Driving Value Out of the Section 404 Compliance Process

Driving Value Out of the Section 404 Compliance Process

No one is arguing with the oft-stated assertion that the first year cost of complying with Section 404 of The Sarbanes-Oxley Act of 2002 (SOA) is sky high. In fact, surveys and other sources of evidence make it clear that the administrative burden of compliance is signifi cant enough for most companies to warrant a review of strategies and tactics for maximizing value-add from the compliance process. While the SOA-stated purpose of protecting investors by improving the reliability of public reporting is an important goal, both executive management and directors are asking tough questions. For example, are the costs we incurred in Year One representative of the costs we should expect in future years? Can we derive tangible benefits from our compliance investments?

How can we make this compliance effort “work for us” in enhancing, as well as protecting, enterprise value? This issue of The Bulletin focuses on the answers to these and related questions.
Protiviti assists companies in different industries with developing best practices to improve the performance and effectiveness of their processes. Through these activities, benchmarks are often developed for certain process areas, including best practice metrics. This publication incorporates insights and “lessons learned” about finance processes that we hope will be of interest to readers of The Bulletin.


The opportunities are significant

Many companies are working very hard to comply with SOA, completing untold numbers of time-consuming account reconciliations, processing hundreds of manual journal entries, entering data into hundreds of spread sheets manually, and wading through and testing thou sands of controls. In addition, many companies have inadvertently ignored systems-based controls embedded within financial management ERP solutions that, if properly implemented and executed, would support compliance. Simply stated, for most companies, the compliance process has been difficult and painful.
Additionally, with the Securities and Exchange Commission’s (SEC) oncoming accelerated filing require ments, it seems that the difficulty and the pain can only get worse, if the status quo is sustained.
 
The good news is that SOA only sets compliance objectives. When it issued its rules to implement SOA, the SEC did not proscribe detailed compliance methods. Thus there are no restrictions on “working smarter, not harder.” The compliance process doesn’t have to be as costly as some companies are making it, especially when one recognizes that a lot of rework occurs in the financial reporting process. By understanding which financial reporting tasks are most time-consuming; identifying root causes of errors and improving processes upstream at the source; and eliminating nonessential procedures and simplifying, focusing and automating manual activities, there is a significant opportunity to leverage investments from 2004. To illustrate, among a group of 200 companies, the average company processes 250 manual journal entries each month. The bottom quartile companies process over 550 manual entries. In addition, the benchmark average for error correcting month-end journal entries is two percent, with the fourth quartile companies correcting five percent of their entries. With the amount of rework mounting over the course of the year, clearly there are improvements to be gained.

One point often missed in this conversation is that there is considerable linkage between (a) improving process cost, quality and time performance; and (b) strengthening the effectiveness of internal control over financial reporting.

After all, a simple process is easier to control than an unduly complex one. The message: Companies have opportunities to improve process performance by building in (versus inspecting-in) quality, reducing costs and com pressing time within their processes – and all of this while simultaneously reducing financial reporting risks.

As organizations eliminate nonessentials, they will examine the need for redundant controls. As they simplify, standardize and automate their processes, there will be greater emphasis on preventive controls (versus the detective controls that institutionalize costly and nonvalue-added rework into processes) and increased emphasis on systems-based controls (versus the more costly people-based controls). As efforts to eliminate rework and build quality into the process occur, companies will reduce the number of manual journal entries required to close the books, streamline account reconciliation activity, deploy available automated controls and reduce the number of spread sheets by transferring spreadsheet functionality into the organization's ERP system where it belongs. By improving and taking time out of the financial reporting process, organizations will facilitate continuing compliance with increasingly stringent SEC accelerated filing requirements. And as all of these changes occur, there will be a better mix of preventive and detective controls as well as of automated and manual controls. The result: The internal control structure will become more cost-effective and sustainable over time.

What’s wrong with this picture?

Consider the following simple scenario:

A company has a mature close process with experienced staff. An integrated ERP software tool is used for transaction processing. Close procedures are well documented. Staff accountants meticulously review computer reports to identify adjustments requiring manual journal entries. Each manual journal entry is approved by the controller. At least five trial balances are run each close to verify all adjustments are properly record ed. Staff accountants reconcile key accounts during the close cycle, which spans 12 days.

