The Sarbanes-Oxley Act was passed by the US Congress in 2002 to reform the accounting procedures used by publicly traded companies and to protect investors from any misstatement of earnings, which, in a worst-case scenario, could leave a company worthless. Since the Act came into effect at the end of 2004, most attention has been paid to Section 404, which requires that management establish adequate internal controls and report annually on their effectiveness, while auditors report on management’s assessment process, the accuracy of management’s conclusions, and the company’s internal controls. The first year under Section 404 was a learning process for everyone: auditors, companies, and regulators. Compliance activities began by:
- Creating a library and organization structure – The definition of critical financial accounts, processes, and related risks and controls in conjunction with auditors.
- Documenting processes – On average, companies spent 25 per cent of their total Section 404 resource time in the first year documenting their internal controls. Standard templates or formats simplified the process.
- Assessing internal controls – Companies determined if controls were in place to mitigate risks. The Institute of Internal Auditors (IIA) estimates that 10-15 per cent of compliance costs were spent on learning new tasks and concepts, such as the definition of legally acceptable controls. In the rush to meet the audit deadline, many companies put more controls in place than they really needed, and most of them were manual controls. Non-US companies should learn from these understandable errors. Audit firms erred on the side of caution too by testing everything in the first year. On the corporate side, significant resources were allocated to test the design and operating effectiveness of controls. Manual controls required more testing than automated controls, which, in large part, is why companies are focusing on automating controls in year two.
- Documenting findings and remediating the controls – First year Section 404 costs were more than forecast due to the learning curve experienced by all parties and the large amount of resources required to complete first year activities, such as documentation, training, and remediation. Companies spent, on average, 15 per cent of their total 404 first year resource time on remediation efforts. An average of 35,000 hours was spent on compliance, equating to an industry-wide cost of over $4.4bn by March of 2005. These high costs have resulted in the issuance of new guidance for auditors.
Lessons Learned
The Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) issued guidance for internal auditors and their external counterparts that encouraged them to focus on corporations’ most critical internal controls while integrating this work with financial reporting. Outside auditors should work from the top down to determine what areas are critical, rather than spending time looking at low-level controls that aren’t that important. To further streamline the process, auditors – when it is appropriate – should rely on control assessments performed by the company.
Lessons learned in the first year include avoiding unnecessary documentation and testing; determining which controls are really necessary; and pushing back on auditors who have a ‘better to be safe than sorry’ mentality.
Companies also found it helpful to establish a program office to coordinate cross-functional activities (finance, IT, compliance). Additionally, many companies will have more time and resources to automate key controls in year two, when two-thirds of companies, according to CFO Research Services, indicated that automating compliance and control of the environment is a priority. The biggest long-term gain from automation will come from embedding automated controls that focus on prevention over detection throughout cross-enterprise business processes.
Finally, many of the largest companies are decentralizing responsibility for different aspects of the Act. Pushing down the accountability enables business process owners to identify process improvements and key areas of risk.
Oracle has learned these lessons and others from its own Sarbanes-Oxley compliance implementation. We were the second company to gain certification of compliance, and our experience has been applied to the development of products that we used throughout the implementation. For most companies, compliance has meant forcing internal systems to create the audit trail and data verification unnaturally. This sub-optimal approach has failed to make the core infrastructure of the institution more responsive to inevitable regulatory updates and additions. Without fundamental changes to compliance infrastructures, shortcomings in business information processes and corporate reporting are becoming more apparent. Corporations must examine how their IT infrastructure impacts their overall business. Prior to Section 404, Oracle had many of the components necessary for good business practices and controls: data availability, integrity, security, business processes with integrated controls, and performance management and reporting. After all, Oracle’s first products were in the area of databases, delivering data warehousing, system management, data quality management tools, backup and recovery, and storage – along with a single, master source of data. Thus, we had a strong foundation on which to build analysis and data reporting for regulatory compliance. Security management is the next critical layer in achieving Sarbanes-Oxley compliance, while enterprise content management, which encompasses records management, legal discovery, and change management, is also important. In addition, business processes and controls are critical to compliance. A key part of Section 404 focuses on analyzing and documenting business processes.
Utilizing two of the newer technologies, Business Process Execution Language (BPEL) and Business Activity Monitoring (BAM), a financial institution can implement automation for business process flows, while also automating development, documentation, the transactions themselves, and integration and monitoring. Oracle has adopted the BPEL standard, and it will be a key part of the next-generation service-oriented architecture (SOA). As we get closer to the top of the compliance stack, we add risk and learning management. Being in compliance requires communication to employees and training. Learning management standardizes that training and automates the process of ensuring that all employees have successfully completed required compliance training. Oracle requires all employees to access and complete the automated compliance training on a regular basis. Risk management must be performed across all types of risk – credit, market, legal and operational risk. We believe that if a financial institution adopts and practices good performance management, then compliance with various regulatory directives can be completed more rapidly, error rates will be dramatically reduced, and overall management of the institution will be greatly simplified. Understanding costs at the activity level, equating them to profitability, and then planning resource utilization based on those insights improves management at all levels of the corporation. Additionally, customer satisfaction is improved when customers believe that a vendor understands its costs well enough to base prices on clear knowledge of costs and desired margins.