As I write this, the Christmas tree is still twinkling in my living room, the children are still playing with their new toys, and there's still leftover food in the fridge and cake in the tin. Christmas excess lingers on but already I'm starting to think ahead to leaner, harder months to come, when I can stop spending so much money and repair the damage done. By coincidence that's exactly where we are with Sarbanes-Oxley compliance.
When the Sarbanes-Oxley Act of 2002 (SOx) and related rules and requirements first appeared, we moaned and groaned at the expense and the inconvenience, but in the end the audit firms got what they wanted. Companies were sucked into something that was not a controls improvement exercise, but a massive audit. They spent money on things they didn't need and put on weight.
Rediscover Your Dissatisfaction
If you've been involved with a SOx compliance program, you probably feel some pride in it. It was tough, but now you've done it, or at least have things on track. You see benefits that go beyond mere compliance.
But is that enough for satisfaction? Weren't there things you would have cut if you could? Things that have been tough to defend? If you had set out to improve control and risk management in your company without the constraints, would this be the way to do it?
You may be thinking of extending your achievements to more types of risk, but does it make sense to do it exactly the same way as financial reporting, under the constraints imposed by the Securities and Exchange Commission (SEC), the Public Company Accounting Oversight Board (PCAOB), and your external auditors?
If you went back over your original concerns, reviewed what you have learned so far, and thought creatively about how to improve the impact and cost of the SOx program after year 1, would you come up with much?
This article will help you get your mind out of the SOx box and reveal some potentially high impact changes that may well be applicable in your company.
Where and How Can We Cut Costs?
Here are some of the likely methods of saving work. Consider where you can use each.
- Adjust controls testing to risk, in detail. Everyone selects business units and cycles on the basis of materiality and perhaps other risk factors. However, risk can be used to fine-tune work in much more detail, increasing the amount of work in some places, decreasing it in others, and cutting cost overall. In particular, it involves adjusting the amount of work to the amount of change.
- Remove unnecessary detail. Even if you can only shave a few percent of the details from your documentation it will help. In many cases, it may be possible to do much more than that. At least some of the people who have been writing documentation will have written far too much, creating a maintenance problem for you.
- Shift reliance toward health metrics and inherent risk information. You can take away even more detailed controls and tests if you replace them with other evidence. The controls around large scale business/financial processes can be adjusted to generate super-efficient evidence in the form of statistics on error rates, backlogs, and inherent risk factors. Health stats are direct indicators of controls effectiveness that make your evaluation stronger and cheaper.
- Remove control weaknesses. Control weaknesses gobble resources. They attract the attention of external auditors, who then want more work. More senior people get involved. Conversations become longer and repeated. Before you know it, your costs have exploded. Remove those weaknesses if you can, and implement a process that adjusts controls in time to meet new challenges so that new weaknesses do not arise.
- If it's really a problem, reformat documentation. Reformatting documentation is unlikely to be a popular idea, but there are some formats that are just too hard to maintain. Reformatting could be the logical choice if any of the following apply: (1) control descriptions have been duplicated to show they apply to more than one risk; (2) linkages are too hard for most people to understand; or (3) controls can't be displayed in meaningful groups, based on the type of control, owner, etc.
What Will Happen If We Don't Do Anything Different?
Suppose you stop thinking about your SOx program and just let nature take its course. What might happen?
More than likely the dedicated resources and budget for it will be slashed for year 2 and beyond. Even the most sincerely committed business leaders will be expecting big reductions now that the documentation is in place. Most will feel they've done enough and the danger is over.
Despite this, costs that have been hidden during year 1 or that are hidden away in the transition to year 2 will tend to remain. (We'll consider this in more detail later.)
Fortunately, the amount of evidence needed from testing will fall quickly as evidence accumulates over time. This will happen to some extent regardless of whether it is sanctioned by regulators.
Unfortunately, there's a big risk that documentation will quietly slip out of date as the business and its systems change. Do you have a rock solid process, applied everywhere, that proactively identifies the need for changes to controls, plans and carries them out, and updates all documentation and evidence gathering processes? Probably not.
The rules will probably be changed, perhaps to your advantage, but it will be difficult to take advantage of the changes. Weaknesses in your program will probably remain due to lack of resources and political will to sort them out.
What Should We Do about the Remaining SOx Program Weaknesses?
Do you think people in your business have an unrealistic view of how much the SOx program has achieved? Do they recognize it is limited to the risk of the accounts being wrong and does not cover all aspects of "financial control"? Do they assume everything has been done in a standard way, and the program proves controls are effective?
