(taken from the July/August 2006 issue of On Balance magazine)
Lessons of Sox
By Donna Pinsoneault
Did Michael Oxley and Paul Sarbanes understand the
ramifications of the legislation they championed? Carl L. Zaar, CPA
doesn’t think so. "They were well-intentioned," said Zaar, corporate
internal audit manager for The Marcus Corp., "but they could not
really know what was going to happen."
Complying with the
Sarbanes-Oxley Act (SOX) of 2002 has been an adventure, Zaar said. The
first challenge was finding adequate time and resources to study and
implement requirements. Originally, legislators expected public
companies to spend 75 to 100 hours complying with SOX, but Zaar
estimated that some companies invested more than 10,000 hours to meet
the 2005 deadline.
Ladish Co. Inc. faced such a time and cost crunch as a result of unexpected good news. "We were not planning that we would have to be compliant as soon as we ultimately had to be," said James P. Miller, CPA, corporate controller at Ladish. "At mid-year, our stock price rose to a level that made us an accelerated filer. That threw us for a curve because we weren’t sure how the mid-year change would affect our status for year-end 2004."
Miller had already initiated
the SOX implementation process, but internal resources were heavily
strained. "SOX requires a lot of documentation," he said. "By the
early 1990s, computerized, integrated systems replaced the old methods
of documenting by hand and Ladish no longer had an internal audit
department. Most of the procedures were set in the software, so the
software became the manual and the control."
To make the situation more
challenging, the company’s external auditors were unable to provide
assistance. "Standards were such that they could not counsel their
clients on compliance or on how management was going to assess risk
and document," Miller said. "It was truly hands-off from our auditor."
Many companies turned to
outsourcing. In the first phase, Ladish formed a disclosure committee,
resurrected a hotline number for callers who suspected wrongdoings,
surveyed top-level managers to evaluate controls and identify areas of
weakness, and consulted Grant Thornton for testing and guidance on
documentation.
Ladish brought most processes
back in-house the following year by forming an internal audit task
force made up of resident MBAs from outside the finance department who
were educated to work with various process owners and as testers.
The Marcus Corp. also turned
to outsourcing at first but, by doing the majority of the work himself
during the second year, Zaar has scaled costs back by nearly 90
percent.
"The first year was like going
out on a first date where the PCAOB, external auditors, consultants
and internal management had little experience to draw on," he said.
"Now it’s as if we have been going together for a year. Guidance and
auditing pronouncements are clear and we all understand what has to be
done to attain the end result."
IT challenge
SOX poses significant
information technology challenges. "We often find there is a lack of
awareness, adequate IT controls, or understanding of what needs to be
done," said Paul Rozek, director of technology risk management
services at Jefferson Wells.
Rozek’s team may be called in
to help an organization build IT SOX documentation, identify IT risks
and controls, develop and execute test scripts, summarize control
exceptions or make recommendations to management. As organizations
move into successive years, Jefferson Wells might help update
documentation, independent reviews and control tests, or help with
remediation. Sometimes clients call for advisory service when they
need tweaking of their documentation or to verify that they have gone
to the right level of depth.
Rozek relies on templates from
the IT Governance Institute (www.itgi.org),
Common Objectives for Information and Related Technologies (CobiT),
and relevant materials from the Information Systems Audit and Control
Association (www.isaca.org). He
suggested keeping journals that track the use of back-up tapes to add
credibility and ensure back-up integrity.
"What’s really important is to
get buy-in from the organization’s external auditors," he said.
Miller believes IT will become
an even bigger component of SOX compliance, especially when companies
make use of all the controls that are already available with their
software packages. Ladish uses an integrated software system to run
the business and provide financial reporting. The system makes it
easier for testing, but it also opens the general ledger to many more
people in the plant.
"They may not realize it but
the personnel in shipping and receiving are actually making
transactions in the general ledger," Miller said.
Making SOX work
Although Sarbanes-Oxley
changed board, audit committee and management procedures,
methodologies have not changed significantly, Zaar said. The
difference is that now companies must document what they have been
doing, especially if any material changes occur.
Zaar developed a quarterly
testing plan to ensure that enough transactions are tested to satisfy
SOX requirements for a full year. By testing a certain number of
transactions each quarter, the company is able to ensure that controls
are operating as intended. Remediation of any control deficiencies can
be performed in a timely manner.
"We communicate on a daily
basis," Zaar said. "If we find any control weaknesses, we’re on top of
it right away and a remediation plan is developed to ensure that the
proper control is established."
Rozek hesitated to use the
term "best practices" for implementing Sarbanes-Oxley because what is
right for one company may not benefit another. He does believe
companies will make use of IT control frameworks in the future and
involve IT in risk assessment and management.
"What’s really important is
that organizations be consistent from year to year," he said. "If
something happens once a week, once a month or once a quarter, they
can easily go back and identify for people testing the operational
effectiveness if their controls are working over time. Having hard
copy or electronic filing systems in proper order to support that
evidence is very important."
Miller recommended narrowing
the focus and developing ownership within each of the processes to
coordinate the planning of test activities and selection of sample
items.
"We started with 15 or 16
processes and narrowed them down to seven," he said. "For each of the
key processes we’ve designated a process owner to manage compliance
activity throughout the year. The number of ‘key’ controls identified
within these processes will impact the cost of compliance.
Deficiencies found will also increase the work and cost required."
Miller also recommended
preparing audit work papers to reconcile key account balances
developed by the system. "You can’t just trust the system to give you
an accurate report," he said. "The financial reporting closing cycle
needs to be managed and monitored like a project in itself to reduce
the chance for reporting errors. This is most likely one of the last
points before public release."
Accepting SOX has been hard
for everyone, Zaar said, because responsibility has been pushed
through the entire organization. "It’s ‘old dogs, new tricks,’" he
said. "We have a good control environment; we have responsible people.
You tell the ‘old dogs’ to continue to do what they have always been
doing. Your ‘new tricks’ are to ensure everything is signed and dated
showing that someone has taken responsibility to make sure the
document you have is accurate. Although time-consuming, if you have
good controls, SOX is a non-event from a reporting standpoint."
Donna Pinsoneault is senior public relations executive at Emerald Isle Marketing Public Relations. She is a feature writer, researcher and strategist. She can be reached at donna@emeraldislepr.com or (262) 780-0841 ext. 180.