How To Cut Sarbanes-Oxley Compliance Costs
January 2005
As I write this, the Christmas tree is still
twinkling in my living room, the children are still playing with their new toys,
and there's still leftover food in the fridge and cake in the tin. Christmas
excess lingers on but already I'm starting to think ahead to leaner, harder
months to come, when I can stop spending so much money and repair the damage
done. By coincidence that's exactly where we are with Sarbanes-Oxley compliance.
by Matthew Leitch
When the Sarbanes-Oxley Act of 2002 (SOx) and related rules and requirements
first appeared, we moaned and groaned at the expense and the inconvenience,
but in the end the audit firms got what they wanted. Companies were sucked into
something that was not a controls improvement exercise, but a massive audit.
They spent money on things they didn't need and put on weight.
Rediscover Your Dissatisfaction
If you've been involved with a SOx compliance program, you probably feel
some pride in it. It was tough, but now you've done it, or at least have things
on track. You see benefits that go beyond mere compliance.
But is that enough for satisfaction? Weren't there things you would have
cut if you could? Things that have been tough to defend? If you had set out
to improve control and risk management in your company without the constraints,
would this be the way to do it?
You may be thinking of extending your achievements to more types of risk,
but does it make sense to do it exactly the same way as financial reporting, under the constraints imposed by the Securities
and Exchange Commission (SEC), the Public Company Accounting Oversight Board
(PCAOB), and your external auditors?
If you went back over your original concerns, reviewed what you have learned
so far, and thought creatively about how to improve the impact and cost of the
SOx program after year 1, would you come up with much?
This article will help you get your mind out of the SOx box and reveal some
potentially high impact changes that may well be applicable in your company.
Where and How Can We Cut Costs?
Here are some of the likely methods of saving work. Consider where you can
use each.
- Adjust controls testing to risk, in detail. Everyone selects business units and cycles on the basis of materiality and
perhaps other risk factors. However, risk can be used to fine-tune work
in much more detail, increasing the amount of work in some places, decreasing
it in others, and cutting cost overall. In particular, it involves adjusting
the amount of work to the amount of change: a process or system that has not
changed since it was last tested needs less evidence than one that has.
- Remove unnecessary detail. Even if
you can only shave a few percent of the details from your documentation
it will help. In many cases, it may be possible to do much more than that.
At least some of the people who have been writing documentation will have
written far too much, creating a maintenance problem for you.
- Shift reliance toward health metrics and inherent
risk information. You can take away even more detailed controls and
tests if you replace them with other evidence. The controls around large
scale business/financial processes can be adjusted to generate super-efficient
evidence in the form of statistics on error rates, backlogs, and inherent
risk factors. Health stats are direct indicators of controls effectiveness
that make your evaluation stronger and cheaper.
- Remove control weaknesses. Control
weaknesses gobble resources. They attract the attention of external auditors,
who then want more work. More senior people get involved. Conversations
become longer and repeated. Before you know it, your costs have exploded.
Remove those weaknesses if you can, and implement a process that adjusts
controls in time to meet new challenges so that new weaknesses do not arise.
- If it's really a problem, reformat documentation. Reformatting documentation is unlikely to be a popular idea, but there are
some formats that are just too hard to maintain. If any of the following
apply, then reformatting could be the logical choice: (1) control descriptions
have been duplicated to show they apply to more than one risk; (2) linkages
are too hard for most people to understand; or (3) controls can't be displayed
in meaningful groups, based on the type of control, owner, etc.
What Will Happen If We Don't Do Anything Different?
Suppose you stop thinking about your SOx program and just let nature take
its course. What might happen?
More than likely the dedicated resources and budget for it will be slashed
for year 2 and beyond. Even the most sincerely committed business leaders will
be expecting big reductions now that the documentation is in place. Most will
feel they've done enough and the danger is over.
Despite this, costs that have been hidden during year 1 or that are hidden
away in the transition to year 2 will tend to remain. (We'll consider this in
more detail later.)
Fortunately, the amount of new testing evidence needed will fall quickly as
evidence accumulates over time. This will happen to some extent regardless of
whether it is sanctioned by regulators.
Unfortunately, there's a big risk that documentation will quietly slip out
of date as the business and its systems change. Do you have a rock solid process,
applied everywhere, that proactively identifies the need for changes to controls,
plans and carries them out, and updates all documentation and evidence gathering
processes? Probably not.
The rules will probably be changed, perhaps to your advantage, but it will
be difficult to take advantage of the changes. Weaknesses in your program will
probably remain due to lack of resources and political will to sort them out.
What Should We Do about the Remaining SOx Program Weaknesses?
