In recent months, first-year compliance with Sections 302 and 404 of The Sarbanes-Oxley Act of 2002 (SOA) has commanded the attention of CEOs and CFOs (the “certifying officers”). In just a few months, many U.S. accelerated filers will progress beyond “first time through” compliance to ongoing annual compliance with these SOA sections. As they do so, many companies could face an even more challenging environment in future years for the following reasons:
- Internal control reporting will become an open display of management’s commitment to quality financial reporting. Investors will expect more transparency into the financial reporting process than ever before.
- Many companies have work to do with respect to improving the sustainability of their underlying business and accounting processes. Continued reliance by management on ad hoc, manual processes will result in increased financial reporting risk during times of change.
- Questions on internal controls from analysts, stockholders and underwriters will continue to increase. Management can expect to spend more time preparing for these discussions, because representations about internal control will be regarded as much more than implied promises. In effect, they place the company’s reputation on the line.
- The pace of litigation will increase. There is evidence that control deficiency disclosures are adversely affecting share prices on an overnight basis. In addition, Goldman Sachs recently published a report in which they concluded, “... an unfavorable auditor opinion could have significant negative share price implications given investors’ heightened interest in accounting transparency and corporate governance.” These developments will surely lead to class action suits.
- The call to reduce the cost of compliance will become even louder. Developing an efficient compliance process often requires structural improvements in policies, processes, people and systems. For many companies, recognizing the nature of the transition from year one to an ongoing process in future years is the key to controlling costs. Making this transition happen is not possible without some investment.
These emerging dynamics raise many questions about preparing for year two and beyond. If the effectiveness of an organization’s internal control over financial reporting is questioned, certifying officers should be able to make a convincing case that they did everything they could do to improve or advance the maturity of key business processes, the financial reporting process and the compliance process. Evidence of their personal involvement and commitment to the process will be very important in articulating how they discharged their responsibilities. The suggestions we provide in this issue of The Bulletin will help them make that case.
“Tone at the top” is where it all starts
“Tone at the top” captures the essence of where a commitment to responsible business behavior begins. Through their steady, unrelenting commitment to reliable financial reporting, the certifying officers set the tone that can strengthen or undermine the effectiveness of company accounting policies, disclosure processes and internal control over financial reporting. More importantly, the tone the certifying officers set helps to influence behavior that may not be subject to even the most elaborate controls and reporting systems.
Reinforce process owner accountability with a self-assessment process
When you want reasonable assurance that something important is happening, do you take someone’s word for it that “things are okay” or do you design and implement a management process to make sure it happens? Process owners should be held accountable for the effective functioning of internal controls for which they are responsible. Through an effective self-assessment process, that accountability is reinforced by requiring process owners to respond to specific questions regarding specific controls for which they are responsible, creating a transparent “chain of accountability” for internal control over financial reporting. The Section 404 compliance process lays the foundation for an effective self-assessment process by providing insights as to the key controls and the owners of those controls.
The Public Company Accounting Oversight Board (PCAOB) has taken the position that company-level controls include “controls to monitor other controls, including ... self-assessment programs.” Because “process owners” are the men and women closest to the critical control points within the organization, they are best positioned to know what’s working and what isn’t, when changes are occurring in the process, and what impact systems and other pervasive changes have on the controls within the process. Process owners both execute controls and supervise and monitor the owners of controls, and are ultimately responsible for assessing the design and the performance of controls.
What does this mean to certifying officers? If you don’t have a self-assessment process, implement one. If you have a self-assessment process already in place, improve it. Make it more robust by linking it to the critical controls identified by the Section 404 compliance process and including it as an integral part of the disclosure process and continuous monitoring required by Section 302 reporting. Look at self-assessment as a management tool that drives the “tone at the top” down to the process owners.
Augment disclosure controls with an effective change-recognition process
Are you confident your disclosure controls won’t grow stale over time, i.e., they become so “business as usual” no one is paying attention when something that matters happens? Is there a process for infusing the disclosure controls with new developments and risks on a timely basis? If so, how do you know it is working? These are important questions because SOA Section 302 requires disclosure of changes that materially affect, or are reasonably likely to materially affect, internal control over financial reporting. The COSO Internal Control – Integrated Framework states that “risk assessment” is a component of internal control over financial reporting, and provides guidance that an important aspect of assessing risk is identifying and reacting to change. A change-recognition process is not only needed, it is a requirement.
Every company needs a process for identifying environment, operating and other changes that impact the financial statements, other disclosures in public reports and the effectiveness of internal control over financial reporting. Examples of changes requiring evaluation include mergers and acquisitions, divestitures, new innovative business practices, new systems, changes in personnel (including significant early retirement or personnel reduction programs), significant market declines, and changes in laws and regulations. The disclosure committee, or an equivalent group of executives, should be charged with the responsibility of monitoring change for purposes of identifying material information requiring consideration and possible disclosure.
