Enterprise Risk Management is increasingly important as Sarbanes Oxley raises the costs of lapses in corporate governance. Companies have to learn to preempt disasters and other causes of shortfalls in performance.
Sarbanes Oxley: the architecture for operations risk management
Sarbanes Oxley Act 2002 seeks to lay the ground for a culture of proactive management of risks,
going beyond the reactive approach that has been common so far. Typically, companies were
caught off-guard as unexpected events struck. In order to avoid the embarrassment of
unmet expectations, companies took recourse to creative accounting to patch up their financial
statements. Chief Executives had a ready excuse that their responsibilities were limited to
providing strategic direction to their companies. Similarly, the directors of boards of companies
pleaded that their powers were limited in the presence of an omnipotent CEO and the paucity of
access to information.
Sarbanes Oxley ensures that the senior executives have greater responsibility as well as the
means to meet it. Thus, the directors of boards of companies will have direct access to
company information and their committees will have independent oversight over important
matters such as executive compensation, selection of auditors and governance policy. In turn, the
directors will have greater exposure to liability for any negligence in the management of
companies. Similarly, the chief executives will now be responsible for not only the strategic
direction of the company but also its operational effectiveness. Their hands will be strengthened
by additional support they will receive from the board of directors for strategic planning. In
addition, they will also receive much more detailed information about their companies than was
possible in the past.
Sarbanes Oxley provides for checks and balances that were not available in the past.
Whistleblowers will now have greater protection of the law as well as the opportunity to report
fraud in their companies. Similarly, the auditors of companies have to report to the independent
Above all, Sarbanes Oxley seeks to make companies more transparent and vigilant by requiring
the reporting of all their operational risks as well as the internal controls put in place to monitor
them. Any material change in the monitoring of risks has to be reported to the shareholders in
Overall, the Sarbanes Oxley Act seeks to focus the attention of companies on fortifying their
companies by anticipating risks, all across the enterprise, and to take preemptive action to guard
against the damage that they could wreak. The bedrock of this model of governance would be the
business intelligence infrastructure that will help companies to receive information in real time.
This information will be more widely shared among the executives, shareholders and the board of
directors. All the stakeholders in the company will have both the opportunity and the resources to
put all their minds together to effectively manage their companies.
SARBANES OXLEY: METRICS BASED CORPORATE GOVERNANCE
The progress that Sarbanes Oxley Act 2002 seeks to make in corporate governance is best
understood by drawing an analogy with the total quality movement. In the days of statistical
quality control, companies looked at quality after the fact and measured defect rates in a sample
of their final output. This was not helpful since companies could not undo the damage, i.e., they
had no way to recover the costs incurred on the rejections. The Japanese brought about a
paradigm shift by implementing systems to produce quality products at the outset. They placed
built-in checks on the production floor where errors in manufacturing were corrected before they
were compounded as work-in-progress moved from one stage to another.
Similarly, the message of Sarbanes Oxley is that managements should change from a reactive
approach to risky events to a proactive method which anticipates adverse situations, takes
preemptive action before an unfavorable course of events snowballs into a crisis, and ensures that
the systems and processes are strong enough to weather the buffeting should unforeseen events strike.
Sarbanes Oxley has removed the veil that hid many ills inside corporations. It now seeks real
time information that can materially impact the financial performance of a corporation. Senior
management cannot hide behind the familiar ruse that their task is to provide a strategic direction
to their companies; they are now required to monitor performance metrics, in real time, to ensure
that their companies are not overtaken by unexpected events. Sarbanes Oxley has dramatically
raised the standards of transparency, and accountability in companies to ensure that they can
sustain a consistent level of performance. The key instrument to clean corporations of fraud and
inefficiency is to provide detailed information, delivered electronically, to executives, shareholders
and regulatory bodies. Strategic and tactical metrics to measure the health of corporations will
play a critical role in the governance of corporations in the future.
Sarbanes Oxley also frees the Board of Directors and the Auditors from the cult of the Chief
Executive and provides them space to play their roles. Increasingly, they will bring their knowledge
and creativity to manage the risks of companies.
Compliance would require data warehouses for storage of financial and non-financial data
affecting risks and its analysis for continually reviewing strategies for risk management. In this
framework, company executives and board members will not have any room to point fingers at
someone else since they would have access to all corporate information and the responsibility to
In the past, companies had a knee-jerk reaction to unexpected turn of events and usually were
not the masters of their situation. Typically, companies could only patch up their balance sheets
when their financial performance fell short. Nothing in the extant corporate governance legislation
required them to analyze the root causes of lapses in performance and work towards improving
the outcomes over time. Sarbanes Oxley requires companies to take a strategic view of risk and
learn from their experiences to improve their model for coping with risk.
KEY PROVISIONS OF THE LAW
Chief Executive’s responsibility for financial statements
A cornerstone of the Sarbanes Oxley legislation is the ownership CFOs and CEOs have for the
quality of reporting of the financial health of their company. They are seen as more than the
leaders of their companies; increasingly they have to act as stewards responsible to ensure that
all processes in the company are working in the interests of shareholders. Under its Sections 302
and 906, they are required to certify quarterly and annual reports filed with the SEC. The
certification confirms whether the CEO and CFO have reviewed the reports and can vouch that
the reports are truthful and do not omit material information and fairly represent the financial
situation of the company. The onus is also on the CEOs and CFOs to have reviewed all procedures and
internal controls within the preceding 90 days and to have disclosed material weaknesses in them
and any significant changes after the most recent evaluation.
Comprehensive Internal Controls
Fortification of companies by strengthening their internal controls is one of the most important
instruments that Sarbanes Oxley uses to improve governance. Any material weakness in the
internal controls, consequently a company’s vulnerability to risk, has to be reported to the
shareholders. Under its Section 302, Sarbanes Oxley requires that the CEO and the CFO of the
company report and certify the internal controls established over financial reporting so that
external reporting to shareholders and others is reliable. In addition, the financial reports should
disclose any changes in internal controls with a material effect on financial reporting. The
independent auditors are expected to establish procedures, as required by Public Company
Accounting Oversight Board (PCAOB) Auditing Standard 2 that will enable them to attest the
management’s report on internal controls for financial reporting. They are also required to assess
any material change in internal controls affecting the quality of financial reporting as well as report
on the implications of any misstatements.
Furthermore, Sarbanes Oxley, under Section 404, requires that management affirm its
responsibility for establishing and maintaining adequate internal control over financial reporting.
Managements are also required to assess the effectiveness of internal controls over financial
reporting each year. The statement of the management has to be also attested by an external
public accounting firm. Finally, Section 404 and the PCAOB Auditing Standard 2 require the
independent auditor of the company to attest to the management’s assessment of the internal
controls, and the management is expected to provide all the relevant documents including results
of the testing procedures.
PCAOB Auditing Standard 2 also stresses the role Information Technology plays in determining
the quality of the control environment, since a great deal of reporting is done with information
systems which also have controls built into them and are more likely to do so in the future.
Internal auditors are required to attest to the management’s report on the effectiveness of these
systems in financial reporting.
In the past, independence of external auditors was routinely compromised by conflicts of interests
caused by related business dealings in consulting. Sarbanes Oxley and associated operative
rules from the Securities Exchange Commission have created a new environment of greater
independence of auditors and focused their attention on improving the quality of information that
is shared with shareholders. External auditing companies are now banned from offering not only
consulting services but also services such as accounting information systems, appraisal and
valuation services, bookkeeping services related to record keeping and financial reporting,
actuarial services, internal audit outsourcing services, management functions or expert services,
recruitment services, investment banking services and legal services.
Both the Sarbanes Oxley Act and SEC require external auditors to report to the audit committee
and report on the critical accounting policies that have been used, the alternative accounting
treatments with a discussion on the impact of using each of them and material communications
between auditors and managements. The Public Company Accounting Oversight Board, with
enhanced authority, is also now responsible for oversight over the profession as a whole.
Board of Directors
Increasingly, directors on boards of companies are expected to play much more active roles in
the interest of shareholders. The New York Stock Exchange, consistent with the provisions of the
Sarbanes Oxley Act, expects that non-management directors should hold regular sessions
without the participation of the management or any other person with a material relationship with
it. The regular meetings of the boards are sought for brainstorming without being biased by the
concerns of the management or its influence.
The rampant misrepresentation of the financial situation of companies, especially in the
technology industry, by the use of pro-forma financial statements is not possible now without
additional disclosures to compare them with GAAP consistent accounting. Under Section 401(b)
of the Sarbanes Oxley Act, it is not possible for pro-forma statements to omit any
material fact which misrepresents the fair or true position of the company. In addition, companies
are now required to provide quantitative measures to reconcile the pro-forma statements with the
GAAP consistent financial statements.
The SEC is also rapidly moving towards real time disclosures, under Section 409, so that each investor
has prompt access to information that will have a material impact on the company. The
filing deadlines for quarterly and annual reports have been accelerated by a third. The SEC has
also identified items that need to be disclosed in real time.
The premise for fraud control is that managements frequently exploit weaknesses in internal
controls for their dubious purposes. PCAOB’s Auditing Standard 2, therefore, specifically requires
that the assessment of internal controls take into account the susceptibility of the company’s
processes to fraud. The internal controls should be able to prevent, deter and detect fraud.
The Sarbanes Oxley Act seeks to encourage explicit discussion of the corporate governance
policies that will set a direction for the board and the management. The New York Exchange has
the operative rules which require that the boards of companies set up a Governance committee
which will spell out the governance principles which will be used to evaluate the board and the
In order to check fraud from earnings management by senior executives, Section 304 of the
Sarbanes Oxley Act requires that, when a company restates its financial statements due to material
noncompliance, as a result of misconduct, with any financial reporting requirement, the CEO and CFO must
reimburse the company for any bonus or other incentive-based or equity-based compensation
received during the 12-month period following issuance of the financial statements, and any profits
realized from the sale of equity during the same period.
Protection of Whistleblowers
Sarbanes Oxley has provided added protection to whistleblowers who can establish a prima facie
case of retaliation when they report malfeasance in the company. The instrument for achieving
this goal is the change in the burden of proof rules which are now in favor of employees. If they
submit evidence that the retaliation was a contributing factor to the adverse employment action, a
presumption of retaliation is created. In order to defeat this presumption, the employer must
establish, by clear and convincing evidence, that it would have taken the same action with
respect to the employee, regardless of the alleged protected activity.
Sarbanes Oxley does not explicitly spell out rules governing compensation in order not to restrict
the freedom of companies to make their decisions. However, the New York Stock Exchange
Governance rules require the Boards to form independent compensation committees which have
the authority to decide on compensation policies consistent with the business goals of their
companies. They are also required to make decisions on the incentive component of
compensation and ensure that it is effective in achieving the performance goals of the
company. Compensation committees are also expected to seek advice from compensation
consultants about executive pay.
Sarbanes Oxley has sought to govern auditors at the board level in order to avoid the conflicts
that can happen with the management. These audit committees are composed of directors and
have the responsibility to ensure that the financial statements of the company and the internal
controls are consistent with the regulatory policy. The audit committees are also required to
discuss the company’s exposure to risk and the means to manage it.
SARBANES OXLEY: DEPARTURES FROM THE PAST
Sarbanes Oxley recognizes that the mode of compensation, an increasing share of equity and
equity options, in the packages that executives received was responsible for the frauds that were
committed at several large companies. This kind of compensation created incentives for fudging
the balance sheet and the income statement to engineer stock price increases. In addition,
severance packages are overly generous. A 2003 survey by McKinsey, a management
consulting firm, found that 52% of the directors of companies believe that executive
compensation is way too high. Academic literature also finds significant correlations between a
high component of equity compensation and symptoms of fraud such as accounting
restatements, high proportions of accruals, capitalization of expenses, etc. A widely quoted study
by a professor from the business school of the University of Chicago reports that, in a sample of 50
firms accused of fraud by the SEC compared with another 50 companies which were not, a clear
pattern of a higher-than-average component of stock compensation was found
in the former sample. Other studies also confirm that companies are more likely to be subject to
enforcement action if their boards are dominated by the management and they don’t have a block
holder or an audit committee.
Severance pay is another contentious aspect of executive compensation often patently unrelated
to performance. A striking case is that of the approval of a $140 million severance package for
Michael Ovitz by the Disney Board in response to a request from CEO Michael Eisner, in 1996.
Ovitz had hardly worked a year as Disney's president when Eisner decided he wasn't the right
man for the job.
Increasingly, governance bodies are concerned that executive compensation does not reflect the
performance of the chief executive. While equity compensation is a means to address the agency
issue by tying the interests of owners and managers, the executives undeservedly also benefit
from the overall increase in market indices unrelated to the financial performance of the company.
In addition, severance pay and retirement benefits and a host of other fees paid to former
executives are not related to performance. While Sarbanes Oxley has not specifically mandated
any rule for compensation for executives, it does vest authority in compensation committees to
decide on executive pay consistent with the overall interest of the company.
For more information
“The Economics of Earnings Manipulation and Managerial Compensation”, Keith J. Crocker and Joel Slemrod, February 2005.
“Is There a Link between Executive Compensation and Accounting Fraud?”, Merle Erickson, Michelle Hanlon and Edward Maydew, February 2004.
Traditionally, the accounting profession has followed the principles laid down by Generally
Accepted Accounting Principles (GAAP) when it prepares the financial statements of a
company. GAAP, however, is not necessarily a means to present a representative or fair picture,
since it has several vague definitions of important terms like materiality. GAAP also creates room
for judgments on the treatment of special items, besides the scope it allows for estimates of a
variety of items.
Under U. S. GAAP, an item is considered material if it has the potential to influence the judgment
of a financial statement reader. Since the term material has not been rigorously defined, it is often
hard to pin down just when creative accounting has a material impact. Typically, auditors look at
quantitative measures; for example, an item that does not change net income by any more than a
tiny percentage is considered immaterial. Similarly, it is hard to tell the threshold for the
materiality of changes in the policies towards estimates.
The rising numbers of incidents of earnings management in the 1990s were indicative of the
significance that executives attached to the weaknesses in GAAP. The percentage of Industrial
companies reporting special items climbed from 48% in 1989 to 71% in 1998. Reports of special
items among Mid-Caps and Small-Caps moved from 31% to 53% and from 32% to 42%,
respectively. On average, among companies with positive earnings before special items,
68.4% of special items reported were negative. The corresponding statistic for companies with
negative earnings before special items was 82.9%.
SEC’s Accounting Bulletin No. 99, issued to clarify operative aspects of Sarbanes Oxley, requires
that accountants take both quantitative and qualitative considerations into account before making
a judgment on the materiality of an accounting policy. The facts “surrounding the circumstances”
and the “total mix” of information have to be assessed before coming to a decision, just as the
Supreme Court mandated in several landmark cases.
Sarbanes Oxley has significantly raised the stature of the audit committees and requires them to
have the competence, the independence and the knowledge to be capable of their fiduciary roles.
In the past, directors and audit committees were protected, by the business judgment rule, from
liability suits as long as they were taking decisions with due care, after evaluating all the material
information and in good faith and honest belief that they were acting in the best interests of the
company and its shareholders. Sarbanes Oxley has raised the standards which are required
before directors will be immune to lawsuits.
One recent case of use of an expanded set of standards for defense under the business
judgment rule is the suit filed by shareholders against the CEO of Oracle and some of its
Directors for insider trading. A group of Directors, members of a specially set up litigation
committee, investigated the matter and came to the conclusion that the accused did not have
access to non-public information for an insider trading charge to be valid. However, the
shareholders countered by pointing out that the Directors of the committee were not
independent: some of the committee members were professors at Stanford and some of the
defendants were donors to the University or professors. The courts were willing to use soft
criteria to judge whether the relationship could have biased their decisions.
At the same time, the audit committees have the means to act in better judgment. One important
requirement of the current corporate governance laws is that they should have a financial expert
capable of judging the quality of financial reporting by internal and external auditors. They are
also expected to confer with external experts to come to their decisions.
In addition, audit committees now have greater access to information which flows to them directly
without the mediation of the Chief Executive. A KPMG survey in the spring of 2002 found that
nearly 19.2% of them were not receiving critical accounting information, judgments and estimates
to ensure the quality of reporting. Following the Sarbanes Oxley Act, the audit committee is
expected to seek information on the business, legal and financial risks besides keeping abreast of
issues related to the competitive, regulatory and the economic environment of the company.
Fraud in corporate America is not exceptional as would seem from sound bites focused on Enron.
According to surveys of the Association of Certified Fraud Examiners (ACFE), fraudsters and
white-collar hackers caused the loss of 6% of the revenue earned by companies, or $600 billion, in 2002 ($2 million
for each company). Just how ineffective current controls are in
checking this fraud is indicated by the fact that an average scheme lasted 18 months before it
was detected, if at all.
The malfeasance in Enron could not have been exposed without the whistleblowers. A report by
the ACFE found that tips accounted for the highest share of fraud detected, i.e., 43% of all.
Additionally, tips accounted for 51% of the frauds committed by owners and executives. Yet, the
experience of whistleblowers in the past has been that they are not rewarded for the risks they
take; the more likely possibility is that they will be hounded for sticking their necks out. The Sarbanes
Oxley Act, together with related proposals from NASDAQ and the NYSE, requires that the audit
committee establish procedures for receiving and reviewing complaints submitted without an
ulterior motive in mind. Companies are also required to build confidence so that employees don’t
fear any retaliation should they decide to report untoward accounting methods.
Fraud is most frequently perpetrated by senior executives in a company. According to the Wall
Street Journal (July 8, 2002), 70% of corporate frauds involved the CEO. The losses incurred
were lower by a factor of nearly fifteen when an employee, rather than a senior executive of the company,
was involved. In the past, chief executives could override any dissent within a
company to escape the consequences of their crimes.
Sarbanes Oxley has strengthened the hands of audit committees within the boards to ensure that
any management override is reported. Fraud is also often reflected in unusual journal entries, often at
the time of close of accounts. The Sarbanes Oxley Act, under its Section 404, requires reporting on
control systems and their internal auditing so that shareholders know whether the company has
the processes to detect such fraudulent activities.
Internal Controls and Risk Management
Sarbanes Oxley implicitly goes beyond the traditional financial accounting at a given point of time
or at the end of the financial year by requiring that auditors examine both the internal controls
over financial reporting as well as financial reports for any material weaknesses. Since the tests
for the material weakness of financial statements can only be done over a period of time, they
end up scrutinizing the stability of the finances of companies over an extended period of time.
The Public Company Accounting Oversight Board spells this out in its Auditing Standard 2, which
requires company-wide operating effectiveness of controls. Operating effectiveness can only
be tested over a number of periods of time. The reconciliation of cash receipts, for example, would
be free from material weakness if the test is successful for a number of days or months. Similarly,
controls over debt management would not be complete unless the auditors also study the
controls over all the inter-connected departments of the company and the effect each of them
separately and all put together could have on the solvency or the financial health of the company.
The comprehensive examination of the controls and the exposure of the company to operating
risks has broken new ground, since it takes an integrated view of the exposure of the company to
risks. This is only a short step away from enterprise risk management systems.
SARBANES OXLEY: IS IT PERFORMING?
Costs and Benefits of Compliance
Sarbanes Oxley’s sweeping provisions greatly add to the costs of compliance without a doubt.
Most companies see compliance as a sunk cost yielding long-term benefits of credibility and
efficiency that will extend over many years. In addition, they expect that the costs of
compliance will decline as systems are put in place and companies learn to
automate their processes. Currently, many companies are unsure about the benefits they will
actually reap and the means to automate compliance in a situation where processes are hard to
According to widely quoted figures from Foley & Lardner, the cost of compliance for
companies with sales turnover of less than one billion dollars was about
$2.86 billion in financial year 2003, up from $2.12 billion in financial year 2002, and the
corresponding figure for companies with revenues in excess of $1 billion is $7.4 billion. The
major components of costs were Directors and Officers Insurance, lost productivity and
Figures have been presented in a variety of ways depending on how they are collected. Other
sources such as Parson Consulting indicate that 50 percent or more of overall corporate
governance cost revolves around process improvement, controls documentation, testing and
adapting controls to changing needs.
In more recent years, however, companies are also increasingly reporting benefits from their
investments in compliance with Sarbanes Oxley. In a survey of 200 financial executives by
Oversight Systems, 49% of them reported that the risk of fraud and errors has been reduced,
48% of them agree that their financial operations are now more efficient and 31% report lower
Furthermore, companies will be increasingly focused on lowering costs from automation of their
compliance processes. As many as 60% of them have plans to implement technology to
automate their manual processes.
Transformation of Board of Directors
A charismatic and omnipotent Chief Executive Officer has long been the hallmark of the American
corporate sector while the Directors on Boards of companies have been content to remain
passive. Sarbanes Oxley has significantly raised the profile of Directors and expects them to
provide alternative perspectives besides their monitoring role in companies. Eventually, directors
of companies are expected to contribute to strategy formulation, refine the culture of their
companies as well as manage strategic risks. Accounting problems, in the final analysis, are
caused by failures of strategy or the inability to read the early warnings of stress on corporations.
Directors have to be willing to analyze relevant information, suggest solutions and supervise the
implementation of strategies.
A prerequisite for a more active role for directors is the separation of the roles of Chairman
and Chief Executive, or the vesting of greater authority in the Board of Directors in some other form.
In a recent survey conducted by AT Kearney, it was found that 61% of the companies had a lead
or presiding director and 43% of them appointed them in the year before the survey in 2004. The
same survey also shows that the large majority of directors do not favor the separation of the role
of the Chairman and the Chief Executive Officer. The diminished role of Chief Executives is
evident from the fact that the Chairpersons of Committees are selected by the Boards in 50% of
the cases up from 24% in 2002.
Willingness to acquire knowledge of the financials of the company, as well as the competitive and
industrial environment of the company, would prepare the directors to participate in the decision
making process. In the past, they had neither direct access to the details of the financials of the
company nor the knowledge and interest to ensure the integrity of the reporting. Recent surveys
indicate that significant numbers of the members of the Board (66%) as well as their Audit
Committees (71%) are gaining understanding of the finances of their companies and knowledge
of their internal controls, which they need in order to understand the many nuances of chicanery in
accounting methods. The internal auditors of companies are also reporting directly to the Audit
committees. The intended objective of Sarbanes Oxley to increase the independence of Boards
of Directors of companies, with commensurate access to information and responsibility for the
outcomes in companies, is being achieved.
Boards still have to make a great deal of progress before they can contribute to the performance
of companies and shareholder value. They are still pre-occupied with ensuring the compliance of
their companies with the existing regulations (74% report active involvement) while 32% report
active involvement in improving the performance of companies. The Boards of Directors rate their
effectiveness in examining problems and monitoring financials as relatively high, at 49% and 43%
respectively, while the corresponding figures for guiding strategies and managing risks were 21%
and 16%. The achievement of this objective will depend greatly on the availability of relevant
information about the company in real time.
Independence of External Auditors
External auditors now need to exercise independent judgment when they review their clients' accounts and attest to management's assessment of internal controls, in order to remain registered with the Public Company Accounting Oversight Board. There is also evidence that they are beginning to prevail. Instead of browbeating their external auditors, or dismissing them in the event of a dispute over material weaknesses or disclosures, managements are learning to be more constructive and to disclose their plans to improve their processes, or else face the prospect of a drastic decline in their share price.
A recent case of increasing auditor independence was revealed at Molex, the Chicago-area electronics maker. The company's auditor, Deloitte & Touche, quit when Molex's CEO and chief financial officer refused to reflect an accounting error worth 1% of net income in the audited results, and were supported in that refusal by their board. The firm then filed a trenchant account of the incident with the SEC. That sent a signal to other auditors, who would not have worked for Molex as long as the CEO concerned remained in place. The directors reversed their decision and ousted the CEO.
Quality of Financial Reporting
Financial statements such as the balance sheet and the income statement have long been amenable to manipulation, euphemistically known as creative accounting. These statements report the financial position of a company for a given year, while the accounting for revenues and expenses that extend beyond the year is subject to a variety of special rules. Revenue from construction contracts, for example, can be recognized by the percentage-of-completion method or by the completed-contract method. The percentage-of-completion method is prone to subjective interpretation, while the completed-contract method can present an overly positive picture of a company in the year in which a contract is fully completed and all of its revenue is recognized at once. Misrepresentation of companies' financial position has grown as emerging industries such as software and telecom, and new business models involving off-balance-sheet financing, have appeared. In addition, pro-forma statements became a regular feature of company press releases in the 1990s and a means of deception. Pro-forma statements exclude one-time expenses, such as goodwill charges or inventory write-offs, and focus attention on cash flows, which are widely seen as a measure of a company's health. Over time, companies found them a convenient way to distract attention from their long-term liabilities.
Recent surveys indicate substantial improvement in oversight of the most frequently manipulated aspects of accounting (mean response of 46%), such as revenue recognition, closing entries and estimates (62%) and accounting estimates (46%).
Redesign of Business Processes
Sarbanes Oxley calls for real-time reporting of material facts about the financial health of the company, going beyond the quarterly and annual reporting that has been the norm in corporate America so far. Increasingly, companies are under pressure to accelerate the flow of information and to improve its quality and accessibility in order to keep pace with the reporting requirements of Sarbanes Oxley. A recent Ventana study found that 80% of executives agreed that fundamental process and financial system design is important or very important for compliance. Executives also identified "harmonizing the company's charts of accounts" and "reducing spreadsheet use" as important goals. A harmonized chart of accounts across the company facilitates consolidation and consistency of data and of its reporting, besides simplifying the external audit process. Routine processes such as accounts payable are otherwise accounted for in a variety of ways, which contributes to inconsistency in the data.
Sarbanes Oxley requires that the audit trail be documented, but this is hard to achieve when financial processes are typically spread over numerous spreadsheets, hosted on a variety of IT systems, that are hard to audit and replete with flawed formulas. In a survey conducted by IDC jointly with Revenue Recognition Magazine (a unit of CFO.com), 63 percent of respondents said that spreadsheets are prone to errors, 58 percent cited the lack of an audit trail and 56 percent said they lacked internal controls. It is also hard to build controls that ensure quality in the preparation of spreadsheets, which can conceal fraudulent schemes. Enforcing separation of duties over such spreadsheets would require a disproportionate auditing effort.
The shorter reporting intervals mandated by Sarbanes Oxley require companies to streamline individual processes such as the cycle time for the financial close, procure-to-pay and the order-to-
Business Intelligence systems are expected to achieve the goals of consolidating data, improving its quality and reporting it rapidly.
Awareness of Risk
Sarbanes Oxley's focus on instituting controls over the finances and operations of companies has made those companies transparent to their own managements. The detailed and ongoing monitoring of these controls also deepens knowledge of the risks the controls are meant to mitigate. Since Sarbanes Oxley requires reporting on both financial and operating risks, companies now have the ability to analyze their financial performance in the light of what they know about their operations. For example, theft in retail chains is endemic and can have a deleterious effect on financial performance. Auditing the controls would reveal how store managers try to stem losses from theft and the problems they face in doing so. Information about theft incidents is then available not only to store managers but also to senior management and the board of directors, who can consider means to lower the losses, whether by buying insurance, reinforcing security or using video surveillance as a deterrent.
Greater awareness of risk within the enterprise paves the way for using analytical methods to find its causes and to devise strategies to overcome it. For example, store managers have to decide how much inventory to stock, and if they get it wrong the company is likely to suffer losses. The sharing of information within the company that Sarbanes Oxley enables lets senior management bring analytics to bear, such as the impact of economic, demographic and competitive factors on sales, to make better stocking decisions.
In the past, individual departments such as marketing or operations assessed their own risks and very rarely shared them with others. Sarbanes Oxley has put in place an institutional process in which the risks affecting all departments can be gathered and analyzed in all their interdependence. Companies can now look at their business, financial and operational risks together and understand how they interact. Having a measure of the risk associated with their strategies, they can decide how much risk they are willing to undertake.
Performance Metrics and Financial Performance
In the aftermath of Sarbanes Oxley, boards and shareholders have been increasingly concerned about transparency in measures of performance and their predictive value. According to a survey by the BPM Forum, 82% of board members felt that performance data was becoming more important in their discussions. Financial earnings have been the most used, and most abused, measure of performance, and often fail to present a consistent picture of what a company has achieved. Non-financial data, seen together with the financial data, is likely to forewarn investors of latent problems. Trends in customer satisfaction are one such measure that investors could use to predict future financial performance. In the early 1990s, for example, Apple was a famously successful company, much admired for the quality of its products; customer satisfaction data would have revealed that consumers were increasingly dissatisfied with its pricing. As many as 91% of respondents to the BPM survey indicated that companies do not have the operational data required to predict financial health and performance.
Pemstar, a manufacturer of printed circuit boards, realized that it would need to monitor both financial and operating parameters to comply with Sarbanes Oxley. It has deployed a data warehouse and analytical software that draws on operational data from its ERP system. Senior executives can now read the operating metrics on their desktops, understand the financial implications of an unexpected turn of events and report them.
INFORMATION MANAGEMENT AND THE FUTURE OF SARBANES OXLEY
Managing Risks Across the Enterprise
Corporations are rethinking their strategies for managing risk in order to comply effectively with the Sarbanes Oxley Act. Increasingly, companies are implementing Enterprise Risk Management systems and appointing Chief Risk Officers to govern their risk strategies across the enterprise. Companies no longer want to be taken by surprise and incur losses when unexpected events strike. They now realize that their ability to manage risk depends on anticipating risks, detecting them more effectively by examining them in all their interdependence, and fortifying their systems to withstand shocks. Some of the more sophisticated corporations, such as Microsoft and Boeing, implemented such systems in the past, independently of regulatory policy, while other companies are following in their footsteps under pressure from new rules such as Sarbanes Oxley and Basel II. A recent survey indicates that 50% of financial executives believe they integrate their SOX compliance with Enterprise Risk Management. This best practice has been spelled out in detail in the seminal document on the subject from the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
The conceptual breakthrough that undergirds the new approach to risk management is the realization that business risk, financial risk and operational risk feed on each other and compound the impact of any one type of shock to a company. Operational risk, such as fraud within the company, can create a liquidity crisis. Similarly, business risk, such as loss of intellectual property through the outsourcing of business processes overseas, could lead to bankruptcy. The vulnerability of companies has increased with their growing reliance on sophisticated financial instruments, an extended enterprise and information technology.
Increasingly, companies realize that they need to create a culture in which employees at all levels respond to previously unnoticed sources of risk in any corner of the enterprise and communicate them to the rest of the organization. This is facilitated by enterprise risk dashboards, which help to communicate potential threats to the company and galvanize the organization to react rapidly before a crisis gets out of control.
An example of enterprise-wide risk management is TriQuint Semiconductor Inc., a Hillsboro, Ore.-based supplier of communications components and modules. As part of its compliance effort, TriQuint is conducting a risk assessment of all the business processes that affect its balance sheet and income statement. That evaluation is helping the company uncover latent risk across all five of its divisions. TriQuint's combined Sarbanes-Oxley and ERM efforts have also given it insight into the risks in the businesses it acquires. Mergers typically fail when the cultures of two companies clash; TriQuint has made several acquisitions in recent years, some with operations outside the United States, and has been able to identify and discuss the risks those acquisitions face, including exposures related to their specific cultural and regulatory environments.
Streamlining business processes
Many companies complain about the high cost of compliance with Sarbanes Oxley, while others are using the opportunity to raise the efficiency of their business processes. The thorough investigation of processes that compliance now makes possible would otherwise have been stymied by turf battles. One distinctive case of remarkable improvement in business processes is Owens Corning, which used the opportunity to review and reorganize business processes in all of its 115 plants around the world. The company's managers decomposed its income statement, balance sheet and disclosures into 16 business cycles (e.g., the order-to-cash cycle) and vested ownership of each in a project manager responsible for designing its internal controls. Executives identified the best control design for each process among all their plants and decided to implement it in the rest.
Business Intelligence Systems
Business Intelligence software is the technology of choice for going beyond the Ken Lay defense: "That wasn't my responsibility -- it was the fault of internal audit, the external auditor or the accounting department." The message from Sarbanes Oxley is "The buck stops here, period." CEOs and CFOs have to find a way to be aware of every beat of the pulse of business activity in their company even while they are absorbed in strategic management. Companies agonize over the potential of compliance to add several layers of bureaucracy and slow down decision making. The smarter companies, on the other hand, are integrating their business intelligence systems with their compliance systems to monitor activity without being intrusive. For example, fraud can be monitored by keeping track of unusual or suspicious transactional activity. Auditors can then focus their attention on the transactions that are most likely to
Automation of compliance has also yielded the unintended benefit of uncovering information that had been scattered across myriad Excel sheets and other formats. The thoroughgoing review of controls and procedures has enabled companies to unearth that information and begin to analyze it for strategic planning. One case is Crown Media, which decided to load all of its Excel spreadsheets into new compliance and business intelligence software. The software can also set up processes for monitoring each financial transaction: if a transaction is conducted by an unauthorized person, or without the approval of the person assigned to approve it, the program triggers a warning.
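The transaction-monitoring controls just described (was the transaction conducted by someone authorized to prepare it, was it approved by an assigned person, did the same person prepare and approve it) and the audit-trail requirement discussed under "Redesign of Business Processes" can be sketched in a few dozen lines. The following is an added example written for this page; it is not Crown Media's software or any vendor's product, and the processes, roles, user names, approval threshold and sample transactions are all constructed assumptions. The audit log hash-chains each record to the previous one so that a spreadsheet-style silent edit of an earlier entry is detectable, which is exactly the property the survey respondents said their spreadsheets lacked.

```python
"""Transaction control monitor: preparer authorization, approval above a threshold,
segregation of duties, and a hash-chained audit trail. Added example for this page;
processes, roles, users, thresholds and sample transactions are all assumed."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Tuple

# Assumed control matrix: who may prepare / approve each process, and the amount
# above which a second person's approval is mandatory (0.0 = always).
PROCESS_CONTROLS = {
    "accounts_payable": {"preparers": {"ap_clerk"},
                         "approvers": {"ap_manager", "controller"}, "threshold": 10_000.0},
    "journal_entry": {"preparers": {"staff_accountant"},
                      "approvers": {"controller"}, "threshold": 0.0},
}
# Assumed user directory: user -> role.
USERS = {"alice": "ap_clerk", "bob": "ap_manager", "carol": "controller",
         "dave": "staff_accountant", "eve": "sales_rep"}


@dataclass
class Transaction:
    txn_id: str
    process: str
    amount: float
    prepared_by: str
    approved_by: Optional[str] = None


def check_transaction(txn: Transaction) -> List[str]:
    """Return the control violations for one transaction (empty list = clean)."""
    ctl = PROCESS_CONTROLS.get(txn.process)
    if ctl is None:
        return [f"{txn.txn_id}: unknown process {txn.process!r}"]
    warnings: List[str] = []
    # 1. Conducted by someone authorized to prepare this kind of transaction?
    if USERS.get(txn.prepared_by) not in ctl["preparers"]:
        warnings.append(f"{txn.txn_id}: {txn.prepared_by} not authorized to prepare {txn.process}")
    # 2. Above the threshold an assigned approver must sign off, and the approver
    #    must not be the preparer (segregation of duties).
    if txn.amount > ctl["threshold"]:
        if txn.approved_by is None:
            warnings.append(f"{txn.txn_id}: amount {txn.amount:.2f} requires approval, none recorded")
        else:
            if USERS.get(txn.approved_by) not in ctl["approvers"]:
                warnings.append(f"{txn.txn_id}: {txn.approved_by} is not an assigned approver")
            if txn.approved_by == txn.prepared_by:
                warnings.append(f"{txn.txn_id}: segregation of duties violated (self-approval)")
    return warnings


class AuditLog:
    """Append-only log; each record commits to the previous record's hash, so
    editing or deleting an earlier record is detectable by verify()."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: List[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, txn: Transaction, warnings: List[str]) -> str:
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        body = {"txn": asdict(txn), "warnings": warnings, "prev": prev}
        self.records.append(dict(body, hash=self._digest(body)))
        return self.records[-1]["hash"]

    def verify(self) -> bool:
        """Recompute every hash and check the chain links; False if tampered."""
        prev = self.GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def run_monitor(txns: List[Transaction]) -> Tuple[AuditLog, Dict[str, List[str]]]:
    """Check every transaction, log each one (clean or not), return the flagged ones."""
    log, flagged = AuditLog(), {}
    for txn in txns:
        warnings = check_transaction(txn)
        log.append(txn, warnings)
        if warnings:
            flagged[txn.txn_id] = warnings
    return log, flagged


# Constructed sample transactions (not real data).
SAMPLE_TRANSACTIONS = [
    Transaction("T1", "accounts_payable", 4_200.0, "alice"),          # below threshold
    Transaction("T2", "accounts_payable", 25_000.0, "alice", "bob"),  # properly approved
    Transaction("T3", "accounts_payable", 25_000.0, "alice"),         # approval missing
    Transaction("T4", "accounts_payable", 3_000.0, "eve"),            # unauthorized preparer
    Transaction("T5", "journal_entry", 500.0, "dave", "dave"),        # self-approval
    Transaction("T6", "journal_entry", 500.0, "dave", "carol"),       # clean
]

if __name__ == "__main__":
    log, flagged = run_monitor(SAMPLE_TRANSACTIONS)
    for warning in (w for ws in flagged.values() for w in ws):
        print("WARNING", warning)
    print("audit trail intact:", log.verify())
```

Two design points matter for the page's argument. Clean transactions are logged as well as flagged ones, because an audit trail that only records exceptions cannot show an auditor that a control was actually exercised on every transaction. And the role lookup is against a directory the monitor trusts rather than a field in the transaction itself; if the preparer's role were self-reported in the record, the "unauthorized person" check would be trivially bypassed.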
Crown Media is realizing a benefit from this investment that it had not expected at the outset. The new software has made company data available throughout the company and accessible from anywhere within it. Data on advertising contracts is no longer buried in a spreadsheet in some obscure corner of the company. This has enabled Crown Media to run marketing campaigns that involve sales and other operations and to realize business benefits that are generally available only to its larger competitors.
The appetite for new compliance technology varies across companies, and until recently most were unwilling to take the plunge and preferred to adapt their existing content management infrastructure for compliance purposes. Lately, however, companies have shown much greater interest in integrating their internal controls with enterprise management systems, as they realize that they can recoup their investment in processes by reaping the benefits of better risk
The more significant benefits of information sharing will be realized when company management, including the board of directors, is able to use the information from dashboards to guide the destiny of the company. According to the AT Kearney survey cited above, the barrier to their effectiveness that directors cited most often was the lack of tools and processes providing early-warning signs (41%), followed by the lack of adequate and relevant information for their needs (22%) and board culture close behind (21%). An overwhelming majority still rely on management presentations (90%), while only 6% use dashboards. Most directors expressed dissatisfaction with their current sources of information and would prefer forward-looking information with detailed performance data, such as shifts in repeat customers, demographics and customer segments, and sales performance, all of which is more readily available from dashboards.
Chief Risk Officer
Companies are finding it increasingly burdensome to comply with all-pervasive compliance requirements as they are required to monitor operating risks. Chief Risk Officers (CROs) are symptomatic of the transition towards enterprise risk management systems and an increasingly strategic perspective on regulatory compliance. According to a survey conducted by the Economist Intelligence Unit, 45 per cent of the companies interviewed had already appointed a CRO or equivalent, predominantly in the financial services sector. In other industries, one company in four is planning to appoint a CRO. The Chief Risk Officer has become the point person who takes on the onus for all compliance with the regulations of Sarbanes Oxley.
Chief Risk Officers are taking on the all-important role of managing enterprise-wide risks. In a survey of the insurance industry, 39% of respondents said that chief risk officers have primary responsibility for risk management, up from 19% in 2002, and 40% of chief risk officers now report to the CEO, an increase from 26% in 2002.
The growing importance of Chief Risk Officers reflects the need for a new breed of finance employees with a forte in strategic financial planning. According to a survey reported by CFO magazine, 79 percent of respondents chose "strategic financial thinking" as one of the top three qualities they would value in a new CFO. This contrasts with the qualities of a traditional finance executive, such as "champion of financial transparency" (36 percent), "zero tolerance toward accounting errors and fraud" (34 percent) and "operational experience running parts of the business" (30 percent).