Do you think people in your business have an unrealistic view of how much
the SOx program has achieved? Do they recognize it is limited to the risk of
the accounts being wrong and does not cover all aspects of "financial control"?
Do they assume everything has been done in a standard way, and the program proves
controls are effective?
These views will hasten cuts for year 2 compliance, despite weaknesses remaining
that are more serious than most people realize. In reality, the weaknesses are
likely to be so serious that further action is essential, yet it will have to
be done with fewer resources. Consider the following points.
- Itemizing accounting controls does little to counter the risk of controls
being overridden by very senior people—precisely the behavior that led to
the Sarbanes-Oxley Act in the first place.
- The PCAOB's method of evaluating controls effectiveness does not directly
look at effectiveness. It is possible for the design to look sound, and
for all controls to be operating as intended, yet to still have ineffective
controls. You only need one or two odd-but-frequent error types that dodge
the controls, and you have a big problem.
- Businesses and their systems change all the time. Many of these changes
require changes to controls. Few companies have an organized, methodical
approach to this.
On top of these generic problems, you may be aware of several specific to
your program.
If We Lose Most of Our Core Team, Isn't That the Same as Cutting SOx Costs?
Cutting people out of roles dedicated to SOx and described as such is the
obvious way to show that costs have been cut, but there will probably be other
costs that have been hidden or are, at this moment, going into hiding.
It is hard to cut costs unless you're honest about what the costs currently
are. When people are given the job of carrying through an urgent compliance
exercise, they often use a set of behaviors designed to get things done regardless.
Can you confidently say that none of the following has happened in your company?
- Initial cost/time estimates that proved to be optimistic still influence
the perceived costs of the program.
- Paper and online surveys are distributed to many people, either with
no attention to the time needed to respond, or with an unrealistic estimate
of the time needed.
- Software tools (e.g., an Intranet Web site) are developed and rolled
out, leading to more time spent by perhaps thousands of people going through
installation/log-in procedures, dealing with the resulting technical problems,
and generally fiddling.
- People are told that documenting procedures and controls is part of their
job and something they should be doing already. It's one way to deny that
extra work has been created.
- Documentation and testing work is gradually shifted out of the SOx core
team and spread throughout the company. One company already says it has
"embedded monitors" in place, i.e., people who test controls (probably part
time) but don't live in the SOx team. It will be hard to keep track of the
work demands of compliance once it has moved out of the core team.
- Claims are made that automation has radically reduced the workload of
compliance. In reality, creating databases for this kind of work has a dramatic
time saving effect only for certain central reporting processes, but may
even increase the workload everywhere else as the amount of data required
to be captured and entered gradually creeps up.
Optimistic estimates, denial of costs, and blind faith in databases are part
of our corporate culture. The legacy for your company is likely to be a lot
of people doing compliance work that is no longer visible or accounted for.
How Much Flexibility Do We Really Have?
At last, some good news. The regulations are so high level that companies
have a great deal of flexibility in how they comply. There are no specific control
requirements, and effectiveness can be achieved in an infinite number of ways.
(Technically, you don't even need effective controls; you just have to report
how effective they are.)
Crucially, the key PCAOB document on how to evaluate controls effectiveness
does not say you must document all your important controls and test them. It
says your evidence should include some controls documentation and testing. The
document says a lot about how to do that, but leaves flexibility to reduce reliance
on detailed controls work if there is other evidence.
How Can We Make Our External Auditors Happy with Our Changes?
"We've got to make sure the auditors are happy," is one of the thoughts that
contributed to our current situation. Countless companies have tried to get
their external auditors to say what work they want done, and usually have been
disappointed and frustrated by the result. The auditors aren't very clear about
what they want, but it sounds like a lot.
Until we lose our fear of the external auditor, it is difficult to think
freely about alternative compliance approaches, so let's take a moment to understand
the external auditor's main problem. It is simply that the amount of work the
auditor would like done depends on the results of that work. Sophisticated audit
firms like PricewaterhouseCoopers prefer to audit incrementally, increasing
work where the initial results indicate it, and stopping as soon as their worries
are dealt with.
When a company asks its auditors what work they want done for SOx compliance,
the auditors have a problem. If they say an amount that seems reasonable "on
average," there is a risk that poor results might create a situation where there
is too little time for the extra work needed for a safe opinion. The obvious
alternatives are to stay vague or to ask for more than they will probably need.
Don't force your external auditors to ask for lots of work. Do a bit of what
you have in mind, in good time, and show the auditors what the results look
like. Make sure the auditors understand you plan to adapt work to the results,
increasing it where there are problems.
Conclusion
Companies can and should rethink their approach to year 2 SOx and look to
radically cutting down the work involved, while still removing weaknesses. There
is plenty of room for improvement.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.