In the latest of our weekly Q&As with governance and compliance executives, we talk to Michael Rhodes, partner-in-charge of corporate governance at $41 million Citrin Cooperman.

You were recently named partner-in-charge of corporate governance. Tell us about your role and responsibilities.

Our practice provides a broad range of services to public, private and nonprofit clients. A core offering has been working with public companies to support their Section 404 compliance efforts. We provide the expertise to document and evaluate internal controls within core business processes, and support efforts to remediate any weaknesses. We provide project-management oversight, facilitate the external auditor review of management’s documentation, and conduct independent testing of key controls …

Outside of 404 compliance, our work has centered around ensuring that senior management and boards are provided the right information to make informed business decisions, formulate sound policies, and monitor employee activity to reduce the risk that the company’s overall business strategy is being challenged. We also provide ongoing internal audit services.

Where are most of the public companies you’re working with on their 404 compliance efforts?

There’s no straightforward answer to this. Some clients who are non-accelerated filers wanted to get an early start on their effort, because either they knew they had weaknesses that required remediation or they wanted validation that their procedures were generally adequate. Another client (a non-accelerated filer) has started the documentation process to coincide with an ERP system implementation. In that situation, the client recognized how building in the adequate controls from the outset would provide the long-term value to justify the investment.

An accelerated filer we’re working with asked us to evaluate the quality of their documentation and to help look for internal control redundancy, streamline documentation, and create a documentation package that has a consistent look and feel across all business units and divisions. The client assumed primary responsibility for creating the initial documentation and asked us to provide the Year Two updating in the middle of the fourth quarter.

Among the companies that are already under 404, what have the biggest hurdles been?

One of the largest hurdles is related to sufficiently integrating the IT application controls within the process documentation and control evaluations. Historically, controllers and CFOs were able to look at the manual workflow and relied on their IT groups to ensure that the systems were providing the right information. Today, the CIO won’t go to jail if he or she misinforms senior management, but Sarbanes-Oxley makes it abundantly clear that the CEO or the CFO can, and will …

Another significant hurdle is related to the aggregation of deficiencies and findings to determine if a significant deficiency or material weakness exists. It’s like a huge jigsaw puzzle where all of the smaller pieces may not look like anything serious, but when you put it all together, the big picture emerges.

Sometimes the easiest part is finding the weakness; the challenge comes in evaluating its impact on the financial statements. For example, one client operated in a decentralized environment where multiple business units were performing the same functions, each slightly differently. In areas where a control wasn’t operating effectively at one business unit, we needed to evaluate its impact on the overall company and determine how it might impact other business units. It’s an exercise that requires a great deal of analysis and consideration. If a company doesn’t do it, their external auditors may do it for them. And what they might find could lead the company to fail in its compliance effort. With 404, there are no second chances.

Proponents of SOX often say companies can derive ROI from their 404 work, but it appears that most companies are still in the trenches.

I think that’s true. The reality is companies were so focused in Year One with getting the documentation completed to a satisfactory level that no one had the time (or the stomach) to evaluate all of the data gathered. Year Two wasn’t necessarily any better; CFOs looking to derive an ROI from their 404 work need to evaluate and analyze the process information collected. I have one client that would like to use the SOX documentation to identify and justify areas to centralize operations and to develop standard operating procedures where it doesn’t make sense to centralize. The information is there, but they haven’t committed the time or resources to the effort. Until it’s done, multiple resources are being used to perform the same function. Control documentation maintenance and testing is multiplied accordingly.

For another client (non-accelerated filer) with sales offices throughout the country, we will use SOX as a tool to create operating and reporting standards that all offices will be required to adhere to. Prior to SOX, senior management had been unable to justify the reasons that sales offices should follow the same set of “rules.” Now they have some leverage.

What do you see companies doing differently for Sarbanes compliance in Year Two, compared to Year One? Are they having an easier time with Section 404 this year?

Quite frankly, I didn’t see drastic changes in how clients behaved in Year Two. Any savings companies experienced largely related to not having to build the documentation from scratch. Companies had the expectation that it would be easier in Year Two than it turned out to be, and were taken off guard by how unprepared they actually were. When it came time to update, while many companies believed that their environments had remained relatively static, there was no formal mechanism to confirm those beliefs. Many companies didn’t take the time to consider whether all the key controls they previously identified (and tested) were, in fact, critical, resulting in test plans that didn’t drastically change.

Companies and external auditors are getting smarter. We’re seeing them taking advantage of the lessons learned to improve how ongoing compliance is assessed going forward. For many companies, this includes re-evaluating internal criteria for determining key or critical controls, looking at test plans to identify ways of testing more efficiently, and building in the appropriate triggers to complete documentation updates throughout the year.

There’s been a lot of talk about the benefits of automation, but again, a lot of the data we see shows that most companies are not actually automating 404 processes yet. Your opinion?

I agree that automation isn’t as far along as many had hoped. I’m still finding that many companies continue to rely heavily on secured servers to warehouse myriad flowcharts, narratives and control matrices. The prior-year testing may be filed in separate folders, but the data warehousing techniques remain the same.

In an extreme situation, a client purchased one of the larger (and more costly) software solutions before they thought through how they were going to compile the process documentation, where their risks lay, and what the documentation, in the end, was going to look like. They had put the cart before the horse. The technology actually became a burden, in that they were constantly trying to conform findings to fit the software. We were able to work through the issues, but the software didn’t solve any of the compliance issues and there will always be a certain level of ongoing maintenance as the business and core processes change.

That said, I believe that software developers are getting smarter about what matters most to companies. Some applications have emerged that are affordable and can really help companies streamline the information that is compiled and allow better analysis and tracking on a long-term basis. We don’t sell or endorse a particular software solution. I engage clients in discussions on technology solutions and have opinions as to which products are most suitable, which I share with clients who are interested.

Among those companies that haven’t had to comply with 404 yet, where are they on their efforts? A lot of companies have said that the delay hasn’t halted or slowed their compliance efforts, but is that really the case, since the SEC could still make changes before the new effective date?

Right now, we’re all in a bit of a holding pattern until further information is available from the Advisory Committee on Smaller Public Companies. Obviously, it makes sense for companies that haven’t started their compliance efforts to see the committee’s final recommendations before planning and kicking off their projects.

That said, if a company is 90 percent finished with its compliance efforts, they’re unlikely to stop at this point. If a company is just starting or about to start, they’ll probably hold off until clearer guidance comes from the SEC. Even those companies should realize that complying with the law – whether they will eventually need to or not – can still be a valuable exercise. Section 404 provides companies the opportunity to evaluate and better understand areas of their business that wouldn’t otherwise be measured. Vital questions can be answered in the course of an appropriately executed compliance initiative, i.e.: How can pre-existing technology be better leveraged? Are the right people in the right functions? Is the information gathered sufficient to formulate sound decisions? Do we know what our employees are doing that comprises a full workday? Do we adequately monitor performance? I’ve worked with several CFOs who were skeptical about SOX, believing that it could never add value. Rarely will their opinions remain unchanged as the project progresses.

I had one client that had serious revenue-recognition issues relating to a high-growth area of their business. While their accounting practices had never created audit issues in the past, the business line had grown to a more material part of their revenue and was clearly going to create audit issues if it wasn’t addressed. Our work elevated the significance of this and allowed the CFO and controller to better prepare for their year-end audit. We’ve since modified the information used to support revenue, which is now used as a management tool and fraud detector, in addition to providing audit support. None of this would have occurred if it weren’t for the Section 404 compliance initiative.

Thanks, Michael.

Compliance Week regularly profiles corporate executives responsible for governance, compliance, ethics and risk.