As compliance costs mount, the status quo can no longer go unquestioned. In the above situation, management needs to ask some tough questions. First and foremost, why does it take us 12 days to close the books? Why are five trial balances run to ensure all adjustments are properly recorded? How many manual entries are we processing? What is happening upstream in our business processes that drives this activity in our period-end financial close?

Consider this second scenario:

A company uses an integrated ERP package to process its accounts payable. All purchase orders and receiving activity are entered online. An experienced clerical staff enters invoices and also manually matches hard copy documents as a verification check of data entry. Strong review and approval controls identify matching exceptions, which run as high as 18 percent of all invoices processed. Purchasing assists the accounts payable function in resolving all exceptions and approves changes to PO pricing.

In this situation, there are additional tough questions to ask. First, why is a manual match taking place given online entry of purchasing and receiving documents and the available technology horsepower? Most importantly, would we accept an 18 percent rework rate on the shop floor? Without a doubt, every manager would answer, “No!” If that is the case, then why should the answer be different for processing financial transactions? In the past, these situations have continued unabated because they occurred below management’s radar. The Section 404 compliance process raises the visibility of these conditions.

These are not pipe-dream scenarios. They are real-life situations. Yes, management can obtain a clean opinion through effective rework and timely correction of errors. But the question of the day is, “At what cost?” There has to be a better way.

It’s a potential gold mine, so start digging!

Valuable nuggets of savings lie buried in the mountain of process documentation, controls evaluation and controls testing that companies have created to comply with Section 404. Further analysis of the SOA documentation can yield savings as high as 30 percent in some processing areas. The stakes are high. For example, AMR Research recently reported that only 12 percent of companies surveyed expected their SOA compliance costs to decrease in the year following filing of their initial internal control report. AMR noted that 36 percent of companies expect their Year Two SOA compliance costs to increase. An additional 52 percent expect their Year Two compliance costs to remain constant with the initial year. And we aren’t talking small amounts. Financial Executives Institute estimates that companies with average revenues of $2.5 billion will spend more than $3 million to comply with SOA requirements. And that number may be low because it was published in mid-2004.

While everyone agrees with the objective of reliable financial reporting and the importance of investor confidence in the integrity of the public reporting model, executives and directors at many companies are beginning to question whether the costs of compliance outweigh the benefits.

As this debate takes place, we believe there is an opportunity to leverage the compliance work performed to date to make financial processes more effective and efficient and reduce the overall cost of ongoing compliance.

To illustrate, Section 404 of SOA requires a thorough review of financial processes, risks and controls to ascertain whether there are control deficiencies. If deficiencies exist, companies must evaluate their severity to deter mine whether disclosure to the audit committee, the auditors and the public is required. Such a granular view can also be expanded to identify processing redundancies, unbalanced work flows, inadequate systems and process quality issues that reduce process effectiveness and efficiency. By analyzing the compliance documentation to identify where improvements are possible, and then taking appropriate action through an analysis of financial reporting processes, many companies may be able to shift their SOA paradigm from a “costly investment” to a “return on investment.”

Look for the indicators

Now that many companies have wrapped their initial compliance activities for Year One and are preparing for Year Two, the time is ripe to mine the compliance documentation for cost savings opportunities. Recent experiences in reviewing SOA Section 404 documentation suggest process-related issues such as the ten noted in the box below. These issues provide high-level indicators that a company’s finance processes might benefit from a review for opportunities. Further commentary regarding certain indicators is also provided below.

With respect to indicators (1) and (2), the reporting time frame for annual and quarterly reports is shrinking for accelerated filers. Under the SEC’s amended rules, the deadline for accelerated filers remains at 75 days after year-end for annual reports and at 40 days after quarter end for quarterly reports. For annual reports filed for fiscal years ending on or after Dec. 15, 2005, an accelerated filer will file its annual report within 60 days after year end. For quarterly reports filed after the filing of the aforesaid annual report, the accelerated filer will file its quarterly report within 35 days after quarter-end. The accelerated filing requirements reduce the amount of time available for management to review the quality of financial reports before they are released to the public.

With respect to indicator (3), high exception rates can lead to lengthy lists of control deficiencies requiring excruciatingly detailed analysis to ascertain whether the deficiencies constitute significant deficiencies or material weaknesses. If management is successful in keeping the list of control deficiencies to a “short list” over time, less nonvalue-added activity will be expended to assess their severity.

