With the main players in the drama that created Sarbanes-Oxley (SOX) taking their final curtain calls and leaving the stage, what does the world look like after SOX? Senator Paul Sarbanes and Congressman Michael Oxley will retire from active politics later this year, while the cases against Jeffrey Skilling and Andrew Fastow will conclude with their sentencing hearings this autumn. But even now, four years after the passage of the legislation, it is still criticised for being too costly and for allegedly undermining America's entrepreneurial business spirit. Many remain wary of the shadow cast by SOX, particularly in respect of Section 404 (s404) on internal controls over financial reporting, where significant costs have been incurred.
As the key players take their final bows, what has been left as their legacy? Amongst all the criticism are there opportunities for us to learn from the experiences of complying with one of the most significant pieces of risk and control legislation in recent times? My belief from having worked with a multitude of different businesses, supporting them in their SOX efforts is a resounding "yes". There is real evidence that the pain of s404 has brought substantial gains, with accountability, improved levels of investor confidence, more assurance on financial risk, and greater transparency.
Pain vs gain
The scale of public anger over corporate misdeeds at the turn of the millennium gave a strong signal to politicians on Capitol Hill. The pain came as businesses started to implement the requirements with limited guidance. Initially, accelerated filers, the first wave of issuers required to comply, adopted an overzealous approach, which minimised the risk of getting it wrong by doing as much as possible. Ernst & Young's survey of accelerated filers found that 60% of companies with revenues greater than $20bn invested more than 100,000 man-hours in s404 compliance-related activities (excluding independent auditor hours). And in the first year of operation, 70% of companies said the costs of s404 were 50% higher than original estimates. Foreign private issuers, the second wave of issuers required to comply, have had the benefit of time to push for a top-down, risk-based approach, with a more balanced focus on entity-level versus transaction-level controls.
But it is now generally accepted that something like SOX was necessary to restore confidence in the integrity of financial information, and many of the observations and lessons from compliance reveal benefits applicable to other areas of risk. Recent company feedback via Securities and Exchange Commission (SEC) roundtable meetings broadly agreed that management ownership of internal financial control was the necessary step.
Critics might question the motives of companies that tell the SEC that SOX was necessary and effective. But there is increasing evidence that SOX will help companies improve investor confidence. For the first time, investors can rely on an audited attestation on the effectiveness of internal controls over financial reporting. This transparency has its benefits. A recent Ernst & Young survey of over 300 institutional investors found that 69% valued transparency over and above a long track record or business model when considering an investment. In addition, 82% of large investors were prepared to pay a premium for good and transparent risk management and control. Investors are also beginning to impose a penalty on companies lacking those systems: 61% of them had declined to invest where they felt risk management to be insufficient.
The view that investor confidence is enhanced by s404 compliance is also one that is supported by the companies themselves. A survey by Financial Executives International (FEI) found that companies largely agree with the view from their investors: 56% said s404 compliance had improved investor confidence in their financial reports. And, as part of one of Ernst & Young's Foreign Private Issuer surveys, Emerging Trends in Internal Controls, 85% of companies claimed they had seen added benefits from enhanced financial processes as a result of s404. One s404 programme leader attending one of our roundtables said: "The state of controls is better than ever it was in the past". A Fortune 200 company Chief Accounting Officer said s404 compliance had resulted in: "improved business efficiency and better customer satisfaction".
I have not spoken to a single CFO, group controller or audit committee member of an organisation that has had to comply with SOX who does not believe they now have more accountability for, and ownership of, financial controls. It is quite an easy thing to say, but actually achieving it is very difficult, and the companies that have done it will likely benefit greatly from it.
But the controls around financial reporting are just one part of the picture. At a recent SOX roundtable hosted by Ernst & Young, there was agreement that ultimately SOX could make the entire control environment more robust.
No-one is pretending these benefits are cost free, but the painful impact of the early costs is easing as companies incorporate a top-down approach and seek an appropriate balance between company-wide controls - entity level controls (ELCs) - and transaction level controls (TLCs). There is a realisation that ELCs were under-utilised in the initial compliance years and there is now greater focus and potential reliance on them. But effective ELCs ordinarily have some necessary dependency on controls that operate at the transaction level, so key TLCs need to continue to be tested to ensure that an appropriate balance is struck.
