As companies race toward the Nov. 15 deadline for the internal control provisions of Sarbanes-Oxley—ubiquitously known as “SOX 404”—the last thing on most compliance executives’ minds is next year’s compliance requirements.

INGREDIENTS

According to experts, there are three core elements to ongoing compliance—people, process, and technology.

1. People

According to Stephen Wagner, chairman of the Sarbanes-Oxley committee at Deloitte & Touche in Boston, the “People” ingredient focuses on company culture. Specifically, it calls for employees to have a high level of awareness of the organization’s ethical standards, and to understand the concept of “doing the right thing.”

To that end, companies should provide compliance-related training, make sure employees understand and acknowledge the company’s code of ethics, and provide ongoing internal communication that reinforces standards of performance. “It boils down to the company’s ability to institutionalize the whole concept of compliance,” says Wagner, “so that it is integrated into everything the company does and is not treated simply as a side project.”

2. Process

Companies need to develop systems and procedures through which employees can report control weaknesses and risks without repercussions.

This type of reporting is not likely to provide the employee with “whistleblower” protection, so companies may need to take extra steps to provide employees with that opportunity. “Employees are always the best guard against problems because everything is executed by employees and they are most likely to see where things could be improved,” says Wagner.

3. Technology

Technology will come into play as companies increasingly require powerful internal control applications. Eventually, companies will have compliance systems in place that will give senior management the ability to know the state of compliance in the organization at any point in time.

In many cases, companies can leverage their existing technology to accomplish this. For example, most companies use a fraction of the control capabilities built into ERP systems, so companies can build on those systems. Eventually, compliance will become as formalized and routine as the quarterly closing of the books with documented activities and a clear series of automated and manual steps and processes, says Dan DiFilippo, a partner and U.S. Practice Leader, Governance, Risk and Compliance with PricewaterhouseCoopers in New York.

But according to experts, the current emphasis on immediate, short-term goals is in danger of being institutionalized, and that is not necessarily a good thing.

A recent survey found that two-thirds of companies have allocated no annual budget to maintain Section 404 compliance after the initial filing requirement. The survey of 248 companies with more than $1 billion in revenues, which was conducted by analytics firm ACL Services and the Center for Continuous Auditing, also found that a quarter of the respondents are only mildly confident—or not confident at all—in their company's ability to maintain Section 404 compliance after the first filing deadline.

In many ways, this focus on this year’s deadline is understandable. “Most companies are just focused on completing this year’s compliance process successfully however they define that,” says Stephen Wagner, chairman of the Sarbanes-Oxley committee at Deloitte & Touche in Boston. In some cases, that means addressing control deficiencies that can have a negative bearing on the external auditor’s evaluation of the company’s assessment process. And in other cases, that means dealing with material control weaknesses that could impact public perception of the company as an investment.

“Companies that are rushing to the finish line are not necessarily thinking about having to do it again,” says Wagner. But that means long-term strategy is also neglected. “The danger there is that companies are dealing with compliance without continuity of thought and see it only as a project,” he notes. “Once that project is done, companies are likely to forget about it and miss opportunities to improve operations and to integrate compliance into daily operations.”

Yet, there are some companies that are bucking this trend and taking a longer-term approach to compliance. Bowne & Company, a $1.1 billion printing and document management company based in New York, has been setting the stage for ongoing compliance for some time. “We recognized early on that SOX would require ongoing compliance activity, so we identified the people in each business segment and business unit who needed to be involved, selected the tools to support compliance, and developed targeted plans for how to keep the compliance effort going,” says Phil Rooney, the company’s director of internal audit.

The Importance Of Sustained Compliance

Management’s assessment of internal control over financial reporting is about to join taxes as an unavoidable annual rite for public companies.

But unlike some annual processes, assessment of internal control will require sustained commitment, as companies must disclose certain material changes on an ongoing basis. In addition, auditors will be on the lookout for interim issues, as they are required to tell audit committees if they become aware of any significant deficiencies.

But according to experts, an ongoing and sustained compliance approach is also critical if companies hope to extract value from their efforts, and from the data and insight those efforts generate.

