Sarbanes-Oxley (Sox 404), COSO 2013, and the Trend in Risk Management
By: Peter Welch
Even though Sox 404 has applied to large public companies since 2002, it is still not fully and operationally embedded within all 'small entities' today (and not necessarily within the larger public organizations either, as it ought to be after six years). Last year, 2007, witnessed many important developments in this area, and by all accounts Sox 404 is still a work in progress. Despite Sarbanes-Oxley, the SEC continues to process numerous embezzlement and fraud cases, with prison time being the outcome.
Back in the early 1990s, when 'quality' came to be seen as applicable beyond manufacturing and service organizations began embracing its concepts, it only became embedded (functional and valuable) as it is today once management incorporated 'quality' into strategic initiatives and mission statements. Sox 404 and internal control management need to follow that same path without repeating the same mistakes or incurring unnecessary costs. You must ask the right questions and determine what it takes to get there.
In 2007, the PCAOB issued Auditing Standard (AS) 5, replacing AS2, which had caused a great deal of 'confusion' and overzealousness in its application. In October 2007, the PCAOB released its Guidance for Auditors of Smaller Public Companies; three months prior, the SEC had published an interpretive release (33-8810), effective June 27, 2007, to guide management in its evaluation and assessment of internal controls over financial reporting. Additionally, Sox 404 will extend into the non-profit sector, and even very small companies ought to seriously consider implementing it voluntarily to gain a competitive edge in negotiations with vendors, banks, lenders and potential partners.
It is critically important that Sox 404 becomes embedded within the corporate culture, from the top down, effectively as a control mindset within each employee. This change in attitude can only be achieved through training and by incorporating 'compliance' into performance incentives and employee evaluations. For small (micro) entities (SMEs), this can create both cultural and political difficulties, as management resists and views such controls as adding cost but not value. While this may well be true within a very limited group (e.g. family-owned businesses), applied to the entire population of small and medium-sized organizations and SMEs it is a misplaced perception.
Evidence shows that management themselves may be dishonest and committing fraud, and that employees with sufficient access can either keep transactions 'off the books' or create fictitious transactions where internal controls are poor or inadequate. The discovery of such acts could potentially destroy a business's reputation and seriously damage key relationships with customers, vendors and financial institutions, especially with respect to raising capital and demonstrating the ability to comply with debt covenants. Management would then have to re-establish that they are in control and can be trusted, a far from simple task in a very competitive and unforgiving world.
Also, any private company planning an IPO (going public) needs to embrace the "Sox/control culture" at least a year ahead of the planned 'road show'. Today the trend is towards packaging all compliance efforts into a single, targeted objective to manage all perceived risks; hence the recent release of COSO 2013, a new framework covering many facets of governance and risk management and much broader in scope than its predecessor, COSO 2002.
“FGRC integrates three areas that have become critical factors for leading CFO teams around the globe: governance, the set of accountabilities and alignment of responsibilities in an organization; risk, including ERM (Enterprise Risk Management); and compliance, the system of internal controls to satisfy regulatory, industry and organizational requirements. IMA’s FGRC research practice is focused on broadening its advocacy initiatives and educating management accountants and organizations about producing right, reliable and relevant financial information for an organization’s stakeholders using risk, performance and quality assessment techniques across the supply chain.”
In addition to viewing Sox as part of a comprehensive approach to managing risk and compliance efforts, Sox 404 compliance will also impact the adoption of IFRS (International Financial Reporting Standards). Key internal controls will need to be reevaluated and process flows reengineered, as IFRS will change the way financial information flows amongst and between organizational units/subsidiaries and intra-company departments.
Where do we go from here?
• Sox compliance, part of COSO 2013, will become part of an integrated FGRC approach.
• Sox compliance (PCAOB-AS5 and SEC Internal Control Guidance) is critical to pre-IPO planning and raising capital.
• Employees need training and understanding of controls and process flows (corporate culture).
• Human Resource managers will need to understand compliance, initiate training and reevaluate hiring criteria and interview techniques.
• Management will need to redefine performance standards and incentives and create strategic objectives to fully meet and embrace FGRC concepts.
• The eventual adoption of and convergence with IFRS will create a need to reevaluate process flows and identify new key internal controls.