So the lessons from the initial years are that compliance is not always about inventing new controls, but is also about taking credit for existing controls and other existing management activities that address the integrity of financial reporting. Foreign private issuers also are reflecting on other lessons and guidance, and are placing particular emphasis on a risk-based approach, rather than a bottom-up restructuring of controls.
Reviewing internal controls
They say that in times of war, technology evolves fastest. Whatever your view on SOX, its onset has brought higher expectations about the capabilities of effective systems of internal control over financial reporting. SEC registrants have been forced to review their systems of internal control over financial reporting; as a result, their internal controls have had to evolve. SEC registrants are now in a position to have formally documented their financial reporting risk and how they manage it, and to identify clear decision points and accountabilities. More importantly, they have determined how processes and controls need to change as the business evolves (for example, expanding into overseas markets). They have also benefited from sharpening controls in areas that had previously received little attention.
It is becoming apparent that the assessment of internal controls required by s404 has prompted management to carry out those assessments more frequently, and with a better-trained eye. That gives earlier warning of some common gremlins which might otherwise creep in unnoticed under the corporate radar. Inventory shrink in retailing, revenue recorded in the wrong period, front-loading of sales entries, project spending slipping against forecasts: the list spans all industries and sectors.
So as foreign private issuers enter the final phases of complying with SOX, it is worth reflecting on the areas that have been found to be lacking, so that all those involved in risk management, control or assurance can learn and take these lessons back to their own organisations.
Our experience indicates that the areas with significant control issues are those that are highly complex and are based on processes which require a high degree of judgment and estimation. In addition, the areas where significant remediation was required post-pilot as reported in an Ernst & Young Foreign Private Issuer survey were:
- IT systems (76% of companies)
- core business operations (48% of companies)
- financial statement close processes (45% of companies)
- entity-level controls (34% of companies)
- tax (17% of companies).
Our work with clients would support the finding that IT controls are a significant area of weakness. The work involved in introducing SOX has highlighted gaps in this area, especially relating to user security and access. In addition, clients have cited control weaknesses in the documentation and testing of new systems, in the effectiveness of control over program changes, and in the effectiveness of user administration and monitoring. Global organisations have discovered that IT governance is an area where they may believe they have a strong central IT information management strategy, but when they look at some of the more remote, yet significant, locations, they find that the governance has been lost somewhere in the process.
We are finding that, as clients dust off their risk manuals and begin the task of understanding how fit for purpose their system of internal control is over financial reporting, they are discovering opportunities for improvement.
There is a lot to be said for investing in a review of internal control systems - not just for SOX compliance, but for investor confidence, for good business and potential competitive advantage.
And for an encore performance?
In the longer term, some have predicted that compliance with SOX will tend to slip into complacency as companies learn to live with the processes and controls, and that complacency may be encouraged by automation. The argument goes that as more of the processes and controls become automated, they slip out of sight and out of mind. Automation should not be seen as a panacea for the pain of compliance. Automated tools can help enable the compliance process and can embed preventive and detective controls into business processes. However, some argue that the more integrated and automated your business processes become, the greater the risk of a single control failure having a significant and pervasive effect. IT does have a role to play in enabling and embedding the processes, but it is not the whole answer.
However, the requirement for an annual assessment by management and the clear emerging pattern of aggressive enforcement from the SEC serve as strong counterweights to complacency. The cost and effort of annual assessments will likely foster constant evolution of the SOX environment as practitioners and regulators work within it, establish precedents, and generate regular updates to best practice. These updates will also serve as a regular reminder and help to counter complacency. The new SEC chairman, Christopher Cox, has indicated he favours reforms that strike a balance between simple measurement of controls and processes on the one hand, and real understanding of risk on the other.