Certifying officers need a change-recognition process that surfaces new developments and events timely for subsequent follow-up and disclosure. If there is ONE area in the future that is most likely to cause a breakdown in the disclosure process of companies which are strongly committed to reliable financial reporting, it is likely to be that the company did not timely identify the impact of change on the business, the financial statements and the required disclosures.
Invest in appropriate organizational structure to support process owners and ensure ongoing compliance
We have discussed the importance of (1) a strong tone at the top, (2) process owners who are accountable for the important controls, and (3) an effective change-recognition process. While these elements are important, they provide the foundation for something else that is not only as equally important but is also a matter that few companies have addressed. If there is an area of this bulletin certifying officers should focus on soon, this one – the matter of organizational structure – is it.
Would you build a house and not maintain it? Or buy a car and never take it in for a tune up and oil change? Of course you wouldn’t. Similarly, the penalties and risk in year two of Section 404 compliance are no less severe. Companies are investing thousands of hours of effort in year one and in some cases spending millions. Going forward, it is unrealistic to expect your process owners to shoulder the burden of Section 404 compliance by themselves. If there are significant changes, it is inconceivable how they will get the job done without support. It is imperative, therefore, that companies protect their initial year investment by supporting process owners and ensuring ongoing compliance.
The PCAOB requires management to maintain up-to-date compliance documentation. The good news is that the first-year compliance documentation may be rolled forward if there are no changes in policies, processes, people and systems. That said, who will keep this documentation up-to-date going forward? Who will assess the impact of changes in processes and systems, redesign controls in response to change and update the related controls documentation for changes made? Who will remediate deficiencies when necessary? Do process owners know how to do these things? Who will coach, assist and evaluate them? How will certifying officers know the job gets done? An appropriate organizational structure that facilitates compliance must provide answers to these questions, because process owners are neither auditors nor experts in documentation and remediation.
Manage Gaps and Overlaps
An organizational structure that drives effective internal control over financial reporting is predicated on a sharp delineation of roles and responsibilities. When discussing process owner accountability earlier, we did not point out that the question of “ownership” is oftentimes obscured by the “command and control” structure of most organizations because that structure has always placed strong emphasis on managing silos. For example, the “procure to pay” process is executed by the purchasing, receiving, accounts payable and treasury (cash disbursements) functions. Not only do these functions operate at different levels of the organization, there are critical interfaces or “touch points” among these functions that make the “procure to pay” process work. There must be effective controls over these interfaces, as well as owners of these controls who are accountable for their effective operation.
Certifying officers can benefit from clarifying accountability at all levels and for all key financial reporting processes within the organization. While Section 404 compliance should drive this definition, the ultimate litmus test occurs when management deploys a self-assessment process. To make self-assessment happen, every key control must have a name by it. Gaps (such as when there is no one responsible for executing a control) should be eliminated and overlaps (such as when there are multiple owners of a control) minimized. While easy to say, this kind of clarity is not easy to achieve. Therefore, many companies face situations in which process ownership must be clarified, particularly at the interface points within processes.
Because Section 404 compliance demands attention to execution, it is important to understand that the process ownership aspects of identifying processes and the controls within processes is a significant change management issue. The mere exercise of assigning responsibility can result in redrawing the scope of control responsibilities that previously existed for specific individuals. Thus it is critical that companies consider carefully the transitional organizational structure over the next couple of years to facilitate process owner understanding and acceptance of the scope of their respective responsibilities. Such responsibilities include appropriately testing and self-assessing internal controls to provide assurance that they are operating effectively as designed.
Establish the Appropriate Transitional Organizational Structure
Certifying officers need an organizational structure that facilitates ongoing compliance with SOA Sections 302 and 404. This structure should emphasize the internal audit function, a group of risk control specialists or both. For example, assume an organization contemplates a lot of changes, or the skill sets, capacity and charter of the internal audit function are not conducive to providing the assistance that process owners need with respect to documenting controls, evaluating change, assessing controls design, testing controls operation and remediation. In such instances, certifying officers should consider creating a risk control function or engaging risk control specialists. A risk control group does not execute processes and controls. It may report to and be embedded within the entity’s operations. Alternatively, it may be independent of operations, reporting to the chief financial officer, the chief compliance officer or the chief risk officer. In fact, the change management aspects of eliminating gaps and minimizing overlaps suggest a need for risk control specialists to support process owners over a 12- to 24-month period as they assume responsibility for the ongoing operation of specific controls after the first internal control report is filed. Another factor management may choose to consider is the impact on desired objectivity of the internal audit function.