“Companies that are able to develop a compliance mindset and integrate compliance into day-to-day operations have a huge opportunity to differentiate themselves,” says Dan DiFilippo, a partner and U.S. Practice Leader, Governance, Risk and Compliance with PricewaterhouseCoopers in New York.

Ongoing and sustainable compliance may not directly increase shareholder value, but not having such a compliance approach and culture certainly could damage shareholder value. The more effective the compliance process, the more likely the company can quickly address internal control problems. And companies that risk a negative opinion on internal controls could also damage their relationships with lenders, insurance underwriters, and the capital markets.

“It is more cost and operationally effective to build the compliance process into our normal routine, rather than making the process an event that interrupts that routine,” says David Ownby, senior vice president of finance at Regal Entertainment, the $2.5 billion movie theatre chain based in Knoxville, Tenn. “It is important not to get trapped in a cycle of requirements.”

According to Ownby, the company’s movie-theater business is “pretty simple,” so the company’s ongoing acquisition activity tends not to result in major changes to internal controls. However, when something in the business does change, the company wants to make sure internal controls and documentation reflect that as soon as possible.

To that end, the company is developing a schedule of quarterly check ups for internal controls and documentation to make sure everything is up to date. “We don’t want to check the box and move on to something else,” he says. “That may meet requirements, but it won’t add value to the company.”

The (Limited) Role Of Technology

Crown Media Holdings, Inc., a $224 million media and entertainment company based in Greenwood Village, Colo., is small but growing, so the company has taken pains to develop an ongoing compliance process that will keep up with the changes occurring in the company. “We’re an entrepreneurial company, so we need to have well documented process flows and have a process to look for changes in the internal control environment,” says Mark Thompson, the company’s senior vice president of finance. “When business models change,” he notes, “we need to update controls.”

According to Thompson, it is up to the process owners to understand the controls and monitor any need for change. If there is a need to change controls at Crown Media, the appropriate individual can submit a written request that will move up the company’s chain of command to the company’s disclosure committee. The company’s process owners and other employees have received training on the control process and what to be aware of. “People have to certify that they are in compliance with controls,” says Thompson. “Testing is the last place to catch problems.”

The company has also created a data warehouse to serve as a repository for documentation of controls, testing results, and testing plans for the future. The company is also using software with scheduling capability to map out future testing plans.

Other companies are also relying on technology to aid ongoing compliance. Bowne & Company has three business segments and multiple business units within each segment. Once each business unit completes the initial compliance requirements this year, it will store its documentation in the company’s online compliance tool. Each unit will be responsible for keeping that information current throughout the year, and will develop a compliance plan for next year based on any anticipated changes, such as adding new systems or a reorganization, that are likely to affect internal controls and documentation.

But technology can’t solve all problems. According to Compliance Week’s monthly analysis of internal control weakness disclosures at U.S. public companies, one-third of the deficiencies regularly involve personnel issues. According to Robert Kugel, vice president and research director at Ventana Research, “There's a piece of this technology puzzle that is routinely ignored, and that's the people part.” According to Kugel, SOX 404 technologies can help automate repetitive tasks that are error prone, but good management can’t be automated out. “Brains and experience close the loop,” notes Kugel, “not software.”

Bowne is one of the companies emphasizing intelligent human intervention in the ongoing improvement process. The company is trying to develop an ongoing compliance mentality so that if there is a change in the business—or a way of conducting business during the year—the individuals responsible for SOX compliance in the business units and segments will immediately begin considering how that change will affect compliance. “We don’t want to wait until the annual compliance process to start looking at things,” says internal audit director Rooney, “so we plan to develop a schedule for the business units and segments to conduct ongoing reviews.” These reviews will cover all the documentation in the system to ensure that all controls are still performing as documented and to verify updates of any controls that have changed.

Many companies are looking to reinforce the importance of ongoing compliance efforts by incorporating requirements into performance goals and metrics. Instead of relying solely on traditional financial operating metrics, for example, some companies also include metrics relating to compliance and conduct. Crown Media has tied individual performance metrics to the testing results of internal controls whenever appropriate. The company’s human resources department is also updating job responsibilities and descriptions to make sure that they reflect whether a position has internal control responsibility.

Finding Value, Competitive Advantage In Compliance

Companies developing ongoing compliance processes are doing so with the goal of helping the company generate some value from compliance.

