Sarbanes Oxley: the architecture for operations risk management
EXECUTIVE SUMMARY
The Sarbanes Oxley Act 2002 seeks to lay the ground for a culture of proactive management of risks, going beyond the reactive approach that has been common so far. Typically, companies were caught off-guard as unexpected events struck. To avoid the embarrassment of unmet expectations, companies took recourse to creative accounting to patch up their financial statements. Chief executives had a ready excuse that their responsibilities were limited to providing strategic direction to their companies. Similarly, the directors of boards of companies pleaded that their powers were limited in the presence of an omnipotent CEO and the paucity of access to information.
Sarbanes Oxley ensures that senior executives have greater responsibility as well as the means to meet it. Thus, the directors of boards of companies will have direct access to company information, and their committees will have independent oversight over important matters such as executive compensation, selection of auditors and governance policy. In turn, the directors will have greater exposure to liability for any negligence in the management of companies. Similarly, chief executives will now be responsible not only for the strategic direction of the company but also for its operational effectiveness. Their hands will be strengthened by the additional support they will receive from the board of directors for strategic planning. In addition, they will receive much more detailed information about their companies than was possible in the past.
Sarbanes Oxley provides for checks and balances that were not available in the past. Whistleblowers will now have greater protection of the law as well as the opportunity to report fraud in their companies. Similarly, the auditors of companies have to report to the independent audit committees.
Above all, Sarbanes Oxley seeks to make companies more transparent and vigilant by requiring the reporting of all their operational risks as well as the internal controls put in place to monitor them. Any material change in the monitoring of risks has to be reported to the shareholders in real time. Overall, the Sarbanes Oxley Act seeks to focus the attention of companies on fortifying themselves by anticipating risks, all across the enterprise, and taking preemptive action to guard against the damage that those risks could wreak. The bedrock of this model of governance would be the business intelligence infrastructure that will help companies to receive information in real time. This information will be more widely shared among the executives, shareholders and the board of directors. All the stakeholders in the company will have both the opportunity and the resources to put their minds together to manage their companies effectively.
SARBANES OXLEY: METRICS BASED CORPORATE GOVERNANCE
The progress that the Sarbanes Oxley Act 2002 seeks to make in corporate governance is best understood by drawing an analogy with the total quality movement. In the days of statistical quality control, companies looked at quality after the fact and measured defect rates in a sample of their final output. This was not helpful since companies could not undo the damage, i.e., they had no way to recover the costs incurred on the rejections. The Japanese brought about a paradigm shift by implementing systems to produce quality products at the outset. They placed built-in checks on the production floor where errors in manufacturing were corrected before they were compounded as work-in-progress moved from one stage to another. Similarly, the message of Sarbanes Oxley is that managements should change from a reactive approach to risky events to a proactive method which anticipates adverse situations and takes preemptive action before an unfavorable course of events snowballs into a crisis, or which ensures that the systems and processes are strong enough to weather the buffeting should unforeseen events strike.
Sarbanes Oxley has removed the veil that hid many ills inside corporations. It now seeks real time information that can materially impact the financial performance of a corporation. Senior management cannot hide behind the familiar ruse that their task is to provide a strategic direction to their companies; they are now required to monitor performance metrics, in real time, to ensure that their companies are not overtaken by unexpected events. Sarbanes Oxley has dramatically raised the standards of transparency and accountability in companies to ensure that they can sustain a consistent level of performance. The key instrument to clean corporations of fraud and inefficiency is to provide detailed information, delivered electronically, to executives, shareholders and regulatory bodies.
Strategic and tactical metrics to measure the health of corporations will play a critical role in the governance of corporations in the future. Sarbanes Oxley also frees the Board of Directors and the Auditors from the cult of the Chief Executive and provides them space to play their roles. Increasingly, they will bring their knowledge and creativity to manage the risks of companies. Compliance would require data warehouses for the storage of financial and non-financial data affecting risks, and analysis of that data for continually reviewing strategies for risk management. In this framework, company executives and board members will not have any room to point fingers at someone else, since they would have access to all corporate information and the responsibility to monitor it.
In the past, companies had a knee-jerk reaction to an unexpected turn of events and usually were not the masters of their situation. Typically, companies could only patch up their balance sheets when their financial performance fell short. Nothing in the extant corporate governance legislation required them to analyze the root causes of lapses in performance and work towards improving the outcomes over time. Sarbanes Oxley requires companies to take a strategic view of risk and learn from their experiences to improve their model for coping with risk.
KEY PROVISIONS OF THE LAW
Chief Executive’s responsibility for financial statements
