Personnel issues are the second most frequently cited internal control weakness that companies are disclosing as they comply with Sections 302 and 404 of The Sarbanes-Oxley Act. Those issues are second only to problems with financial systems and procedures.
According to Compliance Week's most recent analysis of SEC filings during the month of August, 54 percent of the disclosures were related to financial systems and procedures, and 27 percent were related to personnel issues.
But you would never know about the prevalence of personnel-related internal control weaknesses from listening to the buzz surrounding SOX 404 compliance. While dozens of surveys and studies have been released on SOX 404's impact on IT and financial systems, few have tracked or focused on personnel issues.
And service providers and vendors tend to focus almost exclusively on technology solutions, automation, and process improvement as the most important compliance tools and ignore or overlook the people side of the compliance equation.
The reasons for this seem to be twofold.
Wagner
For one thing, “Technology and process are tangible issues that are easy to get your arms around,” says Stephen Wagner, chairman of the Sarbanes-Oxley committee at Deloitte & Touche in Boston. “People are more challenging.”
For another, people issues—like people themselves—are unique to the company and defy neat and convenient categorization. According to Compliance Week’s tracking of company disclosures, most people-related internal control deficiencies have centered on poor segregation of duties, inadequate staffing, lack of training, and poor supervision.
However, the form those weaknesses take and the steps companies can take to remediate them will vary according to the unique business needs and circumstances of each company. For example, smaller companies often have less complex organizations that require less complex skills. However, these companies also have fewer people to do the work, which can cause staffing shortages. But whatever the people issues companies face, there is no silver bullet for solving them.
To avoid these types of problems and to support compliance efforts, Bottomline Technologies, an $82 million technology company based in Portsmouth, N.H., has taken several steps to strengthen the people side of internal controls, particularly in its overseas operations.
First, the company created a global finance structure for its U.S. operations and its U.K. and Australian subsidiaries. This meant bringing those subsidiaries onto the corporate IT system for the first time, and changing their reporting relationships for more effective supervision to support internal controls. Rather than reporting to the U.K. managing director, the U.K. finance department now reports directly to Kevin Donovan, the company’s CFO, and maintains a dotted line reporting relationship with the U.K. managing director.
Second, the company keeps close tabs on international subsidiaries, their performance, and their training needs. Donovan and his staff spend significant amount of time checking on the quality of the work in international operations, while relying on technology to provide a second level of control for things like payment approvals. The company’s corporate finance executives and SOX project leader visit the international offices quarterly to review operations and compliance efforts. The international subsidiaries are using the U.S operations’ internal controls documentation as a template that they can adapt to their own needs. And the company brings its key finance people from international operations to corporate headquarters for working sessions on new rules and financial processes and how to work through issues related to SOX and other requirements.
Finally, when it comes to hiring new staff domestically or internationally, the company spends a lot of time checking references for new hires and understanding those individuals’ backgrounds. “We are very focused on the quality of our employees,” says Donovan.
Auditor Independence Impact
And it is no wonder.
DeLoach
“Competent people are an integral part of internal controls,” says Jim DeLoach, a managing director in Protiviti Inc.'s Houston office. “But many companies either do not have enough people or do not have people with competencies in internal controls, so it is not surprising that personnel issues keep popping up.”
These people-related issues in many companies have been complicated by more stringent auditor independence rules. In the past, if a company was dealing with questions related to complex accounting for a specific transaction, the company was likely to have relied on its external auditor for input. Now, auditor independence requirements severely limit the non-audit work firms can do for their audit clients. “The umbilical cord has been severed and companies need to take a look at the competencies they need to prepare financial statements” and handle other matters, says DeLoach.
Although there are plenty of service providers that can provide insight into these types of questions, the company still needs accounting and finance staff who can assimilate the resulting information, evaluate it, and apply it to the situation. Moreover, these other service providers are unlikely to be as well versed in the company’s operations as the external auditor. In these cases, the accounting and finance staff face a less easy hand off of the work and are likely to invest more time working with those providers to ensure a proper outcome.
Of course, companies can begin developing the necessary expertise in house. In the past, FTI Consulting, a $400 million financial restructuring consultancy based in Annapolis, Md., relied on its external auditor for help in preparing financial statements until it became clear that this activity would jeopardize the auditor’s independence. After expanding its internal expertise through the addition of an assistant corporate controller for SEC reporting, the company is now able to handle that internally.
Different Companies, Different Approaches
Other companies, of course, face different challenges and their approaches to dealing with those challenges also differ.
Although Sempra Energy, an $8.5 billion energy services holding company based in San Diego, has found some people-related issues involving issues like proper segregation of duties in its internal controls, those problems have been relatively few and easy to remediate. However, staffing has been a key issue for the company as it moves forward with its Section 404 compliance. As a result, the company has focused its efforts on modifying certain job responsibilities in accounting, finance, and internal audit to emphasize the importance of internal controls while also increasing staff.
SOLUTIONS
Solving People Problems
When thinking about the litany of ways SOX has changed the way companies work, add people management to the list. Just having strong internal controls is not enough; companies need the right people to execute those controls. “The variable is within the people themselves and what they bring to the job and their commitment,” says Stephen Wagner, chairman of the Sarbanes-Oxley committee at Deloitte & Touche in Boston. According to experts like Wagner, here are some ways companies can strengthen their pool of talent:
Assess current staffing
Before making any changes, it is important for companies to know what they have. Therefore, a good first step is to assess whether the company has right people in the right positions who have the capabilities and skills to do their jobs and use internal controls. “The staff needs to carry the ball,” says Wagner. “If people are not able to deal with certain things, there will be a deficiency in internal controls.” By evaluating current staff resources, companies can determine what kind of effort is necessary to make sure people executing controls know what they are doing and can select the proper course of action.