With respect to indicator (5), companies are relying on the back-end controls to detect errors when much cost and risk can be reduced if the root cause of the errors is eliminated. Financial performance metrics indicate that, despite sophisticated ERP software tools, the average public company records a high number of manual journal entries each month. Some of those entries are simply insignificant using anyone’s threshold test. Other entries are required to correct errors that occur earlier in the process. While it is comforting to know that back-end detective controls catch errors, this approach is hardly the most efficient way to close the books each month. In a high-volume process such as the accounts payable process, performance data suggests that process quality issues may exist in nearly one of every five transactions. As a high defect rate (or any defect rate, for that matter) is unacceptable with respect to a company’s products delivered to its customers, so also is a high transaction processing error rate. These quality issues have always driven up internal processing costs. Now this historical problem is exacerbated because management and internal auditors must test the underlying controls for operating effectiveness. With the external auditor also invited to the party, the costs continue to escalate. Given the never ending cycle of testing, remediating and retesting controls, this condition of high error rates is not sustainable.

These ten indicators suggest opportunities for improving the operating efficiency and effectiveness of business processes affecting financial reporting. They also suggest the internal control structure is exposed to high stress circumstances, such as integrating a significant acquisition or merger.

Develop a business case

Here are a few examples of companies improving the effectiveness of their financial reporting processes:

  • A distribution company reduced month-end close cycle time from 13 to five days, increasing the time available for value-added analysis. The company also reduced the number of reports and the complexity of month-end reporting.
  • A software company reduced month-end close cycle time from 12 to six days. The company integrated budgeting and financial reporting for comparative analysis.
  • A logistics services company reduced month-end close cycle time from 10 to two days.
  • A printing company compressed its month-end close cycle from eight to three days and installed performance measures to track resolution of process improvement ideas.

Each of the above examples resulted in measurable economic benefits. Experience shows that companies implementing finance best practice processing techniques have achieved average cost savings of about 30 percent. Savings may range from 20 percent in accounts receivable and cred it management to nearly 45 percent in general accounting processes. Month-end close cycle times have been reduced up to 70 percent. In many situations, investments in technology are not required to achieve the savings. Therefore, the payback timeframe is often 12 months or less.

When formulating the business case and economic justification for going forward, think in terms of value creation and investment payback, not in terms of project cost.

Avoid confusing systems enhancements with process improvements. Because “to be” process ideas should drive technology requirements, always focus on improving work methods, simplifying processes and eliminating nonessentials. Solutions must also be practical and easy to implement; therefore, discard time-wasting theoretical recommendations. Don’t accept estimates of the theoretical savings (or so-called “soft benefits”). Insist on tying hard dollar savings to specific improvement ideas.

Integrate performance metrics into the business case to measure results.

Deploy a sound approach

A solid internal control structure protects enterprise value. Opportunities exist to maximize process efficiency and effectiveness and enhance enterprise value. While the potential savings arising from improving financial reporting processes are significant, achieving such savings is often easier said than done. Most organizations lack the necessary objectivity, focus and expertise to identify savings opportunities. To be successful in improving the effectiveness and efficiency of your business processes, your company’s approach must focus on the development of holistic solutions to integrate the people, processes and technologies that are a part of your financial system. These solutions must be aligned with your business strategy and environment so that they will meet your business needs both now and in the future.

The good news is that the approach to mining and implementing process improvement opportunities is not a difficult one to understand. To drive a return on the Section 404 compliance investment, management should insist that appropriate personnel analyze SOA documentation to understand current process activities and performance results. From there, the organization develops “future state” process definitions that eliminate duplicate work, reduce cycle times and minimize manual tasks, while also effectively managing financial reporting risk. The team then establishes improvement targets and estimates the savings potential. Once management approves the recommended changes, the team implements them.

Potential solutions are prioritized toward realizing the major savings opportunities. They could range from finite process improvements in accounts payable to finance function shared service centers for multilocation companies. Staff training and education in the new processing techniques are provided during the implementation process. Process improvement solutions arise from:

  • Simplifying processes, work flow and tasks
  • Eliminating activities and tasks which are unnecessary or add no value, e.g., manual tasks which duplicate ERP functionality, numerous revisions prior to report finalization, etc.
  • Eliminating the root cause of exceptions and errors to “build in” quality
  • Leveling workloads among people, across processes and within periods to eliminate workload peaks
  • Focusing and automating manual tasks and reducing cycle times

Process improvement solutions are formulated through benchmarking and application of best practices. Process improvements arise from the combination of improvements in policies, processes, people and technology.

