www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
25 July 2005  

Vendor Accent

Benefits of Sarbanes-Oxley compliance

While many see the Sarbanes-Oxley Act of 2002 as an administrative and compliance exercise, MetricStream encourages companies to use the regulation to improve business processes, says Gunjan Sinha

Forward-thinking companies are leveraging the Sarbanes-Oxley 404 compliance requirements to define a higher standard in financial reporting and ensure that their companies deliver on these key value drivers—creating greater shareholder confidence through a superior financial-reporting process; institutionalising internal audit and controls throughout the corporation, both at the financial level and operational level; creating an environment where SOX programme offices, internal audit organisations, external auditors, operating business units and corporate boards can collaborate to identify, report and manage key business and financial risks; and delivering superior risk-adjusted return on shareholder equity.

Let us discuss the main value drivers of Sarbanes-Oxley in detail.

A superior financial reporting process

The spirit of SOX 404 is to create a company-wide culture and process to enhance the quality of financial reporting. For example, earlier, companies reported on the basis of certifications from regional business heads on the accuracies of their P&L. Now the certifications need to cascade through to the entities involved in the entire financial management process. This fundamentally requires more global collaboration and oversight from the board, executive committees, auditors, business unit heads and line organisations throughout the global organisation.

Best practices

SOX 404 requires buy-in from the board of directors and the senior executives. It also requires effective collaboration between line and business units across the extended organisation which contribute their key performance indicators, financial performance, material adverse events, known deficiencies and control to help prepare the SOX-compliant annual and quarterly financial reports.

Ensure that the financial reporting processes and policies have quality-control oversight at all times. The financial reporting process has to be run with the same discipline as an error-free manufacturing operation, where the operation managers have control of and visibility into their operations all along the assembly line.

Ensure that the quality functions for financial reporting run independent of the operational units. Most companies are creating new job titles such as risk officers and SOX programme offices with significant internal audit resource staff to realise the inherent quality control of the financial reporting process.

Do not expect users to run applications for enhancing your financial reporting and management functions. It is critical that compliance programmes operate within the framework of how people work, as opposed to asking them to take extra steps to ensure compliance. Many early adopters of software-based solutions for SOX have been burnt by shelfware which never replaced the flood of spreadsheets and e-mail to manage the financial reporting process quarter after quarter. We advocate e-mail-based collaborative processes to ensure that all internal and external parties effectively collaborate across the enterprise without requiring fundamental changes in how individuals work across the globe.

Create a real-time financial dashboard and visibility infrastructure to ensure that all parties in the financial reporting chain are able to view the appropriate metrics, performance indicators, business exceptions, risks and material adverse events in real-time. Without access to this critical information, managers are prone to make errors in financial reporting.

Institutionalise internal and external audits

Internal and external audits are still viewed as once-a-year or once-a-quarter events, a necessary ‘evil’ to ensure compliance with the SEC (in the US). Many companies realise that the audit functions can, if developed properly, result in significant improvements in corporate risk management. Early visibility into key financial and corporate risks most often means a lower cost of overall risk management. Practitioners of Six Sigma and quality management have always propagated the well-studied quality principle that errors found earlier in the process lifecycle can be re-mediated at significantly lower costs than the ones found later in the lifecycle. The same applies to corporate risks—the sooner we identify material deficiencies in the internal controls, the lower the cost of re-mediation.

Best practices

Think quality assurance: The management should create more objectivity in the testing process of effective internal controls, i.e. the organisation performing the control testing should be different from the one which is actually performing the control. Self-assessments, which are meaningful audit vehicles, do not provide sufficient evidence of compliance and hence, in most cases, do not adhere to the standards of external auditors.

Make sure that the internal control testing plans are discussed and communicated with the external auditors. Many SOX compliance managers are surprised to find that their external auditors do not have the same risk-scoring on certain controls as viewed internally. It is best to discuss and collaborate proactively with external auditors ahead of time.

How you structure your testing plans is critical to the success of your internal audit functions. One of the best practices we have seen in the industry is using a sample set of transactions that can naturally test multiple controls in one go. For instance, by inspecting and testing a set of sales contracts, one can test for controls on pricing, approval and sales authorisations, as well as revenue recognition controls.

Timing of testing: Well-designed internal-control testing spreads the manual and automated tests throughout the year. These internal audit-control tests are not year-end or quarter-end activities, but are well-planned processes where all parties collaborate to test the effectiveness of controls. Good collaborative tools and frameworks come in handy in making these a reality.

No internal audit function is a success without real-time monitoring. As obvious as it may sound, most companies are unable to monitor their controls on an as-needed basis. Upfront investments to ensure the continuous monitoring of key control activities, evidence of testing, and reporting of key exceptions become critical to the success of an internal audit.

A well-designed internal audit function finally ties back to updating all relevant process documentation and standard operating procedures if material or non-material deficiencies in the internal controls are discovered. Generally, a good rule of thumb is to retain the documents of management assessments, control re-mediation and evidence of control testing for up to seven years.

Collaborative risk management

There is no prescribed methodology for best managing your internal control deficiencies and re-mediation. However, in a large company, one may aggregate thousands of internal control deficiencies of varying severity and magnitude. The key issue that practitioners of compliance need to deal with is to summarise and assess the risks associated with the deficiencies. Strong collaboration is required across different groups to understand the patterns of deficiencies and put proactive remedies in place.

Best practices

It is best to use a corporate-wide tool to aggregate all the deficiencies, corrective action plans and re-mediation across the extended enterprise, and have a collaborative as well as analytic view to the data. Areas of significant material risks may emerge as one aggregates the control deficiencies; certain business units may require deeper examination based on control-deficiency trends.

Tightly-integrated employee training programmes often go a long way in re-mediating known material weaknesses. Evidence of training also creates a document of control re-mediation for the regulators.

Your SOX system must enable you to adjust your risk scoring of key deficiencies in collaboration with your external auditors. Early buy-in from the external auditors might serve well when it comes to showing evidence of internal controls.

Greater risk-adjusted return on equity

Although the most difficult to prove or disprove, logical arguments suggest that as one lowers the overall risk and variance in key business and financial processes, it creates more predictable process outcomes. Processes with high variability are inherently riskier and less repeatable for consistent performance. For a financial manager chartered to deliver greater return on equity, it is critical to reduce the cost of risk management. As companies create comparative business process advantages, they are inherently better situated to manage risks at lower costs, thereby delivering greater risk-adjusted returns on equity.

Best practices

Early discovery of process risks is critical. SOX compliance presents an opportunity to create a company-wide system to better visualise and manage corporate and process risks. This implicitly results in lower management costs in re-mediating these risks. For example, companies that are gaining better visibility into their price-discounting policies through internal controls are able to re-mediate the process through effective sales-force training, whereas companies which discover uncontrolled price discounting in their sales channels at the end of their fiscal year are left with significant earnings and revenue mis-statement risks.

SOX 404, coupled with the proposed SOX 409, forces companies to pay attention to material adverse events in their operations and not just in their accounting and financial controls. One of the benefits, if leveraged properly, is to tie operational quality and compliance initiatives with the SOX 404 efforts, ensuring that all known material adverse events from the factory, logistics departments and retail operations are reported to the SOX 404 programme office in near real-time, thus enabling a rapid management response to re-mediate the business problems. For instance, a large pharmaceutical company, which is able to spot significant FDA non-compliance risks, can proactively protect its blockbuster drug from being banned from the market, thus delivering superior financial returns to its shareholders.

The author is Chairman, MetricStream Inc

 


© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.