A cornerstone of the Sarbanes Oxley legislation is the ownership CFOs and CEOs have for the quality of reporting of the financial health of their company. They are seen as more than the leaders of their companies; increasingly they have to act as stewards responsible for ensuring that all processes in the company are working in the interests of shareholders. Under its Sections 302 and 906, they are required to certify quarterly and annual reports filed with the SEC. The certification confirms that the CEO and CFO have reviewed the reports and can vouch that the reports are truthful, do not omit material information and fairly represent the financial situation of the company. The onus is also on the CEOs and CFOs to review all procedures and internal controls within the preceding 90 days and to disclose material weaknesses in them and any significant changes after the most recent evaluation.
Comprehensive Internal Controls
Fortification of companies by strengthening their internal controls is one of the most important instruments that Sarbanes Oxley uses to improve governance. Any material weakness in the internal controls, and consequently a company’s vulnerability to risk, has to be reported to the shareholders. Under its Section 302, Sarbanes Oxley requires that the CEO and the CFO of the company report and certify the internal controls established over financial reporting so that external reporting to shareholders and others is reliable. In addition, the financial reports should disclose any changes in internal controls with a material effect on financial reporting. The independent auditors are expected to establish procedures, as required by Public Company Accounting Oversight Board (PCAOB) Auditing Standard 2, that will enable them to attest to the management’s report on internal controls for financial reporting. They are also required to assess any material change in internal controls affecting the quality of financial reporting as well as report on the implications of any misstatements.
Furthermore, Sarbanes Oxley, under Section 404, requires that a management affirm its responsibility for establishing and maintaining adequate internal control over financial reporting. Managements are also required to assess the effectiveness of internal controls over financial controls each year. The statement of the management also has to be attested by an external public accounting firm. Finally, Section 404 and PCAOB Auditing Standard 2 require the independent auditor of the company to attest to the management’s assessment of the internal controls, and the management is expected to provide all the relevant documents, including results of the testing procedures. PCAOB Auditing Standard 2 also stresses the role Information Technology plays in determining the quality of the control environment, since a great deal of reporting is done with information systems which also have controls built into them and are more likely to do so in the future.
Internal auditors are required to attest to the management’s report on the effectiveness of these systems in financial reporting.
For more information
http://fic.wharton.upenn.edu/fic/cmbt/Sibel%20Ulusoy.ppt#266,9,%20%20What%20Sarbanes-Oxley%20Brings
Auditor Independence
In the past, the independence of external auditors was routinely compromised by conflicts of interest caused by related business dealings in consulting. Sarbanes Oxley and associated operative rules from the Securities and Exchange Commission have created a new environment of greater independence of auditors and focused their attention on improving the quality of information that is shared with shareholders. External auditing companies are now banned from offering not only consulting services but also services such as accounting information systems, appraisal and valuation services, bookkeeping services related to record keeping and financial reporting, actuarial services, internal audit outsourcing services, management functions or expert services, recruitment services, investment banking services and legal services. Both the Sarbanes Oxley Act and the SEC require external auditors to report to the audit committee and to report on the critical accounting policies that have been used, the alternative accounting treatments, with a discussion of the impact of using each of them, and material communications between auditors and managements. The Public Company Accounting Oversight Board, with enhanced authority, is also now responsible for oversight of the profession as a whole.
For more information
http://www.sba.muohio.edu/abas/2003/vancouver/lee_auditor%20independence.pdf
Board of Directors
Increasingly, directors on boards of companies are expected to play much more active roles in the interest of shareholders. The New York Stock Exchange, consistent with the provisions of the Sarbanes Oxley Act, expects that non-management directors should hold regular sessions without the participation of the management or any other person with a material relationship with it. These regular meetings of the boards are meant for brainstorming without being biased by the concerns of the management or its influence.
Disclosures
The rampant misrepresentation of the financial situation of companies, especially in the technology industry, by the use of pro-forma financial statements is no longer possible without additional disclosures that compare them with GAAP-consistent accounting. Under Section 401 (b) of the Sarbanes Oxley Act, it would not be possible for pro-forma statements to omit any material fact in a way that misrepresents the fair or true position of the company. In addition, companies are now required to provide quantitative measures to reconcile the pro-forma statements with the GAAP-consistent financial statements.
The SEC is also rapidly moving towards real time disclosures so that each investor has prompt access, under Section 409, to information that will have a material impact on the company. The filing deadlines for quarterly and annual reports have been accelerated by a third. The SEC has also identified items that need to be disclosed in real time.
Fraud
The premise for fraud control is that managements frequently exploit weaknesses in internal controls for their dubious purposes. PCAOB’s Auditing Standard 2, therefore, specifically requires that the assessment of internal controls take into account the susceptibility of the company’s processes to fraud. The internal controls should be able to prevent, deter and detect fraud.
Governance policies
