Create a Controls-Friendly Culture From the Top
Goal: Lay the groundwork for a smooth audit process.
Ownership of Sarbox compliance should rest with managers who have access to financial controls and the clout to do something about them. “Although internal auditors make recommendations to management, they are not the ones who put policies and processes into place,” says Dominique Vincenti, chief advocacy officer for the Institute of Internal Auditors, a professional trade group.
It’s also cheaper and easier if managers build controls into their day-to-day activities. For example, instituting a regular policy of changing the passwords to financial systems generally costs less than tracing hundreds of possibly unauthorized accesses after a breach. “Top management should make it completely clear that attention to financial controls is a key element of each group’s operational mandate,” says J.R. Reagan, vice president and managing director of Global Risk Compliance at BearingPoint. Corporate mission statements, organizational mandates, and individual managers’ goals should all make financial controls an absolute requirement. Performance metrics for operational managers should include how well they implement any changes that internal auditors suggest. These steps also protect the reputation of your executives. “If it’s clear that a company truly values financial controls, the external auditors will be far less likely to call your corporate governance into question,” says Sanjay Narain, a principal with Ernst & Young.
The Legalese
The Sarbox Lexicon
Sarbox: The Sarbanes-Oxley Act of 2002, formerly known as the Public Company Accounting Reform and Investor Protection Act. It created a policing oversight board and banned auditors from doing other kinds of business with clients, such as IT consulting. Sarbox mandated that CEOs and CFOs certify and sign quarterly and annual SEC filings, and it required detailed reporting of stock and off-balance-sheet transactions. The law also imposed stricter internal auditing controls and harsher criminal penalties for fraud.
AICPA: American Institute of Certified Public Accountants. The largest professional organization of CPAs in the United States.
PCAOB: The Public Company Accounting Oversight Board. Created by Sarbox, it registers auditors, defines compliance, and polices conduct.
Section 404: The Sarbox regulation that requires management and external auditors to report on the adequacy of a company’s internal controls over its financial reporting. Implementing this can double audit expenses for small to medium-sized firms.
Standard 2: The original guidance from the SEC about how external auditors should approach Section 404. This standard suggested a detailed checklist approach for auditing every financial account, regardless of its relative importance to the overall business.
Standard 5: The new SEC guidance, announced in July 2007, about how external auditors should approach Section 404. It narrows the focus of external audits to high-risk areas of a business and broadly applies to all public companies, although small-cap companies (firms with $75 million or less in market capitalization) generally face less Sarbox scrutiny.
Evaluate Your Business and Focus on Areas of High Risk
GOAL: Reduce the cost of setting up controls.
A risk evaluation of a company’s operation determines which accounts deserve serious auditing attention and which do not. After reviewing operations with the company’s internal auditor, management can implement the level of control appropriate for each area of the business.
For example, a VP of manufacturing might do a risk assessment and determine that accounts receivable for raw materials is high risk (because of the high dollar value), the online ordering system for office supplies is medium risk (because everyone has access to it), and in-plant inventory is low risk (because products are shipped within an hour of being manufactured).
In this case, the VP and the internal auditors would determine which controls are adequate and which need further work. Changes might be required to the company’s product data management software, for example, in order to ensure that payments for raw materials exactly match shipments.
Technically Speaking
Software to the Rescue?
Software plays a key role in every aspect of Sarbox compliance. Unfortunately, few (if any) companies have the kind of completely integrated computer system that makes it possible to automate the audit. A recent IDC survey of 685 companies revealed that 92 percent use offline data to calculate quarterly revenue reports, which requires manual check by the finance staff.
A number of software vendors — such as Cokato, Minnesota-based Paisley — have emerged with solutions that patch Sarbox-compliant controls into existing software. But such programs can’t do much more than create a framework that helps users understand what controls need to be added, according to Tom Eid, vice president of software applications at the Gartner Group. “You can’t buy compliance off the shelf,” he says. “It’s not something that can be shrink-wrapped.”
Select the Right External Auditor
GOAL: Find the best fit for your company, and reduce the cost of external auditing.
If your company has executed the first two steps, the actual external audit should go smoothly — provided you hire an external auditor with the right attitude.
Two types of auditors are dangerous: the one that is motivated — implicitly or explicitly — with running up his or her fees, and the auditor with a “gotcha” personality that revels in finding an error your internal guys missed. Avoid these negative types by getting a recommendation from a peer or colleague you trust. “You want auditors who think of themselves as partners in ensuring accurate, compliant financial statements rather than policemen looking only for rules violations,” says Toby Lucich of insidesarbanesoxley.com, an online clearinghouse on Sarbox issues.
Remember that the auditor is taking a risk by agreeing to audit your firm. The mighty Arthur Andersen fell as a direct result of Enron, and CPA firms have not forgotten about the inherit risks associated with their work. Get your CPA on board and keep him or her working for you by involving operational managers in every step of the audit process. “External auditors look for confidence and competence in the companies that they audit,” says Thomas Connors, a partner at auditing firm Deloitte Touche Tohmatsu. “A top-down approach, with management committed to making sure the audit goes smoothly, is the best way to make sure that companies get the most value from the process.”
Checklist
External Auditor Quick-Pick Checklist
We asked Daniel Schroeder, officer of Technology Risk Services at auditing firm Amper, Politziner and Mattia, what to look for in an external auditor. Here are his five must haves:
Qualification. Are they registered with the PCAOB? Don’t laugh. The SEC recently charged 69 accounting firms with violations of this requirement, essentially invalidating their client’s audits.
Experience. Have they conducted comparable audits in your industry, with companies about your size, in the past? Choose a team right for you over a big-name CPA firm.
Track Record. Were those audits cost effective for the client? Get on the phone and check references.
Knowledge. Do they understand your business and industry?
Pragmatism. Can they look at risks realistically and in context? Do they have the maturity to make judgment calls about when to dig deep and when to shrug and move on?
Eliminate Redundancies and Streamline the Audit Process
GOAL: Reduce the ongoing cost of compliance while creating a competitive advantage.
“It’s not at all uncommon for companies to discover that, in response to previous government mandates, they’ve put multiple controls in place that overlap or reproduce the same effect,” says BearingPoint’s Reagan. “Eliminating such controls not only costs less operationally but makes a company easier to audit, because the auditor doesn’t need to check extra controls.”
Management’s focus on risk areas also allows a company to reexamine its financial strategy to make it more efficient. For example, a retail manufacturer might determine that the bulk of the financial risk comes from its factory outlet, which provides a clearinghouse function that could be outsourced. It might make sense in this case to close the outlet, eliminating both the risk and the need to audit that risk.
The goal of Sarbox should be to create a company that runs better, not just a company that complies with regulations, says Deloitte’s Connors. “This is the first time that the government has ever mandated that companies take the entire idea of quality control seriously,” he says. “Ultimately, achieving Sarbanes compliance should be viewed as similar to achieving Six Sigma or TQM — an effort that is as useful and positive for the company as it is for the investors.”
Nitty Gritty
How Much Will It Cost?
The average fee paid to external auditors since the introduction of Sarbox:
| 2001 | 2005 | Increase | |
|---|---|---|---|
| S&P Small-Cap | $342,000 | $1,342,000 | 292% |
| S&P Mid-Cap | $650,000 | $2,240,000 | 245% |
| S&P 500 | $3,200,000 | $8,400,000 | 163% |
Source: “The Cost of Being Public in the Era of Sarbanes-Oxley,” Foley & Lardner LLP, a business law firm
