Managing the Risks of the Sarbanes-Oxley 404 Project
Enron, Worldcom, and Tyco are just a few of the companies that have found themselves in the headlines in the last few years. These corporations and others had taken finance to whole new levels that resulted in a breakdown of internal controls. Fraud and financial abuse were quite blatant in many cases, resulting in a decline in investor confidence and, subsequently, in stock values.
To deal with this rampant and flagrant decline in internal controls, US Congress passed the Sarbanes-Oxley (SOx) Act. Like the circumstances that contributed to the existence of the legislation, projects focused on compliance are fraught with many risks.
Scope of SOx
The SOx legislation is divided into several sections. These sections cover the roles and responsibilities of a corporation’s audit committee and executive management, the relationship of audit and non-audit services of external audit firms, quarterly and annual certification, and reporting of questionable financial transactions.
Section 404 is perhaps the most work intensive section of the act. It requires that at the end of each year that the Chief Executive Officer (CEO) and Chief Financial Officer (CFO) and the external auditing firm certify and attest, respectively, the adequacy of the controls of the corporation that is to be reflected in the annual report. It also requires establishing and maintaining an internal control structure.
As one would suspect the SOx legislation requires considerable upfront work to get to the point of certification and attestation for the first time and annually thereafter. Each year a project must be executed to comply with this legislation, not an easy task because such a project is fraught with many risks and severe consequences.
A SOx project has some major goals to achieve. These goals are not necessarily quantifiable but have quantifiable results if not achieved.
Maintain and even improve investor confidence is a major goal and perhaps the most important. If management cannot attest to the reliability of controls and the external auditor cannot satisfy them, investors will be less inclined to invest in a corporation.
The above goal can lead to achievement of another one: maintaining or even improving stock value. If this goal is not achieved the demand for a stock, due to a lack of confidence, will decline, impacting stock value.
Prevention of legal action can be another risk. If investors even perceive that a corporation has failed to exercise due diligence regarding internal controls, they may use any significant decline in stock value as grounds for legal action.
Management and the external auditors must be able to attest and certify, respectively, the validity of controls is a major goal. After developing documentation and testing controls reveals material weaknesses and cannot be fixed in time, then the other risks mentioned can quickly fall into place.
In the end, management must achieve these goals. They must determine the risks that threaten to achieve them. The number and degree of risks and the accompanying controls are determined by the scope of the SOx project.
It is imperative, therefore, that corporations managed their projects to comply with Section 404 efficiently and effectively if they hope to avoid the costs projected earlier and meet the deadline of December 31, 2004. This is no easy accomplishment because of the monumental challenges that they face. The larger and more geographically spread a corporation the challenges increase in scale and number.
Challenge: mental models. Most people do not think from a controls perspective and do not consciously think about them during their daily activities. This mental circumstance gets even more challenging when people must also be knowledgeable about other models and methodologies, e.g., ISO 9000, Capability Maturity Model, Committee on Sponsoring Organizations (COSO) Model, and Generally Accepted Accounting Practices (GAAP). A shift in mental models, what Peter Senge calls metanoia, is necessary. Such shifts do not come easily, however, and occurs usually after a significant event. Hence, taking on this challenge requires overcoming learning curves, sharing information, and having patience. Unfortunately, the tight SOx deadline provides little opportunity to deal with such matters with aplomb.
Challenge: Unprecedented. While this may not initially seem people oriented, a little thought reveals otherwise. Most people prefer the familiar and enjoy working with “proven” approaches. SOx, however, is not proven and corporations are still developing their approach to suit their unique environment and satisfy the Feds. This situation can lead to rework and exploration, something for some people to handle; the routine that often accompanies their normal work is nonexistent. Dealing with this challenge becomes further complicated because few people see compliance as a reward, e.g., positive re-enforcement, and more as a potential punishment for failure, e.g., negative re-enforcement. Furthermore, regulatory requirements, albeit getting clearer, remain vague, leaving for rework as rulings evolve from PCAOB.
