In the past, headaches were the norm for public companies implementing Sarbanes-Oxley. Now they’re glad they did.
Since the dawn of Sarbanes-Oxley (SOX) in 2002, corporate governance, or more specifically the mandated method to achieve strong corporate governance, has been under fire. For critics, the costs of SOX have far outweighed its benefits.
These costs are on the downturn, however, with the release of the SEC’s principles-based guidelines for SOX compliance. In addition, in September 2012, the Committee of Sponsoring Organizations of the Treadway Commissions (COSO) released an exposure draft of Internal Control – Integrated Framework (Framework), an update of the widely used framework for designing and evaluating internal controls. The updated Framework is expected to help organizations adapt to the increased complexity in today’s business environment. The updates to the original framework are not expected to fundamentally alter the original principles, but will formalize certain concepts. Included in the exposure draft are approaches and examples that illustrate how the principles are applied in financial reporting.
What does it have to do with private companies, nonprofits, and other non-SEC registrants that are not required to comply with SOX? It is really a question of good business strategy to embrace SOX principles to strengthen a company’s internal control environment. Companies and organizations that have a strong system of internal controls often prove to be successful in their respective marketplaces and industries. Strong internal controls push a company beyond its current limits by helping it implement best practices, retain valuable resources, and serve its customers better than its competitors.
Sarbanes-Oxley has long been criticized as a knee-jerk reaction, implemented far too quickly and without enough regard for its far-reaching implications. Early implementers (accelerated filers) experienced not only astronomical costs, but heavy burdens on their finance and internal audit staffs. But as accelerated filers have continued to comply with SOX, financial restatements are now on the downturn.
SOX was such a burden on organizations because in the post-Enron climate, its provisions were implemented to their extreme. Company management teams and their external auditors were concerned about the severe ramifications of poor internal controls, including huge shareholder settlements, and, in some cases, jail time for company executives. In addition, the guidelines published by the PCAOB were interpreted as being extremely prescriptive in nature. Therefore, companies and their auditors took the provisions of SOX in its most literal sense.
All processes that had anything to do with financial statements were examined with a magnifying glass. All controls that mitigated even the smallest of risks were documented and tested for effectiveness. Some companies reported thousands of primary or key controls for their organizations. Basically, a bottom-up approach evolved, meaning that processes and controls were identified, documented, and tested without regard for the true risk the process posed to the organization or its financial statements, but from a defensive mentality more concerned with following SOX to the letter. The result was that thousands of hours and millions of dollars were needlessly wasted. The worst part was that not only did management of companies follow this approach, but so did their external auditors, causing audit fees to skyrocket.
Several accelerated filers were interviewed and polled after their first year of SOX compliance. The results of the polls were overwhelmingly negative. The vast majority questioned whether or not SOX provided any benefit at all.
After a few years and several lessons learned, more corporate executives have started to realize some of the benefits of implementing SOX in their organizations. New guidelines have been issued, reducing some of the costs and greatly decreasing the burden on a company's finance and internal audit staff. Financial statement restatements are decreasing, while the quality of relevant financial data is increasing, allowing company executives to make quicker, more nimble decisions. Financial reporting and operational excellence have become more efficient. In addition, some companies are starting to use SOX as a springboard to a more holistic enterprise risk management initiative.
Should a nonpublic organization consider strengthening its internal control environment utilizing certain SOX principles? One reason why it should be considered may be the immediate benefits. Organizations often experience increased confidence in the company’s internal financial reporting and a reduction in fraud exposure. In addition, if a private company has strong financial reporting controls, it may yield more value and a more efficient due diligence process in an acquisition by a public company and would be perhaps better prepared if the entity or a division of the entity is brought public. Another reason: there is now an abundance of predefined tools, templates, and methodologies for SOX compliance in the marketplace. As a result, implementation is easier and less costly than it was in its infancy.
The best thing to come out of strengthening the internal control environment may be the risk assessment efforts employed by management. With a focus on financial reporting, a risk assessment is usually analyzed either by financial statement caption or by financial statement process (expenditure process, revenue process, treasury process, etc.). Each financial statement caption is then ranked using a likelihood and magnitude approach. The likelihood and magnitude approach considers how likely it is that there will be a misstatement in the process and, if so, how significant could the misstatement be. Evaluating likelihood and magnitude prior to the consideration of internal controls is a way to evaluate inherent risk. Based upon the level of inherent risk, organizational management can decide where to focus its attention. This is referred to as a top-down approach to assessing risk when strengthening internal controls.
Once the risk assessment is complete, an organization can begin to document the processes that mitigate the greatest risk. Documentation identifies the points within the process where primary or key controls take place. These are controls that reduce the likelihood or magnitude of an error in the financial statements or reduce the risk of fraud. To help identify key controls, consider the financial reporting or anti-fraud objectives of the process. Then identify the primary risks to accomplishing those objectives by asking the question "what could go wrong." Identify the key controls that sufficiently mitigate those risks or answer the question of "what could go wrong." Focusing on the key controls and employing the top-down approach will lead to a more efficient process in strengthening the internal control environment.
As management documents its processes and corresponding control environment, there may be parts of the process that do not contain adequate controls to reduce the risk of material misstatement or fraud. These are called design deficiencies, and they point out areas in which the organization will need to create and implement new internal controls to address the risk.
The next step after documentation is to test the control environment. This will be different for all companies and could be different for each internal process or financial statement caption, depending upon the risk. In some cases, especially in a simple or centralized environment, the daily interaction and involvement by certain levels of management may be sufficient testing.
As management is testing its control environment, it may note several areas in which controls are not functioning as expected. These are known as operating deficiencies and should be remediated. Operating deficiency remediation can take many routes, including re-engineering the process so as to further segregate duties between personnel or place the responsibility of the control on another operating unit within the company. It may mean performing extra steps so the performance of the control is more evident or abandoning the current control in favor of one that is more functional.
Certain chief executives acknowledge that because SOX required them to examine the adequacy of internal controls, they discovered accounting inaccuracies, acquired a better understanding of how their companies operate, and were able to cut costs and be more productive in other aspects of their businesses.
A strong internal control environment can be beneficial for all organizations, whether operating as a public, private, or nonprofit organization. Companies that have already started enhancing their internal control environment can gain a competitive edge over those that have not. These entities may be able to enhance confidence in their internal financial reporting, facilitate a more efficient due diligence process in a merger or acquisition situation, and take advantage of opportunities faster than their peers. Better risk management policy, reduced fraud risk, enhanced governance, and strengthened controls resulting from embracing these principles can generate a lot of benefits for nonpublic organizations.