Opinion: Sarbanes-Oxley Compliance: Prepare For The Long-Haul
Prashanth V. Boccasam
Aug. 2, 2004—Sometimes we are subjected to new laws because of politics and special interests, and other times it’s the egregious actions of a particular few that cause the outcry resulting in a new protective measure.
The Sarbanes-Oxley Act of 2002, which came about because of the latter, is a mandate designed to protect investors by giving people more visibility into the companies in which they invest. Whether it’s a well-founded law or just good political theatre, compliance puts a heavy cost on companies that are publicly traded. But with the right planning and tools these costs can improve internal controls and business processes, creating competitive advantage for these forward-thinking companies.
“SOX,” as the Act is sometimes called, forces companies trading on U.S. stock exchanges to be more accountable regarding their financial statements by requiring chief executive and chief financial officers to vouch for the accuracy of revenue and other financial data.
Among the looming aspects of this law is Section 404, which requires public companies to demonstrate in annual reports adequate documentation and internal controls to ensure veracity. External auditors also must attest to management’s assertions, and penalties for falsifying information are stiff – up to 20 years in jail, not to mention ruined careers and negative publicity with its impact on shareholder value.
How can all of this be accomplished in an organization with several divisions spread across many locations, and with multiple enterprise resource planning (ERP) applications or Excel spreadsheets for each?
Processes And Systems
While regulatory compliance may be the external driver behind documenting and reporting on internal controls, compliance is not, and should not be, the only reason to do so. Documenting and reporting on financial processes is mere compliance for the sake of compliance.
Yet, savvy companies will view this requirement as an additional opportunity to gain a competitive advantage. They will be able to attest to the effectiveness of their internal controls with confidence that they have addressed the business processes and systems behind the controls.
For example, is the ERP system decentralized enough to allow someone to create a one-time vendor, approve an invoice and cut a check without oversight? Or are unauthorized users accessing sensitive data, demonstrating that appropriate controls are not in place and contradicting the CEO’s certification of proper administration?
Appropriately addressing these and similar types of issues requires documentation of processes from the ground up. Companies might be surprised to find that there is unnecessary duplication of efforts, such as having several levels of approval for simple expenditures, or there might be gaps in procedures that must be corrected. In either case, at the end of the documentation effort companies will know what their processes are, but must then test them to fulfill compliance requirements.
However, documentation of processes and the associated internal controls is not the end point. What happens if the documented process works fine in the test tube, but fails when applied under the pressure of deadlines, personnel constraints and other factors of everyday events? Businesses need to test processes and controls, and must do so on a continuous basis because these will change as staff come and go, as subsidiaries are acquired or sold, and as the business evolves. Process review and adjustment, and the continuous testing and monitoring of the new methods and controls are no less important than a periodic review of the corporate strategy.
Cost Or Investment?
Industry analyst firm AMR Research says that this year alone, companies will spend more than $5.5 billion on people and tools to ensure compliance with SOX. While the costs will peak in the near term and then level off as compliance becomes systematic, it is still a large expenditure of resources to absorb even in the best of economic times. That’s why the approach to compliance has to become automated, and the end result has to deliver not only continuous compliance, but also real long-term value to the business.
A certain amount of compliance costs will go toward auditors, insurance for board members and officers, time spent on process evaluation, documentation and other such needs. But ERP systems, with accounting, supply chain, inventory and database applications, are a major repository of processes within organizations, so technology is a notable expenditure. Any software program purchased to assist with compliance must handle the basics of making disparate financial operations, revenue recognition, and process management more transparent.
While some ERP systems have some capability to assist with some of the documentation effort, they lack the ability to continuously monitor changing conditions and proactively send alerts when there is a problem. The ability to look deep into the ERP system helps to keep individuals’ responsibilities segregated, restricts access when needed to decrease the potential for unscrupulous activities, and enables a smoother compliance effort because the continuous testing of sound processes is readily accomplished.
Start Yesterday
The November 15 deadline for most companies is right around the corner, and many will struggle – and fail – if they have not already begun to identify processes, document these processes, test and remediate the internal controls, and engage internal and external auditors to certify that everything is in order.
To be certain, SOX is causing pain in terms of redirected staff time and budgets. However, for businesses that desire to simply get a minimum, “passing” grade, the effort to maintain compliance in 2005 and beyond will become more costly, more manual and more cumbersome. Companies that choose to automate the testing process, prevent new issues from creeping into their systems and continuously monitor their controls will generate significant business efficiency and improve their own business cost structure. Instead of mere compliance, they will find it a true source of competitive advantage. So move beyond mere compliance. You’ll spend less time on meeting SOX requirements, and more time improving your business.
The views expressed are those of the author and not necessarily of the Association For Financial Professionals.
Prashanth V. Boccasam (PV) is CEO of Approva (www.approva.net), a leader in enterprise controls management software for ERP business processes in Vienna, Va. Before founding Approva, PV was co-founder and president of Entevo, Corp., which was sold to a NASDAQ-listed company for $125 million in January 2000. Prior to Entevo, PV spent several years developing and managing projects at Microsoft's Systems Division, and later in its Worldwide Consulting Groups (MCS). PV holds BS and MS degrees in Computer Science from the University of Pune (India) and the University of Cincinnati, and is a graduate of the Executive Management Program at MIT Sloan School.
Copyright © 2004 Association for Financial Professionals. All Rights Reserved.