The Sarbanes Oxley Act seeks to encourage explicit discussion of the corporate governance policies that will set a direction for the board and the management. The New York Stock Exchange has the operative rules, which require that the boards of companies set up a Governance committee to spell out the governance principles that will be used to evaluate the board and the management.
Executive Compensation
In order to check fraud from earnings management by senior executives, Section 304 of the Sarbanes Oxley Act requires that, when a company restates its financial statements due to misconduct or material noncompliance with any financial reporting requirement, the CEO and CFO must reimburse the company for bonus or other incentive-based or equity-based compensation received during the 12-month period following issuance of the financial statements and for profits realized from the sale of equity during the same period.
Protection of Whistleblowers
Sarbanes Oxley has provided added protection to whistleblowers who can establish a prima facie case of retaliation when they report malfeasance in the company. The instrument for achieving this goal is the change in the burden of proof rules, which are now in favor of employees.
If they submit evidence that the retaliation was a contributing factor to the adverse employment action, a presumption of retaliation is created. In order to defeat this presumption, the employer must establish, by clear and convincing evidence, that it would have taken the same action with respect to the employee, regardless of the alleged protected activity.
For more information
www.goodwinprocter.com/publications/LE_SOX_whistleblow_05_04.pdf
Compensation Committees
Sarbanes Oxley does not explicitly spell out rules governing compensation, in order not to restrict the freedom of companies to make their decisions. However, the New York Stock Exchange Governance rules require the Boards to form independent compensation committees which have the authority to decide on compensation policies consistent with the business goals of their companies. They are also required to make decisions on the incentive component of compensation and ensure that they are effective in achieving the performance goals of the company. Compensation committees are also expected to seek advice from compensation consultants about executive pay.
Audit Committees
Sarbanes Oxley has sought to govern auditors at the board level in order to avoid the conflicts that can happen with the management. These audit committees are composed of directors and have the responsibility to ensure that the financial statements of the company and the internal controls are consistent with the regulatory policy. The audit committees are also required to discuss the company’s exposure to risk and the means to manage it.
For more information
www.nyse.com/pdfs/finalcorpgovrules.pdf
http://www.thelenreid.com/articles/article/sec_corp_gov_chart_idx.htm
SARBANES OXLEY: DEPARTURES FROM THE PAST
Executive Compensation
Sarbanes Oxley recognizes that the mode of compensation, an increasing share of equity and equity options in the packages that executives received, was responsible for the frauds that were committed at several large companies. This kind of compensation created incentives for fudging the balance sheet and the income statement to engineer stock price increases. In addition, severance packages are overly generous. A 2003 survey by McKenzie, a management consulting firm, found that 52% of the directors of companies believe that executive compensation is way too high. Academic literature also finds significant correlations between a high component of equity compensation and symptoms of fraud such as accounting restatements, high proportions of accruals, capitalization of expenses, etc.
A widely quoted study by a professor from the business school of the University of Chicago compared a sample of 50 firms accused of fraud by the SEC with another 50 companies which were not, and found a clear pattern of higher-than-average stock compensation in the former sample. Other studies also confirm that companies are more likely to be subject to enforcement action if their boards are dominated by the management and they don’t have a block holder or an audit committee.
Severance pay is another contentious aspect of executive compensation, often patently unrelated to performance. A striking case is the approval of a $140 million severance package for Michael Ovitz by the Disney Board in response to a request from CEO Michael Eisner, in 1996. Ovitz had hardly worked a year as Disney's president when Eisner decided he wasn't the right man for the job.
Increasingly, governance bodies are concerned that executive compensation does not reflect the performance of the chief executive. While equity compensation is a means to address the agency issue by tying together the interests of owners and managers, the executives also benefit, undeservedly, from the overall increase in market indices unrelated to the financial performance of the company. In addition, severance pay, retirement benefits and a host of other fees paid to former executives are not related to performance. While Sarbanes Oxley has not specifically mandated any rule for the compensation of executives, it does vest authority in compensation committees to decide whether executive pay is consistent with the overall interest of the company.
For more information
http://www.ncnacd.org/Summaries/November%2020%202003%20Summary.pdf
http://www.cfo.com/article.cfm/3011471/1/c_3046605?f=insidecfo
“The Economics of Earnings Manipulation and Managerial Compensation”, by Keith J Crocker and Joel Slemrod, February 2005
“Is there a link between Executive Compensation and Accounting Fraud” by Merle Erickson, Michelle Hanlon and Edward Maydew, Feb 2004.
Beyond GAAP
Traditionally, the accounting profession has followed the principles laid down by Generally Accepted Accounting Practices (GAAP) when preparing the financial statements of the company. GAAP, however, is not necessarily a means to present a representative or fair picture, since it has several vague definitions of important terms like materiality. GAAP also creates room for judgments on the treatment of special items, besides the scope it allows for estimates of a variety of items. Under U.S. GAAP, an item is considered material if it has the potential to influence the judgment of a financial statement reader. Since the term material has not been rigorously defined, it is often hard to pin down just when creative accounting has a material impact.
