Without reading minds, it’s safe to say you’re likely at the end of your rope with Sarbanes-Oxley Act Section 404. Whether you’re a board member, CEO, CFO, compliance officer, chief audit executive or have another significant role in the effort to report on your financial reporting controls, you’ve put in more time and effort than you ever anticipated. Even if you recognize the benefit of this exercise in terms of your own company’s processes and the broader issue of regaining investor confidence in the capital markets, you desperately want to get to other pressing business issues.

Well, a number of companies’ directors and senior managements are looking at this issue from a somewhat broader perspective. Senior managements of several companies I’ve been working with, one a major electronics manufacturer and another a large financial services company, decided early on in dealing with Sarbanes-Oxley that they wanted to gain a real business benefit from the 404 exercise.

In these two cases, management looked not only at their company’s financial reporting controls, but also at the other categories under COSO—compliance and operations controls. By taking a disciplined, integrated approach, these companies leveraged the 404 work to enhance their processes, which will help them ensure compliance with laws and regulations, and make their business operations more effective and efficient, focusing on bottom line enhancement.

Now, another large company, in the consumer products industry, is going further, positioning itself to gain an even greater advantage. As with most companies, management decided initially to focus on getting the 404 work done, with the sole objective of getting its financial reporting controls right in order to justify a “clean” management report and auditor’s opinion. But as this process was moving towards completion, the company’s executives were looking at a number of converging factors, including:

Ongoing Sarbanes-Oxley Requirements—Having gone through what amounted to a more than year-long fire drill to ensure effectiveness of internal control over financial reporting, these executives began to focus on the fact that this is not going away. Section 404 is not like the Y2K exercise. When January 2000 arrived and companies’ IT systems didn’t crash, the issue indeed did go away. But that’s not the case here—under 404 and 302, reporting goes on indefinitely, every year, every quarter.

New Sentencing Guidelines—The U.S. Sentencing Commission recently amended its federal sentencing guidelines, expanding the scope with emphasis on corporate culture around ethical conduct, clear responsibility and accountability, risk reduction and assessment, personnel incentives, and board oversight. The amended guidelines became effective in November.

OCEG—A relatively new organization, the Open Compliance and Ethics Group, soon will be issuing its guidelines in final form. Involving corporate general counsels and law firms, as well as a number of business leaders, OCEG is finalizing its guidelines providing a benchmark for companies to measure their ethics, integrity and compliance programs.

COSO ERM—The Committee of Sponsoring Organizations of the Treadway Commission in September issued its Enterprise Risk Management—Integrated Framework final report. This document builds on the COSO internal control framework used for 404 reporting, with a broader and more robust focus on enterprise risk management and the related benefits.

Legal and Regulatory Precedent—The SEC, the Justice Department, and a number of court cases have sent clear messages emphasizing how critical it is for companies to maintain effective compliance processes.

This company’s management decided that it makes eminent sense not to look at these rules and guidelines one-off, but rather to consider the commonalities and deal with them in an integrated fashion. The goal is three-fold: to ensure that the company’s environment, culture and processes are in line with the mandates above; to do so as efficiently as possible; and to gain real bottom line benefit.

With the support of the audit committee and the full board, management has set out to assess its current status, to design an “end state” where it aims to be, and to develop a clear-cut plan for getting there. The company is using a proven implementation methodology with an 18-month start-to-completion project plan.

Importantly, the company is leveraging its 404 work in several respects. It is establishing a means of locking down its 404 documentation for 2004 while providing a basis for “rolling over” the materials for ongoing updating and enhancement. Also, taking advantage of the momentum established in 404 compliance, it is using some of the same team leaders in now building the desired processes for broad-based legal and regulatory compliance and operational effectiveness and efficiency. It is using as a foundation the COSO ERM framework, which is consistent with and builds on the COSO internal control framework used for 404, thereby ensuring that the other compliance mandates described above are integrated in an efficient, coordinated manner. This framework will enable managers to make more informed risk-based decisions, establish greater alignment with the company’s business objectives and strategies, and effect better results while avoiding operational and compliance surprises.

So, having already spent tremendous time and effort and millions of dollars on 404 compliance, managements and boards of some companies are looking to leverage that effort and gain business benefit beyond internal control over financial reporting. Companies that get this right will avoid the harsh penalties of compliance lapses, and be positioned to enhance risk-response decisions and seize business opportunities—all within clear view of senior management and the board.