If not much change is contemplated or internal audit has strong requisite process, risk and control skill sets and available capacity, the department may be expanded and deployed and its charter aligned to provide process owners the assistance they need in lieu of a separate risk control group. If it is desired to deploy risk control specialists, such specialists may be organized as a separate division within the internal audit function, reporting to the chief audit executive, or integrated across the organization. In any event, the internal audit function should align its audit plan with whatever SOA compliance-related monitoring role management has designated for it to fulfill.
Whether embedded or independent, whether reporting to a C-level executive or whether housed within internal audit, risk control specialists play a vital role. Through their knowledge of risk, SOA requirements and business process, they ensure consistent compliance enterprise wide and effectively evaluate the risk at critical interface points between business functions. They infuse process innovations on a periodic basis. They facilitate the identification of metrics that will drive efficiency and effectiveness. In specialty areas like technology, supply chain, commodity trading and treasury, they have access to organizations with whom they may co-source personnel with expertise that is not deployed daily in most organizations. Most importantly, they give the process owners assistance from someone they respect, which is vital in the early transitional stage as process owners assume new and expanded responsibilities for controls.
In summary, we have suggested three alternative organizational structures that facilitate ongoing compliance with Sections 404 and 302:
There are several factors certifying officers should consider as they evaluate the appropriate transitional organizational structure going forward. Following are five:
(1) The need to clarify roles and responsibilities of, among others, process owners, operating unit managers and, depending on the selected structure, internal auditors and risk control specialists. As noted earlier, clarity of roles and responsibilities is essential to achieve accountability.
(2) As the underlying business processes are simplified, focused and automated, there will be greater emphasis on preventive controls (versus detective controls), systems-based controls (versus manual controls) and monitoring. The state of maturity of the company’s processes (meaning the extent to which they are defined and managed) will drive the nature of the skills needed. For example, business processes that rely heavily on automated controls will require less testing. However, testing in these environments demands more emphasis on technology-related skills that are not required with respect to processes that rely on manual controls. What’s the point? The more efficient and effective the organization’s processes, the more they will depend on preventive and automated controls. Consequently, less testing will be necessary and compliance costs will decline over time.
(3) The extent of change expected within the industry should be considered, e.g., regulatory, consolidation and other developments. The more change, the more help process owners will need.
(4) A highly competent and objective risk control function (either within internal audit or separate) and a strong internal audit department are management tools recognized by the PCAOB as units whose work the external auditor can rely on to a greater extent than on work performed by others within the company. Going forward, this may be an important factor as companies look for ways to mitigate net audit costs while maintaining audit effectiveness.
(5) The choice of using internal audit and risk control specialist(s) to advise and coach process owners and perform testing is based upon:
- the assigned role and responsibilities of process owners;
- the capabilities, capacity and cost of deploying process owners; and
- the capabilities, capacity and cost of deploying internal audit.
If the needs of the organization require expansion of these skill sets, hiring all of the necessary skills may be expensive, particularly in areas of specialized skills such as IT. Therefore, co-sourcing may provide an attractive option to management.
Other steps certifying officers should take
Once the appropriate organizational structure to support process owners and ensure ongoing compliance is in place, certifying officers should also do the following:
- Make sure someone is paying attention to the importance of technology — In many companies, business processes are very dependent on technology embedded within them for timely, comprehensive and accurate execution. The processes that initiate, authorize, record, process and report the transactions underlying financial reporting in most, if not all, companies, are accomplished with computers, programs, and other technology-related equipment and software. Many applications and systems also have controls programmed into them, and some of these programmed controls may be critical to the evaluation of internal control over financial reporting. In addition, technology is also a key enabler for SOA compliance, as there is a wide range of software tools available in the marketplace, either in the form of “point solutions” or “platform solutions.” Point solutions are applications designed specifically for SOA compliance. Platform solutions are software infrastructure that is designed for another purpose, such as business process automation, document management, financial management or broader compliance, and is adapted for SOA compliance.
The implication: Technology introduces unique and potentially significant risks affecting security, change management, business continuity and other vital areas. Therefore, certifying officers should ensure the appropriate personnel are considering those risks and the controls that mitigate them. In addition, companies must select the technology solution they need going forward. Depending upon such factors as the organization’s size and complexity, the total number and location of individuals involved with the compliance effort, the needs around security and workflow, and the existing investments in software (e.g., ERP, content management, process management or compliance software), companies will often choose either a “compliance-driven” (short-term) approach or a “value-driven” (long-term) approach to their SOA compliance process.