Typically, auditors look at quantitative measures; for example, an item that does not change net income by any more than a tiny percentage is considered immaterial. Similarly, it is hard to tell the threshold for the materiality of changes in the policies towards estimates.
The rising number of incidents of earnings management in the 1990s was indicative of the significance that executives attached to the weaknesses in GAAP. The percentage of Industrial companies reporting special items climbed from 48% in 1989 to 71% in 1998. Reports of special items among Mid-Caps and Small-Caps moved from 31% to 53% and from 32% to 42%, respectively. On average, among companies with positive earnings before special items, 68.4% of special items reported were negative. The corresponding statistic for companies with negative earnings before special items was 82.9%.
SEC’s Accounting Bulletin No. 99, issued to clarify operative aspects of Sarbanes Oxley, requires that accountants take both quantitative and qualitative considerations into account before making a judgment on the materiality of an accounting policy. The facts “surrounding the circumstances” and the “total mix” of information have to be assessed before coming to a decision, just as the Supreme Court mandated in several landmark cases.
For more information
www.findarticles.com/p/articles/mi_qa3972/is_200210/ai_n9119297/pg_3
http://www.sec.gov/interps/account/sab99.htm
Audit Committees
Sarbanes Oxley has significantly raised the stature of the audit committees and requires them to have the competence, the independence and the knowledge to be capable of fulfilling their fiduciary roles. In the past, directors and audit committees were protected, by the business judgment rule, from liability suits as long as they were taking decisions with due care, after evaluating all the material information, and in good faith and honest belief that they were acting in the best interests of the company and its shareholders. Sarbanes Oxley has raised the standards which must be met before directors will be immune to law suits.
One recent case of the use of an expanded set of standards for defense under the business judgment rule is the suit filed by shareholders against the CEO of Oracle and some of its Directors for insider trading. A group of Directors, members of a specially set up litigation committee, investigated the matter and came to the conclusion that the accused did not have access to non-public information for an insider trading charge to be valid. However, the shareholders countered by pointing out that the Directors of the committee were not independent; some of the committee members were professors at Stanford and some of the defendants were donors to the University or professors. The courts were willing to use soft criteria to judge whether the relationship could have biased their decisions.
At the same time, the audit committees have the means to exercise better judgment.
One important requirement of the current corporate governance laws is that they should have a financial expert capable of judging the quality of financial reporting by internal and external auditors. They are also expected to confer with external experts to come to their decisions. In addition, audit committees now have greater access to information, which flows to them directly without the mediation of the Chief Executive. A KPMG survey in the spring of 2002 found that nearly 19.2% of them were not receiving critical accounting information, judgments and estimates to ensure the quality of reporting. Following the Sarbanes Oxley Act, the audit committee is expected to seek information on the business, legal and financial risks, besides keeping abreast of issues related to the competitive, regulatory and economic environment of the company.
For more information
http://www.cfo.com/article.cfm/3011471/1/c_3046605?f=insidecfo
http://www.thelenreid.com/articles/article/art_204.pdf
Fraud
Fraud in corporate America is not exceptional, as would seem from sound bites focused on Enron. According to surveys of the Association of Certified Fraud Examiners (ACFE), fraudsters and white-collar hackers were the cause of the loss of 6% of the revenue earned by companies, or $600 billion, in 2002 ($2 million for each company). Just how ineffective the current controls are in checking this fraud is indicated by the fact that an average scheme lasted 18 months before it was detected, if at all.
The malfeasance in Enron could not have been exposed without the whistleblowers. A report by ACFE found that tips accounted for the highest share of fraud detected, i.e., 43% of all. Additionally, tips accounted for 51% of the frauds committed by owners and executives. Yet the experience of whistleblowers in the past has been that they are not rewarded for the risks they take; the more likely possibility is that they will be hounded for sticking their neck out. The Sarbanes Oxley Act, together with related proposals from NASDAQ and NYSE, requires that the audit committee establish procedures for receiving and reviewing complaints submitted without an ulterior motive in mind. Companies are also required to build confidence so that employees don’t fear any retaliation should they decide to report untoward accounting methods.
Fraud is most frequently perpetrated by senior executives in a company. According to the Wall Street Journal (July 8th 2002), 70% of corporate frauds involved the CEO. The losses incurred were much lower, by a factor of nearly fifteen, when an employee was involved instead of a senior executive of a company. In the past, chief executives could override any dissent within a company to escape the consequences of their crimes. Sarbanes Oxley has strengthened the hands of audit committees within the boards to ensure that they report any management override. Fraud is also often reflected in unusual journal entries, often at the time of close of accounts.
The Sarbanes Oxley Act, under its Section 404, requires reporting on control systems and their internal auditing so that shareholders know whether the company has the processes to detect such fraudulent activities.
For more information
www.deloitte.com/dtt/cda/doc/content/us_assur_Antifraud%20whitepaper.pdf
http://www.oversightsystems.com/whitepapers/Control_tradeoffs.pdf
