In the latest of our weekly conversations with governance and compliance executives, we talk to Peter Newton, vice president of internal controls at Nielsen Co.

DETAILS

Newton

Peter Newton is currently vice president of internal controls at the Nielsen Co. Newton heads the central function of Nielsen’s implementation and ongoing compliance with Section 404 of the Sarbanes-Oxley Act.

Prior to joining Nielsen, Newton successfully headed up SOX compliance as part of the internal audit function at Datascope, a diversified medical device manufacturer. Prior to Datascope, Newton served as a manager at KPMG and led SOX implementation and internal audit efforts at various Fortune 500 companies.

Newton has a degree in mathematical sciences from the University of Durham, England. He is a chartered accountant and a certified information systems auditor. He currently resides in New York.

COMPANY BASICS

Company: Nielsen Co.
Headquarters: New York
Employees: 40,000
Industry: Marketing Research
'06 Revenue: $4.16 billion

So what do you do at Nielsen? How long have you been on the job?

I’m in charge of the Sarbanes-Oxley compliance program here. I’ve been doing it since last October, so seven or eight months now. I’ve come in and taken over what was in place previously, which was more of a broad-brushed approach. The previous program had elements of Sarbanes-Oxley compliance to it, but also had a business controls framework across the company. My focus is really on SOX compliance and getting us through that first phase of compliance.

Why worry about SOX? You’re a private company.

We were a Dutch public company, and we were bought out by a group of private equity investors. As part of that process, we issued a lot of debt. So while we’re still privately owned, we have to register that debt now with the SEC. We’ll be listed in the U.S. as of August. So we’re in our first year of compliance …

The company used to have completely European management. That has all changed now that it’s managed out of the U.S. The CEO is a former General Electric veteran, so there’s a change in the tone of the top as well. That helps with the Sarbanes-Oxley effort.

How big is your team?

We have two teams. The first one has about 15 people, including internal audit and support staff; we’re the core team. There are another 50 people out in the business who are responsible for controls at the local level. They report to their respective business leaders and division managers. The internal audit staff reports to the CFO with a line to me for Sarbanes-Oxley purposes. Between us, we have a sizeable team.

And you report to … ?

The corporate controller.

Why was your team established?

It was a new position. As I mentioned, they previously had this business controls framework; there was another person leading that who moved on after that project was closed. We used a lot of stuff produced from that project and tailored it for Sarbanes-Oxley compliance.

How do you define “compliance,” anyway? For example, how does your group distinguish itself from internal audit?

I really have a very hands-on approach. The traditional internal audit role is to come out and question and pass judgment on people; I’m more the ally of the business rather than the judge. I am a former internal and external auditor by trade. I anticipate what the questions might be, help the business get ready for the audits, explain what they’re doing, and show that we are in compliance with SOX.

What are the pillars of your compliance program?

We call it the three P’s: people, process, and performance.

You can’t have a compliance program without the right people. We have a great bunch of folks out there who are committed to ensuring success in our program. That’s the key pillar for us.

The second is process. We need to have robust financial processes to make sure we’re in compliance and doing the right things. We want to make sure we’re compliant but we want to be seen as doing the right thing as well.

On performance, we want to pass Sarbanes-Oxley. Performance for the compliance program means to have a successful SOX audit. And we can take the opportunity to improve our business processes, too. We can take a look at what we’re doing and spot any nonsense going on and duplication. We can streamline and improve our controls.

What are your metrics?

They’re really focused on the database of controls we have in place, which is the BWise tool, and the state of those controls. What percentage of our controls are designed effectively, what percentage operate effectively, and what controls need to be remedied or added? What’s the status of those in progress, on time, overdue, or fixed? We have a dashboard that we present to senior management. We have monthly steering committee meetings with the CFO and other senior levels of management to let them know where we are.

So what does management usually ask in these meetings?

They want to know what the key issues are and what our progress is with the key issues. They have a very can-do attitude. They ask what’s wrong, and then they ask what can they do to help to make sure things get fixed.

How do you educate your workforce about the compliance program?

We have the monthly meeting, and from that we have regular communications to everyone involved with what’s required. We have training on an as-needed basis.

What many companies do is have a formal communications plan. I prefer to communicate on an informal and as-needed basis. If people are inundated with communications, it has a negative effect because people gloss over things and become blasé … I definitely use more personal contact than broad-brushed generic e-mails or conference calls. I try to communicate on a personal level.

Obviously I don’t see that as being the only communication or education going forward, but people appreciate the personal attention. It’s time well spent because we’re such a diverse company, we do a lot of different things, and you need to tailor your communications to the audience. You’ve got to be specific to whom you’re speaking.

Talk about how you monitor the program throughout the company.

It goes back to those metrics we spoke about earlier and regular monthly updates. We track things that need to be fixed, issues that need to be dealt with. Everybody is very hands-on at the senior level. It’s effective because everyone is called to account about their progress for the month.

When will you achieve full SOX compliance?

We’re still in the beginning stages. Our plan is to be internally compliant by the end of 2007. The official date to file our first report is December 2008.

How has the role of compliance managers and groups such as yours changed over the past few years?

When I first started, there was a list, and we followed that, and that’s how it was going to be. Now we can use a more intelligent approach about where there are risks, what the real hot-button issues are and what steps we have to have in place to mitigate those risks. You can use your brain more these days than in the early days.

The new SEC guidance on management’s assessment of internal controls really stressed using top-down, risk-based approaches rather than the, “All right, let’s make sure we’ve got a certain percentage coverage of entities or industry standard controls.”

How do you leverage SOX efforts into your broader compliance program?

At the moment we probably aren’t doing what we could in terms of leverage. Right now we’re very focused on getting through Year One and having a good result. It’s inevitable that Sarbanes-Oxley compliance here will become leveraged into the broader program. That’s a Year Two project.

What are your top priorities this year, as part of your Year One compliance effort?

We have to have a clean audit report from our external auditors. We have to be able to show to them that we’ve got the right controls in place, which are operating effectively, and management has to make that assertion itself.

We definitely want to leverage our IT controls because typically we get more bang for our buck. When we test IT controls, we test something once and get a lot of leverage across the business.

Our corporate governance activities are going to be key as well. For example, our code of business conduct policy and environment, the kind of tone at the top of the corporate culture—these are all a priority. We already have great tone at the top. A former GE executive is running the place and focusing on the integrity of the organization. That will set us in good stead.

A big-picture question: What are the largest compliance challenges companies face today?

The ever-changing regulations and best practices. It’s a full-time job to keep up with the new stuff coming out and turning it into something practical that you can use. Trying to stay on top of requirements is very challenging. I rely on folks in the legal department to keep me up-to-date on what’s required, for example with SEC filings or the disclosure process. I definitely need that help.

What are some best practices that you would recommend for companies?

You’ve got to keep talking to your people and stressing the importance of compliance. If you let it fall by the wayside, it will become stale. The benefits of compliance aren’t always immediately obvious. You have to explain that it is important and put things in practical terms so that they make sure that what they’re doing actually helps and so that they understand that it can have a personal impact for them.