- Aggressively dispose of significant deficiencies — Unfortunately, most material weaknesses do not get reported to management until it is too late to fix them. Simply stated, in many instances management didn’t know they even existed. Furthermore, despite the fact that the PCAOB has strived to define the distinction between a significant deficiency and a material weakness, evaluating the severity of deficiencies will require much judgment in practice. As a result, reasonable men and women may differ when applying the Board’s rules.
The implication: Someone needs to pay attention when significant control issues arise. Certifying officers shouldn’t be surprised with what they don’t know. There are four imperatives they should stress:
(1) Make sure control deficiencies that could potentially be significant deficiencies or material weaknesses are identified and reported timely. For example, provide process owners and internal audit with a process for escalating potentially significant issues outside the formal reporting process to get them on the table for resolution as soon as practicable, particularly during the quarterly reporting season.
(2) Fix control deficiencies that could potentially be significant deficiencies or material weaknesses on a timely basis. If unresolved deficiencies “stack up,” there is a risk the external auditor could conclude the deficiencies, in the aggregate, comprise one or more material weaknesses in internal control over financial reporting. Recognize that legal counsel may also advise external disclosure of a multitude of unresolved deficiencies to protect management.
(3) Evaluate the key business processes not only to assess control design effectiveness but also to assess process maturity as a measure of sustainability. Don’t stand pat with your existing processes just because they may be repeatable and may have passed the assessment test in year one. If processes are heavily dependent on manual and detective controls and on human intervention, your internal control structure may not be sustainable during periods of change. Target such processes strategically for improvement and for increased scrutiny by internal audit or risk control specialists.
(4) Finally, implement some type of program management around control deficiencies identified by process owner self-assessments, by the Section 404 compliance team, by internal audit and by external audit. This process should report the identified deficiencies by source and track progress from evaluation of the deficiency to completion of remediation or other appropriate disposition.
- Put in place and support a strong audit committee — Is your audit committee another hoop to jump through or is it a brain trust for evaluating issues and providing objective insights regarding how specific matters might be viewed by the public? An effectively functioning audit committee provides appropriate oversight with respect to external financial reporting and internal control over financial reporting. From a Section 404 compliance standpoint, it is important to understand that the external auditor assesses the effectiveness of the committee’s oversight role. That assessment is conducted within the broader context of the auditor’s evaluation of the company’s control environment and entity-level monitoring process. The board retains the overall responsibility to assess the effectiveness of the audit committee.
The implication: Certifying officers should make sure the audit committee has the resources it needs to play the oversight role it is expected to perform. Management and the audit committee should re-evaluate the committee charter and agenda and the information reported to the committee with the objective of determining that the committee is fully responsive to the expanded requirements set forth by SOA and the applicable exchange listing requirements. A strong audit committee can provide support for diligent certifying officers if unexpected surprises occur.
- Find the value — When the final bill is tallied for Section 404 compliance, will the certifying officers ask where the value is? Our advice: Not only should they ask for value returned just like they do for any other investment or expenditure, they should insist on it.
The implication: There is a significant opportunity to build-in (versus inspect-in) quality, optimize costs and compress time within the organization’s processes while simultaneously reducing its financial reporting risks. With improved financial reporting, companies can also augment the governance process by managing reputation and other business risks to protect and enhance enterprise value. Companies with documented processes can compare and benchmark their processes to improve efficiency, articulate clearer job descriptions, better train their people, design improved metrics, eliminate nonessentials, and simplify, focus and automate manual activities.
It could be your organization
Just as your organization puts its reputation and integrity on the line through its products and services, so it does through its financial reporting. Companies are currently reporting material weaknesses (and even significant deficiencies) in internal control over financial reporting, are providing updates on the status of their control-improvement efforts and are disclosing risk factors related to uncertainties in the internal control structure. Over the eight-month period through June 2004, there were over 220 filings regarding control deficiencies and other related issues. Most of these filings were material weaknesses covering a broad range of control deficiencies, with the most common being inadequate financial personnel, revenue recognition, account reconciliations, and ineffective monitoring, review and analysis.
When all is said and done, certifying officers should be in a position to make a convincing case that they did everything they could do to improve or advance the maturity of the financial reporting process and reduce financial reporting risks to an acceptable level. The steps we have outlined in this issue of The Bulletin are an imperative for certifying officers and are summarized on page 7 in “A Call to Act – What Certifying Officers Should Do.” By taking these steps, certifying officers demonstrate due care in reinforcing the responsibility and accountability of process owners and in supporting these owners in their respective roles. While we see companies remediating their control deficiencies with short-term solutions, we also see them planning for longer-term improvement in key processes that support financial reporting. Certifying officers should waste no time in giving these and other steps their strongest consideration and in discussing their conclusions with the audit committee and the full board.