http://www.cfenet.com/pdfs/2004RttN.pdf
Internal Controls and Risk Management
Sarbanes Oxley implicitly goes beyond the traditional financial accounting at a given point of time or at the end of the financial year by requiring that auditors examine both the internal controls over financial reporting as well as financial reports for any material weaknesses. Since the tests for the material weakness of financial statements can only be done over a period of time, they end up scrutinizing the stability of the finances of companies over an extended period of time.
The Public Company Accounting Oversight Board spells this out in its Auditing Standard 2, which requires company-wide operating effectiveness of controls. The operating effectiveness can only be tested over a number of periods of time. The reconciliation of cash receipts, for example, would be free from material weakness if the test is successful for a number of days or months. Similarly, controls over debt management would not be complete unless the auditors also study the controls over all the inter-connected departments of the company and the effect each of them separately, and all put together, could have on the solvency or the financial health of the company. The comprehensive examination of the controls and of the exposure of the company to operating risks has broken new ground, since it takes an integrated view of the exposure of the company to risks. This is only a short step away from enterprise risk management systems.
For more information
http://www.nysscpa.org/cpajournal/2005/505/essentials/p22.htm
http://www.kpmg.ie/seminarslides04/sarbanes.pdf
http://www.pcaobus.org/
SARBANES OXLEY: IS IT PERFORMING?
Costs and Benefits of Compliance
Sarbanes Oxley's sweeping provisions without a doubt greatly add to the costs of compliance. Most companies see compliance as a sunk cost incurred for the long-term benefits of credibility and efficiency that will extend over many years. In addition, they expect that the costs of compliance will decline as systems are put in place and companies learn to automate their processes. Currently, many companies are unsure about the benefits they will actually reap and the means to automate compliance in a situation where processes are hard to standardize.
According to widely quoted figures from Foley and Lardner, the costs of compliance for companies with sales turnover of less than one billion dollars were about $2.86 billion in financial year 2003, up from $2.12 billion in financial year 2002, and the corresponding figure for companies with revenues in excess of $1 billion is $7.4 billion. The major components of costs were Directors and Officers Insurance, lost productivity and accounting. Figures have been presented in a variety of ways depending on how they are collected. Other sources such as Parson Consulting indicate that 50 percent or more of overall corporate governance cost revolves around process improvement, controls documentation, testing and adapting controls to changing needs.
In more recent years, however, companies are also increasingly reporting benefits from their investments in compliance with Sarbanes Oxley. In a survey of 200 financial executives by Oversight Systems, 49% of them reported that the risk of fraud and errors has been reduced, 48% of them agree that their financial operations are now more efficient and 31% report lower error rates. Furthermore, companies will be increasingly focused on lowering costs through automation of their compliance processes. As many as 60% of them have plans to implement technology to automate their manual processes.
For more information
http://www.complianceweek.com/_articleFiles/foley-lardner-052504.pdf
http://www.businessfinancemag.com/magazine/archives/article.html?articleID=14276
http://www.oversightsystems.com/whitepapers/2005_Oversight_Report_on_SOX.pdf
http://www.fei.org/advocacy/sarbanesoxley.cfm
Transformation of Board of Directors
A charismatic and omnipotent Chief Executive Officer has long been the hallmark of the American corporate sector, while the Directors on Boards of companies have been content to remain passive. Sarbanes Oxley has significantly raised the profile of Directors and expects them to provide alternative perspectives besides their monitoring role in companies. Eventually, directors of companies are expected to contribute to strategy formulation, refine the culture of their companies and manage strategic risks. Accounting problems, in the final analysis, are caused by failures of strategy or the inability to read the early warnings of stress on corporations. Directors have to be willing to analyze relevant information, suggest solutions and supervise the implementation of strategies.
A pre-requisite for a more active role for directors is the separation of the roles of the Chairman and the Chief Executive, or the vesting of greater authority in the Board of Directors in some other form. In a recent survey conducted by AT Kearney, it was found that 61% of the companies had a lead or presiding director and 43% of them appointed one in the year before the survey in 2004. The same survey also shows that the large majority of directors do not favor the separation of the roles of the Chairman and the Chief Executive Officer.
The diminished role of Chief Executives is evident from the fact that the Chairpersons of Committees are selected by the Boards in 50% of the cases, up from 24% in 2002. Willingness to acquire knowledge of the financials of the company, as well as of its competitive and industrial environment, would prepare the directors to participate in the decision making process. In the past, they had neither direct access to the details of the financials of the company nor the knowledge and interest to ensure the integrity of the reporting. Recent surveys indicate that a significant number of the members of the Board (66%) as well as their Audit Committees (71%) are gaining an understanding of the finances of their companies and knowledge of their internal controls, which they need in order to understand the many nuances of chicanery in accounting methods. The internal auditors of companies are also reporting directly to the Audit Committees. The intended objective of Sarbanes Oxley to increase the independence of Boards
of Governors of companies and commensurate access to information and responsibility for the outcomes in companies is being achieved.