One of the biggest opportunities in SOX compliance is looking for ways to reduce or eliminate the organization’s complexity, risks, and costs. For example, Deloitte’s Wagner recalls one CFO who was using SOX compliance as an opportunity to consolidate five enterprise resource planning systems into one. In this executive’s mind, that ambitious approach made more sense than documenting controls for five separate systems.

However, these companies stop short of saying they plan to measure their return on investment in these efforts—at least right now. According to a recent survey conducted by PricewaterhouseCoopers, most companies are not tracking the costs of Sarbanes-Oxley or other compliance programs.

“While it is possible that there might be ROI from SOX compliance someday, it is not prime in anyone’s mind at the moment,” says Rooney at Bowne. “Still, we are not going about this willy nilly; we are trying to manage the process.”

Specifically, Bowne is using its SOX compliance efforts to rethink its processes and look for best practices inside and outside of the company.

For example, the company’s financial print segment uses a common accounting system with the same capabilities for all of its business units. Over time, however, individuals have developed their own ways to use the system through short cuts and different ways to run reports. SOX documentation efforts are revealing these different approaches and allowing other business units to learn from each other. “People ask questions, look for ways to eliminate steps, and show each other how to handle shortcuts or to extract information from the system,” says Rooney.

This type of sharing also occurs at the business segment level when participants in compliance-related meetings and conference calls are encouraged to share beneficial information that they are picking up during compliance efforts.

While companies may not be in a position to calculate their return on investment in compliance efforts, they are taking steps to ensure that the information gleaned from SOX compliance, particularly Section 404 compliance, is used to best advantage.

For PDI Inc., the $338 million healthcare sales and marketing company based in Upper Saddle River, N.J., its overall compliance effort is not only a way to make company operations more efficient and cost effective, it is also a competitive advantage. “The compliance effort is a way to show that our company is even more compliant than they are because that is a selling point to clients,” says Bill Jennings, the company’s corporate compliance officer. That’s partially because the healthcare and pharmaceutical industries are highly regulated. “In our industry,” notes Jennings, “compliance is everything.”

When it comes to improving operations, Jennings says that SOX compliance has helped the company to create a roadmap of how it does everything. “There are so many uses for that roadmap,” he says. In addition to addressing inefficiencies, PDI is also pursuing some outsourcing opportunities that it had never considered before. “Our goal is to become more cost effective and efficient because just complying is a waste of resources,” says Jennings.

Indeed, Jennings feels that PDI has no choice but to turn compliance into a competitive advantage. “Our competition is using 404 compliance to bring their performance to the next level, so we have to keep pushing to do things that much better,” says Jennings.

Some companies are institutionalizing this drive for compliance-related value creation by developing new corporate functions and working groups. Within the next 18 months, Cognos, Inc., the $700 million software company based in Ottawa, Ontario, plans to create a business process improvement group charged with implementing all advancements identified through 404 compliance and internal audits. “We’re trying to use 404 compliance as an opportunity to standardize operations and adopt best practices to improve performance and efficiency,” says Jason Burke, the company’s senior manager of global consolidations. “The faster you can react to change and improve processes and procedures, the more cost effective compliance will become.”

Crown Media is also trying to take its efforts beyond compliance to business process and work flow improvement. For example, as a result of SOX compliance efforts, the company has automated expense reports, replaced two existing purchase order systems with a single new system, and implemented a worldwide contract management system.

The company’s contract management system is particularly important from a control and process improvement standpoint, as Crown Media must manage usage rights to its entertainment holdings throughout the world. The new system has allowed the company to create a consistent process for dealing with rights and contract issues. “We moved forward on that in the guise that the system would create a better internal control environment,” says SVP Thompson.

The company did not increase the IT budget for these improvements, but it did shift priorities to reflect the importance of SOX-related IT projects. That’s in line with the study from ACL and the Center for Continuous Auditing, which noted that two-thirds of companies surveyed had no budget allocated for ongoing compliance.

Even so, Crown Media is finding that its new standardized finance processes have had numerous indirect financial benefits, and that its overall compliance efforts have reflected favorably on the company’s insurance rates.

“We will calculate ROI at some point,” says Thompson.

Just not right now.