Identify Gaps
If that assessment reveals gaps between what talent the company has and what it needs, the next step is to identify whether the company can close those gaps by training or retraining existing staff, hiring new talent, or identifying vendors that can provide support in certain areas. If the company will be relying on internal staff to close these gaps, it may need to change job responsibilities, job descriptions, and hiring profiles. For example, some companies have shifted the focus on the internal audit staff from conducting operational audits to focusing on financial audits and internal controls, which will require different skill sets.
Add Resources, Staff If Necessary
If this process reveals the need for more and different types of staff resources, that will cost money. Given the demand for qualified accounting, finance, and internal audit professionals, talent is getting more expensive. According to some estimates, salaries for some professionals have increased 25 percent to 35 percent. Nevertheless, a CFO can approach the audit committee and the CEO to articulate these staffing needs. The good news is that “audit committees tend to be receptive of CFO resource needs and are unlikely to say no,” says Wagner.
Reward Performance
The best way to change and reinforce behavior is to use those changes as the basis for employee performance goals and pay decisions. This way, if an employee needs to improve supervisory skills or enhance technical skills to strengthen internal controls, performance goals clearly tied to pay and bonus decisions is one of the best ways to ensure employees do that.
By making these changes, companies may find they have a receptive and engaged audience in their employees. As John Morphy, CFO of $1.3 billion Paychex puts it, “Most people want to do the best job they can.”
That also means modifying the requirements of the people who hold those jobs. For example, internal audit now prefers candidates for certain positions to have a CPA or “certified management accountant” designation. “The rationale is that many of these jobs now focus on the internal controls of the company’s financials,” says Mike Allman, Sempra Energy’s vice president of audit services. Therefore, if someone in internal audit is checking financial statements for something like a capital item on the balance sheet or acquisition costs, that individual must have deep enough technical knowledge to understand the hows and whys of that accounting.
Sempra Energy is not the only company focused more on professional certifications and designations when looking at current and potential staff members. “When companies do add to staff, they tend to look for individuals with a CPA, CMA, or CIA (certified internal auditor), rather than an MBA as they did in the past,” says Chuck Eldridge, managing director of the financial officers practice with Korn/Ferry International in Atlanta.
Jacoby
Adequate staffing has been a key concern for FTI Consulting. The company has added staff, including its new assistant corporate controller for SEC reporting, to ensure that the company has the resources to deal with compliance. Because of compliance demands, “the finance and accounting staff have less time to deal with regular issues and the risk of making a mistake increases significantly,” says Phil Jacoby, the company’s vice president and corporate controller. The additional staff resources are designed to help prevent those types of mistakes.
FTI Consulting concentrated on beefing up its middle management ranks rather than lower level staff to ensure that the company had additional layers of qualified managers to ensure better internal controls and to promote the use of detective techniques in internal controls.
The company has also made changes to its staff management during and after acquisitions. For example, in the past when FTI Consulting made acquisitions, it allowed the finance and accounting organization in the acquired company to stay intact for a transition period. “We no longer do that because of SOX compliance,” says Jacoby. “It is no longer an option to have accounting work done at the subsidiary level. We need more control over it.” As a result, the company plans to bring an acquired company onto its systems immediately and does not retain anyone in finance or accounting at the managerial level. However, the company may retain lower level individuals in accounting and finance and the restrictions do not extend to operations.
The Right People, The Right Things
Morphy
Simply designing and testing appropriate internal controls is only half the battle in Section 404 compliance. People are responsible for executing those internal controls and they need the right skills and training to do so. Indeed, without attention to people issues like training, companies could find themselves in the awkward position of having properly designed and tested controls that are being executed poorly. “It all comes down to people,” says John Morphy, CFO of $1.29 billion Paychex, Inc. in Rochester, N.Y. “Companies need to explain what people need to do differently, get them to understand why making these changes is in their best interest, then let them do it.”
That is why Sempra Energy has expanded training related to internal controls deeper into the organization, rather than just focusing on those with direct internal control responsibilities. This group includes managers and supervisors in operations and training focuses on areas like how to use budget vs. actual reports to spot items that are going over budget, to spot potential problems, or to identify why something is going over budget. “These types of reports and activities are part of the control system because they reveal what the system is saying and allow individuals to spot anything unusual,” says Allman.
Bottomline Technologies has established a SOX project leader position that has led both the company’s domestic and international operations toward full compliance. Once the initial compliance effort is over, the project leader position could evolve into another role or it could become permanent to deal with the compliance issues raised by acquisitions of other companies, particularly of non-public companies, says Donovan.
Compliance pressures can also open new avenues for professionals in compliance-related jobs that require skills that go beyond the technical. For example, one does not necessarily have to be the CFO or CCO to be called upon to communicate with all levels in the organization about compliance and internal controls. In some cases, this might be the board audit committee and in others it might include operating executives and managers. “As people grow into a higher level of responsibility, they have to be able to communicate effectively at very high levels, not just with managers,” says Daniel B. Langer, North American practice director of the internal control services practice of Jefferson Wells International in Brookfield, Wis.
No comments yet