Boards still have to make a great deal of progress before they can contribute to the performance of companies and shareholder value. They are still pre-occupied with ensuring the compliance of their companies with the existing regulations (74% report active involvement) while 32% report active involvement in improving the performance of companies. The Boards of Directors rate their effectiveness in examining problems and monitoring financials relatively high, at 49% and 43% respectively, while the corresponding figures for guiding strategies and managing risks were 21% and 16%. The achievement of this objective will depend greatly on the availability of relevant information about the company in real time.

For more information
http://www.atkearney.com/shared_res/pdf/Corporate_Boards_S.pdf

Independence of External Auditors

External auditors now need to exercise independent judgment when they review the accounts of their clients and attest to the management’s assessment in order to continue to qualify for registration with the Public Company Accounting Oversight Board. There is also evidence to show that they are beginning to prevail. Instead of browbeating their external auditors or dismissing them in the event of a dispute over material weaknesses or disclosures, managements are learning to be more constructive and disclose their plans to improve their processes, or face the prospect of a drastic decline in their share prices.

A recent instance of the increasing independence of external auditors was revealed in the case of Molex, the Chicago-area electronics maker. The company's auditor, Deloitte & Touche, quit when its CEO and his chief financial officer refused to disclose an accounting error worth 1% of net income in the audited results and were supported by their board.
The firm followed up by writing a trenchant account of the incident at the SEC. That sent out a signal to other auditors, who would not have worked for Molex again as long as the CEO concerned was involved. The directors had to change their decision and they decided to oust the CEO.

For more information
http://www.businessweek.com/magazine/content/05_17/b3930015_mz001.htm
http://www.cfo.com/article.cfm/3126520/1/c_3148382?f=archives
http://www.theiia.org/index.cfm?doc_id=5161

Quality of Financial Reporting

Financial statements, such as the balance sheet and the income statement, have long been amenable to manipulation, euphemistically known as creative accounting. These statements report the financial situation of a company for a given year, while the accounting for revenues and expenses extending beyond the year is subject to a variety of special rules. Revenue recognition for earnings from construction contracts, for example, can be by percentage of
completion method or the completed contract method. The percentage of completion method is prone to subjective interpretation, while the completed contract method can present an overly positive picture of a company for the year when revenues are recognized at the time a contract is fully completed. Misrepresentation of the financial situation of companies has grown as emerging industries like software and telecom, as well as new business models involving off-balance sheet financing, have emerged in recent times.

In addition, pro-forma statements became a regular feature, especially in press releases of companies in the 1990s, and a means of deception. Pro-forma statements exclude one-time expenses, such as goodwill expensing or write-offs of inventories, and help to focus attention on cash flows, which are widely seen as a measure of the health of a company. Over time, companies found them a convenient method to distract attention from their long-term liabilities.

Recent surveys indicate substantial improvement in oversight of the frequently manipulated aspects of accounting (mean response of 46%) such as revenue recognition, closing entries and estimates (62%) as well as accounting estimates (46%).

For more information
http://www.benbest.com/business/newecon.html
www.theiia.org/iia/download.cfm?file=1617

Redesign of Business Processes

Sarbanes Oxley calls for real time reporting of material facts about the financial health of the company, going beyond the quarterly and annual reporting that has been common in corporate America so far. Increasingly, companies are under pressure to accelerate the flow of information and improve its quality and accessibility to keep pace with the reporting requirements of Sarbanes Oxley. A recent Ventana study found that 80% of executives agreed that fundamental process and financial system design is important or very important for compliance.
Executives also identified "harmonizing the company's charts of accounts" and "reducing spreadsheet use" as important goals. A harmonized design of accounts across the company can facilitate consolidation and consistency of data and its reporting, besides simplifying external audit processes. Routine processes, such as accounts payable, are accounted for in a variety of ways, which contributes to inconsistency in data.

Sarbanes Oxley requires the documentation of the audit trail, but this is hard to achieve as financial processes are typically spread over numerous spreadsheets, hosted on a variety of IT systems, which are hard to audit and are replete with flawed formulas. In a survey conducted by IDC, jointly with the Revenue Recognition Magazine (a unit of CFO.com), 63 percent of respondents believe that spreadsheets are prone to errors, 58 percent cited the lack of audit trail and 56 percent said they lacked internal controls. It is also hard to build controls to ensure quality in the preparation of spreadsheets, which can often harbor fraudulent schemes. The separation of duties needed for controls over these spreadsheets would require disproportionate auditing effort.
The shorter reporting intervals mandated by Sarbanes Oxley require companies to streamline individual processes such as the cycle time for financial closure, procure-to-pay and the order-to-cash cycle. Business Intelligence systems are expected to achieve the goals of consolidating data, improving its quality and reporting it rapidly.

For more information
http://www.revenuerecognition.com/printarticle.cfm/3468589
http://www.intelligententerprise.com/print_article.jhtml?articleID=56200373

Awareness of Risk

Sarbanes Oxley’s focus on instituting controls over the finances and operations of companies has made them transparent for their own managements. The detailed and on-going monitoring of these controls also increases the knowledge of the risks that they are expected to mitigate. Since Sarbanes Oxley requires reporting on both the financial and operating risks, companies now have the ability to analyze their financial performance based on their knowledge of their operations.

For example, theft in retail chains is endemic and can have a deleterious effect on their financial performance. Auditing of controls would reveal how the managements of the retail stores try to stem losses from theft and the problems they face in doing so. The information about incidents of theft is made available not only to the store managers but also to the senior management and the boards of directors, who can then consider means to lower the losses from theft by buying insurance, reinforcing security or using video technology as a deterrent to theft.

The greater awareness of risk within the enterprise paves the way for using analytical methods to find its causes and to find strategies to overcome it. For example, store managers have to make decisions about the inventory they need to stock. If they make mistakes, the company is likely to suffer losses.
The sharing of information within the company that Sarbanes Oxley enables helps senior management to bring to bear analytics, such as the impact of economic, demographic and competitive factors on sales, to make better decisions about stocking.

