In the latest of our occasional conversations with chief compliance and governance officers, we catch up with Elliot Fisch, director of internal audit and chief ethics officer at sports equipment maker Easton-Bell Sports. Fisch joined the non-accelerated filer specifically to help the company through its first Section 404 audits under the Sarbanes-Oxley Act; excerpts of our conversation are below.

DETAILS

Elliot Fisch, director, internal audit at Easton-Bell Sports, has over 25 years' experience in internal audit, corporate governance, and financial and project management in the corporate, government, and consulting sectors. He has extensive experience in the compliance discipline, with significant responsibilities to oversee relations with various governmental authorities, as well as in corporate governance and standards compliance environments.

Fisch has directed internal audit activities in multibillion-dollar international organizations, developing audit staff using a collaborative teamwork approach and working with top company executives and the Board of Directors to provide top-notch customer service. He also has extensive experience with Sarbanes-Oxley Act requirements including project management, developing policies, procedures, and solutions to establish a control framework for organizations, and testing.

In addition, Fisch has been in charge of financial operations, reviews, and oversight to ensure the reliability and presentation of financial statement and contract data.

He can be reached at efisch@eastonbellsports.com.

COMPANY BASICS

Company: Easton-Bell Sports

Headquarters: Van Nuys, Calif.

Industry: Sporting Equipment

Employees: 5,000

’07 Revenue: $775 million

What are your responsibilities as director of internal audit at Easton-Bell?

I’m responsible for establishing and running the internal audit program. I’m also responsible for the SOX program and all ethics and compliance issues, which includes the company hotline, researching ethics issues, doing training and regulatory compliance research, and working with management to understand the regulatory issues they face.

Easton-Bell is a little unusual because technically we’re a privately held company, but we’re required to file as a public company because some of our private investors are publicly funded entities, such as teachers’ unions and labor unions.

You were hired in 2007 to help the company, which is a non-accelerated filer, prepare for its first management report on internal controls over financial reporting under Section 404(a). Where was the company at on that effort when you came on board?

The company had already hired a consulting firm to do its 2007 review. It wasn’t going well, so they hired me in July 2007 to manage that effort, which we did successfully. We had no significant issues, so it was a good program, but it was very expensive. It was our first year and the consultants basically ran away with the spoon. Since then, I’ve hired consultants that I previously worked with to do the SOX work.

So where did you start?

I did an assessment of where the company was. I sent an internal control review questionnaire to all of management and secondary-level management to understand where the key internal controls were. We established those and presented them to the consulting firm, and I got the train back on track to make sure they were only reviewing the key controls that needed to be audited.

Then, using the questionnaire, we completed the walk-throughs, where we sat down with the process owners in each area, and had them explain in a narrative format what they do. We identified the key controls from there and developed our tests based on those. The testing lasted through the end of the year. We’re a Dec. 31 filer.

Besides you, who else is involved in the company’s SOX compliance?

It’s not a very large organization. It’s primarily myself in the internal audit department, but I hire people throughout the year based upon need.

I did have another internal auditor who was recently laid off because of cutbacks. So I hire four or five consultants to help me coordinate the entire program, usually from April to the end of the year. Our program for 2009 is just starting. We rely on process owners, the people at our units who deal with the specific control activities, to do the walk-throughs and obtain test materials. I work with the CFO and the audit committee on writing and designing the management report.

To get ready for your external auditor assessment, where are you looking for guidance?

We’re looking at Auditing Standard No. 5 and hoping to rely on that to work with our external auditors to have them approve our management review. We’re looking at the COSO guidance on monitoring internal controls. We’re also having conversations with our external auditors, Ernst & Young, to find out from them what they expect from us to use our management review for their attestation.

What would you say have been the biggest hurdles in getting ready for the external auditor report?

The biggest hurdle is getting the external auditors to settle on what their review is going to look like. We’re trying to cut our audit costs by having management’s review in place of the external auditors’ review, and it’s been a very tough challenge.

We do all of our work based on the E&Y model. We use all of their templates and their testing requirements so they can rely on our review. But we haven’t gotten 100 percent buy off on that yet; they’re still sort of hedging their bets as far as how much of the work they’ll use. They’re very hesitant to pull away from their own separate review to validate the information. So, we’re still working that out.

Where are you in your effort today?

We’re doing our annual preliminary internal control questionnaire, to get an update from the units as far as what they’re doing in their key internal controls. It takes us a couple of weeks to get the responses and assess the information. In about two weeks, we’ll start our walk-throughs, which take us from May until the end of July. We do testing from July until the end of September, with follow-up testing in October or November if necessary.

Cost has been cited as a huge concern for non-accelerated filers. Can you give us an estimate of what the company has spent so far on SOX compliance?

In our first year in 2007, because of the cost of the outside consultants … we spent about $2.7 million. In 2008, we brought that cost down to $650,000.

Where were the biggest savings?

We hired excellent consultants who I worked with previously who really got to the heart of the matter very quickly, and we were able to speed up the process and reduce our costs. The savings also came from our understanding from the first year of the walk-throughs and the methods used throughout the company.

We learned a lot in the first year, and we were able to apply that knowledge in the second year. Plus, we didn’t have a blank check available to us. We had a set budget. The original budget was $1 million, which was what we thought it would take, because we had to redo a lot of the work the earlier consultants had done.

This year we’re budgeting around $450,000 to $500,000. So, we’re expecting costs to be lower, even with the external audit, because we have good consultants who are familiar with the company.

What about the number of key controls? Did that decrease?

Yes, in the first year, the consultants had something like 1,200 key controls, which is just an absurd number. We reduced that to about 385 in the second year, and we’ll probably have the same number or possibly a few more this year, but we really scoped everything down.

We didn’t have any significant deficiencies last year either. But this year, we face the external auditors, which could create more problems for us as far as the amount of work. If they don’t sign off on our management review, the cost of external audit will go up, so there’s an offset there.

We don’t have an estimate yet from E&Y of what the SOX audit will cost. We’re predicting it will be about $400,000. If they can use our management review, that cost will go down considerably.

We’ve been talking all Section 404 so far. What else do you plan to focus on during the coming year?

I’ll be doing a foreign vendor review, and we have a segregation-of-duties issue with our SAP financial system that I’ll be dealing with extensively this year.

What’s that about?

We finished installing SAP at all of our units last April, and we discovered built-in segregation-of-duties issues in the program that we need to address before the end of the year. Once we do that, we plan to put in a lot of automated controls through the SAP system … That should free up a lot of time and reduce the amount of testing, because we’ll only have to do a “test of one” to test the control to ensure it’s working.

Thanks, Elliot.