
What Happened to Value-Based Auditing?


By Doug Farmer
Partner, Enterprise Risk
Plante & Moran

With the advent of the Sarbanes-Oxley Act of 2002, publicly traded organizations diverted focus and resources from traditional operational reviews to full-on compliance efforts to satisfy the new reporting requirements.

Sarbanes-Oxley was placed into law in 2002 and was formed in response to numerous high-profile failures of several of the world’s most respected and admired institutions. Born in part of greed, yet facilitated by years of gradual divergence from a focus on fundamental internal controls, executives of the failed institutions saw an opportunity to further personal objectives. Through creative financing agreements and, in many cases, blatant theft through disbursements fraud, investors lost money and honest employees lost jobs.

The Sarbanes-Oxley Act, named after senators Rick Sarbanes and Bill Oxley, requires publicly traded companies to provide an assertion regarding the design and operating effectiveness of their internal controls over financial reporting and disclosures. The act itself comprises 11 titles and included the formation of the Public Company Accounting and Oversight Board (PCAOB).
While the widely debated sections 404 and 302 garnered much press, other titles and sections required an expedited move back to basics relating to internal controls and corporate governance.

Section 404 requires an organization to document processes that have a significant impact on financial statements and to test key controls which reside in these processes. Over the course of the past several years, companies have been paying hundreds of thousands, and in many instances millions of dollars, to document and test their control environment - in many instances, at the cost of forgoing operational audits for efficiency and effectiveness.

Pre-SOX, most progressive internal audit functions moved heatedly towards audits for effectiveness and efficiency with a focused eye on improving operations, reducing costs, and improving overall performance. Internal audit engagements had become much more consultative in nature and line managers looked at their internal audit function as a partner to success in streamlining and improving maligned operations. Of course, this value came with cost. Experienced and skilled auditors became more expensive, the length of engagements expanded, and the cost to implement recommendations became more capital in nature.

All the while companies were using highly educated, skilled auditors as consultants, internal controls were deteriorating unsupervised. This of course opened the organization to looting and, ultimately, failure.

In today’s risk environment, how do organizations move the compliance – value pendulum back to an amenable point?
How do you balance compliance with value?


New implementation standards and countless articles of lessons learned provide more than adequate opportunity to rebalance the effort between SOX compliance and value-based or operational auditing. Following are several potential solutions that, if implemented, can allow most organizations to offset the cost of SOX compliance by freeing talented resources to focus on cost savings associated with operational efficiency and effectiveness.

Several of the suggestions are simply a recounting of the implementation guidelines as defined within Auditing Standard number 5 (AS5). While many organizations and professional service providers are well versed in these standards, there has been hesitancy to fully leverage this guidance. Doing so, however, would allow companies to swing the pendulum back towards value-based internal auditing. Instrumental to leveraging these suggestions is the ability to gain buy-in from all vested parties. This is achieved through open, candid dialogue between management, internal audit and the external auditors.

1. Focus only on key controls – even today, some four years post compliance, many companies continue to test more than is required. Ongoing guidance has been consistent in defining the need to take a top-down approach and to focus only on key controls. If you are simply rolling-over testing year-over-year, there is a significant likelihood that you can reduce the amount of testing and related hour requirements.

2. Take a top down approach – AS5 suggests that effective company-level controls directly impact the level of detail testing required. Again, if you’re simply duplicating tests performed in prior years, it’s time to follow guidance and take a look from the top down.

3. Review documentation approach – documentation guidance under SOX was intentionally ambiguous, leaving the ultimate decision to companies and their attest audit provider. By utilizing flow-charts in place of narratives, an organization can easily identify key controls as well as potentially deficient operational design.

4. Don’t ignore operational deficiencies – during SOX’s early years, and fueled by the need to achieve compliance, operational or non-SOX related deficiencies were disposed of as being irrelevant to the immediate cause. Losing sight of these issues can be both significant and costly. SOX compliance work frequently does uncover operational inefficiencies; identify them as such, include them in the remediation log and, during annual planning, allocate resources to address them.

5. Redirect process documentation accountability – key to an effective compliance effort is the need for ownership at the process level. The heavy lifting has been done. In early compliance years, most organizations utilized internal audit and third-party consultants to document or flowchart processes. By requiring process owners to “own the process,” ongoing maintenance and updates are out of the hands of your process consultants. This alone can free significant resources to re-focus efforts on operational effectiveness.

6. Take a more strategic view of risk assessment and audit scheduling processes – it’s practical to believe that operational audits can be performed and components of SOX testing achieved simultaneously, but this takes close coordination between the SOX PMO, assurance auditors and management.

Getting back to fundamentals may be cumbersome and will minimally require strategic, well-planned risk modeling and audit execution. However, the opportunity exists to regain some level of focus on cost reduction through improved effectiveness and efficiency, and less on the cost of compliance. The cost of SOX compliance is substantial, and easily quantifiable. The more difficult cost to quantify is the opportunity cost associated with ignoring operational efficiency and effectiveness and their associated cost savings.

The Committee on Sponsoring Organizations of the Treadway Commission (COSO) developed the widely accepted control framework in 1992. COSO aimed to provide reasonable assurance regarding the achievement of objectives in three categories: 1) effectiveness and efficiency of operations, 2) reliability of financial reporting, and 3) compliance with laws and regulations. With the inception of SOX in 2002, publicly traded companies have focused nearly all their efforts on the objective for reliability of financial reporting.

While the general perception is that Sarbanes-Oxley has created value in terms of helping to alleviate investor risk and concerns, it can also be argued that the general effort for maintenance has become somewhat status quo. And, just as a pre-SOX lack of focus on controls over financial reporting facilitated the opportunity for loss and corporate failure, organizational leaders and board members must now ask themselves: is our lack of focus on operational effectiveness and efficiency costing us money?





Doug Farmer is a partner in the Enterprise Risk Services Practice of Plante & Moran, PLLC. He is headquartered in the firm’s Chicago office.




© 2019 Simplex Knowledge Company. All Rights Reserved.