These views will hasten cuts for year 2 compliance, despite weaknesses remaining that are more serious than most people realize. In reality, the weaknesses are likely to be so serious that further action is essential, yet it will have to be done with fewer resources. Consider the following points.
- Itemizing accounting controls does little to counter the risk of controls being overridden by very senior people—precisely the behavior that led to the Sarbanes-Oxley Act in the first place.
- The PCAOB's method of evaluating controls effectiveness does not directly look at effectiveness. It is possible for the design to look sound, and for all controls to be operating as intended, yet to still have ineffective controls. You only need one or two odd-but-frequent error types that dodge the controls, and you have a big problem.
- Businesses and their systems change all the time. Many of these changes require changes to controls. Few companies have an organized, methodical approach to this.
On top of these generic problems, you may be aware of several specific to your program.
If We Lose Most of Our Core Team, Isn't That the Same as Cutting SOx Costs?
Cutting people out of roles dedicated to SOx and described as such is the obvious way to show that costs have been cut, but there will probably be other costs that have been hidden or are, at this moment, going into hiding.
It is hard to cut costs unless you're honest about what the costs currently are. When people are given the job of carrying through an urgent compliance exercise, they often use a set of behaviors designed to get things done regardless. Can you confidently say that none of the following has happened in your company?
- Initial cost/time estimates that proved to be optimistic still influence the perceived costs of the program.
- Paper and online surveys are distributed to many people, either with no attention to the time needed to respond, or with an unrealistic estimate of the time needed.
- Software tools (e.g., an Intranet website) are developed and rolled out, leading to more time spent by perhaps thousands of people going through installation/log-in procedures, dealing with the resulting technical problems, and generally fiddling.
- People are told that documenting procedures and controls is part of their job and something they should be doing already. It's one way to deny that extra work has been created.
- Documentation and testing work is gradually shifted out of the SOx core team and spread throughout the company. One company already says it has "embedded monitors" in place, i.e., people who test controls (probably part time) but don't live in the SOx team. It will be hard to keep track of the work demands of compliance once it has moved out of the core team.
- Claims are made that automation has radically reduced the workload of compliance. In reality, creating databases for this kind of work has a dramatic time saving effect only for certain central reporting processes, but may even increase the workload everywhere else as the amount of data required to be captured and entered gradually creeps up.
Optimistic estimates, denial of costs, and blind faith in databases are part of our corporate culture. The legacy for your company is likely to be a lot of people doing compliance work that is no longer visible or accounted for.
How Much Flexibility Do We Really Have?
At last, some good news. The regulations are so high level that companies have a great deal of flexibility in how they comply. There are no specific control requirements, and effectiveness can be achieved in an infinite number of ways. (Technically, you don't even need effective controls; you just have to report how effective they are.)
Crucially, the key PCAOB document on how to evaluate controls effectiveness does not say you must document all your important controls and test them. It says your evidence should include some controls documentation and testing. The document says a lot about how to do that, but leaves flexibility to reduce reliance on detailed controls work if there is other evidence.
How Can We Make Our External Auditors Happy with Our Changes?
"We've got to make sure the auditors are happy," is one of the thoughts that contributed to our current situation. Countless companies have tried to get their external auditors to say what work they want done, and usually have been disappointed and frustrated by the result. The auditors aren't very clear about what they want, but it sounds like a lot.
Until we lose our fear of the external auditor, it is difficult to think freely about alternative compliance approaches, so let's take a moment to understand the external auditor's main problem. It is simply that the amount of work the auditor would like done depends on the results of that work. Sophisticated audit firms like PricewaterhouseCoopers prefer to audit incrementally, increasing work where the initial results indicate it, and stopping as soon as their worries are dealt with.
When a company asks its auditors what work they want done for SOx compliance, the auditors have a problem. If they say an amount that seems reasonable "on average," there is a risk that poor results might create a situation where there is too little time for the extra work needed for a safe opinion. The obvious alternatives are to stay vague or to ask for more than they will probably need.
Don't force your external auditors to ask for lots of work. Do a bit of what you have in mind, in good time, and show the auditors what the results look like. Make sure the auditors understand you plan to adapt work to the results, increasing it where there are problems.
Companies can and should rethink their approach to year 2 SOx and look to radically cutting down the work involved, while still removing weaknesses. There is plenty of room for improvement.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.