Monday, October 31, 2005
Turning Sarbanes-Oxley into a Strategic Advantage
The key to turning your company’s conformity with Sarbanes-Oxley into a strategic advantage is to sustain your compliance year on year. To do so, you must embrace the idea that Sarbanes-Oxley compliance is an ongoing journey, not a final destination.
To increase your company’s competitive advantage and close the IT audit gap you must leverage a combination of the right people, processes and technology. This means making compliance a repetitive process via careful planning, effective communication, efficient processes and applied technology applications aligned with best practices, audit and internal control guidelines and corporate culture.
Sarbanes-Oxley compliance has forced, and is continuing to force, companies to reengineer their business processes, which can improve overall enterprise risk management and business performance and therefore create enormous productivity gains. Complying with Sarbanes-Oxley mandates can be costly and time-consuming. Global companies have estimated that it will cost between $10-$20 million to implement the appropriate control frameworks (COSO, CoBiT) and create the environment needed to fulfill Sarbanes-Oxley requirements on an annual basis. Yet, for those companies determined to turn the business knowledge gleaned from Sarbanes-Oxley into a competitive advantage, an important silver lining beckons. The information that companies gather while complying with Sarbanes-Oxley, in particular regarding internal controls and risk management processes, can open up new opportunities to streamline businesses and increase profit. Here are ten tips for getting the most out of your company’s compliance strategies and benefiting from the silver lining.
posted by Brian Moran @ 11:33 AM
Refco investors ignored warnings
Long before Refco Inc. found itself at the center of a scandal that led to its collapse, investors should have known that its financial house was in disarray. The company said as much in its initial public offering's prospectus.
Refco acknowledged on page 23 that its auditors had found "significant deficiencies" with how the company staffed its finance department that made it difficult to prepare compliant financial statements. It also noted problems with the procedures used to close its books each quarter.
But investors chose to ignore such risks when they poured big money into Refco's stock during its IPO and thereafter. Weeks later, financial fraud destroyed the company.
The Securities and Exchange Commission demands that companies list all relevant "risk factors" in prospectuses before they are allowed to sell stock to the public. Some need a dozen or more pages to inform investors about all the things that could go wrong in their businesses.
posted by Brian Moran @ 8:56 AM
Friday, October 28, 2005
How to Reduce SOX Chaos and Cost Through Automation
For the majority of corporations, compliance with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) has rapidly become an expensive and complex proposition. Surveys reported at the 2004 SEC Conference on Sarbanes-Oxley 404 showed that the effort involved in 404-compliance is resulting in double and triple the amount of work originally estimated and involves tens of thousands of hours.
The year 2004 also saw company executives opening their coffers in an effort to implement the internal controls necessary to achieve 404-compliance at virtually any cost. This "open checkbook" policy meant that while some funds were spent wisely, money was also wasted.
Along the way, an army of consultants and advisory firms were hired (and sometimes fired just as quickly). In sum, there was a feeling of chaos as companies sought to comply with unfamiliar processes and controls.
Throwing money at this problem doesn't necessarily solve it. The answer is that companies need to streamline visibility, control, and processes.
In most companies, SOX 404-compliance is treated as a separate project, independent of the rest of the organization. This "silo" mentality creates a wall between those responsible for reporting and controls and those who are involved in day-to-day processes.
Instead, SOX compliance needs to be integrated back into the day-to-day operations of the enterprise. This means shifting responsibility for testing and documentation to process owners. In other words, you must decentralize to reduce costs.
However, it's difficult for 404-compliance owners to transfer responsibility due to lack of visibility into the schedules, status, and issues of process owners spread throughout the enterprise. In addition, the change control process is manual, which makes it difficult to synchronize documentation, controls, and processes. Finally, many control-owners are reluctant to transfer responsibility for 404-compliance simply because they anticipate having to redo all their work from year one.
Leveraging technology to streamline visibility, control, and processes is the best way to reduce the cost of SOX compliance over the long term.
The most straightforward approach is to adopt a Project and Portfolio Management (PPM) software system, preferably one that offers pre-built templates for 404-compliance and supports the Internal Control Integrated Framework established by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
This software should serve as a central repository of all documents, with role-based access for stakeholders. Web-based access is essential to ensuring that various team members across the globe can easily get to the right version of a document.
posted by Brian Moran @ 11:32 AM
Thursday, October 27, 2005
IT's Role in Financial Process Improvements
From the first databases to ERP deployments, information technology has led the way in business process reengineering. Despite process improvements, corporate America and government enterprises still face errors, fraud, and data quality issues within their financial systems.
Now the challenge is to stay competitive and continually improve those processes, such as accounts payable, accounts receivables, purchase-cards, and financial reporting. IT can again play a role in process improvement.
Those responsible for these business processes face increasing pressure from government regulations, such as Sarbanes-Oxley and BASEL II, to eliminate errors and strengthen internal controls. However, fast-paced growth and corporate acquisitions only increase the risk of financial errors by creating complex IT environments with multiple ERP systems running throughout most companies.
A 2004 study from the Hackett Group reported that the average $1 billion company has 2.7 ERP systems. Most CIOs and IT managers personally deal with this headache on a daily basis. All the while, business process owners face competitive pressures to decrease their operating costs and improve efficiency or be outsourced to India.
Just as with ERP deployments, IT can lead process-improving changes by applying the proven methods for quality improvement to their financial applications. Business process owners can look to IT solutions to drive out errors in their financial systems through continuous monitoring and real-time transaction inspection.
Today, business process owners rely on sample-based audits and manual review of their custom-built ERP reports to identify invoicing errors, uncollected receivables, payment errors, invalid journal entries to the general ledger, or unauthorized p-card purchases.
Most of these efforts are consumed on the back end of the process, looking for a duplicate payment or bad invoice before it hits the mail. For example, a $6 billion Midwest manufacturer devoted two full-time employees to double-checking payments before they went out the door. Two other employees spent most of their days correcting the identified errors by tracking down the cause of the problem and reversing the purchase orders, vouchers, and payments.
While this manufacturer placed a large emphasis on quality and catching all the errors in its financial system, the quality assurance team could only spend their time inspecting and following up on the payments that were greater than $5,000. Economically, it didn't make sense to hire two more people to check data quality within these smaller payments and another two employees to correct the mistakes. However, errors within these smaller payments built over a year to misstate the company's accounts payables by almost $400,000.
Spurred on by the demands of Sarbanes-Oxley, some companies have tried solutions that simulate ERP configurations to eliminate segregation of duties violations and root out the cause of many of these errors. These highly technical solutions offer "open-loop" controls that attempt to project the potential errors or acts of fraud that could occur in the financial system. However, these solutions forever cement daily involvement from IT personnel in the business process, which creates a resource problem for IT and a headache for the owner of the business process.
While useful in configuring an ERP system, these solutions require time-consuming manual reviews that increase operating costs without effectively addressing the entire problem. By tightening the embedded controls of the ERP system, these restrictions introduce barriers to productivity, which then frustrates production-line employees by restricting them from getting their jobs done efficiently.
With this mindset, IT managers risk running smack into the “productivity paradox” where investments in information systems drag corporate productivity instead of lifting it as projected. In short, tighter controls reach a point of diminishing returns because the human element can never be removed from the process. The human part of the process creates the opportunity for errors, risk, and control violations to affect the quality of your financial operations.
Further, configuration management tools typically work for only a single system and cannot correlate users, access controls, and transactions across multiple systems. IT managers must duplicate their efforts across all systems.
For these reasons, IT managers should look for closed-loop control systems that monitor quality throughout each step of financial processes.
IT managers generally understand “closed-loop” controls in the context of information security. A firewall can be configured so that it does not allow Internet traffic into the corporate network, but that’s not realistic. Communication must flow into and out of the corporate network.
While configuration of the firewall remains the first step of IT security, IT managers know that they must also deploy intrusion detection or other forms of network monitoring to identify threats inside the corporate network.
In the same way, financial systems must be monitored for risk. The best efforts at prevention cannot eliminate the human element that naturally introduces errors and risk into financial processes.
Financial systems demand controls that identify and prevent mistakes and violations that occur in each step of the financial processes. While controllers could throw a roomful of internal auditors at the problem to provide this level of quality assurance, IT managers should recognize the potential for technology to automate this benefit.
To effectively present this agenda for budget approval, IT managers should first understand the concepts of quality and process improvement – and how technology can drive these programs in financial processes.
Total Quality Management & the Financial Manufacturing Plant
To compete with Japanese manufacturers, American manufacturers adopted the idea of total quality management in the 1980s. In the 1990s, Six Sigma grew as another quality management movement. IT managers can apply these concepts to improving financial processes within their ERP systems.
The costs and benefits of quality within financial operations – or lack thereof – is best understood if you think of the financial processes, such as procure-to-pay, order-to-cash, and financial reporting, as “Information Manufacturing.” (Just to be clear, we’re not talking about manufacturing fictitious earnings reports.) Within this information manufacturing, these processes transform input data into more refined information.
The key to remember is that quality isn’t about having the most elaborate financial systems – it’s about meeting expectations. To this point, quality isn’t necessarily a Cadillac. A Chevrolet can have quality as long as it delivers to the expectations of the customer. Phil Crosby’s most compelling argument is that quality doesn’t have to be a cost; it can be free if you think about all the costs of an error. And every time you remove that error, you save money.
So what are the costs of processing an error within financial processes? If an invoice error produces an erroneous shipment, the correction cycle may include:
Receiving a customer call complaining about the bad shipment
Investigating the error
Reversing the invoice
Handling returned materials
Accruing for rebates & returns
Accounting for change in revenue recognition
Less explicit costs arise when the sales manager gets involved to manage the customer relationship, so the sales manager absorbs an opportunity cost by not devoting his time to call on new business.
For most Fortune 1000 companies, enterprise resource planning (ERP) systems serve as the manufacturing facility. These systems can be configured to deliver quality, but they also involve a significant human element. While ERP systems provide the conveyor belts that move information through the various steps along the process, people play a major role with regard to data entry and approvals.
The analogy in manufacturing is that you inspect for quality along the way. For example, Intel doesn’t wait until the end of the production line to look for defects within its microchips. They look at each step along the process. Intel would much rather find a flaw in a silicon wafer before they’ve burned in all the circuitry. It’s a lot cheaper to throw away that faulty wafer before investing time and production cycles into a defective final product.
IT managers should apply that same mentality to the financial processes inside their ERP systems. Look for errors and defects throughout the process to minimize correction costs and the downstream impact.
CIOs and IT managers can play a major role in improving financial business processes by evaluating technology solutions that automate the manual testing for quality assurance. Oversight Systems provides a continuous monitoring solution with real-time transaction inspection to drive quality through all steps of financial processes.
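As an added illustration (not code from the original post or from Oversight Systems), the following Python monitor applies the closed-loop idea above to a stream of constructed accounts-payable records: every payment is inspected, not only those above a review threshold, and the checks flag duplicate payments (with invoice-number normalization so a re-keyed invoice is still matched), same-person entry and approval, and the dollar exposure that a threshold-only review would have missed. The record fields, the 60-day window and the $5,000 threshold are assumptions for the example.

```python
"""Closed-loop transaction inspection over constructed AP payment records."""
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Payment:
    # Field names are assumed for this example, not taken from any real ERP.
    payment_id: str
    vendor: str
    invoice_no: str
    amount: float
    pay_date: date
    entered_by: str   # user who keyed the voucher
    approved_by: str  # user who released the payment


# Constructed sample data (not real transactions).
SAMPLE_PAYMENTS = [
    Payment("P1", "ACME", "INV-100", 12500.00, date(2005, 10, 3), "alice", "bob"),
    Payment("P2", "ACME", "inv 100", 12500.00, date(2005, 10, 5), "alice", "bob"),   # re-keyed duplicate, large
    Payment("P3", "BOLT", "INV-77", 420.00, date(2005, 10, 4), "carol", "carol"),   # same person entered and approved
    Payment("P4", "BOLT", "INV-77", 420.00, date(2005, 10, 6), "carol", "dave"),    # duplicate below review threshold
    Payment("P5", "GEAR", "INV-9", 310.00, date(2005, 10, 7), "erin", "frank"),
    Payment("P6", "GEAR", "INV-9", 310.00, date(2006, 1, 15), "erin", "frank"),     # same key, outside the window
]


def normalize_invoice(invoice_no: str) -> str:
    """Collapse formatting differences ("INV-100", "inv 100") that let a
    re-keyed invoice slip past an exact-match duplicate check."""
    return re.sub(r"[^A-Z0-9]", "", invoice_no.upper())


def find_duplicate_payments(payments, window_days=60):
    """Flag a payment when the same vendor, invoice and amount was already
    paid within the window. Returns (earlier_id, duplicate_id) pairs."""
    last_seen = {}
    flagged = []
    for p in sorted(payments, key=lambda x: x.pay_date):
        key = (p.vendor.upper(), normalize_invoice(p.invoice_no), round(p.amount, 2))
        earlier = last_seen.get(key)
        if earlier is not None and (p.pay_date - earlier.pay_date).days <= window_days:
            flagged.append((earlier.payment_id, p.payment_id))
        last_seen[key] = p  # compare against the most recent occurrence
    return flagged


def find_sod_violations(payments):
    """Segregation-of-duties check: the same user entered and approved."""
    return [p.payment_id for p in payments if p.entered_by == p.approved_by]


def exposure_below_threshold(payments, flagged, threshold):
    """Dollar value of flagged duplicates that a review limited to payments
    above `threshold` would never have looked at."""
    by_id = {p.payment_id: p for p in payments}
    return round(sum(by_id[d].amount for _, d in flagged if by_id[d].amount < threshold), 2)


def run_monitor(payments, threshold=5000.0, window_days=60):
    """Inspect every payment and return the findings as one report."""
    dups = find_duplicate_payments(payments, window_days)
    return {
        "duplicates": dups,
        "sod_violations": find_sod_violations(payments),
        "missed_by_sampling": exposure_below_threshold(payments, dups, threshold),
    }


if __name__ == "__main__":
    for name, finding in run_monitor(SAMPLE_PAYMENTS).items():
        print(f"{name}: {finding}")
```

The P6 record shows the window edge case: the same vendor, invoice and amount recurring months later is left for manual review rather than auto-flagged.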
posted by Brian Moran @ 2:56 PM
COSO moves to cut Sarbanes-Oxley costs
An industry advisory group on Wednesday published proposals that could enable smaller US public companies to cut the cost of complying with the most complex and expensive part of the Sarbanes-Oxley legislation on accounting and corporate governance.
The Committee of Sponsoring Organisations of the Treadway Commission, a private sector body that promotes good financial reporting, is seeking public comment on its guidance for how smaller companies and their auditors can go about implementing the 2002 legislation's requirements on internal controls.
Section 404 of the legislation requires companies to report every year on the quality of their internal controls, which are supposed to ensure good accounting and guard against fraud.
Big and medium sized companies started complying with section 404 last year, and many have complained about the cost of documenting and testing their controls.
posted by Brian Moran @ 8:47 AM
Tuesday, October 25, 2005
Manual processes must be automated to cut cost of Sarbanes-Oxley audits
When Phillip Bennett, head of the US-based hedge fund giant Refco, was suspended earlier this month after his company announced a £240m accounting irregularity, it was a wake-up call to everyone involved in corporate compliance.
Not only has Bennett been charged with fraud, but Refco was also forced to admit its financial statements for the past four years "should no longer be relied upon". Part of the group was put into receivership and its core futures brokerage is being sold off.
The headlines proclaimed it the worst financial scandal since Enron and WorldCom, and its impact is likely to see a tightening of corporate governance regulations around the world.
Even before Refco, it was clear the clean-up of US financial reporting ushered in by the Sarbanes-Oxley regulations in 2002 would be mirrored elsewhere.
Sarbanes-Oxley covers firms with US stock market listings, but it has raised the compliance bar globally, with company shareholders and the financing banks now wanting to see firms managing their risks more effectively and transparently.
posted by Brian Moran @ 8:47 AM
Monday, October 24, 2005
Govt. Agencies Brace for Compliance Act
Finance and IT executives at government agencies across the country are about to get their own dose of some very unpleasant private-sector medicine: the Sarbanes-Oxley Act.
With the start of fiscal 2006 this month, the federal government has adopted drastic new standards for internal controls on finance and operations, much like SarbOx and its requirement that companies document and test all internal controls to ensure accurate financial reporting. Known as Circular No. A-123, the revised measure applies to all federal agencies and governs how they account for spending.
Among the new requirements: annual reports on internal controls and assurances that all of an agency's controls have been documented and tested.
Think of it as SarbOx, gone public.
posted by Brian Moran @ 8:49 AM
Friday, October 21, 2005
What's a Sarbox? Say Many Shareholders
More than three years after the passage of the Sarbanes-Oxley Act, investors are apparently not too confident that the new governance rules are reining in inappropriate behavior by corporate executives.
According to a new poll conducted by The Wall Street Journal and Harris Interactive, 55 percent of U.S. investors believe that financial and accounting regulations governing publicly held companies are too lenient. That figure rises to 77 percent for male investors ages 45 to 54.
Further, many investors are not blindly supporting companies they deem to be unresponsive to shareholders: 30 percent say they have reduced or divested their holdings in a company as a result of poor corporate governance.
The results are based on an online survey of 2,061 U.S. adults conducted in early October.
According to the survey, only one-quarter of investors feel that Sarbox has made the communication of financial information by companies "much more" or "somewhat more" transparent. What's more, 11 percent believe the legislation has actually made communication less transparent.
posted by Brian Moran @ 8:25 AM
Thursday, October 20, 2005
One-third of workers witness unethical behavior
Cynics might say a lack of ethics has been the hallmark of corporate America in recent years. So would about a third of U.S. workers, according to a new survey conducted for Hudson, a global staffing firm.
Thirty-one percent of those surveyed said they've seen co-workers act unethically, according to the survey of 2,099 U.S. workers.
"In a post-Enron, post-WorldCom environment [it's] surprising that still one-third have witnessed unethical behaviors," said David Rhind, general counsel for the North America region at Hudson Highland Group.
"Clearly, there's room for improvement," Rhind said.
The survey did not specify what unethical behaviors workers witnessed. "It could range from as simple as stealing office supplies, pencils, notepads, all the way up to shredding documents, bribing officials, the really bad stuff," Rhind said.
posted by Brian Moran @ 10:05 AM
Friday, October 14, 2005
The auditors' progressive voice
The US leader of PwC, one of the big global accounting firms, is discussing a very bruising experience. Dennis Nally, chairman of PwC's US business, is directing his firm's sensitive task of declaring whether audit clients have effective financial controls to prevent fraud and ensure accurate accounting.
PwC had by the end of August reported on the quality of internal controls at 717 companies and issued negative verdicts at 94 of them. It was the first time that PwC had given such verdicts and, Mr Nally says: "The stress levels between [companies] and their auditors were at an all-time high."
Proof that the process has been bruising is illustrated by Mr Nally's admission that PwC decided to sever ties with a handful of audit clients and that a limited number of companies opted to ditch the firm.
The evaluation of internal controls was stipulated in section 404 of the 2002 Sarbanes-Oxley law on accounting and corporate governance but the requirement only took effect last year. Many public companies have been horrified by the cost of reporting on the quality of their controls.
Companies spent huge amounts on documenting and testing the controls, before management reported on their effectiveness.
posted by Brian Moran @ 9:54 AM
Thursday, October 13, 2005
Sarbox ABCs for the Rank and File
Aquila, Inc., an electric utilities company, is so serious about complying with Sarbanes-Oxley Act internal-controls rules that it's requiring all employees — from line workers to the chief executive officer — to complete an online ethics training program.
Indeed, the problems featured in the program reflect that range of participants. One example, for instance, involves a meter reader who must read all the gauges on a particular route by today so that the readings would be included in this month's billing cycle. At the end of the day, however, the meter reader hasn't reached the end of the route, so a colleague offers to split the remainder of the route and suggests entering estimates for that part of it. The training materials examine the situation, explain that good internal controls practices dictate that estimated meter readings shouldn't be used for bills, and instruct the meter reader to contact a supervisor for guidance.
The course also asks employees to create a "personal action plan" listing how they can meld lessons from the training with their daily responsibilities. In such plans, employees can identify which activities in their group they should monitor to ensure their operations run effectively.
Introduced last year, the one-hour course includes explanations of "Internal Control—Integrated Framework," produced by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Based on the widely accepted COSO guidelines that Aquila has adopted, the course features hypothetical examples of work situations in which ethical values come into play.
posted by Brian Moran @ 10:15 AM
Tuesday, October 11, 2005
A process of improvement: Sarbox is never simple, but it can be less complex.
How many processes does your company have? A simple question if your firm has documented them all as part of meeting Sarbanes-Oxley requirements. But ensuring actual compliance? That’s another matter.
So who’s going to help minimise the time the nasty auditors spend going through all those processes? You guessed it. Business software companies can help you meet your compliance needs, they plead.
This time, though, they have a point. PricewaterhouseCoopers’ Anton Ruddenklau revealed that one US company he worked with on Sarbox documented 88,000 processes. As he pointed out, it takes an auditor around five hours of billable time to test each one.
So what can technology do to help ease this pain? Firstly, many processes can be automated. The more the degree of automation, the quicker that processes can be checked and the stronger the process will appear to the auditor.
For processes that require the intervention of mere humans, there are products providing workflow technology. These help manage it on a day-to-day basis, and provide the auditor with a clear and easy view of the process itself.
But Oracle UK finance director Norman Green warns: ‘While IT certainly holds the key to easing the compliance burden and facilitating more transparent reporting, it’s important that firms use technology to improve and streamline existing processes rather than automate what they’re already doing.’
His point? Improve processes then look to IT.
posted by Brian Moran @ 1:40 PM
DILLER DISSES SARBANES-OXLEY
Congress should take a hard look at the Sarbanes-Oxley Act because the high cost of complying with the law's requirements is hurting U.S. business, media mogul Barry Diller told The Post yesterday.
"Congress has a duty to revisit Sarbanes-Oxley, to see what was smart about it and what wasn't, and conform it to sensible and current practice," said Diller, CEO of IAC/InterActiveCorp, an Internet holding company.
Diller said he supports the act's requirements making top executives accountable for their books.
But he called some of the law's compliance requirements — specifically Section 404 — "ridiculous" and "incredibly wasteful."
Diller said the rules have forced U.S. firms to spend small fortunes on outside auditors and "millions of dollars internally to hire people to ensure compliance."
He said "99.9 percent of the processes" in the law have nothing to do with corporate malfeasance.
Congress passed the Sarbanes-Oxley Act in 2002, following a wave of scandals at Enron, WorldCom and Global Crossing that cost investors billions of dollars.
In a March 2005 survey of 217 companies by Financial Executives International, a professional association of chief financial officers, 94 percent said costs of complying with Section 404 far outweighed the benefits.
Supporters say some people are beginning to forget why Sarbanes-Oxley was passed in the first place.
"We're entering a phase of scandal amnesia," said Ann Yerger, executive director of the Council of Institutional Investors.
"Sarbanes-Oxley was absolutely essential to protect investors who lost billions of dollars thanks to corporate scandals."
posted by Brian Moran @ 9:19 AM
Friday, October 07, 2005
OMB to add internal controls requirements to PMA scorecard
The Office of Management and Budget will add implementation of milestones for tighter internal controls to federal agencies' ratings for the President’s Management Agenda scorecard during fiscal 2006.
Agencies are required under OMB's revised Circular A-123 to have a framework in place to implement those financial management practices by October 2006, said Dave Zavada, branch chief of financial standards and grants in OMB's Office of Federal Financial Management. An example of an internal control would be an agency performing routine reconciliation and analysis of its accounts throughout the year instead of quarterly or annually, he said.
The first management statement assuring internal controls over financial reports is due in June 2006. That statement will accompany the agency's year-end financial statement, which must be completed Nov. 15, 45 days after the close of the fiscal year. Prior to 2004, agencies had 90 days from Sept. 30 to finish their year-end reports.
"We saw a lot of process improvement last year to meet that deadline. The requirement for internal controls is a follow-on to that," Zavada said at an event sponsored by the Bethesda chapter of the Armed Forces Communications and Electronics Association in North Bethesda, Md.
posted by Brian Moran @ 12:10 PM
Auditor Exposes Fraud Through Time Dimensional Analysis
The ability to spot red flags is the essence of fraud detection. Most internal auditors include in their checklists specific audit procedures to identify fraudulent behavior, such as missing or altered records, unreconciled balances, and cash or inventory shortages. In addition to these procedures, auditors have included in their repertoire audit tools that incorporate the dimensions of space or time. Because space and time analyses provide more information than other forensic tools, internal auditors can benefit from using them during fraud investigations.
Nowadays, many digital audit programs have features that enable the easy use of space or time analyses. For example, an auditor working on behalf of an insurance agency recently detected fraud by conducting a warehouse capacity analysis. According to the insurance claim, a fire destroyed a warehouse facility where 900 television sets valued at US $200,000 were stored. Because the claimant provided fictitious purchase invoices and suppressed certain inventory dispatches, a conventional audit of the inventory records did not reveal any discrepancies. To test the claim's authenticity, the auditor applied a space-dimensional test with the help of a digital audit tool, and checked the warehouse's storage capacity and the total space required to store the 900 TV sets. The result: The warehouse could hold a maximum of 700 TVs at full capacity. Similarly, auditors can use time-dimensional analyses to determine the existence of fraud or errors, as illustrated in the case study below of an actual fraud discovered in India in 2004.
posted by Brian Moran @ 10:11 AM
Thursday, October 06, 2005
Outgoing official calls for patience on Sarbanes-Oxley
The outgoing head of the congressionally created panel that enforces Sarbanes-Oxley audit requirements yesterday defended the landmark law as a success in curbing corporate fraud, but he signaled that possibly significant regulatory tinkering is on the horizon.
William McDonough has led the Public Company Accounting Oversight Board (PCAOB) since its inception in 2002 to help publicly traded companies fall in line with strict new financial-reporting mandates imposed by Congress to heal shaken investor confidence. McDonough’s recent resignation, however, leaves an opening for Sarbanes-Oxley’s vocal corporate critics, who would like the law’s governance standards to be relaxed.
Addressing a group of trade-association officials and lobbyists, McDonough attributed Sarbanes-Oxley’s effectiveness to a higher “fear quotient” among corporate executives of the harsh fallout from accounting fraud. He acknowledged that Section 404, the provision of Sarbanes-Oxley instructing companies to conduct often-complex internal audits, had created a chorus of potentially justified complaints from businesses.
posted by Brian Moran @ 8:12 AM
Tuesday, October 04, 2005
Optimizing Internal Audit In The Post-SOX Era
There’s no doubt that post-Sarbanes-Oxley, the role of internal audit at public companies has changed dramatically. And during the first year of compliance with the onerous Section 404 of the Act, internal auditors played a key role in helping companies meet those requirements.
With internal audit expected to continue to play a critical part in ongoing compliance efforts, companies may need to re-consider how their IA departments function within their organizations. That's according to Deloitte & Touche, which recently published a paper on the subject, "Optimizing the Role of Internal Audit in the Sarbanes-Oxley Era," which offers management and audit committee members some recommendations on structuring internal audit.
During the last three years, "We've seen a pretty substantial transition with IA groups," says Eric Hespenheide, managing partner of global internal audit services at Deloitte & Touche, and a contributor to the paper. "How internal audit groups are positioned within companies, the way they are executing their work, and the expectations companies have of their internal audit function has changed."
posted by Brian Moran @ 9:41 AM
Monday, October 03, 2005
Sarb-Ox Missteps Help IT Execs Fine-tune Plans
Executives who oversaw the first round of Sarbanes-Oxley Act compliance for their companies said last week that in hindsight, they likely would have done things a bit differently.
The changes they would make include better educating workers about the steps that need to be taken, assigning dedicated staffers to assess and monitor critical controls, and automating a greater portion of repairs to deficient IT controls, said attendees at the Sarbanes-Oxley Conference & Exhibition here.
Neil Frieser, vice president of internal controls at Viacom Inc. in New York, said his early experiences taught him that "you want to start the process early, to educate as many people as possible."
posted by Brian Moran @ 2:56 PM