unique to the entity and the particular moment in time. Incentives, tools, and processes that are effectively employed by one culture could be wasted by another: give a bandsaw to a carpenter and get beautiful cabinetry; give the same bandsaw to someone else and get a boat anchor.
posted by Brian Moran @ 9:59 AM
Tuesday, May 10, 2005
Sarbanes-Oxley Can Mean Business as Usual
Surely the single most crucial Sarbanes-Oxley topic today is to find an efficient way of managing and sustaining compliance over the longer term. Most organisations caught by the legislation have completed the groundwork of documenting their financial reporting structure and process and the control fence around them, but it has been a very time-intensive struggle to achieve compliance.
The next challenge is to identify and adopt a sustainable solution that distributes responsibility for monitoring of controls to the appropriate managers, and minimises the time and effort required to maintain it. Data and report mining, including the automated versions of such software, can and will play a vital role in this process, bringing to the table understandable systems and a business-as-usual enterprise environment.
Such solutions should also ensure accountability for those managers, requiring systematic review and sign-off through defined workflows. Ideally, the solution would provide support for automation of the monitoring of critical controls. A long-term solution will eventually be integrated into many of the organisation's enterprise applications, with the ability to extract data and monitor key control activities, delivering the timely reporting that S409 demands. If ever there was a business environment designed for data mining, then Sarbanes-Oxley - and the other current compliance imperatives - have certainly created and defined it.
The task seems simple enough on the surface, but the requirements are extensive. Controls must be monitored and tested on a regular basis to ensure that they are performing adequately. The documentation must be updated and maintained. Management must be able to support their assertions that the financial data in their reports is accurate. Material weaknesses must be identified and reported in a timely manner. Resolution of issues must be tracked and reported. The control environment must be evaluated. A cultural change may be needed to encourage managers to identify problems without the fear of retribution. By understanding that this is an enterprise-wide task and not - as many are reported as believing - an IT issue, fear becomes redundant.
The best IT head in the world is highly unlikely to be a compliance professional or, for that matter, an internal auditor or finance professional. To see this new era as a mostly IT issue is to assume that IT can be tasked with fully understanding all the additional needs of these other departments in a real-time and changing environment. It is much better to allow compliance, audit and finance teams direct access to the existing data, using their accumulated knowledge and data mining skills to monitor and control these vital processes.
Organisations that find a technology solution which allows them to efficiently meet these requirements, with a minimum of manual effort, will reap rewards. But what they do not need is more expensive technology, just timely solutions. These solutions will ultimately provide more than just compliance with Sarbanes-Oxley. The same solutions can be applied across the enterprise, to document, evaluate and monitor processes and controls in all areas. It does not need to be limited to financial reporting. The methods and procedures that are applied to achieve compliance for Sarbanes-Oxley can also provide the foundation for an enterprise risk management program. Better corporate governance is the certain prize awaiting those enterprises which adopt a can-do and positive approach to twenty-first century compliance.
The objective of Sarbanes-Oxley is to provide shareholders, markets and regulators with greater transparency into the financial reporting process. The goal of enterprise risk management is to provide executive management with greater understanding and transparency into their enterprise, enabling them to make better management decisions. IT auditing can apply a system of measurement to the organisation's internal processes, providing management with an understanding of their organisation's system's strengths and weaknesses. It allows resources to be assigned to the appropriate areas to address weaknesses or to exploit areas with competitive advantages.
Better business process is a long-term goal for many organisations. The first and most pressing need is to find that solution which can efficiently and effectively help them maintain compliance with the many requirements of the Sarbanes-Oxley act. Technology can and will help in that imperative, but enterprises should be wary of technology-at-any-cost pitches, concentrate on the solution, and import no more new technology than is necessary to enhance the existing process. Business as usual wins over technology at any price.
posted by Brian Moran @ 4:56 PM
CEOs Have More Financial Insight, Say CFOs
May 10, 2005 (SmartPros) — Chief executive officers currently on trial may not have known about the fraud occurring within their companies, suggests a CFO Magazine survey.
The survey of 314 senior finance executives found that 31 percent of public company CFOs believe that their CEOs could have remained unaware of major fraud prior to the implementation of the Sarbanes-Oxley Act.
The survey also suggests that Sarbanes-Oxley has successfully forced CEOs to become better acquainted with finance. Only 14 percent of public company CFOs think their CEOs could remain ignorant of major financial fraud today.
Yet CFOs are skeptical that the top managers of Enron, HealthSouth and WorldCom didn't know about their companies' financial deceptions. 81 percent think it is unlikely that Kenneth Lay didn't know about Enron's fraud, 83 percent think Richard Scrushy likely knew about HealthSouth's fraud, and 81 percent think that Bernard Ebbers was probably aware of WorldCom's fraud.
Among other findings, 95 percent of CFOs say that their CEO is moderately or deeply involved in significant corporate financial decisions. 46 percent say this level of involvement has increased since the enactment of Sarbanes-Oxley. CFOs gave CEOs generally high marks for their grasp of six areas of financial management.
posted by Brian Moran @ 8:44 AM
Tuesday, May 03, 2005
What Does Your CEO Really Know?
How much does any CEO know about his company's finances? How much should he know?
Those are the central questions in the trials of several chief executives accused of masterminding their companies' massive accounting scandals. These CEOs claim they knew nothing of the financial machinations that rocked their companies. In each case, they insist, a manipulative and conniving CFO acted alone.
But the amiable-dunce defense has failed spectacularly at least once. This past March, former WorldCom CEO Bernard J. Ebbers was found guilty of conspiracy, false regulatory filings, and securities fraud in connection with the 2002 demise of the telecom giant—convicted despite his insistence that former CFO Scott Sullivan unilaterally cooked the books. (Sullivan, the prosecution's star witness, admitted to the cooking, but testified that his former boss held the frying pan, a scenario the jury found more plausible than Ebbers's version.) Similarly, Richard Scrushy, former CEO of HealthSouth, maintains in his ongoing trial that conspiring executives, including five former CFOs, committed the $2.7 billion fraud there. And Kenneth Lay, former Enron chairman and CEO, is widely expected to employ the ignorance defense when his first case gets under way, perhaps as early as next month.
So what gives? All these top executives insist they didn't possess the knowledge necessary to execute the frauds in question.
posted by Brian Moran @ 9:13 AM