Advertise with Sarbanes Oxley Compliance Journal

An Integrated-Data View of Compliance


By Richard Gibbons

QUMAS

Previously, public companies approached regulation as a necessary evil. With the advent of Sarbanes-Oxley, the bar was raised. Enterprises must now address compliance from both strategic and tactical perspectives, adopting a proactive and holistic approach to robust and comprehensive controls management and reporting. Corporate life at the top is riskier than ever before: CEOs and CFOs are particularly exposed, because they are now more directly accountable to regulators and other interested parties for each decision they make.

The most demanding part of Sarbanes-Oxley is Section 404, which accounts for the greatest portion of compliance spend, expected to reach $35 billion for new IT solutions and expertise. A large portion of that investment involves moving from manual processes to technology solutions that automate the compliance processes behind Sections 404 and 409. Section 409 stipulates that the issuer must disclose, on a rapid and current basis, information "concerning material changes in the financial condition or operations ... including trends as the (SEC) determines necessary for the protection of investors and in the public interest".

Companies must be on the lookout for areas of "material weakness", characterized by the Public Company Accounting Oversight Board (PCAOB) as a significant deficiency, or combination of significant deficiencies, "that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected". PCAOB Auditing Standard No. 2 discusses the importance of IT in the context of internal control, stating that "the nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting". Current guidance from the PCAOB and SEC directs auditors to concentrate on higher-level risks to financial reporting rather than on minutiae.



For those organizations that have begun the compliance process, it has become apparent that IT plays a vital role in internal control. Systems, data and infrastructure components are critical to the financial reporting process. Auditors must spend more time evaluating control procedures and the IT systems that support them, to determine whether those systems pose underlying risks to the process controls. From an enterprise perspective, IT professionals, especially those in executive positions, must be well versed in internal-control theory and practice to meet the requirements of Sarbanes-Oxley. CIOs must take on the challenges of enhancing their knowledge of internal controls; articulating their organization's overall Sarbanes-Oxley compliance plan; executing a compliance plan that specifically addresses IT controls; and integrating this plan into the overall Sarbanes-Oxley compliance plan. Companies that invest in holistic risk and compliance systems have the greatest potential to achieve enhanced compliance and decision support.

The right software solution can cut the amount of time needed to handle and document remediation of material weaknesses, reducing the possibility of non-compliance. It can also reduce the cost of performing audits and help companies leverage technology and business processes to improve enterprise efficiency.




Two control frameworks have been widely adopted by public companies subject to Sarbanes-Oxley: the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) "Internal Control - Integrated Framework", released in 1992, and the IT Governance Institute's "Control Objectives for Information and related Technology" (CobiT). Organizations applying either framework to SOX share the following objectives and challenges:

1- Identify processes and implement controls and tests.

2- Achieve first-audit compliance.

3- Reduce finance department operating costs.

4- Streamline the "close" and the "report production" processes, accelerating public announcement of financial results.

5- Mens sana in corpore sano ("a sound mind in a healthy body"): increase CIOs' familiarity with the COSO mandates and the CobiT framework for managing IT processes, while satisfying technical and performance requirements.

Although the SEC suggests that public companies consider the control components of COSO, neither the SEC nor the PCAOB has openly endorsed a specific IT control framework. This is wholly consistent with the SEC's modus operandi: if you endorse, you can't enforce. As companies approach first-year certification, practical considerations take precedence, including the alignment between the COSO internal control framework and the CobiT objectives, which consist of:

1- Creating an environment of reliable internal financial controls, validated by attestations by management and its independent auditor, as to the reliability of internal controls and the accuracy of financial statements.

2- Training and managing personnel to identify internal and external risks to the operations, security, confidentiality, availability, and integrity of data.

3- Installing information systems to facilitate the processing, storage, transmission, and/or disposal of confidential information.

4- Mitigating risks from unlawful intrusions, unauthorized access, and operational or IT failures.

5- Conducting periodic oversight and assessments, to ensure compliance and institute change.

Further complicating the regulatory landscape, the Basel Capital Accords prescribe regulatory capital requirements intended to ensure that financial services institutions (FSIs) hold enough capital to cover potential losses from their exposures. They prescribe rules for calculating a risk-weighted capital ratio and mandate that total capital never fall below 8% of risk-weighted assets. Under Basel II, the calculation of risk-weighted assets expands, with the approach permitted depending on an organization's size and complexity.

Basel II also makes financial institutions more sensitive to credit, market and operational risk, deploying three mutually reinforcing pillars that contribute to an accurate assessment of "safety and soundness". They are:

• Pillar 1: Minimum Capital Requirement. This covers market, credit and operational risk.

• Pillar 2: Supervisory Review Process. This sets the framework for supervision.

• Pillar 3: Market Discipline. This sets out the framework for market disclosures by financial institutions.

Pillar 1 mandates calculation of operational risk, defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. Basel II excludes strategic and reputational risk from that calculation, although institutions are still expected to hold appropriate capital in reserve against them. Basel II is not mandatory and national regulators are free to choose how to apply it, but the EU has taken a rigid stance, applying the new rules to most banks and investment firms. The Federal Reserve has indicated that it expects the top 11 US banks to comply, and more are expected to comply voluntarily.

The general consensus is that two years of data will be required for competent risk measurement, so financial institutions should have their systems operational in 2006. Analysts predict a possible $4 billion spend on software and services over the next two years in the run-up to Basel II implementation. This will place significant demands on data management: capturing, integrating and processing the appropriate data, and deploying analytics over it. Significant challenges include timing issues around completing implementation lifecycles, lack of data, inflexibility of existing IT assets, and a shortage of Basel domain expertise.

Applying Basel in the post-SOX landscape means that financial institutions must take the initiative in satisfying added layers of compliance and reporting. There is little doubt that regulators view risk measurement, mitigation and reporting systems as tools for assessing compliance with SOX. In practice, the threat of regulatory penalties for non-compliance is mitigated by investing in a technology solution that embodies cross-enterprise risk mitigation and correlation against "best practices". Institutions with such systems may be permitted to use them to calculate capital holdings against their Basel II exposures, which may lead to reduced capital requirements and substantial business-performance benefits.

What Each Financial Institution Should Do
Conduct an impact assessment: what do these new laws and regulations require your organization to do to its existing IT systems in order to achieve compliance?

Set timescales: SOX and Basel II projects are time-critical. When do the changes need to be in place? Where your organization relies upon third parties to achieve compliance, what incentives should be put in place to maximize on-time completion, and what should the contractual recourse be for delay?

Complete a contract review: audit existing contracts with outsourced service providers and vendors:

• Contracts should provide for the allocation of cost, either through one party paying all the costs or by making everything subject to a negotiated "change control" arrangement.

• Many contracts contain "compliance with law" clauses under which the supplier of the product or service commits to ensure that it remains compliant with laws and regulations during the term of the agreement.

Roadblocks to Compliance
All companies need to focus on ways to achieve efficient, sustainable compliance. Controlling people, processes, and systems comes with multiple challenges, which create roadblocks.

A lack of adequate compliance systems is increasingly seen as having significant implications for the effectiveness of internal controls programs. The COSO framework is used to assess the effectiveness of internal controls over financial reporting; when flaws remain unresolved, they prevent management from determining the overall effectiveness of internal controls. Companies working toward SOX 404 compliance must carefully consider the strategic and tactical threats to COSO compliance, which include:

1. Lack of an enterprise-wide, executive-driven internal control management program. Company leaders must take explicit responsibility for managing the internal control program.

2. Lack of formal enterprise risk management program. This can hinder allocation of resources to areas that carry the greatest risk.

3. Inadequate controls associated with recording of non-routine, complex, and unusual transactions. This can sabotage efforts to institute risk remediation.

4. Ineffectively-controlled post-merger integration. Complex transactions can pose considerable financial reporting risks.

5. Lack of effective control over the IT environment. Financial institutions are increasingly dependent on technology to execute and document activities. The more complex a company's IT environment, and the less attention it has given to IT controls, the greater the likelihood of IT control gaps.

6. Ineffective financial reporting and disclosure preparation processes. The accelerating rate of regulatory and legal change has increased the number and complexity of required financial disclosures, a trend that shows no sign of slowing.

7. Lack of formal controls over the financial closing process. This is the final step in producing an official financial report, and in the midst of filing deadlines, following rigorous internal control procedures may be the last thing on anyone's mind.

8. Lack of current, consistent, complete and documented accounting policies and procedures. Policies and procedures may not be applied consistently and systematically, may be mutually inconsistent, may fail to provide full coverage, and may lack the necessary guidance and direction.

9. Inability to evaluate and test controls over outsourced processes. Companies often delegate responsibility for internal control to their service providers but seldom clarify the division of responsibilities in service contracts, failing to establish the contractual right to conduct audits or to request a SAS 70 or equivalent report. This seriously hampers SOX Section 404 compliance efforts.

10. Inadequate board and audit committee understanding of risk and control. It is of utmost importance that board and audit committee members demonstrate an ongoing commitment to increasing their understanding of company-specific risk and control issues, striving to uncover, challenge and resolve all issues that could compromise the internal control environment.

• Complexity. Due to increased merger and acquisition activity in recent years, many corporate infrastructures have become a complex maze of heterogeneous people, processes and technology: mixed corporate cultures, business processes, hardware and software.

• Manual processes. Mandated processes are inevitably supported by personnel who must manually aggregate information, assess status, address shortcomings and cobble together reports. This is a costly and error-prone approach that is neither comprehensive nor sustainable.

Interestingly, many organizations anticipate, as an outcome of a technology-solution implementation, a substantial reduction in the staff needed to carry out and support the remaining manual processes. Yet the most critical part of any internal control management program is its human resource component: the need to hire, develop and manage enough qualified control specialists to achieve sustained compliance. The majority of organizations have not seen their staffing levels drop much, if at all, after implementing a solution, having realized that they need staff trained on the system.

Remember that the motivators for automated solutions continue to include better and more efficient resource deployment, enhanced enterprise management, and improved timeliness, responsiveness and communication of material risk, with recommended action plans, to upper management, leading to remediation, enhanced revenue, brand recognition and market share. Cutting staff under such circumstances is correctly viewed as imprudent.

This amplifies the need for knowledgeable staff to provide that critical human intervention, according to regulator-prescribed and industry-standard precepts of accountability and reporting. The shift is what the financial services industry calls the "80/20 rule": a move from a manual processing environment, where endless hours are spent physically searching for breaks and other exceptions, to an automated environment, where qualified staff spend 80% of their working day responding to the top 20% of exceptions that pose the highest risk.

• Lack of standardization. Inconsistent processes across business units and geographies create fragmented efforts involving multiple ways of testing, measuring and reporting on the same business and IT control issues.

To achieve and sustain risk and compliance management, take this four-step approach:
1. Assess the current risk and compliance controls environment. To obtain this information, companies must dig into their processes and technologies to inventory the business and associated IT environments, as well as understand how internal and external risks and compliance oversight responsibilities affect critical business processes.

2. Establish the people, processes and technology to operate the controls environment. This means testing for control gaps against change-management "best practices". The goal is to implement standardized manual and automated controls, deploying industry "best practices" and best-of-breed technologies.

3. Sustain risk management and compliance from both business and IT perspectives. Once the proper controls are in place, an automated and standardized process should be established for continually measuring and testing business and IT controls, remediating those that are non-compliant, recording all associated business processes, and reporting within the company according to board and management protocols.

4. Install an integrated "system of record" that best leverages legacy systems and technology infrastructure. Many organizations are beginning to implement a cross-enterprise system of record in a manner that satisfies the myriad business and compliance requirements.
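As an added illustration of step 3 (continual, automated testing of IT controls) and of the "80/20 rule" discussed under Roadblocks to Compliance, the following Python script automates three common IT general control tests over an access snapshot and ranks the resulting exceptions by severity so that reviewers work the highest-risk items first. It was written for this page and is not Qumas code; the page describes no particular product logic. The user names, roles, review dates, control identifiers and the 90-day access-review policy are all constructed assumptions.

```python
"""Automated IT general control (ITGC) tests with risk-ranked exceptions.

Three controls commonly tested for SOX 404 are evaluated against an access
snapshot, and the exceptions are ordered by severity for review. Every user,
role, date, control ID and policy value below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Constructed access snapshot, as it might be exported from a financial application.
USERS = [
    {"user": "alice", "roles": {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"},
     "last_access_review": date(2006, 1, 15), "terminated": False},
    {"user": "bob", "roles": {"GL_POST_JOURNAL"},
     "last_access_review": date(2005, 6, 1), "terminated": False},
    {"user": "carol", "roles": {"GL_POST_JOURNAL", "GL_APPROVE_JOURNAL"},
     "last_access_review": date(2006, 2, 1), "terminated": False},
    {"user": "dave", "roles": {"AP_APPROVE_PAYMENT"},
     "last_access_review": date(2006, 2, 1), "terminated": True},
]
AS_OF = date(2006, 3, 31)  # hypothetical test date (quarter end)

# Segregation-of-duties rules: role pairs a single person must never hold together.
SOD_RULES = [
    (frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}), "create a vendor and approve its payments"),
    (frozenset({"GL_POST_JOURNAL", "GL_APPROVE_JOURNAL"}), "post and approve journal entries"),
]
ACCESS_REVIEW_MAX_AGE_DAYS = 90  # hypothetical policy: quarterly user access review
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class ControlException:
    control_id: str  # which control failed
    severity: str    # drives the review order
    subject: str     # the user the exception is about
    detail: str      # what the reviewer needs in order to remediate


def check_segregation_of_duties(users):
    """ITGC-SOD-01: no user holds both halves of a conflicting role pair."""
    for u in users:
        for pair, description in SOD_RULES:
            if pair <= u["roles"]:
                yield ControlException("ITGC-SOD-01", "high", u["user"], f"can {description}")


def check_terminated_access(users):
    """ITGC-ACC-02: terminated users must hold no roles at all."""
    for u in users:
        if u["terminated"] and u["roles"]:
            yield ControlException("ITGC-ACC-02", "high", u["user"],
                                   f"terminated but still holds {sorted(u['roles'])}")


def check_access_review_age(users, as_of):
    """ITGC-ACC-03: every active user's access was reviewed within the policy window."""
    for u in users:
        if u["terminated"]:
            continue  # handled by ITGC-ACC-02: access should be removed, not re-reviewed
        age = (as_of - u["last_access_review"]).days
        if age > ACCESS_REVIEW_MAX_AGE_DAYS:
            yield ControlException("ITGC-ACC-03", "medium", u["user"],
                                   f"last access review {age} days ago")


def run_control_tests(users, as_of):
    """Run every control test; return exceptions ordered by severity, control, then user."""
    exceptions = [*check_segregation_of_duties(users),
                  *check_terminated_access(users),
                  *check_access_review_age(users, as_of)]
    return sorted(exceptions, key=lambda e: (SEVERITY_RANK[e.severity], e.control_id, e.subject))


def summarize(exceptions):
    """Exception counts per severity, the figure a management report leads with."""
    counts = {}
    for e in exceptions:
        counts[e.severity] = counts.get(e.severity, 0) + 1
    return counts


if __name__ == "__main__":
    findings = run_control_tests(USERS, AS_OF)
    print("summary:", summarize(findings))
    for e in findings:
        print(f"[{e.severity:6}] {e.control_id} {e.subject}: {e.detail}")
```

Two points matter more than the individual checks. First, the evidence must come from the system of record (an export the application produces), not from a self-reported spreadsheet, or the test proves nothing to an auditor. Second, the test code and its rule tables are themselves controls and belong under the same change management as the application: a silently edited conflict matrix is a control gap. The ranked output, retained with its run date, is the working list for the "top 20% of exceptions" and the evidence that the control operated.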

Conclusion
The impact of Sarbanes-Oxley is broad, covering stringent regulatory oversight and auditor independence, close scrutiny of corporate behavior, the ethics of business practices, and the accuracy and fairness of financial disclosure. Sarbanes-Oxley imposes clear disciplines of corporate responsibility on public companies, disciplines intended to promote a scrupulously informed investing public, fully versed in all risk indicators of corporate health and with a clear view of brand recognition, market share and investor value. In this context, today's financial enterprises need to transform their risk and compliance approaches from reactive to predictive, best driven by efficient, control-focused information technology. Companies that cling to less efficient manual processes will find themselves at a competitive disadvantage, since Sarbanes-Oxley is not just about control but also about competition.



Richard Gibbons works for Qumas as a financial services domain expert. Qumas provides enterprise compliance, governance and risk management solutions. Gibbons is a former SEC/NYSE regulator and has been Compliance Director for Fidelity/NFSC, Banque Paribas, Deutsche Bank and U.S. Trust Company of NY. Prior to joining Qumas, he was IBM's Associate Partner/SME to the FS industry. He is recognized as a foremost expert on AML/Anti-Fraud controls-management.




© 2019 Simplex Knowledge Company. All Rights Reserved.