Performance metrics set targets for improving quality, reducing costs and compressing time. These metrics are incorporated into the performance expectations of process owners. Appropriate change management tactics are incorporated into the solution implementation to avoid trivializing human behavior issues. These tactics include executive management leading the change initiative from the top, and employee skill development to sustain the new processes, technology and organization.

From an internal control standpoint, the solution often improves the mix of preventive and detective controls, with more emphasis on the former by positioning the control procedures at the source of risk rather than downstream in the process. In addition, solutions often shift the focus on automating labor intensive manual activities to more comprehensively mitigate the risk at a lower cost. As processes are improved, controls are enhanced.

Summary

The process improvement principles we have discussed in this issue of The Bulletin apply to all organizations, including private companies and not-for-profit organizations. Because the time, effort and money spent on SOA compliance have been much greater than most companies anticipated, certifying officers should ask their people to mine the value out of the increased transparency into the organization’s business processes that the Section 404 compliance documentation provides. There are significant opportunities extending beyond compliance because the financial reporting processes for many companies are overly dependent on people-based detective controls and institutionalize the high error rates requiring costly rework. That is why certifying officers should insist on value returned from Section 404 compliance just like they would for any other investment or expenditure. With the proper focus, we believe their people can deliver that value. If they don’t, they either don’t have the time or aren’t looking hard enough.

Key Questions to Ask

Key questions for board members:

  • Are you satisfied management has a plan to look beyond compliance issues to identify and capitalize on opportunities for improving the efficiency and effectiveness of the company’s business processes impacting financial reporting?
  • Are you satisfied management has a plan to remediate control deficiencies which are reasonably likely to adversely affect the company’s ability to initiate, authorize,record, process, summarize and report financial information, even though such deficiencies are not material weaknesses?

Key questions for management:

  • Are there process-related issues suggesting opportunities for improvement?  For example:
    • Are there high exception rates in your financial transaction processes?
    • Does your general ledger close cycle time exceed five days?
    • Are there a significant number of manual journal entries used to record transactions or make adjustments and reclassifications to information reported by the ERP system?
    • Is there a high dependency on spreadsheets to record accounting transactions and support man ual journal entries?
  • Does the organization provide process personnel with an effective channel for upward communication of ideas to simplify processes, eliminate non-essentials, level workloads and automate manual tasks? Is anyone listening to their input?
  •  Has management benchmarked the performance of the enterprise’s business processes from a quality, cost and time standpoint to identify performance gaps? Has management sourced the root causes of these gaps to identify opportunities for improvement through best practice solutions?
  • Have you thought about improving process areas where there is extensive reliance on manual detective controls to “inspect in” quality by identifying and correcting errors? Have you considered analyzing the root causes of exceptions and errors to “build in” quality upstream in your processes affecting financial reporting?
  • Do your personnel have the necessary objectivity, focus and expertise to identify savings opportunities relating to improving process quality, cost and time performance while simultaneously reducing financial reporting risk? Would outside advisors help you succeed in improving the effectiveness and efficiency of your financial reporting processes?

Improving the financial close process. Seen clearly, delivered objectively.

At Protiviti, we know that Sarbanes-Oxley compliance has been difficult and expensive. As the margin for error is reduced, companies are being asked to meet accelerated filing deadlines and expanded reporting requirements. As they do so, they may be tempted to add more effort and cost, and perhaps even accept greater exposure to error. While others see this as a risk, we see opportunity. By eliminating unnecessary manual activity, simplifying the financial close process, automating manual tasks and increasing visibility of key controls, companies will reduce reporting cycle time, increase reporting reliability and often reduce costs. Want to know more? Give us a call.

For our point of view on improving your financial reporting process and other matters related to Year 2 compliance with the Sarbanes-Oxley Act, check out our informative resource guides. Protiviti continues to be recognized worldwide for our publications. Our Guide to Internal Audit is a comprehensive discussion about internal audit and the related New York Stock Exchange listing requirements. Our 3rd edition of Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements includes 90 new questions and well over 100 pages of new or substantially revised material. For a free copy of these or any of our other resource guides, please visit protiviti.com or call 1.888.556.7420.

The Bulletin (Volume 2, Issue 2)

Click here to access all series

Ready to work with us?