In the past, individual departments in marketing or operations made assessments of their own risks and very rarely shared them with others. Sarbanes Oxley has put in place an institutional process where the risks affecting all departments can be gathered and analyzed in all their interdependence. Companies can now look at their business, financial and operational risks and understand how they interact with each other. Companies have a measure of the risk associated with their strategies and can decide how much risk they are willing to undertake.

For more information
http://www.kpmg.ca/en/services/advisory/err/documents/complianceJourney.pdf

Performance Metrics and Financial Performance

In the aftermath of Sarbanes Oxley, boards and shareholders have been increasingly concerned about transparency in measures of performance and their predictability. According to a survey of the BPM forum, 82% of Board members felt that performance data was increasingly important in
their discussions. Financial earnings have been the much used and abused measures of performance, which often don’t present a consistent picture of the achievements of companies. Non-financial data, when seen together with the financial data, is likely to forewarn investors about latent problems in companies. Trends in customer satisfaction are one such measure that investors could use to predict future financial performance. In the early 1990s, for example, Apple was a famously successful company much admired for the quality of its products. Customer satisfaction data would have revealed that consumers were increasingly dissatisfied with the pricing of the company. As many as 91% of the respondents in the BPM survey indicated that companies do not have the operational data required to predict financial health and performance.

Pemstar, a manufacturer of printed circuit boards, realizes that it will need to monitor both financial and operating parameters to comply with Sarbanes Oxley. It has deployed a data warehouse and analytical software that draws on operational data from its ERP system. The senior executives are now able to read the operating metrics on their desktops, understand the financial implications of an unexpected turn of events and report it.

www.optimizemag.com/article/showArticle.jhtml?articleId=17700918&pgno=2
http://www.bpmforum.org/
http://www.managingautomation.com/maonline/magazine/read/753675?page=1

INFORMATION MANAGEMENT AND THE FUTURE OF SARBANES OXLEY

Managing Risks Across the Enterprise

Corporations are rethinking their strategies towards the management of risk in the future to effectively comply with the Sarbanes Oxley Act. Increasingly, companies are implementing Enterprise Risk Management Systems and employing Chief Risk Officers to govern their strategies for risk across the enterprise. Companies no longer want to be taken by surprise and incur losses as they are hit by unexpected events.
They now realize that their ability to manage risks depends on anticipating risks, detecting them more effectively by looking at them in all their interdependence, and fortifying their systems to withstand shocks. Some of the more sophisticated corporations, such as Microsoft and Boeing, implemented such systems in the past, independent of regulatory policy, while other companies are following in their steps under pressure from new laws such as Sarbanes Oxley, Basel II, etc. A recent survey indicates that 50% of financial executives believe that they integrate their SOX compliance with Enterprise Risk Management. This best practice has been spelled out, in all its details, in the seminal document of the Committee of the Sponsoring Organizations of the Treadway Commission on the subject.

The conceptual breakthrough that undergirds the new approach to risk management is the realization that business risk, financial risk and operational risk feed on each other and compound the impact of any one type of shock to a company. Operational risk, such as fraud in the company, can create a liquidity crisis for the company. Similarly, business risk, such as loss of intellectual property from outsourcing of business processes overseas, could lead to
bankruptcy of a company. The vulnerability of companies has increased with the growing reliance on sophisticated financial instruments, an extended enterprise and information technologies.

Increasingly, companies realize that they need to create a culture in which employees at all levels respond to unnoticed sources of risk in any corner of the enterprise and communicate them to the rest of the organization. This is facilitated by Enterprise Risk Dashboards, which help to communicate potential threats to the company and galvanize organizations to react rapidly before a crisis goes out of control.

An example of enterprise wide management of risks is the case of TriQuint Semiconductor Inc., a Hillsboro, Ore.-based supplier of communications components and modules. As part of its compliance effort, TriQuint is conducting a risk assessment of all the business processes that affect its balance sheet and income statement. That evaluation is helping the company uncover latent risk across all its five divisions. TriQuint's combined Sarbanes-Oxley and ERM efforts have helped it to gain insight into risks in the businesses it acquires. Typically, mergers fail when the cultures of two different companies clash. TriQuint has made several acquisitions in recent years, and some of those businesses have operations outside the United States. The company has been able to identify and discuss the risks new acquisitions face, including exposures related to specific cultural and regulatory environments.
For more information
http://www.asse.org/jameslam.ppt#256,1,Slide 1
http://www.coso.org/
http://www.oversightsystems.com/whitepapers/2005_Oversight_Report_on_SOX.pdf
http://www.businessfinancemag.com/magazine/archives/article.html?articleID=14193&pg=3
http://www.cio.com/archive/110104/risk.html

Streamlining business processes

Many companies are complaining about the high costs of compliance with Sarbanes Oxley while others are using the opportunity to raise the efficiency of their business processes. The thorough investigation of processes that is now possible would otherwise have been stymied by turf battles within companies.