Cox has a careful course to steer between those calling for wholesale reform or repeal, while proposing changes to meet business concerns, without losing the benefits that SOX has brought. Sarbanes-Oxley, he said, has "great potential" to improve financial reporting. But he added that, "in practice, it hasn't always worked out that way."
Risk: Enter stage right
Whether or not reforms take place, we have seen the benefits for companies that follow a top-down, risk-based approach to their assessment, starting with entity-level controls. There is a clear mandate from investors, which is reflected in the emergence of a variety of similar guidance from regulators all over the world. In the UK, the Financial Reporting Council has already placed a marker, reminding industry that it has the ability to adopt more mandatory requirements. Swiss, Japanese, Indian, Swedish and French regulators are all considering their positions, and companies in these countries are beginning to see a plethora of internal control regulation and guidance, all based in some way on s404.
As risk, control and assurance professionals, what do we need to be doing to make sure that we continue to learn and help protect the capital invested in our businesses? We have found that many of our clients are revisiting enterprise risk management - they are adopting certain risk management elements to help embed the process and improve coordination, efficiency, accountability, coverage and risk reporting overall. These include:
- Establish a simple, relevant framework - you have an opportunity now to leverage and refine any framework you have adopted for compliance reasons, employing aspects of other frameworks and customised approaches to help address your full spectrum of risk in a way that is relevant, practical and provides value.
- Demand a clear, concise view of risk, control and assurance - SOX gave companies the opportunity to document control and process ownership across functions for the first time. The benefit is that when a process changes, it is far simpler to update the control system.
- Avoid enterprise list management - in the early days, many companies made the mistake of ranking exhaustive lists of risks and processes rather than identifying the risks and processes that mattered most. Leading companies are making subtle changes to their risk assessments, issues tracking and reporting, based on their understanding of the entity's control environment.
- Seek to know what you don't know - traditional risk assessment approaches may not reveal new or emerging risks. By employing different approaches to risk assessment or accessing risk knowledge from outside, risks can be revealed earlier and surprises minimised.
- Conduct risk and control assessment as an embedded activity - it should form part of the company's strategic, business and audit planning processes rather than stand alone.
- Enable internal audit coverage across risk areas - with many internal audit functions increasingly focused on financial reporting risk, coverage in other key risk areas may be reduced. In response, audit committees and executives are re-examining the focus, staffing and charter of internal audit, and investigating options to identify and address areas where risk coverage may be unacceptably low.
A final word
As former SEC chairman William H Donaldson said: "The voices calling for a rollback of portions of Sarbanes-Oxley ... are short-sighted". If you are an international company, it could pay to be ahead of the game. Do not wait for regulation to ask you to prove the strength of your system - your investors and audit committee may ask for that reassurance just a little earlier.
- Fiona Sheridan is a partner, Ernst & Young, E-mail: fsheridan@uk.ey.com
Real life examples
'Life after SOX' leading practice that has emerged includes the following.
- An SEC-listed FTSE 100 organisation conducted an internal control review which exposed vast differences in the number of controls for standard processes across the globe (for example, China 50+, UK 10+). It has now developed a generic framework and templates for the key risks and controls expected for the most common processes, brought process owners together to understand end-to-end processes, and conducted country controls reviews. Since embarking on the project it has:
  - reduced the number of controls globally by 15%
  - gained greater confidence in the controls now in place
  - increased understanding and awareness of the role of controls in the business
  - embedded optimised new controls into business-as-usual activities, so that controls are built in advance of change (for example, new system developments, offshoring).
- A major multinational that operates in a highly regulated industry has embarked on a review of its sales and marketing controls, to address concerns that failure of these controls in relation to its compliance obligations could lead to significant fines and reputational damage. The findings were that not only was it exposed to compliance risk, but some of its bonus systems, and the controls around them, were inadequate to ensure that standards of behaviour were aligned with its key sales performance indicators and strategies.
- A leading multinational has embarked on a large risk and control review to align the multiple processes that were being used across the business to assess, treat and monitor risks and to obtain assurance, as there was awareness that its current assurance was inefficient and in danger of having blind spots. This is a key stepping stone before moving on to evaluate the effectiveness of assurance as a key business process.