Challenge: Many stakeholders. For a SOx project to succeed many different categories of people must participate for a good reason. Successfully executing controls often cuts across multiple organizations and involves many processes. Naturally, this breadth touches many people and organizations. Affected internal stakeholders include executives, management, professionals who are involved in accounting, finance, law, audit, security, governance, and procurement. Affected external stakeholders include consultants who provide support to comply with SOx and external auditors who provide guidance and eventual certification on the effectiveness of internal controls.
Challenge: Changing business environment. Nothing remains static for a public corporation, internally or externally. Market forces coupled with political and social ones create an environment that requires flexibility, adaptation, and risk tolerance. For corporations and people used to stability this situation can wreak havoc on psyche and operations. SOx, being an unstable regulatory requirement and moving many corporations into a new realm, makes adaptation to change very challenging, especially when the regulatory requirements are vague and changing.
Challenge: Lack of commitment. As mentioned earlier, many people view SOx in terms of negative re-enforcement, that is, failure to comply will result in severe penalties Failure to attest and certify controls, relating to accountability, responsibility, authority, and disclosure can have, indeed, a devastating market impact by causing a dramatic drop in stock value. For many people, however, attestation and certification are akin to death and life insurance; they are abstractions that cannot be readily understood and appreciated until the moment of truth approaches. Also, many people view SOx as a consequence of bad actions on the part of executives with other firms, e.g., Tyco, and really does not have relevance to them.
Challenge: A potentially unrealistic end date. The December 2004 due date is already a slid date by PCAOB; the original one was in June 2003. There is hope that the current end date will slide but the evidence suggests otherwise. This false hope makes establishing a reliable schedule very difficult. If a corporation does develop a schedule and works towards achieving significant milestones, the end dates may change again, resulting in re-planning and, worse, causing a lull in the project causes a loss in momentum.
Challenge: Complexity of the organizational structure. An organizational structure often reflects a corporation’s history and culture as well as its response to market conditions. The larger the corporation in terms of geography and people and its longevity the more difficult it will be to gain agreement to even a high level schedule. SOx is extremely challenging in this regard because it involves inter-business, multi-disciplinary, and cross-functional stakeholders, each with different interests and perspectives.
Challenge: Rework. Because PCAOB’s direction on SOx continues to evolve in the midst of a tight deadline, rework is inevitable. Redefining scope as well as deleting and adding content in documentation will likely occur. Naturally, this circumstance can cause “stop and go” behavior and increase the learning curve. An additional effect is the difficulty in determining whether to hire additional people.
Challenge: Tools. Eventually, all the documentation related to SOx must be considered “final” after certification and updated periodically. Unfortunately, automated tools are gradually being released; their number is limited and the existing ones require extensive training. Whatever tool is adopted it will also likely require modifying it to suit the unique needs and requirements of a corporation. Such modifications take time and are frequently complex. Under a tight deadline and evolving requirements, this challenge can become seemingly insurmountable.
Challenge: fear of auditing and auditors. Most employees perceive auditing and auditors as threatening. As internal and external auditors get increasingly involved, people’s guard rises, thinking that the review of compliance with SOx requirements will likely expose control weaknesses that, in turn, reflect poorly on their organization and themselves. This situation becomes acute where historically auditing has been viewed with suspicion. People become reluctant to share information and tend to not accept responsibility for the effectiveness of controls that do, or should have, existed.
Challenge: Disparate information systems. This challenge is especially directed towards IT, especially in large corporations where legacy systems tend to have a life of their own. Some of these systems may lack adequate controls because plans in the past were made to retire these systems, though not necessarily before the end of December 2004. As a result, documentation and knowledge about the system may be incomplete, thereby making it difficult to answer SOx queries. Coupled with people having more advanced skills working on more state-of-the-art systems, this circumstance makes it extremely difficult to document SOx requirements due to the shortage of people having the requisite knowledge about these systems.