This profile is the latest in a series of weekly conversations with executives at U.S. public companies who are currently involved in establishing and developing compliance programs. An index of previous conversations is available here.

Describe your duties.

I report to the audit committee and serve as their secretary. I am the ethics officer, so I manage the code of ethics and communications and investigations around that, and get annual certifications from people that they’ve read the code.

I manage broad investigations with respect to mis-statements, and have a full range of assurance functions in IT and financial. I coordinate a whole program of self-audits with the business, where we really manage the process and set the standards and work papers they use. We coach them on doing it, and quite frequently we participate. Then I put the results together and look at what lessons there are.

We also have a disclosure committee, and I serve as monitor for the committee. We don’t do quarterly filings; we only do half-year interim filings for Australia which are then given to New York and the SEC.

That's a lot. How did you end up overseeing so much?

Well, Rinker started as a private company. It was sold to CSR in the 1980s, but Rinker had always maintained an audit function [Editor's Note: CSR is "CSR Limited," an Australia-based sugar refiner, aluminum smelter, and construction materials firm]. And Rinker Materials, the U.S. entity, was separately incorporated and had its own board and audit committee with a very thick corporate veil. So the CFO at Rinker Materials knew me from when we were colleagues together earlier, and he asked me to come here and restart the audit function. I had good experience in the industry. I had managed corporate ethics before, I had reported to public company audit committees, I had done risk assessments, I had been certified as a fraud examiner and internal auditor.

And you came to the company when?

Nine years ago.

How has the Sarbanes-Oxley Act of 2002 changed your life in particular, or Rinker’s efforts as a whole?

I have the lead responsibility for Sarbanes. The project has been under my management since the beginning. We haven’t used external consultants other than to do certain procedures, like a payroll software review or some testing. We have not used them for program design or any high-level function. It’s been my internal team that performed the testing, which was done really to manage our external auditors’ time as efficiently as possible.

How much work was involved?

I don’t think it was a lot of work compared to what many people went through, but it was a lot of work crafting narratives and conforming our nomenclature to the external auditors’. That was time-consuming and not particularly value-added. And there was a certain amount of work just getting the tests done and some work remediating and following up on matters found. We did not have any material weaknesses, we did not have any significant deficiencies, we did not have any changes in internal control.

No weaknesses or deficiencies? How did you manage that?

We had a system in place before Sarbanes that addressed a lot of issues. We didn’t have a disclosure committee, but we had what we called a "stewardship review." In conjunction with the half-year and year-end, the CFO and I would go through every entity. We’d go through the balance sheet, do a review compared to the same period last year and the prior year, look at reconciliations and estimates, and evaluate where we were.

Each CFO would come really with a big bloody book on required topics, and they would do a fixed-assets inventory, present details on what investments were in progress and where we stood on getting them capitalized, and look at all their provisions and doubtful accounts, dangerous accounts and bad debts, what the reserves were and so forth. We’d use the analytic reviews and reconciliations to make sure things were current and classified appropriately, with an opportunity to talk about potential impairments or any other issues that might come up … It was a soup-to-nuts review, and generally took us about six days.

How do you expect 2005 and future Sarbanes compliance to differ from 2004’s efforts? What about automating all this?

There is some need for that. I don’t think any of my colleagues are all that thrilled with IT vendors. We use MethodWare as a repository for risk controls and tests—it was okay, but it was very frustrating on a multi-user basis so we scaled that back. Every other software has some other problem.

I think the area where we’d like to see greater automation and prevention is in SAP security and segregation-of-duties management. That took a fair amount of remediation, and certain manual efforts both to test it and get it right on a day-to-day basis. As for this notion of continuous monitoring and so forth: there are some areas around payroll and time-keeping where I’d look at some designs, but in most of the other areas I just haven’t found that it’s necessary. Like in monitoring duplicate invoices and payments not sent, those kinds of open items. SAP has pretty well addressed those issues all along.
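As an added illustration of the two controls named in the answer above, segregation-of-duties management and duplicate-invoice monitoring, here is a small checker. It is example code written for this page, not Rinker’s or SAP’s; every role name, conflict rule, user and invoice in it is constructed, and the role-to-function map stands in for whatever the ERP’s authorization export would actually provide.

```python
"""Toy segregation-of-duties (SoD) and duplicate-invoice checks.

Added illustration only: the role names, conflict rules, users and invoices
below are constructed for this example and do not come from Rinker, SAP or
any real system.
"""
from collections import defaultdict
from itertools import combinations

# Constructed conflict rules: pairs of business functions one person should
# not hold at the same time, with a short reason for the reviewer.
SOD_RULES = {
    frozenset({"vendor_master_maintain", "payment_release"}):
        "can create a vendor and pay it",
    frozenset({"invoice_entry", "payment_release"}):
        "can enter and release an invoice without a second person",
    frozenset({"timesheet_entry", "payroll_run"}):
        "can alter hours and run payroll",
}

# Constructed role-to-function mapping (what each role grants). In practice
# this would be exported from the ERP's authorization data.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"invoice_entry"},
    "AP_MANAGER": {"payment_release"},
    "VENDOR_ADMIN": {"vendor_master_maintain"},
    "HR_TIMEKEEPER": {"timesheet_entry"},
    "PAYROLL_ADMIN": {"payroll_run"},
}

# Constructed sample data: user-to-role assignments and posted invoices.
SAMPLE_USERS = {
    "alice": ["AP_CLERK", "AP_MANAGER"],              # enters and releases
    "bob": ["AP_CLERK"],                              # clean
    "carol": ["VENDOR_ADMIN", "AP_MANAGER", "HR_TIMEKEEPER"],
}
SAMPLE_INVOICES = [
    {"doc_id": "D1", "vendor": "ACME", "number": "INV-0042", "amount": 1250.00},
    {"doc_id": "D2", "vendor": "ACME", "number": "inv42", "amount": 1250.0},
    {"doc_id": "D3", "vendor": "ACME", "number": "INV-0043", "amount": 1250.00},
]


def sod_conflicts(user_roles):
    """Return {user: [(function_a, function_b, reason), ...]} for every user
    whose combined roles grant a pair of functions that a rule forbids.
    Conflicts are evaluated on the union of all roles, since a single role
    can look harmless while the combination does not."""
    findings = defaultdict(list)
    for user, roles in user_roles.items():
        granted = set()
        for role in roles:
            granted |= ROLE_FUNCTIONS.get(role, set())
        for a, b in combinations(sorted(granted), 2):
            reason = SOD_RULES.get(frozenset({a, b}))
            if reason:
                findings[user].append((a, b, reason))
    return dict(findings)


def duplicate_invoices(invoices):
    """Group invoices that share vendor, normalised invoice number and amount.
    Normalisation keeps digits only and drops leading zeros, so 'INV-0042'
    and 'inv42' collide, which is how a re-keyed invoice usually slips past
    an exact-match check."""
    def norm(num):
        digits = "".join(ch for ch in num if ch.isdigit()).lstrip("0")
        return digits or "0"

    groups = defaultdict(list)
    for inv in invoices:
        key = (inv["vendor"], norm(inv["number"]), round(inv["amount"], 2))
        groups[key].append(inv["doc_id"])
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for user, hits in sod_conflicts(SAMPLE_USERS).items():
        for a, b, why in hits:
            print(f"SoD: {user} holds {a} + {b}: {why}")
    for (vendor, num, amt), docs in duplicate_invoices(SAMPLE_INVOICES).items():
        print(f"DUP: {vendor} #{num} {amt:.2f} posted as {docs}")
```

The rules are the part the business owns; the code only makes them testable on every run rather than once a year, which is what turns a remediation exercise into the day-to-day control the answer asks for.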

How much did this cost you in 2004?

It’s hard to pinpoint; we didn’t track the internal costs very carefully, and we didn’t have many costs externally other than the Sarbanes fee from Deloitte. I’d say it cost us $1.5 million, on a $4.5 billion corporation. MethodWare we bought in 2003, and it’s not very expensive.

You expect that sum to decrease in the future?

I think Deloitte’s Sarbanes fee will go down somewhat, and our internal costs for narratives and whatnot will certainly go down. And our internal costs for remediation will go down, too.

How many people are in the audit group that handles Sarbanes, anyway?

Because of turnover, I’d say there were probably principally four people in the U.S. working on Sarbanes and two in Australia, and we used some outside resources to do testing because we were a little short. Our team is usually nine or ten.

Section 404 aside, what other compliance duties occupy your time?

I’d say about 30 percent of our time is devoted to operational work that’s kept out of Sarbanes but certainly supportive of Sarbanes. About 15 percent of my time is devoted to board matters, governance and prep for meetings. Our frauds are pretty infrequent and fairly minor, so that’s not a huge piece of my time. We spent last year maybe 50 percent of the time on Sarbanes, but I’d say it’s settled down to about 30 percent.

We also spend some time on targeted risk areas. I do a strategic risk assessment across the whole company, but with respect to controls outside Sarbanes to look at non-material areas that may be risky as well.

We were going to ask your thoughts about enterprise risk management.

Well, I’m cautious about it. I consider risks by using a fairly detailed framework and construct a risk map, and discuss it with the audit committee which in effect is the whole board, because they all attend. I discuss it with management, and I use the strategic plan and interviews. My top-end purpose is to ensure that we’re disclosing any risks appropriately and have accounted for them if they require accounting, but also just to note areas that may have increased or decreased in their riskiness …

I don’t have an appetite for engaging in a big risk management program beyond the one we have. I’m the closest thing we have to a chief risk officer, without the title… We address risk at a very grassroots level. I think we have a small enough organization that I can get anyone on the phone, and that works pretty well.

Thanks, Alan.

Compliance Week regularly profiles corporate executives responsible for governance, compliance, ethics and risk. If you would like to be considered for a future Q&A, or if you would like to nominate a public company executive for a Q&A, please email Matt Kelly.