One distinctive case of remarkable improvement in business processes is Owens Corning, which used the opportunity to review and reorganize business processes in all its 115 plants spread around the world. The company managers reduced the company's income statement, balance sheet and disclosures into 16 business cycles (e.g., the order-to-cash cycle) and vested ownership of each of them in a project manager who has the responsibility to design internal controls. The company executives identified the best control system for each of these processes among all their plants and decided to implement it in the rest of the plants.

For more information
http://www.businessfinancemag.com/magazine/archives/article.html?articleID=14276&pg=5

Business Intelligence Systems

Business Intelligence software is the technology of choice to go beyond the Ken Lay defense, “That wasn't my responsibility -- it was the fault of internal audit, the external auditor or the accounting department.” The message from Sarbanes Oxley is “The buck stops here, period”. CEOs and CFOs have to find a way to be aware of every beat of the pulse of business activity in their company even as they are absorbed with strategic management.

Companies agonize over the potential of compliance to add several layers of bureaucracy and slow down the decision making process. The smarter companies, on the other hand, are integrating their business intelligence systems with their compliance systems to monitor activity in their companies without being intrusive. For example, fraud can be monitored by keeping track of unusual or suspicious transactional activity. Auditors can then focus their attention on the transactions that are most likely to be fraudulent.

Automation of compliance has also yielded the unintended benefit of uncovering information that was spread out over myriad Excel sheets and other formats. The thoroughgoing review of controls and procedures has enabled companies to unearth this information and to begin to analyze it for their strategic planning.

One case of this is Crown Media, which decided to upload its entire Excel data onto new compliance and business intelligence software. In addition, the software has the ability to create processes for monitoring each financial transaction. If a transaction is conducted by an unauthorized person or without the approval of the assigned person, the program triggers a warning. Crown Media is realizing a benefit from this investment which it had not expected at the outset. The new software has made the company data available throughout the company and accessible anywhere in the company.
The data on advertising contracts is not buried in some spreadsheet in an obscure corner of the company. This has enabled Crown Media to conduct marketing campaigns involving sales and other operations and to realize business benefits of a kind generally achieved by its larger competitors.

The appetite for new technologies for compliance varies across companies; most were, till recently, unwilling to take the plunge and preferred to adapt their content management infrastructure for compliance purposes. Lately, however, companies have shown a much greater interest in integrating their internal controls with enterprise management systems as they realize that they can recoup their investments in processes by reaping the benefits of better risk management.

The more significant benefits of information sharing will be realized when company management, including the Boards of Directors, is able to use the information from dashboards to guide the destiny of their companies. According to the AT Kearney survey cited above, the large majority of directors felt that the lack of tools and processes providing early warning signs (41%) was the
single most important barrier to their effectiveness, followed by adequate and relevant information for their needs (22%) and board culture close behind (21%). An overwhelming majority still rely on management presentations (90%) while only 6% use dashboards. Most directors expressed dissatisfaction with their current sources of information and would prefer forward looking information with details of performance data such as shifts in repeat customers, demographics and customer segments and sales performance data, all of which is more readily available from dashboards.

For more information
www.cioinsight.com/print_article2/0,2533,a=127248,00.asp
www.oversightsystems.com/whitepapers/2005_Oversight_Report_on_SOX.pdf

Chief Risk Officer

Companies are finding it increasingly burdensome to comply with all-pervasive compliance as they are required to monitor operating risks. The Chief Risk Officers (CROs) are symptomatic of the transition towards enterprise risk management systems and increasingly strategic perspectives towards regulatory compliance. According to a survey conducted by the Economist Intelligence Unit, 45 per cent of the companies interviewed had already appointed a CRO or equivalent, predominantly in the financial services sector. In other industries, one in four companies is planning to appoint CROs. The Chief Risk Officer has become the point person to take the onus for all the compliance with the regulations of Sarbanes Oxley.

The Chief Risk Officers are taking on the all important role of managing enterprise wide risks. In a survey of the insurance industry, it was found that 39% of the respondents noted that chief risk officers have the primary responsibility for risk management, up from 19% in 2002. And 40% of chief risk officers now report to the CEO, an increase from 26% in 2002.

The growing importance of the Chief Risk Officers reflects the need for a new breed of finance employees with a forte in strategic finance planning.
According to a survey reported by the CFO magazine, 79 percent of the respondents chose "strategic financial thinking" as one of the top three qualities they would value in a new CFO. This contrasts with the qualities in a traditional finance executive such as "champion of financial transparency" (36 percent), "zero tolerance toward accounting errors and fraud" (34 percent), and "operational experience running parts of the business" (30 percent).

http://www.keepmedia.com/pubs/InsuranceNetworkingNews/2005/04/01/795704?page=2
http://www.cfodirect.com/cfopublic.nsf?opendatabase&content=http://www.cfodirect.com/cfopublic.nsf/vContent/MSRA-659QSM?Open
http://www.gvsi.com/download/editorials/World-Energy-Jul-04.pdf
http://management.silicon.com/government/0,39024677,39130302,00.htm
http://www.cfo.com/article.cfm/3013927/c_3042575?f=TodayInFinance_Inside